Imperva CTO says Patch Tuesday only resolves disclosed vulnerabilities

London, June 2010 - Microsoft announced the other day that it was planning 10 patches for the following week, which by now will have arrived, one of them addressing a vulnerability in SharePoint. However, waiting for patch cycles to mitigate vulnerabilities will not protect enterprises.

Since April 12, Microsoft SharePoint users have been vulnerable to a web-based attack through their help.aspx page. The problem was made public on April 29, after which Microsoft has been working to produce a patch, due on Tuesday, June 8.

“Many organizations have SharePoint servers accessible from the Internet, for partners and customers to access, that may be unprotected. Having to wait almost two months for a patch for a vulnerability related to a very common attack vector (Cross Site Scripting) is just too long,” said Amichai Shulman, CTO, Imperva. “We are repeatedly reminded by such incidents that, regardless of the amount of resources poured into SDLC, applications still go out of the factory door with vulnerabilities in them. Some of them pop up as a side note on a patch and some as 0days.”

Shulman continues: “We all rely on vendor patch cycles to keep us and our businesses secure; however, as one vulnerability is patched, sooner or later another one will appear. Businesses need to ensure they are secure from all vulnerabilities, whether notified or not.”

“The criminals do not need to wait for a vulnerability to be notified before they exploit it, so businesses with a public-facing portal need to take a holistic approach to security and look at how they can protect their business at all times, especially between patch cycles, whether this is via a web application firewall (WAF) to mitigate vulnerabilities or other security tools. For those relying on Microsoft’s patch cycles, the only mitigation possible in the short term is ‘virtual patching’ via a WAF,” Shulman adds.
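To make the “virtual patching” idea concrete, here is an added example in Python of what a WAF-style virtual patch does at the edge: it inspects each inbound request, and for the one resource known to be affected it rejects parameter values that could break out of HTML context, while leaving all other traffic untouched. This is illustration code written for this page, not Imperva's product or Microsoft's fix; the path suffix `/help.aspx`, the parameter name `topic`, the marker list and the sample requests are all constructed assumptions, since the press release only states that the flaw is cross-site scripting via help.aspx.

```python
"""Toy WAF-style virtual patch (added illustration, not vendor code).

A virtual patch shields a known-vulnerable resource at the network edge until
the real fix is deployed. The rule below is deliberately narrow: it only looks
at requests whose path ends in /help.aspx (an assumption for this demo) so that
ordinary traffic elsewhere is not affected.
"""
from dataclasses import dataclass
from html import unescape
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Sequences that let a reflected value escape its HTML context. Constructed
# for the demo; a production rule set would be broader and tuned to the app.
XSS_MARKERS = ("<", ">", "javascript:", "onerror=", "onload=")


@dataclass
class Decision:
    allowed: bool
    reason: str


def _normalise(value: str) -> str:
    """Strip one extra layer of percent-encoding (parse_qsl already removed the
    first), decode HTML entities, and lower-case, so the marker check is not
    bypassed by stacking encodings or changing case."""
    value = unquote_plus(value)
    return unescape(value).lower()


def virtual_patch(method: str, url: str) -> Decision:
    """Decide whether an inbound request may reach the application."""
    parts = urlsplit(url)
    # Scope: only the assumed-vulnerable page is inspected.
    if not parts.path.lower().endswith("/help.aspx"):
        return Decision(True, "out of scope for this patch")
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        probe = _normalise(raw)
        for marker in XSS_MARKERS:
            if marker in probe:
                return Decision(False, f"param {name!r} contains {marker!r}")
    return Decision(True, "clean")


# Constructed sample traffic: a benign help request, a plainly encoded probe,
# a double-encoded probe, and a request to an unrelated page.
SAMPLE_REQUESTS = [
    ("GET", "/sites/demo/help.aspx?topic=getting-started"),
    ("GET", "/sites/demo/help.aspx?topic=%3Cscript%3E"),
    ("GET", "/sites/demo/help.aspx?topic=%253Cimg%2520src%3Dx%2520onerror%3D1%253E"),
    ("GET", "/sites/demo/default.aspx?q=%3Cb%3Ebold%3C/b%3E"),
]


def run_samples() -> list:
    """Apply the virtual patch to every sample; returns (url, allowed, reason)."""
    results = []
    for method, url in SAMPLE_REQUESTS:
        d = virtual_patch(method, url)
        results.append((url, d.allowed, d.reason))
    return results


if __name__ == "__main__":
    for url, allowed, reason in run_samples():
        print("ALLOW" if allowed else "BLOCK", url, "-", reason)
```

The point of scoping the rule to one path is the trade-off every virtual patch makes: a narrow rule buys time with few false positives, but it covers only the request shape you anticipated, which is why it is a stopgap until the vendor patch lands rather than a replacement for it.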

For more on Microsoft's Patch Tuesday - http://bit.ly/bc85JV

For more information on Imperva – http://bit.ly/aKrtxj

But it was not just a SharePoint vulnerability that was at issue; other systems were in danger too, and on top of that there was, and still is as of nearly the end of June 2010, a serious problem with Adobe Acrobat and Adobe Reader.

The latter is, in my opinion, reason enough to consider migrating PDF reader and creator software over to Open Source programs.

While there are people, especially those in the industry who are, in one way or another, tied far too tightly to the people in Redmond, who speak against using Open Source, claiming greater vulnerability, I have found the opposite to be true with the programs I use.

Nitro PDF is a great replacement for the Adobe Reader and in fact much better, as it allows annotations and notes to be added to a PDF file and permits those “changes” and additions to be saved as well.

PDF Creator is a free PDF creator, as the title suggests, and OpenOffice has a PDF maker built in, allowing one-click PDF creation. However, I would recommend the use of PDF Creator instead, as it seems to compress the file better than the built-in one in OpenOffice.

Source: Eskenzi PR with additional writing by Michael Smith (Veshengro)