According to ThreatPost, Adobe was all set to roll out a new version of Reader when software testing revealed the update was full of flaws and security holes that would have exposed millions of users to cyber attacks.
Regression testing found the following errors in the Adobe Acrobat / Reader update:
- Memory corruption.
- DDoS vulnerability.
- Cross-site scripting.
- A way to bypass Windows sandboxing.
Many of the patched vulnerabilities would have allowed hackers to execute code remotely – one of the biggest vulnerabilities on the NIST scale. By fixing this patch, Adobe narrowly avoided another security nightmare, which would have come less than 12 months after last year's data breach in which millions of users' data was hacked. (For more details, see our article, "Data Breach Solutions: What You Can Learn from Adobe's Massive Data Breach.")
When your clients use third-party software, they expose their business to the risk of cyber attack or data breach. Many of your clients might assume that their software is secure when it comes from a "brand name" company like Adobe. But as an IT consultant, you know better.
How to Talk with Clients about Software Updates
Whether it's Microsoft Office, the Adobe suite, or QuickBooks, your clients can't avoid using third-party software. Unfortunately, even common software can have major security flaws that expose your clients to the risk of a data breach.
How do you reduce these risks on a client's network? To begin, you'll need to make sure your clients understand the how third-party software exposes them and what they can do to manage that risk. Remember to discuss these key points:
- Updates should be installed immediately. As an IT consultant, you could be hired to install commercial software, oversee a data migration, or perform other one-time tasks. It'll be up to your client to make sure updates and patches get installed on time. Once an update is released, hackers pick it apart and develop attacks to target old versions of the software. In our article, "Software Patches: The Good, the Bad, and the Liability," we outline how delayed updates lead to increased risk.
- Updates can cost money. While most patches are free, software updates can have indirect costs, which is why clients need to reserve money in their budget for IT maintenance. For example, say a client upgrades a piece of software and it no longer syncs with another application. They'll have to replace the other program with software that will sync properly.
- Updating software sounds easy, but sometimes it's not. Aside from the potential costs of upgrading software, having to install numerous updates for an entire company is so labor intensive that many small businesses put it off. Updating every employee's computer across the company may be daunting, but it’s necessary to prevent a data breach from a forgotten weak point.
- Risks compound in BYOD workplaces. While it can be difficult for your clients to make sure the company's software is up-to-date, it's nearly impossible for them to do so with an employee's personal device. If employees use personal laptops on the network, outdated software could expose a client's data to a cyber attack. That's part of the headache of a BYOD workplace.
Third-party risk exposure is an unavoidable part of any business's IT. The only way to manage this risk is to minimize the time your client's software is exposed to known attacks. You need to remind clients to update their software and teach them the importance of doing so quickly.
Stay tuned for Monday's blog where we’ll explore what developers need to know about software updates and cyber liability.
