Educause Security Discussion mailing list archives

Handling the spate of bad browser plug-in vulnerabilities


From: David Escalante <david.escalante () BC EDU>
Date: Fri, 9 Nov 2007 12:13:07 -0500

Hi, we're concerned here at BC with the batch of really nasty
vulnerabilities that have come out in the past several weeks involving
very popular software including Adobe Acrobat, SUN Java, Apple
Quicktime, and RealPlayer.  All of these vulnerabilities have been
ranked a 9 or 10 on the CVSS severity scale, which ranges from a low of
1 to a high of 10. (Details below the signature for those who are
curious or who missed these announcements.)

Our network equipment is already seeing attacks using some of these
vulnerabilities.  The attacks require luring the user to a web site or
file download, so at least they're not like a worm, but one or more of
these pieces of software is likely installed on everyone's computer on
campus.

What we're wondering is what, if anything, other campuses are doing to
address this issue.  Simple notification is one option.  Automated
patching is not likely to be available for the student computers.  More
aggressive campaigns beyond simple notification also might have an
effect, as would attempting various network defenses, which would have
to rely on network technology that monitors outbound connections.  We
have also found, for what it's worth, that it's difficult to document
how to patch this software because there are so many versions of it out
there, along with "professional" and "free" editions, that all have
slightly different patching paths.  Some patch automatically or notify
the user that a patch is available, others do not.  Has anyone had any
strategy, technique, or lucky idea they've used to address the
smorgasbord of browser plug-in issues?
--
David Escalante
Boston College
-----------------------------------------------------------------
Acrobat:  CVE-2007-5020, CVSS base score: 9.3
Java: CVE-2007-5689, CVSS base score: 10.0
Quicktime: CVE-2007-4672, CVE-2007-4673, CVE-2007-4674, CVE-2007-4675, CVE-2007-4676, CVE-2007-4677, CVSS base score: 9.3
RealPlayer: CVE-2007-5601, CVE-2007-2263, CVE-2007-2264, CVE-2007-4599, CVE-2007-5080, CVE-2007-5081, CVSS base score: 9.3

