March 8, 2010

One of the nation’s largest providers of money-transfer and online banking services to credit unions and other financial institutions is urging customers not to apply the latest security updates for Adobe Reader, the very application most targeted by criminal hackers and malicious software.

At issue is a non-public advisory issued by Fiserv, a Fortune 500 company that provides bank transaction processing services and software to more than 16,000 clients worldwide.

A reader who works in security for a mid-sized credit union shared with me a notice posted prominently to the “collaborative care” portion of Fiserv’s site, a section dedicated to security and IT managers at partner financial institutions.

In the notice, dated Feb. 16, 2010, Fiserv instructed its customers to avoid the latest Adobe Reader updates, apparently in favor of one that was released two years ago:

“NOTICE: Please do not upgrade Adobe Acrobat Reader past Version 8.1.”

The notice continues:

“The following is of importance to all credit unions.

Until further notice, please do not upgrade Adobe Reader past version 8.1. We have recently found that there are potential compatibility issues with some of our Adobe-based products. If you have already upgraded past this version you can try uninstalling to a lower version. This may or may not be successful. For instructions on uninstalling, please visit www.Adobe.com.

We will provide you with further information when it is available.”

I have requested more information from Fiserv about what prompted this advisory, and will update this post when/if they respond.

Adobe Reader 8.1 was first released in October 2007. But even if we give Fiserv the benefit of the doubt and assume that they really meant to say “Don’t migrate your systems past the latest 8.1 version, Adobe Reader 8.1.7 (released in October 2009),” that would still leave financial institutions dangerously exposed to the Reader flaw that criminals are very actively exploiting to install data-stealing software via spam and hacked or malicious Web sites.

According to a report issued last month by Web security firm ScanSafe, 80 percent of the Web-based attacks from malicious and hacked Web sites targeted Adobe Reader vulnerabilities in the last three months of 2009. Security firm F-Secure also has noted that Adobe Reader vulnerabilities by far are the most popular for use in targeted e-mail attacks.

This kind of advisory may seem shocking, but it’s incredibly common, said Didier Stevens, an IT security researcher who has done some extensive research on Adobe vulnerabilities. As Stevens noted, many application providers or companies will urge users to remain on outdated and insecure software platforms because upgrading may break functionality in custom software. Stevens said Fiserv’s advisory to customers is probably related to a similar custom-built application.

“I can imagine that in their software they are using some components of Adobe, for example, a component to display a PDF inside of a financial application, and they just haven’t upgraded that application yet,” Stevens said.

Indeed, just last month I wrote about opening up a new account at a local bank and noticing that the branch manager was still browsing the Web with Internet Explorer 6, just days after news surfaced that a zero-day vulnerability in IE6 was used in targeted attacks against Google, Adobe and a host of other Silicon Valley companies recently. For its part, Google said it would no longer support IE6 in its applications.

Update, March 9, 10:48 a.m.: Fiserv responded to this story with the following statement, sent via e-mail:

“We researched the client advisory mentioned in your posting. We appreciate your attention to this matter, as the advisory did not effectively explain our advice, nor was it the right approach to the underlying issue of Adobe compatibility.

The advisory was not directed or available to all of our clients, but rather to clients of a single solution within one individual product line. The advisory had been viewed by fewer than three dozen individuals at the time it was removed. We are working hard to resolve the Adobe compatibility issue, and to improve the rigor of our content management on the client collaboration site where the advisory was posted.”


19 thoughts on “Fiserv to Banks: Stay on Outdated Adobe Reader”

  1. Dennis

    Did the advisory at least advise Fiserv’s clients to disable JavaScript? Or, perhaps, do the Fiserv apps require JavaScript in their Adobe-linked products?

  2. Mohamed Mansour

    I have seen banks locally in Canada (ScotiaBank, to be exact); they still use IE6 and Adobe 8. I told the investment lady, why do you update your browser/plugins? She said we never get hacked.

  3. Chester

    Unfreakingbelievable. That people in the business of “securing” customer banking information would do this may be common, but it’s inexcusable nonetheless.

  4. Mike F

    I am an IT manager of a bank that is a FISERV customer and I can tell you I DO NOT permit Adobe Reader on our systems. We use Foxit Reader and I rest a little easier at night *note – a little easier. It is a problem, however, that large companies like this do not have the resources to upgrade with all the compatibility issues. Another problem is getting testing done on operating systems in a timely manner. I have voiced my frustration on this to FISERV in the past. It’s that scenario where you are damned if you do, and you’re damned if you don’t, and I hate being put in that position. Security is tough enough as it is.

    1. Patrick Connors

      Do not have the resources? Or do not wish to have the profit margin infringed upon?

    2. roscoe

      Mike,

      Hire a team and develop your own software and maintain it so you don’t have to rely on other companies.

      I hope you can remedy the problem: “It is a problem however that large companies like this do not have the resources to upgrade with all the compatibility issues. Another problem is getting testing done on operating systems in a timely manner.”

      I would consider spending our money with you once you get this done.

  5. N3UJJ

    Funny that no-one has noticed that they just opened themselves up to a lawsuit. If a customer of Fiserv lost money due to malware on their system, they could claim they were forced by Fiserv to use INSECURE software.

    1. Peter

      Brian – N3UJJ (3:01, just above) raises a very interesting point. I wonder if Fiserv’s legal department or principal counsel is even aware of the “stay with old Adobe” memo – official policy or otherwise.

      You might include the legal group in your inquiry. IT types usually fold v. legal. I’d like to see a follow-up.

      Peter

      1. N3UJJ

        Some of you may remember some of my earlier posts about being FORCED by vendors of legacy software to use outdated/insecure add-ons (ADP to be exact). While I can honestly say that I do my best to keep our systems patched, and up to date, I still have to run an OLD (outdated) Java, and they just recently (3 weeks ago) allowed me to update to Reader 9. I have created support cases (complaints) as well as written a registered letter to them informing them that should I be infected due to their requirements, I will hold them responsible. Did it do any good? Maybe. It would be interesting to see if something like that would hold up in court.

        1. roscoe

          If the risk is too high for you to use a vendor product, then stop using it; nobody is forcing you.

          Write your own software; then you have yourself to blame.

  6. Hal

    Ironic… Fiserv is an Adobe Success Story in their customer showcase.

  7. Ray

    Adobe turned on “enhanced security” by default in Adobe Reader 9.3 and 8.2 when it was disabled in earlier versions. If they have a form that submits data to a domain that is different from the one where the PDF form was opened from, it breaks.

    Edit – Preferences – Security (enhanced)

    If Adobe Reader opens a PDF from your desktop and tries to submit it to an Internet site, it won’t work. We hit this with the State of Ohio tax forms. Even adding their site as an exception did not work unless we reconfigured Adobe Reader to open from within Internet Explorer.

    Apparently this can be fixed by adding a file named crossdomain.xml on the web server where the form is posting to, but not a lot of sites seem to have done that.
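The crossdomain.xml fix Ray mentions has a security cost of its own, because that file tells Reader (with Enhanced Security on) which other origins a PDF may hand its form data to. The following added example, not Fiserv’s or Adobe’s code, parses two constructed policy files, checks which hosts each one admits, and flags the grants a defender should question before deploying the file; the wildcard and `secure` semantics are assumed from Adobe’s policy-file specification, and the host names are made up.

```python
# Audits an Adobe cross-domain policy (crossdomain.xml) of the kind Ray's comment
# describes: with Enhanced Security on, it decides which other origins a PDF may
# send form data to, so a lax file widens the form host's trust boundary.
# Example code, not Fiserv's or Adobe's; wildcard rules assumed per Adobe's spec.
import xml.etree.ElementTree as ET

# Constructed samples: the "just make it work" wildcard beside a scoped entry.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="forms.tax.example.gov" secure="true"/>
</cross-domain-policy>"""

def load_rules(policy_xml):
    """Return (domain, secure) pairs granted by the policy file."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [(el.get("domain", ""), el.get("secure", "true").lower() != "false")
            for el in root.findall("allow-access-from")]

def domain_matches(pattern, host):
    """Apply the policy-file wildcard rules to one host name."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern

def allows(policy_xml, host, https=True):
    """True if a requester on `host` is granted cross-domain access."""
    return any(domain_matches(d, host) and (https or not secure)
               for d, secure in load_rules(policy_xml))

def audit(policy_xml):
    """List the grants a defender should question before deploying the file."""
    findings = []
    for domain, secure in load_rules(policy_xml):
        if domain == "*":
            findings.append("domain=* lets any site receive the form data")
        elif domain.startswith("*."):
            findings.append(f"{domain}: every subdomain is trusted")
        if not secure:
            findings.append(f"{domain}: secure=false admits plain-HTTP requesters")
    return findings
```

Run `audit()` over a policy before publishing it: the wildcard version is the one that makes Ray’s form “just work”, and it is also the one that trusts every site on the Internet.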

  8. Gene Spafford

    There are two primary attitudes behind a majority of today’s security problems. Both were crafted in the 1990s, but despite all that has happened, they are widespread today, in part because of false economics:

    1) It is more important to add features and get new releases out than it is to make the current release rock-solid. After all, if customers don’t pay for upgrades, where’s the revenue stream? We’ll patch it later.

    2) We have to be compatible with the quirks and non-standard behavior of what came before. We’ll just wrap everything in another layer of protection (first AV, then firewalls, then IDS, then DLP, then….) and everything will be fine.

    Maybe the above is okay for some consumer-oriented products, but not for mission-critical.

    Sigh. Back to tilting at windmills.

  9. ted

    Where is the DHS or Treasury in all of this? How is this NOT a national security issue?

    1. KFritz

      I CAN tell you that you cannot use the Library of Congress money-saving, bar-code based Copyright forms without the latest version of Adobe Acrobat. Foxit cannot substitute. Been there, done that.

  10. Fiserv Peon

    Well, I can only comment from the position of a guy in the trenches, but being as I am on one of the projects directed at addressing this and similar issues, I can tell you that Fiserv really is getting serious about security.

    No big mystery really as to why either. Fiserv is a for-profit company, and as such they try to be positioned such that they’re selling what their customers want to buy. Prior to this point the security of electronic transactions and of data storage from Internet based attacks hasn’t risen into the group of concerns that would be part of the typical banking system purchasing process. But now it has, and Fiserv is responding. And I’d bet that Fidelity and Jack Henry are too. Of course, whether or not they manage to stay far enough ahead of the bad guys to avoid the embarrassment of a breach remains to be seen, but they’re taking the right steps.

    For the audience here the idea that electronic security is a second, or even third tier concern, is shocking. But that’s the way it is – your average bank or CU officer is spending far more time thinking about risk management, new biz development, regulatory compliance and, oh yeah, profit, than about hackers.

    (Until there’s a breach, that is.)

  11. roscoe

    Your posting is irresponsible – just trying to get yourself to the top of the blogosphere.

    Since you like to ASS U ME so much about the situation with Fiserv, you might want to consider that no company will hold back a security fix they have when they have so much to lose. A company requesting its customers to hold back on updates is the only option a company has when a third party product they depend on has not updated to the latest technology or, even worse, has switched technology, which would require major redevelopment on their part.

    What you have done here will not MAGICALLY provide a solution by Fiserv at the time of my posting. It might cause them to panic and push out an update with many other security holes.

    Every institution has the ability to put measures in place if they have the technical skill or can afford the technical skill, regardless of the products they use. But to imply that Fiserv is required to consult every client and suggest mitigation approaches that are unique by client shows how green of a security analyst you are.

    Thanks but no thanks! Your posting has just created more static for the CU where my money is.

  12. Alan Ulman

    We researched the client advisory mentioned in your posting. We appreciate your attention to this matter, as the advisory did not effectively explain our advice, nor was it the right approach to the underlying issue of Adobe compatibility.

    The advisory was not directed or available to all of our clients, but rather to clients of a single solution within one individual product line. The advisory had been viewed by fewer than three dozen individuals at the time it was removed. We are working hard to resolve the Adobe compatibility issue, and to improve the rigor of our content management on the client collaboration site where the advisory was posted.

    – Alan Ulman, Fiserv Corporate Communications

  13. Fiserv Peon

    (Maybe I’m just being a jerk ’cause I’m in a bad mood today, so I offer my apologies in advance for any unnecessary grouchiness, BUT………)

    I think I liked this thread better before “the suit” got here. The plastering over of genuine problems with great globs of Corporate Buzz-speak is the very reason that this web site exists. IMHO, that Fiserv may have made a mistake somewhere is completely OK. It’s a big company with hundreds of products and dozens of web sites. You’re gonna miss stuff every now and then. Hell, nobody is more aware of that than the people who are responsible for keeping every little crack sealed up against the millions of little bugs that want to get in. So, I dunno, maybe lighten up just a bit.

    [/rant] OK. I feel better now. Back to work! And feel free to ignore me if appropriate.
