Security Bulletin March 2009
The Cruzer® Enterprise series of USB flash drives emulates a
read-only CD-ROM partition to automatically run an application that
allows a user to initialize the device for first-time use, manage
the device settings, and enter a password to access an
encrypted storage area.
SanDisk has recently identified and investigated the possibility
of tampering with the read-only CD-ROM partition
on some devices from the Cruzer Enterprise series of USB flash
drives. SanDisk looked into the possibility that an attack
mechanism specifically targeted at such devices might allow an
unauthorized user to compromise the integrity of the read-only
CD-ROM partition in these devices.
In order to protect against the possibility of such malicious
attacks, SanDisk has implemented a change, and this change is
embodied in all USB flash drives of the Cruzer Enterprise series
that are made hereafter.
In order to implement this change in existing Cruzer Enterprise
devices that are already deployed to the market, SanDisk is
offering a specific software update.
Important Note:
Under no circumstances does the above potential threat compromise
the encrypted data that is stored on the drive. The data on the
drive remains encrypted and secured regardless of the contents of
the read-only partition.
Devices to which this change applies:
- Cruzer Enterprise, CZ22 - 1GB, 2GB, 4GB, 8GB
- Cruzer Enterprise FIPS Edition, CZ32 - 1GB, 2GB, 4GB, 8GB
Recommendations
To implement this change, SanDisk recommends that users install
an update file, following this procedure:
- Fill in the online form here. This will direct you to a download site.
- Download the update file and the Quick Reference Guide with installation instructions.
Summary
Preserving customer security and product reliability continues
to be a top priority at SanDisk. SanDisk will continue to work
diligently with customers as well as third-party security researchers
to maintain high levels of security.