Security: Why Adobe could be the new Microsoft

NEWS

If you're a criminal and you want to break into a network, a common attack method is to exploit a hole in software that exists on most computers, has its fair share of holes, and isn't automatically updated.

In 2002, that would have been Windows. Today, it's likely to be Adobe Reader or Flash Player, whose share of vulnerabilities and exploits are on the rise while Microsoft's is falling.

Nearly half of targeted attacks exploit holes in Acrobat Reader, which is used to read PDF files, according to security vendor F-Secure. Meanwhile, the number of PDF files used in dangerous web drive-by attacks jumped from 128 during the first three and a half months of last year to more than 2,300 during that time this year, the company said.

In addition, there are more and more zero day holes, vulnerabilities that are public before a patch is available. Like sitting ducks, users of affected software are left wide open to attack until a fix is available.

There have been zero day exploits for the Flash Player plug-in, used for viewing rich media like videos and interactive charts on websites. And in one case this spring, a zero day hole in Adobe Reader spurred security experts to recommend that users disable JavaScript.

One security researcher at the Black Hat security conference last week, who asked to remain anonymous, said: "As a result of the number of zero day attacks on PDFs this year, large banks hate Adobe."

Those scary statistics prompted Mikko Hypponen, chief research officer at F-Secure, to urge Adobe Reader users to switch to an alternative PDF reader at the RSA show in April.

Adobe "has a lot to learn from, of all places, Microsoft," Hypponen said at the time. At the Black Hat and Defcon security shows last week, others concurred.

"Adobe is the next Microsoft," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky. "They are slowly realising that they have become a main vector of getting into a machine...We as an industry must push hard" to get Adobe to improve security.

An Adobe manager said the problem stems from the fact that its software is so broadly used.

"It's only natural, given the fact that some of our products like Reader and Flash Player are some of the most widely distributed on earth, that they would be targeted by attacks," Brad Arkin, director for product security and privacy at Adobe, said in an interview on Wednesday.

Microsoft has been in the same boat, and in many ways still is. The difference is in how the companies respond to the problem, experts said.

Microsoft: Been there, done that
In January 2002, Bill Gates launched the Trustworthy Computing initiative and said security would be a top priority for the company. Microsoft had to do something to combat the negative press and public opinion over its whack-a-mole strategy for countering the viruses and other security holes that plagued its software.

The company established a Software Development Lifecycle programme, designed to build security into the software, that has become the standard others in the industry follow. It is roundly lauded for its efforts.

Now it's Adobe's turn to step up to the plate.

"Microsoft is a model for patch management...they were forced into it. They really turned around," F-Secure's Hypponen said in an interview last week at Black Hat. "Now, Flash and Reader are ubiquitous and it's harder and harder to target Microsoft, so the attackers are looking for easier targets."

In particular, Adobe's patching process isn't as robust as Microsoft's, he and others said.

In all fairness, Adobe is on the right path. Prompted by a zero-day hole in Reader, Adobe decided in May to start releasing patches on a quarterly basis, and to schedule the updates to coincide with Microsoft's Patch Tuesday releases.

At the time of the Adobe announcement, Adobe's Arkin...

Click here for page 2