Is Adobe the next (pre-2002) Microsoft?

Summary: From a security perspective, Adobe looks an awful lot like Microsoft did back when Windows was getting blasted by viruses and vulnerabilities and before the company beefed up its defenses.

If you're a criminal and you want to break into a network, a common attack method is to exploit a hole in software that exists on most computers, has its fair share of holes, and isn't automatically updated.

In 2002, that would have been Windows. Today, it's likely to be Adobe Reader or Flash Player, whose share of vulnerabilities and exploits are on the rise while Microsoft's is falling.

Nearly half of targeted attacks exploit holes in Acrobat Reader, which is used to read PDF (portable document format) files, according to F-Secure. Meanwhile, the number of PDF files used in dangerous Web drive-by attacks jumped from 128 during the first three and a half months of last year to more than 2,300 during that time this year, the company said.

In addition, there are more and more zero-day holes, vulnerabilities that are public before a patch is available. Like sitting ducks, users of affected software are left wide open to attack until a fix is available.

There have been zero-day exploits for the Flash Player plug-in, used for viewing rich media like videos and interactive charts on Web sites. And in one case this spring, a zero-day hole in Adobe Reader spurred security experts to recommend that users disable JavaScript.

One security researcher at Black Hat last week, who asked to remain anonymous, said: "As a result of the number of zero-day attacks on PDFs this year, large banks hate Adobe."

F-Secure said it identified about 1,967 targeted attack files in 2008, the most popular type being .doc used in Microsoft Word.

(Credit: F-Secure)

Those scary statistics prompted Mikko Hypponen, chief research officer at F-Secure, to urge Adobe Reader users to switch to an alternative PDF reader at the RSA show in April.

Adobe "has a lot to learn from, of all places, Microsoft," Hypponen said at the time. At the Black Hat and Defcon security shows last week, others concurred.

"Adobe is the next Microsoft," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky. "They are slowly realizing that they have become a main vector of getting into a machine...We as an industry must push hard" to get Adobe to improve security.

An Adobe manager said the problem stems from the fact that its software is so broadly used.

"It's only natural, given the fact that some of our products like Reader and Flash Player are some of the most widely distributed on Earth, that they would be targeted by attacks," Brad Arkin, director for product security and privacy at Adobe, said in an interview on Wednesday.

Microsoft has been in the same boat, and in many ways still is. The difference is in how the companies respond to the problem, experts said.

Microsoft: Been there, done that

In January 2002, Bill Gates launched the Trustworthy Computing initiative and said security would be a top priority for the company. Microsoft had to do something to combat the negative press and public opinion over its whack-a-mole strategy for countering the viruses and other security holes that plagued its software.

The company established a Software Development Lifecycle program, designed to build security into the software, that has become the standard others in the industry follow. It is roundly lauded for its efforts.

During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDF. The change from the previous year is primarily due to the fact that there have been more vulnerabilities in Adobe Acrobat/Reader than in Microsoft Office, F-Secure said.

(Credit: F-Secure)

Now it's Adobe's turn to step up to the plate.

"Microsoft is a model for patch management...they were forced into it. They really turned around," Hypponen said in an interview last week at Black Hat. "Now, Flash and Reader are ubiquitous and it's harder and harder to target Microsoft, so the attackers are looking for easier targets."

In particular, Adobe's patching process isn't as robust as Microsoft's, he and others said.

In all fairness, Adobe is on the right path. Prompted by a zero-day hole in Reader, Adobe decided in May to start releasing patches on a quarterly basis, and to schedule the updates to coincide with Microsoft's Patch Tuesday releases.

At the time of the Adobe announcement, Arkin said the company was reviewing "everything from our security team's communications during an incident to our security update process to the code itself." He also promised that users would "see more timely communications regarding incidents, quicker turnaround times on patch releases, and simultaneous patches for more affected versions as we move forward."

The company was the first third-party vendor to release a fix for software affected by a vulnerability in Microsoft's Active Template Library, which is used to build components for Web applications and which was being exploited, according to Arkin.

"We scoured the entire Adobe portfolio and evaluated more than 200 products in the field today to determine which might be vulnerable," he said, adding that fixes for Shockwave Player and Flash Player shipped within weeks.


A zero-day exploit targeting Reader and Acrobat that Adobe learned about on April 27 was fixed about two weeks later, he said. And Adobe issued a patch last week for a critical Flash Player problem that was being exploited, allowing attackers to take over a computer via content viewed in a browser.

"We are quite happy with the performance on those," Arkin said of the time frame for the patches.

The company also has been turning an eye toward "digging into legacy code" and looking for additional ways to improve products overall, he said. "Adobe integrates the best practices you see at Microsoft and other companies."

The security researcher who asked not to be named complained that at an architectural level, some Adobe applications have too much access to the operating system. "Why should something that operates on untrusted data have full access to your trusted data?" he asked, mentioning specifically Adobe Reader and its ability to access the hard drive to read and write files.

The program's functions require it to be able to save and open files on the file system and thus have read and write access to the hard drive, Arkin said. "Web browsers all have the ability to save to the file system," and the privileges between the two types of programs are similar, he added.

Security-versus-functionality trade-offs aside, changes in Adobe's products and processes will come in response to market pressures and not merely because it's the favorite target for attackers, said Bruce Schneier, chief technology officer of BT Counterpane.

"This is all very much a business decision, whether the company decides to take security seriously or not," he said, adding that he spent his day dealing with Adobe updates.

"I'd like to think that they would start realizing that they can use security as a selling point, but it took Linux to get Microsoft to do that. They felt they had competition," he said. "Is there a Linux waiting to affect Adobe?"

Not really, the experts agreed.

Dan Kaminsky, director of penetration testing at IOActive, praised Adobe for "reconfiguring itself" with regards to security issues and suggested critics should cut the company some slack.

"The PDF exploitation only recently blew up, and remember, it takes any software development house a while to really address problems," he said, adding that Flash 9 was much more secure than Flash 8.

"Does Adobe have products they need to lock down? Yes. Are they in the process of doing so? Yes. They did it for Flash and they'll do it for Reader," he said.

"There's always a 'most vulnerable' attack surface."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.


Talkback

9 comments
  • that's just M$ FUD

    M$ is using phony statistics to scare people using Adobe products.
    There are few security issues with Adobe and it looks like those are exploited only on windoze.
    The solution is to use FOSS stacks!
    Linux Geek
    • Only one POV

      Free Open Source Software (FOSS) has its issues too.

      Open source communities have successfully developed many pieces of software although most computer users only use proprietary applications.

      The usability of open source software is often regarded as one reason for this limited distribution.

      At the end of the day, the OSS (open source software) community falls short of making their software because open source projects lack the resources to undertake high quality usability work.

      The end user experience is most important.

      Using quaint concepts such as "M$" and FUD (Fear Uncertainty Doubt) is not going to change what is real, which is that if you want great software - it simply costs money - just not too much, is all.

      For a good take on these issues and a fair appraisal see:

      http://www.cs.waikato.ac.nz/~daven/docs/oss-wp.html
      pahollow@...
      • This simply is not true

        Making out that Open Source Software is inferior because, "it lacks resources" simply is not true.

        If you delude yourself that programmers write better code if you drop money on them, then you simply aren't thinking too much. The problem is motive.

        Bottom line: Microsoft makes software to make money. The money is where it's at. The developers at Microsoft write code because they want to make a living. Some may well enjoy it, some may not. The point is, if it means they will get paid, they don't mind writing a sloppy patch if it means it will look fixed and increase their paycheck.

        On the other hand, Open Source Software (I prefer to use, "Free Software") developers don't get paid depending on how much they write. They don't get paid if 100 more users start to use their software, or if 1000 start to use it. They don't get paid to fix 100 more bugs then the next guy. By now, you get the picture - they simply don't get paid. They do what they do for a different reason: many of them want to write the best software they can and enjoy implementing their own, possibly previously unheard-of ideas into the software. In fact, many times it has been suggested to organize some sort of developer fund, but this has been rejected by the developers themselves because they understand that dropping money onto a problem doesn't solve it. They like to fix things *properly*.

        In the latest version of Ubuntu, at least, I don't see what could be considered, "User-unfriendly", and, "Brown is a horrid colour so it's not user-friendly" doesn't count (1. Some people like it while others don't, and 2. That's something that can be changed with relative ease). Everything is quite clearly labeled, described and categorized when it comes to finding applications and preferences, the UI is arranged such that the applications are the focus and minimizes screen usage, the user preferences are easily found and changed and the application UIs are often either familiar (Firefox, OpenOffice and the File manager) or clear and easy to understand (Pidgin instant messenger, Totem and Rhythmbox media players). Every time I've introduced someone to Ubuntu, oftentimes novices, they have had no problems finding their way around and getting to what they need and have even a few times set up a printer without aid.

        The problem with Linux, as it stands, is far from usability. The main reason people have declined Linux is because of a lack of support from hardware and software manufacturers (for example, for scanner drivers and proprietary applications), which doesn't happen because people don't use Linux because hardware and software manufacturers don't support it etc. etc. etc.
        supermadman
        • Autodesk

          Autodesk sells lots of Linux products that aren't available for Windows(TM).

          Just my cent.
          Here's another: Linux isn't quite as widespread (yet) as Windows, so maybe we shall see more holes developing as Linux is used more, and developers implement new features.
          Like I say, MAYBE!
          Jake.Hendy
        • What is the point then

          So MS guys are paid to fix their mistakes; are you saying OSS software guys don't get paid to fix mistakes???? Ubuntu has no mistakes on release... Yeah right...

          dave@...
    • Pretty Sad

      No one needs to scare people who are using Adobe products. Just use them and you'll be scared enough. I cringe every time I have to open a PDF. Flash STILL doesn't work on the iPhone. Adobe bought a wonderful company that made awesome products [Macromedia] and destroyed it. Lastly, the M"$" shit is old. Get some new material and grow up.
      VoiceOfLogic
  • Get it integrated with WSUS or go the hell away

    Like we need another patch management solution.

    Microsoft needs to work with 3rd parties on these issues.
    JoeMama_z
  • Article author missed opportunity

    The Adobe Flash Player patch released on 31Aug09 resolved an Adobe Flash Player vulnerability that was 8 months old. For additional info on this see the ZDNet article titled "Adobe 'zero-day' flaw is eight months old": http://blogs.zdnet.com/security/?p=3792

    The author of the article did not mention the age of the Adobe Flash Player vulnerability in the following sentence: "And Adobe issued a patch last week for a critical Flash Player problem that was being exploited, allowing attackers to take over a computer via content viewed in a browser."

    Nor did the author of the article take Arkin to task for the next sentence in the article: '"We are quite happy with the performance on those," Arkin said of the time frame for the patches.'

    Two missed opportunities. And as far as I'm concerned, poor reporting/journalism.

    -Steve_STR
    Steve_STR
  • RE: Is Adobe the next (pre-2002) Microsoft?

    I think given the current circumstances, it'll take a while for Adobe to adjust to the new wave of attacks, and since (not very recent) purchases have made it a heavy giant, it sure is much harder than ever to move and react.
    M_Y