A newly released report shows that based on more than a trillion Web requests processed in 2009, the use of malicious PDF files exploiting flaws in Adobe Reader/Adobe Acrobat not only outpaced the use of Flash exploits, but also, grew to 80% of all exploits the company encountered throughout the year.
Are the flaws in Adobe's product line becoming the cybercriminal's favorite exploitation tactic? Depends, since from another perspective malicious attackers don't have preferences, they exploit whatever is exploitable.
From a cybercriminal's perspective, traffic optimization has evolved from exploit-specific wide-scale attacks, to today's cybercrime business model driven by web malware exploitation kits automatically enumerating potentially exploitable applications and browser plugins, and serving them the appropriate exploits. This malicious optimization of traffic has been an active strategy for several years, with the attackers realizing that the more exploits they introduce within their kits, the higher the probability of infection.
Chart courtesy of Trusteer research published in August, 2009
Therefore, the increasing use of malicious PDFs can also be interpreted as the direct result of the millions of users using outdated and exploitable Adobe products, with the only preference a malicious attacker could have in this case remaining the incentive based on the 99% penetration of Adobe Flash on Internet-enabled PCs. But how is the possible that with such a high market share, ScanSafe's report shows that Adobe Acrobat/Reader exploits grew while the use of Flash exploits declined?
Naturally, there are malicious attackers with clear preferences, based on a number of factors. Some of the widespread client-side exploit serving campaigns launched in the wild over the past few months, act as a good example of how cybercriminals actively monitor the metrics generated from their malicious campaigns, and tailor their exploitation tactics based on third-party application or browser plugins that contributed to most of the successful infections.
What these campaigns have in common, is the clear preference towards using Adobe Acrobat/Reader exploits only. Interestingly, the cybercriminals maintaining them are also relying on the KISS principle (Keep It Simple Stupid), since the campaigns are not necessarily exploiting the very latest flaws in Adobe's product line.
Case in point is the exclusive use of CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927; and CVE-2009-4324, with their choice either based on the already gathered metrics, which not surprisingly include traffic logs based on the hundreds of thousands of visitors hitting their fraudulent online properties. In this case, why would they bother buying a zero day on the underground market, when they already know that millions of end users are susceptible to exploits released two years ago? They won't.Making sure that you're running the latest versions, combined with the use of a browser allowing you to take full control of your browsing experience with security in mind, is highly recommended.
What do you think - are Adobe's products insecure in general, is the company leaving the "window of opportunity" wide open for too long, or are their products on the top of the exploitation list due to the fact that millions of users continue using old versions of the company's software?