If there was still any question that Adobe’s products have emerged as the prime targets for attackers right now, the events of the last week have removed any doubt. Within the space of six days, Adobe has been forced to release separate warnings about attacks targeting unpatched flaws in both its Reader and Flash Player products.
The latest warning came Monday afternoon when Adobe’s security team issued an advisory about a newly discovered vulnerability in Flash Player that enables attackers to get complete control of remote systems. The bug also affects Reader and Acrobat, as they include the vulnerable component. Adobe said that it has not seen any active attacks against this flaw in Reader or Acrobat yet, but there are reports that attackers have started exploiting the bug in Flash Player already.
This came just a few days after an announcement by Adobe that there was a new bug in its Reader software, which also is under active attack right now. At the time of the advisory, Adobe said that there was no mitigation available to help protect customers, and the company is not scheduled to patch Reader until next month. In the interim, Adobe worked with Microsoft security officials to ensure that Microsoft’s recently released Enhanced Mitigation Environment Tool 2.0 protects Adobe users from the current exploit.
These are just the latest two bugs in what has been a difficult 18 months or so for Adobe and its users. The company has been forced to issue numerous warnings like these about unpatched vulnerabilities, many of which had been under attack before an advisory was issued. A similar situation to this month’s pair of bugs occurred in June when Adobe warned about a new bug in Flash Player that was under active attack.
These bugs are made all the more serious by the fact that Flash and Reader are among the more widely installed pieces of software on the planet, making the target field wide and deep. And many of the company’s customers are home users who may not realize that malicious PDFs have become the go-to move for attackers looking to exploit large numbers of people as quickly as possible. Sending out rigged PDFs via spam messages and hosting malicious PDFs on phishing sites as part of a larger attack are simple, effective methods for attackers to compromise unwitting users.
PDFs are ubiquitous in both the corporate and consumer worlds, and using the Internet without Flash Player installed is difficult at best. Adobe has focused a lot of resources and energy on upgrading its software security practices and patching process in the last year or so, and the establishment of a predictable patch cycle has been a good step. But the continued attention from attackers has blown up that patch schedule of late.
That attention is not likely to diminish anytime soon, either, as attackers are loath to abandon successful techniques. That means that, while Adobe has made quite a bit of progress recently, there’s likely just as much work, if not more, ahead for the company as it adjusts to life in the cross-hairs.