Tough Road Ahead for Adobe on Security

Microsoft and its endless portfolio of products have been the favorite targets of attackers for more than a decade now. But if the events of the past year or so are any indication, it looks like that dubious distinction now belongs to Adobe.

The last 12 months have been rough for Adobe, the maker of the ubiquitous Reader, Acrobat and Flash products. It started in February with a critical buffer overflow vulnerability in Reader that attackers were using to take control of vulnerable systems. And it went downhill from there, with Adobe in March warning that attackers were targeting an unpatched JBIG2 flaw in Reader and Acrobat, and having plenty of success with it.

In the first quarter of 2009, seemingly not a week went by without the disclosure of another serious flaw in Flash or Reader. More troubling is the fact that these reports often were accompanied by news that the flaws already were being actively exploited.

It was with all of this as a backdrop that Adobe security chief Brad Arkin said in May that the company had decided to undertake a major overhaul of its security response process, a move that resulted in Adobe switching to a regular quarterly security update schedule. The patch releases coincide with Microsoft’s Patch Tuesday and have the same thinking behind them: giving users a predictable update schedule and more time to plan for patch deployment.

The fact that Adobe needed to implement this program speaks to just how much of a target the company has become. It is also an indication of how much pressure the Adobe security staff is under. Any way you look at it, Arkin has one of the more difficult jobs in security. Not only is he responsible for Adobe’s security response process and all of the public-facing communication about security, but he also oversees the company’s internal software security program and privacy initiatives. In other words, he’s in one of the positions that gets all of the blame and none of the credit.

Arkin is working with a small dedicated security staff, nothing like the security groups at Microsoft, Oracle or other major software vendors, and he’s dealing with a user base in the hundreds of millions. But users don’t care about any of this, nor should they. They’re only concerned with whether Adobe’s software is putting them at risk.

Part of this situation, like the one that Microsoft found itself in about 10 years ago, is a product of the ubiquity of Adobe’s software. Reader and Acrobat are the de facto standards for working with PDFs, and Flash is virtually impossible to escape on the Web. That ubiquity, combined with the general shift toward application attacks, makes Adobe’s products highly attractive targets for attackers.

“When you’re looking at it from the attacker’s perspective, the install base is – is a big attractive metric to look at. And with Adobe Reader and Flash Player, these are two applications that are installed on a lot more machines than Windows is, for instance. And so, that’s something that paints a bigger bull’s eye. And so, that’s something that’s not gonna change. You know, we’ve got this ubiquitous software, and the responsibility is on us in order to do the things that we can do in order to help protect our users,” Arkin said in a recent podcast on Adobe’s security processes.

Another piece of the puzzle is also related to Microsoft. Because Microsoft has spent so much time, money and effort improving the security and reliability of Windows, Internet Explorer and its other key products, attackers have had far less success going after these products in recent years. So they have turned their attention to third-party applications, browser plug-ins and Web applications. This translates to more attention, both from attackers and researchers, for Adobe, Apple and dozens of smaller ISVs.

So far, Adobe’s response to this shift in the threat landscape has consisted of two main components: establishing the regular quarterly patch release schedule and, most recently, the announcement that next week’s scheduled patch release will be the first to use a silent updater for Reader. Adobe shipped the new updater in October, and this month’s release will be the first full update delivered through it to beta testers.

These are both important steps, particularly the automatic updater. The widespread use of Microsoft’s Windows Update has been perhaps the most underrated change in the security landscape in recent years. The fact that millions of Windows users, who might otherwise go months or years without installing a patch, now have their PCs updated regularly is a big win.

This isn’t to say that Microsoft’s process is for everyone. Microsoft has personnel, resources and leverage that almost no other organization can muster and that makes this process easier. Not easy, but easier. And Microsoft also has been able to convince a lot of researchers to disclose vulnerabilities to them directly and privately, a long and painful process that has paid clear dividends in the form of fewer emergency zero-day responses and less exposure for users.

But if Arkin and Adobe can get automatic updates to work in their enormous user base as well, then they’re onto something. Keeping users safe should be a major priority, and keeping them safe from themselves is a big part of that. But Adobe also needs to pay attention to the internal part of this equation: writing more secure software. The company is working on this, as well, with its software security program. But those processes take time and the attackers aren’t waiting around.

In the short term, this does not bode well for Adobe. The automatic updates will take some time to reach critical mass, the software security program will take some time to bear fruit and the attackers will continue to hammer Adobe’s applications. But in the long term, as these efforts reach maturity, expect to see the volume and severity of the public vulnerabilities in Adobe’s software begin to decline and the number of successful attacks drop, as well, as more users are running updated versions.

As Microsoft can attest, that doesn’t mean the attackers will stop, but making their task more difficult has paid major dividends for Microsoft and could for Adobe as well.
