Tough Road Ahead for Adobe on Security

Microsoft and its endless portfolio of products have been the favorite targets of attackers for more than a decade now. But if the events of the past year or so are any indication, it looks like that dubious distinction now belongs to Adobe.

The last 12 months have been rough for Adobe, the maker of the ubiquitous Reader, Acrobat and Flash products. It started in February with a critical buffer overflow vulnerability in Reader that attackers were using to take control of vulnerable systems. And it went downhill from there, with Adobe in March warning that attackers were targeting an unpatched JBIG2 flaw in Reader and Acrobat, and having plenty of success with it.

In the first quarter of 2009, seemingly not a week went by without the disclosure of another serious flaw in Flash or Reader. More troubling is the fact that these reports often were accompanied by news that the flaws already were being actively exploited.

It was with all of this as a backdrop that Adobe security chief Brad Arkin said in May that the company had decided to undertake a major overhaul of its security response process, a move that resulted in Adobe switching to a regular quarterly security update schedule. The patch releases coincide with Microsoft’s Patch Tuesday and have the same thinking behind them: giving users a predictable update schedule and more time to plan for patch deployment.

But the fact that Adobe needed to implement this program speaks to just how much of a target the company has become. It is also an indication of how much pressure the Adobe security staff is under. Any way you look at it, Arkin has one of the more difficult jobs in security. Not only is he responsible for Adobe’s security response process and all of the public-facing communication about security, but he also oversees the company’s internal software security program and privacy initiatives. In other words, he’s in one of the positions that gets all of the blame and none of the credit.

Arkin is working with a small dedicated security staff, nothing like the security groups at Microsoft, Oracle or other major software vendors, and he’s dealing with a user base in the hundreds of millions. But users don’t care about any of this, nor should they. They’re only concerned with whether Adobe’s software is putting them at risk.

Part of this situation, like the one that Microsoft found itself in about 10 years ago, is a product of the ubiquity of Adobe’s software. Reader and Acrobat are the de facto standards for working with PDFs, and Flash is virtually impossible to escape on the Web. That ubiquity, combined with the general shift toward application attacks, makes Adobe’s products highly attractive targets for attackers.

“When you’re looking at it from the attacker’s perspective, the install base is – is a big attractive metric to look at. And with Adobe Reader and Flash Player, these are two applications that are installed on a lot more machines than Windows is, for instance. And so, that’s something that paints a bigger bull’s eye. And so, that’s something that’s not gonna change. You know, we’ve got this ubiquitous software, and the responsibility is on us in order to do the things that we can do in order to help protect our users,” Arkin said in a recent podcast on Adobe’s security processes.

Another piece of the puzzle is also related to Microsoft. Because Microsoft has spent so much time, money and effort improving the security and reliability of Windows, Internet Explorer and its other key products, attackers have had far less success going after these products in recent years. So they have turned their attention to third-party applications, browser plug-ins and Web applications. This translates to more attention, both from attackers and researchers, for Adobe, Apple and dozens of smaller ISVs.

So far, Adobe’s response to this shift in the threat landscape has consisted of two main components: establishing the regular quarterly patch release schedule and, most recently, the announcement that it will be using a silent updater for Reader for the first time with next week’s scheduled patch release. Adobe shipped the new updater in October and this month’s patch release will be the first time it’s used by beta testers for a full release.

These are both important steps, particularly the automatic updater. The widespread use of Microsoft’s Windows Update has been perhaps the most underrated change in the security landscape in recent years. The fact that millions of Windows users, who might otherwise go months or years without installing a patch, now have their PCs updated regularly is a big win.

This isn’t to say that Microsoft’s process is for everyone. Microsoft has personnel, resources and leverage that almost no other organization can muster and that makes this process easier. Not easy, but easier. And Microsoft also has been able to convince a lot of researchers to disclose vulnerabilities to them directly and privately, a long and painful process that has paid clear dividends in the form of fewer emergency zero-day responses and less exposure for users.

But if Arkin and Adobe can get automatic updates to work in their enormous user base as well, then they’re onto something. Keeping users safe should be a major priority, and keeping them safe from themselves is a big part of that. But Adobe also needs to pay attention to the internal part of this equation: writing more secure software. The company is working on this, as well, with its software security program. But those processes take time and the attackers aren’t waiting around.

In the short term, this does not bode well for Adobe. The automatic updates will take some time to reach critical mass, the software security program will take some time to bear fruit and the attackers will continue to hammer Adobe’s applications. But in the long term, as these efforts reach maturity, expect to see the volume and severity of the public vulnerabilities in Adobe’s software begin to decline and the number of successful attacks drop, as well, as more users are running updated versions.

As Microsoft can attest, that doesn’t mean the attackers will stop, but making their task more difficult has paid major dividends for Microsoft and could for Adobe as well.

Discussion

  • Ronald Lewelling on

    My largest security threat so far has been from Kaspersky. Undoubtedly someone in marketing my computer used Kaspersky to clean it before it was sold to me. When they removed Kaspersky they failed to turn off the switch hidden by Kaspersky. Now I get Kaspersky showing up as a threat. I have spent time with your online help and downloaded your program which is supposed to allow me to remove the remnants of your application. Tried it without success. I may would not mind buying Kaspersky as a security protection system. But I do not like the idea of being forced to purchase something from a company that caused the problem in the first place. You remove that problem and I may would buy your product.

  • Anonymous on

    I am starting to wonder if anti-virus programs are becoming targets for hackers or maybe it is just ex-employees that hold a grudge. Seems to me that BitDefender took a hit in its XP version of 2010. Crucial files suddenly "disappeared" causing the definition update process to fail. They never could figure out what the problem was and that's why I am now running Kaspersky. Hope you guys keep your employees happy.

  • davek on

    adobe flash not work in my vista/internet explorer system---sometimes.

    adobe says because 64 bit.

    when fix? how fix?

    also, best ways to manage passwords?

  • Kyle on

    Yeah, I had the same problem not being able to uninstall Kaspersky. In my case, I wasn't able to install another anti-virus ap. Had numerous contacts with Kaspersky. Downloading multiple aps which didn't work. The last call they expected me to manually edit my register. Yeah, right. At that point I had no other choice but to wipe my drive, reinstall the system and start from scratch. Thank you Kaspersky.

  • Anonymous on

    Thank you, I thought something was fishy. I remember that one time that all my icons disappeared I received a lot of messages Till this day Who took them. Or got them back. A lot of things happened when I had that program. I supposedly don't have him right now. But I know he's in there somewhere. Thank you for the information. Now how do I get rid of him.

  • T on

    Editing the registry is not difficult. Wiping the HD was the wrong approach and was the "nuclear" option, probably unnecessary. CCleaner would easily remove bogus registry entries left behind after SW uninstall.

  • Kim in NC on

    Thank YOU Kaspersky! You have saved my computer more than once, therefore saving me lots of $$$$! PLEASE keep up the great work!

     

    Kim

  • Greg S on

    Hate to say it, but that's Vista-64. There are a lot of apps that won't work properly, or at all, on that platform. I was going to get that for my business computers until an IT friend of mine told me to get the 32 bit version. I had to revise the orders, but no problems. Apparently a good decision.

  • Kyle on

    "Editing the registry is not difficult. Wiping the HD was the wrong approach and was the "nuclear" option, probably unnecessary. CCleaner would easily remove bogus registry entries left behind after SW uninstall."

    Doubt it. I didn't keep a list, but K's support had me download a few of their aps as well as a handful of third party registry cleaners. As for registry editing, I don't consider myself geek qualified, especially when my first time is trying to follow instructions given by email. This was after about a week of going back and forth and getting nowhere. Yeah, I realize wiping a disk is the nuke option, but there is also a limit to how many days I could afford to spend spinning my wheels with one useless ap after another.

  • Anonymous on

    BitDefender is not the only one taking hits. McAfee's virus software is also under attack. In my opinion it's that hackers know these systems are weak or open and attack the easiest ones. I actually use two virus programs, Kaspersky's and also Webroot. I have seen that what Kaspersky's doesn't catch Webroot does, and the reverse is also true about Webroot too.
