August 6, 2009 4:00 AM PDT

Is Adobe the next (pre-2002) Microsoft?

by Elinor Mills

If you're a criminal and you want to break into a network, a common attack method is to exploit a hole in software that exists on most computers, has its fair share of holes, and isn't automatically updated.

In 2002, that would have been Windows. Today, it's likely to be Adobe Reader or Flash Player, whose share of vulnerabilities and exploits is on the rise while Microsoft's is falling.

Nearly half of targeted attacks exploit holes in Acrobat Reader, which is used to read PDF (portable document format) files, according to F-Secure. Meanwhile, the number of PDF files used in dangerous Web drive-by attacks jumped from 128 during the first three and a half months of last year to more than 2,300 during that time this year, the company said.

In addition, there are more and more zero-day holes, vulnerabilities that are public before a patch is available. Like sitting ducks, users of affected software are left wide open to attack until a fix is available.

There have been zero-day exploits for the Flash Player plug-in, used for viewing rich media like videos and interactive charts on Web sites. And in one case this spring, a zero-day hole in Adobe Reader spurred security experts to recommend that users disable JavaScript.

One security researcher at Black Hat last week, who asked to remain anonymous, said: "As a result of the number of zero-day attacks on PDFs this year, large banks hate Adobe."

F-Secure said it identified about 1,967 targeted attack files in 2008, the most popular type being .doc used in Microsoft Word.

(Credit: F-Secure)

Those scary statistics prompted Mikko Hypponen, chief research officer at F-Secure, to urge Adobe Reader users at the RSA show in April to switch to an alternative PDF reader.

Adobe "has a lot to learn from, of all places, Microsoft," Hypponen said at the time. At the Black Hat and Defcon security shows last week, others concurred.

"Adobe is the next Microsoft," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky. "They are slowly realizing that they have become a main vector of getting into a machine...We as an industry must push hard" to get Adobe to improve security.

An Adobe manager said the problem stems from the fact that it's software is so broadly used.

"It's only natural, given the fact that some of our products like Reader and Flash Player are some of the most widely distributed on Earth, that they would be targeted by attacks," Brad Arkin, director for product security and privacy at Adobe, said in an interview on Wednesday.

Microsoft has been in the same boat, and in many ways still is. The difference is in how the companies respond to the problem, experts said.

Microsoft: Been there, done that
In January 2002, Bill Gates launched the Trustworthy Computing initiative and said security would be a top priority for the company. Microsoft had to do something to combat the negative press and public opinion over its whack-a-mole strategy for countering the viruses and other security holes that plagued its software.

The company established a Security Development Lifecycle program, designed to build security into the software, that has become the standard others in the industry follow. It is roundly lauded for its efforts.

During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDF. The change from the previous year is primarily due to the fact that there have been more vulnerabilities in Adobe Acrobat/Reader than in Microsoft Office, F-Secure said.

(Credit: F-Secure)

Now it's Adobe's turn to step up to the plate.

"Microsoft is a model for patch management...they were forced into it. They really turned around," Hypponen said in an interview last week at Black Hat. "Now, Flash and Reader are ubiquitous and it's harder and harder to target Microsoft, so the attackers are looking for easier targets."

In particular, Adobe's patching process isn't as robust as Microsoft's, he and others said.

In all fairness, Adobe is on the right path. Prompted by a zero-day hole in Reader, Adobe decided in May to start releasing patches on a quarterly basis, and to schedule the updates to coincide with Microsoft's Patch Tuesday releases.

At the time of the Adobe announcement, Arkin said the company was reviewing "everything from our security team's communications during an incident to our security update process to the code itself." He also promised that users would "see more timely communications regarding incidents, quicker turnaround times on patch releases, and simultaneous patches for more affected versions as we move forward."

The company was the first third-party vendor to release a fix for software affected by a vulnerability in Microsoft's Active Template Library, which is used to build components for Web applications and which was being exploited, according to Arkin.

"We scoured the entire Adobe portfolio and evaluated more than 200 products in the field today to determine which might be vulnerable," he said, adding that fixes for Shockwave Player and Flash Player shipped within weeks.

A zero-day exploit targeting Reader and Acrobat that Adobe learned about on April 27 was fixed about two weeks later, he said. And Adobe issued a patch last week for a critical Flash Player problem that was being exploited, allowing attackers to take over a computer via content viewed in a browser.

"We are quite happy with the performance on those," Arkin said of the time frame for the patches.

The company also has been turning an eye toward "digging into legacy code" and looking for additional ways to improve products overall, he said. "Adobe integrates the best practices you see at Microsoft and other companies."

The security researcher who asked not to be named complained that at an architectural level, some Adobe applications have too much access to the operating system. "Why should something that operates on untrusted data have full access to your trusted data?" he asked, mentioning specifically Adobe Reader and its ability to access the hard drive to read and write files.

The program's functions require it to be able to save and open files on the file system and thus have read and write access to the hard drive, Arkin said. "Web browsers all have the ability to save to the file system," and the privileges between the two types of programs are similar, he added.

Security-versus-functionality trade-offs aside, changes in Adobe's products and processes will come in response to market pressures and not merely because it's the favorite target for attackers, said Bruce Schneier, chief technology officer of BT Counterpane.

"This is all very much a business decision, whether the company decides to take security seriously or not," he said, adding that he spent his day dealing with Adobe updates.

"I'd like to think that they would start realizing that they can use security as a selling point, but it took Linux to get Microsoft to do that. They felt they had competition," he said. "Is there a Linux waiting to affect Adobe?"

Not really, the experts agreed.

Dan Kaminsky, director of penetration testing at IOActive, praised Adobe for "reconfiguring itself" with regard to security issues and suggested critics should cut the company some slack.

"The PDF exploitation only recently blew up, and remember, it takes any software development house a while to really address problems," he said, adding that Flash 9 was much more secure than Flash 8.

"Does Adobe have products they need to lock down? Yes. Are they in the process of doing so? Yes. They did it for Flash and they'll do it for Reader," he said.

"There's always a 'most vulnerable' attack surface."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Showing 1 of 2 pages (58 Comments)
by dmac81 August 6, 2009 5:02 AM PDT
Microsoft by those graphs is still over 50% of attacks! Yeah adobe sucks but really has Microsoft improved? No, just something easier came around and it's called Flash
by pjhenry1216 August 6, 2009 5:15 AM PDT
Their shares of attacks dropped significantly. That's pretty much the definition of improvement. Plus, if you look at the graphs, Flash wasn't on there at all. Did you read the article?
by tektaktyks August 6, 2009 6:09 AM PDT
dude, read carefully, it's all about market share, nothing to do with software, there are holes in every software, more ppl use it more attacks it gets, if Apple had 85% of the market it would be same for them....
by Random_Walk August 6, 2009 7:12 AM PDT
To be fair, they have improved. While not as much as needed to match their competition, one must be fair - they have made quite a bit of effort.
by abcd9009 August 6, 2009 8:48 AM PDT
@dmac81

I completely agree with @tektaktyks. It all comes down to how many people use the software. If only 10% use then what's the justification of an attack. The most vulnerable product right now is the iPhone being the hottest toy in the market.
There is no software on the planet which is 100% secure (and that includes UNIX). After all, software is developed by humans and nobody is perfect. What matters is how soon can you acknowledge the problem and equally how soon you can resolve it. Microsoft and Google have always been good at that. Apple on the other hand - well, need I say more. The most recent example with the bug on the iPhone SMS which Apple wouldn't even acknowledge until it released the patch for it in spite of knowing the issue since the person who found the bug had contacted Apple first before releasing it to others.
Who's better now?
by monkeyfun14 August 6, 2009 9:44 AM PDT
@dmac

In 3 different programs.

Adobe has more vulnerabilities in one single program than Microsoft has in 3 of them.
by BingItOn August 6, 2009 1:10 PM PDT
Agree with monkeyfun14.

@dmac81 before posting read and analyze what is being said this 1 vs 3 App. And it is just a reader with no editing functionality, compared to 3 most highly used and versatile application.
by dhavleak August 6, 2009 1:38 PM PDT
@ dmac 81

"Microsoft by those graphs is still over 50% of attacks!"

>> The question is, 50% of what? The graphs just show 4 apps -- Word, Excel, PowerPoint, and Acrobat Reader. It's only analyzing file-types -- otherwise it would make sense to include Flash as well (which will reduce the % of all these 4 apps to a really small fraction). Or say Quicktime (which will give Flash some good competition). Also note that the graph doesn't take into account the ubiquity of each doc type. While each of these file formats is very widely used, word probably has the largest share by a huge margin, with PDFs next, excel next, and powerpoint next (pure speculation on my part of course -- but the point about not interpreting the graph literally remains valid).
by dmac81 August 7, 2009 9:22 AM PDT
I love Microsoft fan boys that defend crap!!! Did I mention Apple? No!!! Yes I said Flash and the article talks about PDF's, so sorry that I skimmed the article (still Adobe), my bad. I'll just sit over on the other side of the fence that you guys are on and not have to rebuild my OS every 3 months like I did when I was on Windows ( I do not care how big the user base is on Mac or Linux, I will enjoy my freedom from a self destructive OS while it lasts). And yes I know that no software is 100% secure, but come on everyone, Windows has something like 200 thousand viruses, I just choose not to deal with that on a daily basis by not running any version of Windows.
by YankeePoodle August 7, 2009 9:50 AM PDT
@dmac81

Troll On!!!
by monkeyfun14 August 8, 2009 7:47 PM PDT
@dmac

Rebuild your os every 3 months? You clearly must be doing something wrong then.

I love how you mention freedom with Apple.

How is it really freedom though? I mean they tell you what hardware you can use hardly what I would call freedom.
by FF2009 August 6, 2009 5:18 AM PDT
always hated their Flash player. That needs to die and let other open source technologies take over where you sucked at doing.
by tektaktyks August 6, 2009 6:10 AM PDT
I agree, the problem is CS4, bunch of useful progs that work together
by shellcodes_coder August 6, 2009 5:30 AM PDT
Flash sucks, Silverlight is much better than flash
by aMUSICsite August 6, 2009 6:55 AM PDT
Flash is not even on the graphs! It's Acrobat that is the main problem. It shows poor writing to name and shame Flash in the article but not to mention its share of security holes as it's not on the pie charts. If it's less than PowerPoint's 5% and is installed on something like 95% of machines, then it would imply that it's quite secure.

Adobe do need to sort its house out. dearadobe.com is a good place that lists lots of people's gripes about Adobe. Acrobat reader and the authoring software is the biggest bit of bloatware on most people's machines and most people only use it to look at documents with text, images and the odd link. It's all the scripting, video and interaction stuff they have rammed into PDF's to sell the next generation of authoring software that has caused most of the problems.

The more bloated it is the harder it is to find the errors. Adobe need to get back to pdf's being the simple light weight online document format it started with.

And don't get me started on CS 4. a total waste of money which did not fix any of the security and performance problems that have crept into its product range. Rather than concentrating on making more software collections than there are versions of windows, they need to get cheaper, lighter and much more reliable software that people want to buy and keep up to date.

Otherwise Powerpoint, Excel and Word will soon become safer to use than Acrobat! That could kill Adobe....
by ed state--2008 August 6, 2009 5:46 AM PDT
Not to mention Adobe's MSoft-like tactics: abusing their virtual software monopoly releasing broken software, completely ignoring their user base, making customers pay for minor updates to fix bugs, etc, etc.
by viper396 August 6, 2009 11:05 AM PDT
"making customers pay for minor updates to fix bugs"

Do you have any evidence to prove that?

I like most others get their Adobe or Microsoft updates for free. If you have to make up information just so you can have something to complain about then your comments and your integrity are worthless.
by aMUSICsite August 7, 2009 12:56 AM PDT
@viper396

"Do you have any evidence to prove that? "

It would not take me too long to put together a list of bugs that have not got fixed. Maybe it should have been "Making customers pay for minor updates without fixing the bugs" ;)
by YankeePoodle August 7, 2009 9:51 AM PDT
If you still think Adobe and Microsoft are responsible for misery in your life, you can
a. Get a life
b. Improvise and blame the economy
by monkeyfun14 August 8, 2009 7:49 PM PDT
@aMUSICsite

Same can be said for Apple.
by w0rdwarri0r August 6, 2009 6:19 AM PDT
Yeah, I really dislike Flash and Adobe Acrobat is a bloated mess compared to Apple's Preview PDF viewing program. I don't have administrator rights to my Windows machine at work, despite being a programmer, so it's impossible for me to install Flash for Firefox. Oh yeah, and it doesn't allow you to install within the user context (as opposed to system-wide) as Firefox, Chrome and some other Windows apps allow you to. And, boy, do I notice the difference when surfing. Movie sites won't work at all. Car sites (ex Hyundai) won't work. Many restaurant sites won't work. The most jarring of all is YouTube, which doesn't have a production ready HTML 5 video site that I can view with Firefox.

Then there's the problem of rich internet applications (RIA). Web browsers represent disparate runtimes, each with its own quirks and behaviour. Even if all versions of IE were to drop off the face of the Earth, there are still significant differences among Firefox, Safari, Chrome and Opera. Flash, on the other hand, represents a cross-browser and cross-platform runtime that anybody can develop, test, QA, and deploy. This means Flash web applications can be delivered more quickly than HTML/CSS/JavaScript ones.

Silverlight brings the same problems as Flash, since it's also a proprietary technology. Yeah, parts of FlexBuilder are open source, but the Flash runtime is completely closed source, and alternative implementations of the runtime are prohibited by the license. The only RIA framework that has a snowball's chance in hell of being open sourced is JavaFX, but all bets are off once Oracle completes its acquisition of Sun.
by viper396 August 6, 2009 11:10 AM PDT
Boo hoo, you don't have Admin right....So basically you are complaining because your employer prefers that you not spend all your work hours surfing the internet? How was that relevant?
by unknown unknown August 6, 2009 2:24 PM PDT
@ viper396 Might want to re-read the post if that's all you got out of it.

@w0rdwarri0r YouTube not having an HTML 5 site ready to go is not surprising considering that HTML 5 is still a draft and support in browsers is still fairly new and support only a subset of features. Not to mention they're still bickering over codecs.
by jtnoble1 August 6, 2009 7:07 AM PDT
Adobe is stepping up to the plate. Listening to customers and addressing product vulnerability are vital to the company's success. The recently launched ideas portal to gain customer feedback and spur incremental product innovation is an indication of that shift.

http://ideas.acrobat.com
by surfandwork August 6, 2009 9:05 AM PDT
I guess somebody working at Adobe is reading this article! :)
by Nataku4ca August 6, 2009 11:41 AM PDT
@surfandwork

that was unnecessary
by ittesi259 August 6, 2009 12:17 PM PDT
It was unnecessary, because it was completely obvious :)
by webdev511 August 6, 2009 7:31 AM PDT
The title question is all wrong. It shouldn't be "Is Adobe the next (pre-2002) Microsoft?", but "How much longer is Adobe going to be able to treat security with a pre-2002 mindset?"

Until there's a competitor to Acrobat that's cross platform, has 85-90% of its functionality, is less bloated and much more secure, I think we can count on Adobe to maintain their current practices. After all, what else are you going to use in place of PDF? XPS? Ha!
by w0rdwarri0r August 6, 2009 8:05 AM PDT
There are all kinds of third-party PDF readers without the same vulnerabilities, including Apple's Preview and several Linux utilities. I believe there are third party PDF readers for Windows as well.
by surfandwork August 6, 2009 9:03 AM PDT
There is a link in the article to the Free Software Foundation's PDFreaders.org website. There are many free and low cost PDF alternatives. I use PrimoPDF for simple static PDF output.
by Lerianis4 August 6, 2009 11:25 AM PDT
We ASSUME that those third-party products don't have the same vulnerabilities...... I wouldn't be surprised if someone looked, that they do have the same or near same vulnerabilities in them.
by Softland August 6, 2009 11:09 PM PDT
there are already lots of less bloated alternatives, foxit for pdf viewing - http://www.foxitsoftware.com/pdf/rd_intro.php and dopdf for pdf creation - http://www.dopdf.com
both free, both lightweight compared to adobe's.
by rdeal2 August 6, 2009 8:33 AM PDT
I gave up on Adobe Acrobat...$500 is a complete *rip off* for what you get. Also had many problems with their update service...in one instance I had to completely uninstall and reinstall to get the update functionality to work again. I've refused to move to the latest version of Adobe Acrobat. For the past few months I've been using a product called Nitro PDF Professional...for $99. I only need PDF functionality to make quick edits and comments...as well as reading...and for the price, you can't beat it.
by surfandwork August 6, 2009 8:58 AM PDT
There are many free PDF creating programs which basically redirect printer outputs to a PDF file. I use the free version of PrimoPDF. If you need more than a static printer output then you need to pay.
by Earl Benzar August 6, 2009 11:20 AM PDT
It's refreshing to see an Adobe fanboi vs. MS fanboi thread finally unfold. The Apple vs. MS threads became too predictable, and I lament their loss, but alas, I for one welcome our new Adobe overlords. MS fanboi's put that in your security pipe and smoke it. ;-)
by ballmerisanape August 6, 2009 11:22 AM PDT
I'm glad Preview is free.... I haven't used an Adobe product on my Mac in years. Flash is another issue... but the flash-blocking plug-ins for Safari have been good to me so far.
by kemblite August 6, 2009 11:25 AM PDT
The solution is very easy: just deny internet access to all these programs with your firewall. That's what I've always done with MS Office applications and Adobe Acrobat.
by SenorFrog August 6, 2009 5:12 PM PDT
Maybe very easy for those of us on this website but for those that are the target of these exploits, the average Joe or Jane is probably overwhelmed when being asked to make decisions when the firewall warnings pop up, the OS is asking your opinion, maybe the anti-malware program is demanding attention, you're asked should you enable PNP on the router, etc. I'm not surprised many just keep clicking until the applications just ****.
by shycelticwitch August 6, 2009 11:36 AM PDT
I cannot comment on how Adobe works on Windows PCs, but I can tell you that I have been using Adobe products since 1992. I have yet to have an issue with any of the programs in their suites. I heard a rumor once that since the Adobe software is primarily used for design and creative concepts, more options are written for Mac versions. I found this to be true in several instances just recently. A friend of mine who recently lost her two MacPros in a burglary was given a Windows Vista system to work on temporarily. It had the CS4 Master with all programs installed, but she primarily used Photoshop, InDesign and Acrobat Pro. Two days later she called me to ask if Adobe had changed some of its options with the last update. She was not able to access several options in command windows that she used regularly on her Macs. I didn't believe it so I went to her office to check it out. Sure enough, in color profiles and several other command windows, certain options were not available that we had always used on the Mac. Thinking it might have been an install error, I had another colleague who had CS4 on a Windows PC and asked him to check. Same thing on his system.

In my opinion, all software is vulnerable to hackers. If you don't take precautions, use good judgement or take the time to learn how to safeguard against these attacks, you deserve what you get. Kind of like driving without insurance if you ask me. Soooooooo... I guess the next question would be.... how many of you complaining about Adobe here are using a Windows platform?

A good guess would be all of you. : )

To Adobe... rock on. Your software suite is so well integrated and functional it allows me to make every working minute of my day profitable in more ways than I can count. Fix problems where they may be, but don't change a thing. On my end, I will make sure that I am careful how I use my computer so that any small inadequacies there may be with your wonderful software are not an issue for me to worry about. Thanks again for all your hard work geared towards the creative industries.
by BrandonLive August 7, 2009 11:37 AM PDT
Ask any security researcher whether attacking Adobe products is easier on Windows or Mac. You'll only get one answer, and it won't be Windows.

Adobe also offers a lot of features on the Windows versions of CS4 that aren't in the Mac versions. The Mac versions don't even include a 64-bit version yet (though that's mainly because Apple still hasn't released a proper 64-bit OS and has had a ridiculously confusing 64-bit developer story over the last years).
by shycelticwitch August 7, 2009 12:24 PM PDT
How about you point me to a source to back up your claims? Until then I stand by my statement. I specifically stated that all non-secured systems are vulnerable. But for your claim to have any substance the market shares would have to be reversed. Windows is still the most vulnerable software on the market when you consider its user base.
by shycelticwitch August 7, 2009 12:29 PM PDT
PS... Apple is not always first at everything, but they are most definitely the best. They have never been in a hurry to push a product or technology that they have not fully developed. So step down off the soapbox, it's not an issue. And now you've made it absolutely necessary for me to repeat a post that I have made several times (to the ire of many because of its kernel of truth)....

"Windows is.... A 64-bit shell for a 32-bit extension to a 16-bit graphical interface, sitting on an 8-bit operating system, originally written for a 4-bit processor by a 2-bit company without ONE BIT of common sense."
by lonban August 6, 2009 12:48 PM PDT
I find it ironic that Adobe is feeling so much heat and Microsoft is being lauded, when, even with the large jump in targeted attacks toward adobe reader, Microsoft still, combined, had the most targeted attacks this year so far (at least by these charts.)
by monkeyfun14 August 6, 2009 3:08 PM PDT
Yeah in 3 different programs...

Adobe makes up nearly 50% in just one.
by BrandonLive August 7, 2009 11:33 AM PDT
The charts are pretty misleading, they only show 4 file types, and seem to focus only on a specific sort of attack (a malicious file that gets opened) which is a relatively rare attack vector these days. Severity of the attacks is also left out of the equation, along with the data about when a patch was made available. PDF files have a lower barrier to entry due to the way Adobe integrates them into the browser, so the severity of those attacks tends to be much higher given reduced user interaction needed to trigger an exploit.
by Hokulea August 6, 2009 1:38 PM PDT
The latest Flash vulnerability also affected Mac OSx as well as Linux.

I do use CS4 on Windows. I appreciate how well integrated the components of the suite are. Adobe's CS suites are amazing, wonderful, and well thought out. While I have no complaints overall, I do have concerns.

I don't open or view .pdf attachments sent to me via email from unknown sources so I can minimize that attack vector. Flash though is a different story. It's so prevalent on the web and in most cases the vulnerabilities are drive-by requiring no user interaction.

I can control Flash in web browsers by using add-ons that limit its scope. However, Flash plug-ins in CS4 are widespread and the versions vary. That's where my biggest concerns are.

When I scan my Windows system with Secunia PSI, it flags the following CS4 apps as being vulnerable due to the versions of Flash in use:

Adobe AIR Flash 10.x Plug-in

Adobe AIR Flash 9.x Plug-in

Bridge CS4 Flash 9.x Plug-in

Contribute CS4 Flash 10.x Plug-in

Device Central CS4 Flash 9.x Opera Plug-in

Dreamweaver CS4 Flash 10.x Plug-in

Extension Manager CS4 Flash 9.x Plug-in

As of this time apparently these Flash plug-ins have not yet been updated. I can only hope it's not an issue.

I can't comment on the differences between CS4 on Mac OSx versus the Windows platform as I haven't used CS4 on the Mac. However, you might find this review from Ars Technica of interest:

http://arstechnica.com/apple/news/2008/10/adobe-cs4-review.ars
by Inconnux August 6, 2009 1:54 PM PDT
Microsoft is now going to use Word to render HTML in its email applications... from what I can see this is going to be no more secure than using IE.
by BrandonLive August 7, 2009 11:30 AM PDT
You are mistaken. Outlook has been using the Word / Office engine for HTML e-mail since Outlook 2003.

It's important to note that the figures being shown here are referring to infected file types. However, getting the user to open a .DOC file is generally considered to be a trickier proposition than, for instance, getting them to open a PDF (which Adobe has set up to open inside the browser on most systems without the same level of warnings you'd get for an Office doc). Exploits in HTML e-mail are even more troublesome, because they can attack the e-mail program just by having the user click on the e-mail. Thankfully, the Outlook / Office HTML e-mail code has proven quite resilient against attacks.
by BlackCellResearch August 6, 2009 5:45 PM PDT
The growing number of Adobe security vulnerabilities began after their major push to offshore everything including security. Does this really surprise anyone? This is one Adobe product compared to how many Microsoft products? Did we forget how many machines were exploited using Flash?
by downtowndale August 7, 2009 12:35 AM PDT
Interesting article yet there is a BLARING typo in it. In about the 10th paragraph:

"An Adobe manager said the problem stems from the fact that it's software is so broadly used. "

While the story may be well researched and written, its credibility quickly goes out the window due to the inexcusable error from both the writer and CNET editors.

"It's" ALWAYS = "it is" -- never the third-person possessive pronoun. NEVER.
by hadi96 August 7, 2009 1:24 AM PDT
The problem is with the monstrous size of the current Adobe Reader - I still remember when it was less than 300K in size, with the same functionality (during the WFW days). It was fast, lean, mean and a useful tool - now, it's just that big lump of s#it - why do they need it so big, so slow, so dead, what is it doing, and does it need to call home every 5 seconds.... When the size became bigger than 30MB, I thought it was time to move over to a fat free alternative, 'haihaisoft reader', it is a bit slower, but I'm sure the speed issue will be resolved soon...
by npiaseck August 7, 2009 5:26 AM PDT
It's "Security Development Lifecycle," not "Software Development Lifecycle."
by BrandonLive August 7, 2009 11:23 AM PDT
Actually it's "Secure Development Lifecycle" ;)

Arkin is incorrect. The most security-focused web browsers on Windows do NOT have write access to the file system (except for the "Low Integrity Temporary Internet Files" directory). Those would be IE and Chrome, which both run their tab processes in isolated Low IL sandboxes.

Adobe is perfectly capable of making Acrobat Reader run in Low IL the same way, they just haven't yet taken on the effort to do so.