Adobe Needs To Fix Its Hacker Vulnerabilities To Stay On Top

First they crash your system, then they take control. This is exactly how attackers are able to exploit yet another vulnerability in Adobe Flash Player and Acrobat Reader. These vulnerabilities can be found specifically in Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems and the authplay.dll component of Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX.

This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.

Right now, there is no patch available for these vulnerabilities, but reports have stated that Adobe will be issuing a patch on Thursday, June 10th for Flash Player, and the security update for Adobe Reader and Acrobat will be available by June 29. Both are coming well ahead of their scheduled dates.

0-day Vulnerabilities

The problem with vulnerabilities like these, termed 0-day vulnerabilities because there is no fix for them, is multi-fold. First, there is usually nothing users can do about them until a patch is released, aside from ceasing to use the application. These vulnerabilities come from a development problem with the software, not a problem caused by the user. Second, no one knows how long the vulnerability was used to exploit systems and software. Cyber criminals often know about a vulnerability months before the security industry finds out about it. So their attacks can go undetected, reaping them millions of dollars before they are exposed, let alone stopped. Lastly, these vulnerabilities are springing up everywhere. Websites are under constant attack both as a target and a delivery system, advertising networks suffer from vulnerable applications, and consumers are affected almost daily.

Adobe’s Got Problems

Adobe has, without a doubt, made the largest impact on web development in the history of the Internet. Millions of websites are built using their programs. Even more users rely on their technologies like Flash and Acrobat to deliver and consume online content. But for all of their positive influence on the Web, Adobe still suffers from buggy software. Their vulnerabilities have earned them a reputation as having some of the most vulnerable applications on the market. In the month of May alone, the US-CERT issued 24 advisories for Adobe products. By contrast, Microsoft products were issued 16 advisories by US-CERT, Apple 5 advisories, and OpenOffice.org none. Both Apple and Microsoft include their operating system software in these results.

Now What?

As much as Steve Jobs would like us to do so, we simply can’t stop using Adobe’s products. And why would we want to? Flash is amazing, not just for video distribution but for building interactive web components as well. And Adobe is responsible for making documents readable across all operating systems when it created the PDF.

But maybe Adobe needs to slow down its development and focus on getting right what it already has. Adobe’s Creative Suite 3 was released on April 16th, 2007. CS 4 followed on October 15th, 2008, and CS 5 on April 30th, 2010. There were some nice interface changes and some cool features between the versions, and these products are Adobe’s bread and butter. But unless Adobe spends as much time securing the massive vulnerabilities of its free consumer software, developers may be inclined to stop shelling out thousands on programs whose content only exposes their visitors to multiple vulnerabilities.

About Jeff Orloff

Jeff Orloff is a freelance technology writer and consultant with Sequoia Media, Inc. (http://www.sequoiamediaservices.com). When he is not in front of a computer, he can be found coaching little league baseball.

You can find Jeff on Twitter: @jeorl.
