Tuesday, April 20, 2010

Adobe Reader and Internet Explorer: Most Attacked

One key to protecting your computer (and the data on which you depend) is to limit the attack surface. The fewer avenues for compromise you have, the better chance you stand of being passed over for a more inviting target.

If you're seeking the opposite approach - to become a flaming honeypot of vulnerability - run Microsoft's Internet Explorer and Adobe Reader. 
A hole in Microsoft's Windows SMB2 (Server Message Block) protocol was the most attacked vulnerability last year, followed by holes in Adobe Reader and Flash Player, Internet Explorer 7, and Windows MPEG2 ActiveX Control, according to a Symantec report to be released on Tuesday.
I stopped running both products ages ago, mostly due to the number of zero-day exploits that ran rampant in the wild targeting these two software gems. It's bad enough when you need to scramble to deploy patches before the bad guys reverse-engineer them to create and launch exploit code. It's a whole other nightmare when the attacks begin before the public, and often the software maker, are aware of the vulnerabilities.
Of Web-based attacks, suspicious PDF file downloads was the top method, representing nearly half of such attacks, followed by six attacks on IE, one targeting Adobe SWF (Shockwave Flash), and two targeting MPEG2 ActiveX Controls, the Symantec Global Internet Security Threat Report found.

Nearly half! And I can remember when people moved from Word documents to PDF files because they were seen as more secure. In fact, many companies explicitly blocked Word docs at the gateways but allowed PDF files to drive right inside.

Now, that's not to say that there aren't other products with more announced vulnerabilities than these two, because there are. But the perfect storm might be the combination of frequent flaws, plodding response by the software makers, and product saturation. IE and Reader are heavily used by home and enterprise users, and historically both user types have been slow as molasses to patch and/or upgrade their vulnerable Adobe installs, to the point where Adobe recently announced plans to automatically apply updates in the background without user notification or interaction.

If you don't want your car stolen, do some research into which are the most stolen vehicles and then don't buy one of those. If you want to keep your computer and data safe, look at the most frequently attacked programs and then don't install them. Pick something else that gives you a fighting chance.

No comments:

Post a Comment

Please tell me what you think.