Thursday, August 5, 2010

Critical Adobe Reader Flaw Virtually Ignored

If a tree falls in the woods and there's no one there to hear it, does it still make a sound? Such is the conundrum faced by philosophers for generations.

What if a critical flaw in Adobe Reader was demonstrated before a group of security professionals at the Black Hat conference and none of them made a sound, either?

That's what Charlie Miller must be thinking. He's the security expert that presented the vulnerability at Black Hat. His lament?

"Adobe security is so bad that […] not a single person tweeted it. Sad."

Adobe has acknowledged the flaw and is said to be working on a fix. Whether the patch is released out of band or at Adobe's next scheduled quarterly security release remains to be seen. Also unclear is the list of versions impacted by the vulnerability. The only good news is that there are no reports of exploits in the wild.

Some question how many more security blows Adobe can endure before going down for the count. My response is to look at Microsoft's track record. Many years into their latest secure coding push, Redmond is scheduled to release 14 patches to close 34 vulnerabilities in their August 2010 Bulletin Release. This mandates a massive amount of testing and deployment for enterprise customers, yet Windows and Office are still the dominant operating system and office suite. The cost of switching away is so substantial, due to user training, infrastructure, and application impacts, that it's almost cheaper to stick with the ugliness you know.

The same holds true for Adobe. It's the PDF reader with the most saturation, and not just among corporate environments. Home users are virtually guaranteed to have Adobe Reader installed on their systems, even though fully functional alternatives exist. Many have found Reader installed as a bundled offering from another application. The home user is also more likely to have an unpatched operating system and outdated software, making exploitation trivial. Antivirus protection? Please.

Adobe's install base and numerous versions place the company in the same predicament as Microsoft. There's a lot of old, insecure stuff out there, and even offering an automatic update solution only partially solves the problem. If Adobe can get 80% of the vulnerable installs patched, that still leaves hundreds of thousands, perhaps millions, of ripe targets out there. And when the next critical Adobe flaw appears - and you know it's when, and not if - the hamster wheel spins again.

My advice is the same as always. Dump Adobe products for less target-rich alternatives. A simple Google search on PDF readers will return scores of options onto your screen. Be sure to completely uninstall any Adobe software currently on your machine, being wary of third-party apps that might have plunked down some version while you whistled through a boring install routine. If in doubt, use Task Manager to look for processes associated with Adobe products.
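Checking Task Manager by eye misses products that were bundled in without a visible process. The following PowerShell script is an added example, not from the original post, that inventories a Windows machine the way a defender would: it reads the standard Uninstall registry keys (64-bit, 32-bit and per-user) for anything published by Adobe, and lists running processes loaded from an Adobe path, so a stray Reader install left behind by a third-party installer shows up even when it is not running. It only reports; removal is left to the administrator using the listed UninstallString.

```powershell
# Added example (not part of the original post): inventory installed Adobe
# products and running Adobe processes on a Windows host. Run from an
# elevated PowerShell so HKLM and all process paths are readable.

# The three places Windows records installed programs: 64-bit, 32-bit
# (WOW6432Node) and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AdobeInstalls {
    # Match on either the product name or the publisher so bundled components
    # with generic names are still caught.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Adobe*' -or $_.Publisher -like '*Adobe*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString |
        Sort-Object DisplayName
}

function Get-AdobeProcesses {
    # Path can be $null for protected processes, so test it before matching.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -like '*\Adobe\*' -or $_.Company -like '*Adobe*') } |
        Select-Object Name, Id, Path
}

Write-Host 'Installed Adobe products (from the Uninstall registry keys):'
Get-AdobeInstalls | Format-Table -AutoSize

Write-Host 'Running processes loaded from Adobe paths:'
Get-AdobeProcesses | Format-Table -AutoSize
```

InstallDate is worth a look: an Adobe entry dated the same day as some unrelated application is usually the bundled install the post warns about. Reader itself appears in the process list as AcroRd32 when it is open.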

Otherwise, abandon hope all ye who enter Adobeville. Like another Scream sequel, this will not end well.
