Adobe Should Be More Proactive About Security

Adobe will release an emergency patch, expected within two weeks, to plug a security flaw in Adobe Reader, the latest in a series of the program's recent vulnerabilities. The problem is, this flaw was found through a presentation at the Black Hat conference last week, and not by Adobe's security team.

Perhaps Adobe should put the presenter, Charlie Miller, an analyst with Independent Security Evaluators, on the payroll? Maybe then it can become proactive rather than reactive in meeting its clients' needs.

Miller's presentation, based on his white paper, illustrates how the bug allows a ne'er-do-well to gain control of a computer by exploiting a critical glitch in how Adobe Reader parses fonts in portable document format (PDF).

It's also known as an "integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3," according to the U.S. Department of Homeland Security's National Vulnerability Database. That means a malicious PDF containing a specially crafted TrueType font can be used to take control of your computer.

Is this latest bug merely an unfortunate incident? Maybe not. Adobe's PDF viewer had security problems last month, and Adobe's response was to tell users to wait for an update at the end of the year. (So far, Adobe has released four patches for Acrobat and Reader this year.)

Add to this the numerous bugs in Adobe's Flash Player, and you can see Steve Jobs' point that it has "one of the worst security records," and can cause businesses plenty of headaches.

At this point, I'm not sure Adobe can win the hearts and minds of managers or business owners after so many security flaws. However, at least this time Adobe seems to be working on an emergency patch rather than suggesting its users wait for the next quarterly update--making its clients a priority rather than an afterthought.

Still, perhaps Adobe should look more to security consultants like Miller who aren't entrenched in the company. While I'm sure its workers are competent and hardworking, businesses can suffer from groupthink, whereby people conform to group values and ethics, and are less willing to offer critiques or alternatives.

However, Adobe's immediate fix to this problem is to provide essential customer service. Let's hope there are fewer security flaws because of it, and that Adobe continues to show how much it values its customers, with proactive and comprehensive protection against malware.

For business owners who want to expel Adobe Reader altogether, there are several free PDF readers on the market without as many security issues, including Foxit Reader and Nuance PDF Reader.

As for the perils associated with Adobe's Flash, IT managers can block Flash on Firefox and Google Chrome browsers, and make sure the company has Web-filtering software that can block known malicious Websites.
