Adobe has been very successful at establishing its products as cross-platform, operating system agnostic tools for delivering content. Unfortunately, those same attributes are also attractive reasons to attack Adobe products, and Adobe has been a little less successful at ensuring those products are secure. IT administrators need to exercise increased diligence to protect against Adobe software flaws and malicious PDF files.
One of the reasons cited by Steve Jobs in defending Apple’s decision not to support–or even allow–Adobe Flash on the iPhone or iPad is security concerns. Adobe Flash and Adobe Reader are virtually ubiquitous regardless of platform, which has made Adobe the low-hanging fruit with a bullseye on its back. Security vendors have already warned that Adobe is a weak link in the security chain.
Earlier this year attackers exploited a flaw in Adobe Reader with malicious PDFs playing on the upcoming FIFA World Cup 2010 soccer event this summer. The messages were spoofed to appear as if they originated from a legitimate African tourist organization, and contained mostly legitimate details and information along with a PDF attachment which took advantage of the Adobe Reader flaw to install malicious software on vulnerable systems.
Now, a new Adobe security flaw is being exploited. According to the Adobe Product Security Incident Response Team (PSIRT) blog, “This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.”
While Adobe flaws could be used as the foundation of mass malware or phishing attacks, they also make particularly potent weapons in targeted attacks. Crafting a malicious PDF–especially if it’s a legitimate PDF file that is modified to include malicious content–and sending it to limited targets of specific value can enable the attack to fly under the radar of security vendors and yield a much higher degree of success than the traditional “carpet-bombing” approach.
IT administrators need to take proactive steps to protect against these attacks. Of course, the traditional best practices still apply–keep antimalware software enabled and updated, and use a personal firewall to protect endpoint systems. However, because the malware industry is based on a reactionary, signature-based model, those measures can only go so far in protecting against zero-day or emerging threats.
Unfortunately, the options are more limited when it comes to protecting against vulnerabilities in the Adobe Flash Player. As evidenced by the ongoing culture war between Apple and Adobe, much of the Web relies on Flash for content delivery, and unlike Adobe Reader there aren’t really any alternatives for viewing or working with that content.
Long term, one solution is to wean off of Flash and transition to HTML5. HTML5 is a more open, standards-based approach to delivering essentially the same sort of video and interactive content currently provided via Flash. If you’re interested, Apple created a site dedicated to showcasing the capabilities of HTML5–however, it can only be viewed with Apple’s Safari Web browser.
Adobe is a victim of its own success. It is a testament to how much we rely on Adobe products that attackers have targeted them so aggressively. IT administrators need to be aware of the security issues related to Adobe software and either put security controls in place to protect against them, or find suitable alternatives t that are more secure.