
Adobe Flash To Be Top Hacker Target In 2010

An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"
  • WTF (Score:3, Informative)

    by tylersoze ( 789256 ) on Tuesday December 29, 2009 @01:31PM (#30583768)

    Could someone please explain to me why I have to be worried about a $#! document viewer compromising my system? WTF Adobe!? Glad I don't have to use it to read PDFs anymore. Thank you OS X for built-in support.

  • Acrobat and Flash (Score:5, Informative)

    by Enderandrew ( 866215 ) <enderandrew&gmail,com> on Tuesday December 29, 2009 @01:31PM (#30583778) Homepage Journal

    Acrobat and Flash vulnerabilities were two of the biggest issues I saw in 2009, even more than Office vulnerabilities.

    For one, Office only seems to hit the enterprise sector, and most enterprise users have at least some security. Office is more likely to be patched by users, and there were fewer vulnerabilities.

    Most users don't have the latest version of Acrobat or Flash. They affect home and enterprise users.

    Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an afterthought.

    For Windows users, I often recommend they swap Acrobat for a free reader like Sumo or Foxit, which is smaller, faster, and has fewer vulnerabilities. Sadly, there aren't many GOOD Flash alternatives.

    I really hope HTML 5 phases out the popularity of Flash.

  • Re:WTF (Score:3, Informative)

    by Abcd1234 ( 188840 ) on Tuesday December 29, 2009 @01:51PM (#30584020) Homepage

    Don't be silly, buffer overflows can happen anywhere. Hell, IE has been compromised thanks to a b0rked JPEG decoder in GDI+, ffs.

    That said, Adobe has certainly made their job harder by including a full-blown ECMAScript engine in acroread. But even without that, the ubiquity of Flash and Reader makes them ideal targets for hackers, thus further illustrating why software monoculture is a bad thing.

  • by VanessaE ( 970834 ) on Tuesday December 29, 2009 @02:04PM (#30584170)

    Tubestop [mozilla.org] is your friend (tm).

  • by causality ( 777677 ) on Tuesday December 29, 2009 @02:20PM (#30584366)

    What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

    I would imagine that if Flash etc. became poor enough in terms of security we'd see more attention on projects like Gnash [gnashdev.org].

    No joke. Even if they are absolutely equally secure, Gnash provides source code. You can build that source with SSP (or equivalent) [wikipedia.org]. You can also build it as PIC [wikipedia.org] and apply many other restrictions with a PaX [wikipedia.org] and/or Grsecurity kernel [wikipedia.org]. All of these will reduce the chances that a known vulnerability will lead to a successful exploit. Specifically, a known vulnerability that would normally allow an attacker to run arbitrary code stands a good chance of merely crashing the application.

    You just don't have options like this with binary blobs. I really would like to see more development of Gnash, as it seems that Adobe Flash is on a downhill course in terms of security and will continue to be a problem. Source code is about freedom and control. With such control, you can take steps to manage a risk even if you cannot perfectly mitigate it.

  • by Jeng ( 926980 ) on Tuesday December 29, 2009 @02:43PM (#30584670)

    You might update, but "people" are stupid and do not.
    "People" tend to minimize or close anything that pops up in between start up and opening the app that one started the computer to use. Whether it be windows update, virus scan update, or updates of nagging software. Of those three the updates of nagging software will be the most likely to just be closed without any update taking place.

  • by Anonymous Coward on Tuesday December 29, 2009 @03:13PM (#30585038)

    No, but reader == reader. From the summary, "we anticipate Adobe software, especially Acrobat Reader and Flash"

  • Re:Yuh huh (Score:3, Informative)

    by causality ( 777677 ) on Tuesday December 29, 2009 @03:25PM (#30585202)

    That would be the right time, yes. But actually, the problem with today's systems is not so much the OS as the applications that run on it. Almost every self-respecting OS has an auto-update function that works more or less well. Unless you are a paranoid schizophrenic who updates the OS manually (forgetting to do it now and then), the OS is relatively secure. The problem is the applications. Now tell me, how many of us run to download a new Java machine, or a new Acrobat Reader, or a new Cobian Backup, or a new WinAmp when a vulnerability is discovered in any of those products? Hell, you will be lucky if you even get to know that a new vulnerability was found in your faithful uTorrent... So when you get pwned, what's the first thing the user blames? The OS, of course...

    At work we had a Windows Server 2008 hacked. It was killing the whole network, sending spam and trying to infect other machines in our AD. Our boss was already blaming Bill Gates' mother... On closer inspection, the problem was discovered. The system was running a quite old version of WebBoard (a system for collaboration, which was developed originally by O'Reilly). The firewall had port 8080 open to allow users to connect. Some people discovered the open port, found out that WebBoard was running, and took advantage of the vulnerability to upload and run malicious code on the server. Because WebBoard is a service running as the System account, you can imagine what happened there. Did our IT manager know about this vulnerability? Not at all, even though it was fixed in a later build.... How many "forgotten" programs and non-OS-related services do people have running on their machines, unpatched and unattended? Think about this...

    Perhaps the OS deserves some blame (kneejerk types, note that some != all). On Windows there is no equivalent to the various centralized package managers that come with standard Linux distributions. You cannot go to one place and run one program and simultaneously update every last application installed. The biggest obstacle seems to be the copyright restrictions that prevent the redistribution of most Windows software. But for whatever reason, on Windows, every last application is on its own and must make provisions for its own updates. If it doesn't, or if the user gets tired of dialogs popping up and just wants to get rid of them, then you get the scenario you describe. On a Linux- or BSD-style system, WebBoard would be a package like any other and would be regularly updated as part of your routine system maintenance.

  • Re:Yuh huh (Score:3, Informative)

    by KiloByte ( 825081 ) on Tuesday December 29, 2009 @04:05PM (#30585764)

    You see, somehow this isn't an issue on other OSes. Why? Because there's a unified update mechanism that can be used by any program.

    In addition, most available software is packaged in a big repository with security support, and if you use third-party repositories, they can use the mechanism as well. On Windows, though, every program has to implement its own update -- some do, like Firefox, Thunderbird, WinAmp or Java, but the vast majority lacks it. And even those few with an auto-update function have it in an inconsistent manner, requiring user intervention as well.

    So your boss was right, Bill Gates' mother does have some guilt for the intrusion into your server.

  • Re:Yuh huh (Score:1, Informative)

    by Anonymous Coward on Tuesday December 29, 2009 @04:53PM (#30586356)

    Applications? What about OSes that don't stop the applications from doing stupid things? Like running past the end of a buffer and shitting all over your executable code? The application should crash because the OS said fuck no, you can't do that. The application should check its bounds to prevent the application from crashing, not to do the OS's job of preventing the entire system from being owned. If you don't think it's the OS's job to manage memory, your standards are a bit low.

    Seriously click ===> NX_bit [wikipedia.org] and find out what Windows has been fucking up for ages.

    Don't get me wrong, there are lots of shitty applications but don't exclude the OS from blame. Microsoft has been blaming 3rd party applications since the DOS era when they actually could have made the case.

    Like I said applications aren't off the hook. There are plenty of free tools out there to tell you how fucked up and stupid bad you are at coding. As a developer you should use them until you reach the conceited conclusion that you're better at it than the tools are. Oh, I'm sorry if your expensive development suite doesn't provide these tools out of the box but did I mention they're free?
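Two of the mitigations argued over in this thread, the NX bit in the comment just above and the PIC/PIE build option in causality's Gnash comment, can be probed from inside a running process. The program below is an added example written for this page; it is not code from the thread or from Adobe, Gnash, PaX or any other project named here. It assumes Linux with glibc on x86-64 or AArch64 and a mounted /proc. It forks a child that jumps into a read-write anonymous page (which an NX-enforcing kernel kills with SIGSEGV), repeats the jump after mprotect() has made the page read-execute (which should run, since W^X rather than "never execute" is the goal), and reads the ELF header of /proc/self/exe to see whether the binary was linked position-independent, which is what lets ASLR randomise the main image.

```c
/* Added example (not from the thread): probe two exploit mitigations from
 * inside a running process. Assumes Linux/glibc on x86-64 or AArch64.
 *   - NX/DEP: does a jump into a read-write (non-executable) anonymous
 *     mapping get killed with SIGSEGV, and do the same bytes run once the
 *     mapping has been made read-execute with mprotect()?
 *   - PIE:    was this executable linked position-independent (ET_DYN)?
 */
#define _GNU_SOURCE
#include <elf.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Encoding of a bare "return": if the jump into the buffer is allowed to
 * run, control comes straight back instead of doing anything else. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xc3 };                     /* ret */
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xc0, 0x03, 0x5f, 0xd6 };   /* ret, little-endian */
#else
#error "add the 'ret' encoding for this architecture"
#endif

enum probe_result { PROBE_RAN = 0, PROBE_SEGV = 1, PROBE_OTHER = 2 };

/* Fork a child that copies RET_INSN into a fresh RW anonymous page, optionally
 * flips the page to RX, and jumps into it. The probe runs in a child so the
 * expected crash does not take down the caller. */
static enum probe_result run_from_mapping(int make_exec)
{
    pid_t pid = fork();
    if (pid < 0) return PROBE_OTHER;
    if (pid == 0) {
        size_t len = (size_t)sysconf(_SC_PAGESIZE);
        void *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (page == MAP_FAILED) _exit(3);
        memcpy(page, RET_INSN, sizeof RET_INSN);
        if (make_exec && mprotect(page, len, PROT_READ | PROT_EXEC) != 0) _exit(3);
        __builtin___clear_cache((char *)page, (char *)page + len); /* I-cache sync on AArch64 */
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* object -> function pointer without a cast warning */
        fn();                            /* faults on an NX-enforcing kernel unless make_exec */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return PROBE_OTHER;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return PROBE_RAN;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV) return PROBE_SEGV;
    return PROBE_OTHER;
}

/* 1 if executing from a writable, non-executable mapping is refused. */
int nx_enforced(void)     { return run_from_mapping(0) == PROBE_SEGV; }

/* 1 if the same bytes run once the page is explicitly made RX: the route a
 * JIT takes, and why W^X rather than "no exec ever" is the goal. */
int rx_mapping_runs(void) { return run_from_mapping(1) == PROBE_RAN; }

/* 1 if /proc/self/exe is ET_DYN (PIE), 0 if ET_EXEC (fixed load address),
 * -1 if the header cannot be read. Only the first 18 bytes are needed:
 * e_ident[16] followed by the 16-bit e_type, laid out the same in ELF32/ELF64. */
int is_pie(void)
{
    unsigned char hdr[EI_NIDENT + 2];
    FILE *f = fopen("/proc/self/exe", "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    if (n != sizeof hdr || memcmp(hdr, ELFMAG, SELFMAG) != 0) return -1;
    unsigned type = hdr[EI_DATA] == ELFDATA2LSB
        ? ((unsigned)hdr[16] | (unsigned)hdr[17] << 8)
        : ((unsigned)hdr[16] << 8 | (unsigned)hdr[17]);
    if (type == ET_DYN)  return 1;
    if (type == ET_EXEC) return 0;
    return -1;
}

int main(void)
{
    printf("NX enforced on RW mapping : %s\n", nx_enforced() ? "yes" : "NO");
    printf("RX mapping runs           : %s\n", rx_mapping_runs() ? "yes" : "NO");
    int pie = is_pie();
    printf("Executable is PIE         : %s\n",
           pie == 1 ? "yes" : pie == 0 ? "NO (ET_EXEC)" : "unknown");
    return 0;
}
```

Build it twice, once with `gcc probe.c -o probe` and once with `gcc -fPIE -pie probe.c -o probe`, to see the PIE line flip while the two NX lines stay the same: the NX result is the kernel's doing and cannot be fixed or broken by how the application was compiled, which is the distinction the comment above is drawing. A hardened kernel of the PaX kind would additionally make the RX probe fail, since it refuses to let a page that was ever writable become executable.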

  • Re:Yuh huh (Score:1, Informative)

    by Anonymous Coward on Tuesday December 29, 2009 @05:50PM (#30587034)

    Uhm... Wordpress is here [debian.org]. And the security team has to watch vulnerability disclosure lists, precisely so you don't have to. That's the advantage of using packaged software. The time gap is small enough that there is little benefit in doing that work yourself -- and the security team has way better skills than your average sysadmin.

    A "vendor" that does not respond to published vulnerabilities is one no one would take seriously. If you use a distribution which does that, drop it immediately!
