Security

Adobe Flash To Be Top Hacker Target In 2010 180

An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"

  • Yuh huh (Score:3, Insightful)

    by Anonymous Coward on Tuesday December 29, 2009 @01:24PM (#30583668)
    Let me guess, Microsoft are just ready to offer the solution in the form of Silverlight, right?
  • by fprintf ( 82740 ) on Tuesday December 29, 2009 @01:29PM (#30583738) Journal

    With the recent popularity of Apple products and other internet surfing enabled devices, this is all about infecting the most machines possible. Previously that was easily accomplished by targeting the most popular devices - Windows PCs. But now there are even more targets available and most of them run Adobe Reader and Flash.

    What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

  • by El Capitaine ( 973850 ) on Tuesday December 29, 2009 @01:47PM (#30583960)
    No, what will happen is that the Macs, Linux, smartphones, etc. will still be praised as incredibly secure, and it will just be Adobe's fault. Nobody likes to take the blame or admit that their favorite platform isn't what they said it was, but everyone loves to insult Flash.
  • by jrozzi ( 1279772 ) on Tuesday December 29, 2009 @01:54PM (#30584050)
    Developers can stop using flash and end-users should uninstall it. There is already a solution out there and it is called javascript. 90% of the things you can do in flash can easily be done using javascript, jquery, or some other javascript framework. For the remaining 10%, HTML 5 will be able to handle most of it (canvas tag, videos, better form support, etc), and the remainder of things that javascript/html can't do that flash can do (if there is anything), is not even worth implementing in a website. Since javascript and HTML are all open and much easier to work with, I foresee flash and silverlight on the decline. This especially holds true when HTML 5 is fully supported in most people's browsers.
  • Re:Yuh huh (Score:5, Insightful)

    by El Lobo ( 994537 ) * on Tuesday December 29, 2009 @02:18PM (#30584334)
    That would be the right time, yes. But actually, the problem with today's systems is not as much the OS as the applications that run on it. Almost every self-respecting OS has an Auto-update function that works more or less well. Unless you are a paranoid schizophrenic who updates the OS manually (forgetting to do it now and then), the OS is relatively secure. The problem is the applications. Now tell me, how many of us run to download a new Java machine or a new Acrobat reader, or a new Cobian Backup, or a new WinAmp when a vulnerability is discovered on any of those products? Hell, you will be lucky if you even get to know that a new vulnerability was found on your faithful uTorrent... So when you get pwned, what's the first thing the user blames? The OS of course...

    At work we had a Windows Server 2008 hacked. It was killing the whole network sending spam and trying to infect other machines on our AD. Our boss was already blaming Bill Gates's mother ... On a closer inspection, the problem was discovered. The system was running a quite old version of WebBoard (a system for collaboration, which was developed originally by O'Reilly). The firewall has the port 8080 open to allow users to connect. Some people discovered the open port, found out that WebBoard was running, and took advantage of the vulnerability to upload and run malicious code on the server. Because WebBoard is a service, running as the System account, you can imagine what happened there. Did our IT manager know about this vulnerability? Not at all, even if it was fixed on a posterior build.... How many "forgotten" programs, and non-OS related services do people have running in their machines, unpatched and unattended? Think about this...

  • by Paradigm_Complex ( 968558 ) on Tuesday December 29, 2009 @02:26PM (#30584462)

    What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

    I can't speak for Macs or smartphones (who gloats over the security of smartphones? Things like the amount of iPhone jailbreaking going on or the T-Mobile Sidekick crash make it pretty clear smartphones have issues...), but Linux is still more secure than Windows in this respect. There are numerous ways to isolate the damage that could be done from a hole in flash. MAC like SELinux or AppArmor are perfect for this, and Windows still doesn't have a competent MAC implementation (MIC is insufficient). There are ways to sandbox firefox without MAC, too, such as setting everything up to sudo to another user every time firefox is called. There are a LOT of ways to deal with this.

    Now, all of these take some work on the user's part. Stupid/lazy Windows users can be pwned just as badly as stupid/lazy Linux people. But it's not as though a competent individual is just as badly off on both platforms... Linux has solutions for dealing with untrusted things like flash where Windows does not. If you actually and actively care about security, you can continue to gloat about Linux's superiority in this respect. If you're too lazy to take security seriously, you can be pwned on both counts.

  • by CodeBuster ( 516420 ) on Tuesday December 29, 2009 @08:03PM (#30588854)
    There are other issues which make security more than simply a technical problem in commercial closed source products like Flash. Sometimes a bug is not fixed because management feels that "nobody cares" or "users won't notice" and so they order the devs to ignore it to "cut costs" and "save money". At other times, security is thought (by managers) to make the product "user unfriendly" or "too hard" to use. I have heard of projects where the devs were deliberately ordered to remove security features because they weren't "easy to use". This is one area where open source projects like Linux consistently do better (i.e. quality and security) whereas closed source products tend to get the chrome and polish done, but fail the quality and security tests. Some rare companies, Apple being the canonical example, do both well but then it sure doesn't come cheap.
