Adobe warned a few days ago that an internal server with access to its digital certificate code signing infrastructure was hacked. This resulted in at least two malicious files being distributed that were digitally signed with a valid Adobe certificate.
If you take the numbers published by Secunia, a security/patch management software vendor, Adobe ranks pretty high in the list of companies with reported vulnerabilities – especially when taking into account that it is only two core products in the case of Adobe (Adobe Reader and Adobe Flash Player), compared to the broad portfolio of either Oracle or Microsoft. When looking at “genuine vulnerabilities”, Adobe ranks 5th behind Oracle, Apple, Microsoft, and Google. The Secunia analysis also lists the Top 50 software portfolio, with Adobe Flash Player ranking 4th and Adobe Reader ranking 8th. Unfortunately, these are the two programs within the top ten of that list with the highest number of exploited critical vulnerabilities.
Another aspect when looking at Adobe from the security perspective is patch management. In Adobe’s case, this is cumbersome. Furthermore, Adobe has started (with their last patch for the Adobe Flash Player) to install Google Chrome and the Google toolbar without user consent – at least that’s what happened on my system. I had to manually uninstall both components afterwards.
So what we see is a mix of
- a massive number of vulnerabilities
- a disputable approach on patch management
- successful attacks to a critical internal security infrastructure
Did Adobe inform anyone promptly about the malicious files? No, they didn’t. The issue dates back to early July. Adobe claims that they took immediate internal actions including a clean-room implementation of the code signing infrastructure. Maybe they should have taken actions before, to avoid such attacks or to at least detect it when it happens and not after malicious code appears on the Internet.
I just recently blogged about the security issue in Microsoft Internet Explorer. The Adobe approach to security managementalso falls more obviously in the category of “security by obfuscation”. I don’t think that this is the right way to act, especially in case of a software vendor who provides software that ranks amongst the top ten within the average corporate software portfolio.
Taking all these points, then it is past the time that Adobe should start to act far more professionally in their security management and their patch management. Open and timely information, a simplified patch management methodology, and minimal patches without additional software are the minimum requirements – together with an internal IT security approach that is good enough for today’s “advanced persistent threat” types of attacks.