English   Deutsch   Русский   中文    

Adobe - your biggest security risk?

Oct 04, 2012 by Martin Kuppinger

Adobe warned a few days ago  that an internal server with access to its digital certificate code signing infrastructure was hacked. This resulted in at least two malicious files being distributed that were digitally signed with a valid Adobe certificate.

If you take the numbers published by Secunia, a security/patch management software vendor, Adobe ranks pretty high in the list of companies with reported vulnerabilities – especially when taking into account that it is only two core products in the case of Adobe (Adobe Reader and Adobe Flash Player), compared to the broad portfolio of either Oracle or Microsoft. When looking at “genuine vulnerabilities”, Adobe ranks 5th behind Oracle, Apple, Microsoft, and Google. The Secunia analysis also lists the Top 50 software portfolio, with Adobe Flash Player ranking 4th and Adobe Reader ranking 8th. Unfortunately, these are the two programs within the top ten of that list with the highest number of exploited critical vulnerabilities.

Another aspect when looking at Adobe from the security perspective  is  patch management. In Adobe’s case, this is cumbersome. Furthermore, Adobe has started (with their last patch for the Adobe Flash Player) to install Google Chrome and the Google toolbar without user consent – at least that’s what happened on my system. I had to manually uninstall both components afterwards.

So what we see is a mix of

  • a massive number of vulnerabilities
  • a disputable approach on patch management
  • successful attacks to a critical internal  security infrastructure
Does Adobe deal with that situation like customers would expect? You might say “yes” given that expectations might be very low. However, when looking at what we should expect from a professional software vendor, there are massive shortfalls.

Did Adobe inform anyone promptly about the malicious files? No, they didn’t. The issue dates back to early July. Adobe claims that they took immediate internal actions including a clean-room implementation of the code signing infrastructure. Maybe they should have taken actions before, to avoid such attacks or to at least detect it when it happens and not after malicious code appears on the Internet.

I just recently blogged about the security issue in Microsoft Internet Explorer. The Adobe approach to security managementalso  falls more obviously in the category of “security by obfuscation”. I don’t think that this is the right way to act, especially in case of a software vendor who provides software that ranks amongst the top ten within the average corporate software portfolio.

Taking all these points, then it is past the time that Adobe should start to act far more professionally in their security management and their patch management. Open and timely information, a simplified patch management methodology, and minimal patches without additional software are the minimum requirements – together with an internal IT security approach that is good enough for today’s “advanced persistent threat” types of attacks.

Google+

top
Author info

Martin Kuppinger
Founder and Principal Analyst
Profile | All posts
KuppingerCole Blog
By:
KuppingerCole Select
Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.
Register now
Spotlight
Operational Technology / Industry 4.0
Industry 4.0 is the German government’s strategy to promote the computerization of the manufacturing industry. This strategy foresees that industrial production in the future will be based on highly flexible mass production processes that allow rich customization of products.
KuppingerCole Services
KuppingerCole offers clients a wide range of reports, consulting options and events enabling aimed at providing companies and organizations with a clear understanding of both technology and markets.
Links
 KuppingerCole News

 KuppingerCole on Facebook

 KuppingerCole on Twitter

 KuppingerCole on Google+

 KuppingerCole on YouTube

 KuppingerCole at LinkedIn

 Our group at LinkedIn

 Our group at Xing
Imprint       General Terms and Conditions       Terms of Use       Privacy policy
© 2003-2015 KuppingerCole