Adobe: We know we're hackers' favorite target
6/07/2010 01:09:00 AM
kenmouse
, Posted in
But it's making the right moves to shut the door on attackers, say expertsAdobe knows there's a target on its back. But it's OK with that.
"We're in the security spotlight right now," said Brad Arkin, Adobe's director for product security and privacy, in an interview this week. "There's no denying that the security community is really focused on ubiquitous third-party products like ours. We're cross-platform, on all these different kinds of devices, so yes, we're in the spotlight."
Arkin's right: Some Adobe software, especially the free Adobe Reader PDF viewer and the also-free Flash media player, are not only in the security spotlight but also in hackers' cross hairs.
According to Finnish antivirus company F-Secure, 61% of all targeted attacks -- ones purposefully aimed at specific individuals or businesses to break into company networks -- in the first two months of 2010 exploited a bug in Reader. Rival security firm McAfee, meanwhile, estimated that 28% of all exploit-carrying malware in the first quarter of this year leveraged a Reader vulnerability.
Arkin may not be happy that his company's software has become popular with the wrong crowd -- hackers, identity and information thieves, and other cybercriminals -- but he sees a silver lining.
"We're getting more bug reports than we were a year ago," Arkin said, referring to the information that security researchers submit to Adobe when they believe they've uncovered a software vulnerability. "That's a function of the fact that we have ubiquitous software and the complete attention from the security community. And that means there are a lot more eyeballs on us than on other software that does the same things [as Reader and Flash]."
And Arkin welcomes those eyeballs.
"We're thrilled when someone shares [vulnerability] information with us responsibly," he said, referring to bug reports submitted privately, thus giving a vendor time to patch the problem before news about it is released publicly. "That's one less potential vulnerability that could be used by the bad guys."
Adobe is doing more than waiting for bug reports, said Arkin, who pointed to the security moves the company has made in the past year.
Among those changes: an increased emphasis throughout the company on writing more-secure code, an improved update tool for Adobe Reader, faster response to zero-day vulnerability disclosures, and some new -- and upcoming -- security features within Reader.
Adobe now develops code under what it calls its Secure Product Lifecycle (SPLC), an approach similar to Microsoft's much-better-known Software Development Lifecycle (SDL), which involves several security-specific steps that programmers go through to make their software less likely to harbor bugs.
"The [SPLC] impact has been huge," said Arkin. "At this point, my central security team doesn't do any of the actual work. We just prod and evangelize throughout the company. Now the product [development] teams understand the motivations behind what we're asking for."
The revised updater, which Adobe switched on in April for Reader, has also had a big impact on security, Arkin contended. Although the new tool's silent updating made the most news -- currently, users must manually toggle that on -- revisions to its user interface and "update now" prompts have helped Reader's user base get the latest update much sooner than they typically would under the old update system.
"It seems to be working really well," said Arkin, who credited the revamped UI for the boost in updating speed.
"Our long-term goal is that eventually the majority of the [Reader] user base will have updating on automatic, but it's not going to happen overnight," Arkin said. At some point -- though not next month, when Adobe issues its regularly scheduled Reader security patches -- users will be prompted to switch to silent updating. Arkin declined to set a timeline for the prompting, saying Adobe is still working through the legalities associated with various countries' requirements on prompting language and default settings.
He also touted Adobe's faster response to zero-day vulnerabilities -- bugs that are disclosed and then exploited before a patch is available. "We've improved our processes so we can turn around [patches] faster," he claimed, citing three instances in 2009 when patches were issued within 15 days of a flaw going public.
If Adobe's situation sounds familiar, it should, security experts said: Adobe's essentially in the same place Microsoft was several years ago.
"It took the Code Red/Nimda damage to get Microsoft to move back then [in 2001]," said John Pescatore, a Gartner analyst who covers security for the research firm. "It has taken all the recent attacks compromising Adobe customers through Adobe software to get Adobe to move."
The Code Red and Nimda worms, which spread lightning-quick and infected millions of Windows PCs in 2001, are often given credit for making Microsoft wake up and smell the security coffee. Three years later, Microsoft delivered Windows XP Service Pack 2, a revamped version of the operating system that emphasized several major security features.
"What Adobe's experiencing now is what Microsoft went through years ago," echoed Andrew Storms, the director of security operations at nCircle Security. "From one perspective, Adobe can look at what Microsoft did and use it as a learning experience. On the other hand, so can everybody else. That's why Adobe is more susceptible to criticism, because they weren't the first to go through this. Someone else had stepped up and led the charge."
Both Pescatore and Storms agree that Adobe is taking the right steps, although the security efforts will take time to show results. "They're making major strides in security life-cycle work and in improving their response time," said Pescatore. "The company now seems to be emphasizing security and making it an important part of when they ship products. But they should be able to show results faster than did Microsoft, because they're not an operating system developer."
Even so, Adobe deserves the hammering it's gotten over security, he contends. "It's fair to criticize, because you shouldn't wait until your product causes your customers pain before you act. Every software company that doesn't practice proactive security deserves to be criticized."
0 Response to "Adobe: We know we're hackers' favorite target"
Post a Comment
Leave Your Thoughts & We Will Discuss Together