Slashdot Mirror


Adobe Flash To Be Top Hacker Target In 2010

An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"

2 of 180 comments

  1. Acrobat and Flash by Enderandrew · · Score: 5, Informative

    Acrobat and Flash vulnerabilities were two of the biggest issues I saw in 2009, even more than Office vulnerabilities.

    For one, Office only seems to hit the enterprise sector, and most enterprise users have at least some security. Office is more likely to be patched by users, and there were fewer vulnerabilities.

    Most users don't have the latest version of Acrobat or Flash. They affect home and enterprise users.

    Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an afterthought.

    For Windows users, I often recommend they swap Acrobat with a free reader like Sumo or Foxit, which is smaller, faster, and has fewer vulnerabilities. Sadly, there aren't many GOOD Flash alternatives.

    I really hope HTML 5 phases out the popularity of Flash.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  2. Re:This is about finding a common infection point by causality · · Score: 4, Informative

    What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?

    I would imagine that if Flash etc. became poor enough in terms of security we'd see more attention on projects like Gnash.

    No joke. Even if they are absolutely equally secure, Gnash provides source code. You can build that source with SSP (or equivalent). You can also build it as PIC and apply many other restrictions with a PaX and/or Grsecurity kernel. All of these will reduce the chances that a known vulnerability will lead to a successful exploit. Specifically, a known vulnerability that would normally allow an attacker to run arbitrary code stands a good chance of merely crashing the application.

    You just don't have options like this with binary blobs. I really would like to see more development of Gnash, as it seems that Adobe Flash is on a downhill course in terms of security and will continue to be a problem. Source code is about freedom and control. With such control, you can take steps to manage a risk even if you cannot perfectly mitigate it.

    --
    It is a miracle that curiosity survives formal education. - Einstein
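
One way to confirm that a self-built binary actually carries the build-time hardening named in the comment above (SSP, position-independent code), as an added example that is not part of the original thread or of Gnash. The function name, the output format and the two `readelf` excerpts are constructed for illustration; kernel-side restrictions such as PaX or Grsecurity are not visible in the ELF file and are not checked.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the text output of
#   readelf -W -h -l --dyn-syms /path/to/binary
# on stdin and reports which build-time hardening features are visible.
audit_hardening() {
    awk '
        function yn(v) { return v ? "yes" : "no" }
        # ET_DYN: position-independent executable (also true for shared libraries)
        /^ *Type:/         { pie = ($2 == "DYN") }
        # Stack is non-executable when GNU_STACK exists and its flags lack E
        $1 == "GNU_STACK"  { nx = ($(NF-1) !~ /E/) }
        $1 == "GNU_RELRO"  { relro = 1 }
        # SSP-instrumented code calls __stack_chk_fail when the canary is clobbered;
        # a statically linked binary will not show it in the dynamic symbols
        /__stack_chk_fail/ { ssp = 1 }
        END { printf "ssp=%s pie=%s nx=%s relro=%s\n", yn(ssp), yn(pie), yn(nx), yn(relro) }
    '
}

# Constructed readelf excerpts: a hardened build and an unhardened one.
sample_hardened() { cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
EOF
}
sample_plain() { cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
EOF
}

sample_hardened | audit_hardening
sample_plain    | audit_hardening
```

With GCC, the hardened profile corresponds to building with options such as `-fstack-protector-all` and `-fPIE -pie`.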