Slashdot Mirror
Adobe Flash To Be Top Hacker Target In 2010
An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"
With the recent popularity of Apple products and other internet surfing enabled devices, this is all about infecting the most machines possible. Previously that was easily accomplished by targeting the most popular devices - Windows PCs. But now there are even more targets available and most of them run Adobe Reader and Flash.
What happens to all the folks (us?) who have been gloating over the security of our Macs, Linux, smartphones etc. when these apps get broken? Time to eat crow?
This post brought to you by your friendly neighborhood MBA.
Acrobat and Flash vulnerabilities were two of the biggest issues I saw in 2009, even more than Office vulnerabilities.
For one, Office only seems to hit the enterprise sector, and most enterprise users have at least some security. Office is more likely to be patched by users, and there were fewer vulnerabilities.
Most users don't have the latest version of Acrobat or Flash. They effect home and enterprise users.
Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an after-thought.
For Windows users, I often recommend they swap Acrobat with a free reader like Sumo or Foxit, which is smaller, faster, and has less vulnerabilities. Sadly, there aren't many GOOD Flash alternatives.
I really hope HTML 5 phases out the popularity of Flash.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
"We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Does anyone else see the irony that the white paper is in Adobe PDF format and most people will be reading about Adobe Reader vulnerabilities IN Adobe Reader?
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
There is already a solution out there and it is called javascript. 90% of the things you can do in flash can easily be done using javascript, jquery, or some other javascript framework.
The problem with your statement is you assume the Flash content creators are programmers with enough free time. In reality, many of them have degrees in communications or visual arts or are just programmers who want a quick and easy tool for throwing together some quick video/UI content for the Web. From what I've seen, the decently made tools to create such content are mostly created by Adobe and focused on Flash. Unless a company steps up and creates equivalent tools for HTML5 and javascript and those tools gain a significant market share and momentum and ecosystem, I see Flash remaining dominant, with MS gobbling up a smaller share.
Besides couple of security issues which are only fixed by disabling javascript in Adobe Reader EXISTS today, scheduled to be fixed in 15 days, here are 2 examples of the culture who actually develops/packages the OS X version.
First, this is what you will see in your system.log, whatever browser you use:
[0x0-0x1f01f].com.operasoftware.Opera[157]: Debugger() was called
This is the current flash, released just weeks ago. This is a packaging issue which nobody than a complete newbie would do. They forgot the damn debugger symbol in final binary they ship to millions. I also heard if you are a unlucky developer who has XCode open at the time when you go to a site featuring Flash, that "call" may actually break your own application's tests or running "from there". Amazingly stupid eh? This has been reported to Adobe by many people, users like me, Developers getting hit, Browser vendors/developers (guess who users contact&blame when they see browser name?) and they keep that debug symbol, even ignoring the latest chance to get rid of it weeks ago.
Want to see more? Here is a bug reported for ages, years, since early OS X days. Disk permissions broken while installing Flash. This is some amazing thing which even Apple is constantly bugged about and one of the perfectly valid excuses of "permission repairer" people on OS X land. Of course, as Apple really secured the permission repair process meaning hundreds of thousands of files will be validated before "repair", it also means 20 mins of a insanely system loading process even on highest end machine. I actually had access to a opto xeon (8x xeon) machine with 16 GB of RAM and just fired up "repair permissions" just to see if it is effected by CPU/RAM specs. No, still 13 mins.
No need to paste 10s of lines mentioning very stupidly wrongly set permissions. Note that it is also Apple to blame a little, perhaps Adobe could care if they had a bug report coming from @apple.com having thousands of user feedback attached. If I know Apple enough, they must have reported it to Adobe several times since their bug reporter department even finds shareware vendors from web once they spot that their application causes the issue. So, chances are high that these pathetic idiots also ignores Apple Inc. themselves reporting issues, no matter how trivial they are.
So, Adobe needs to do debugger symbol, permissions cleanups or they must get rid of the idiots who forgets a debugger symbol in a final product used by millions and can continue living their lives as nothing happened.
PS: Intego, Symantec... Do you read these stories? MCafee, do you read your own white papers? Is the code which will check the swf files on the fly up and running? Or are you still developing sigs for imaginary threats and impossible to run Word macros? Don't blame people when they call you snake oil seller if it is the case.
At work we had a Windows Server 2008 hacked. It was killing the whole network sending spam and trying to infect other machines on our AD. Our boss was already blaming Bill Gate's mother ... On a closer inspection, the problem was discovered. The system was running a quite old version of WebBoard (a system for collaboration, which was developed originally by O'Reilly). The firewall has the port 8080 open to allow users to connect. Some people discovered the open port, found out that WebBoard was running, and took advantage of the vulnerability to upload and run malicious code on the server. Because WebBoard is a service, running as the System account, you can imagine what happened there. Did our IT manager know about this vulnerability. Not at all, even if it was fixed on a posterior build.... How many "forgotten" programs, and non-OS related services do people have running in their machines, unpatched and unattended? Think about this...
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
Unless you drug the IT departments of major media sites to go back to 1990s while H264 exists and H265 is being mentioned, HTML5 can't replace Flash.
It is the codec, the stupid fanaticism about "open codecs" to a degree of inviting Apple to jump to VP3 while they spent billions for H264 and the damn MP4 is being lite version of their OWN container, Mov.
For terabyte/petabyte sized media outlets, changing the codec means millions of real World money, not some "everything should be open" dreamer's money. In real World media, you even keep U-Matic players from 1970s maintained since in one occasion, you may need that archive tape from 1970s which haven't been digitized since it is part of your millions of hours archive which may be rarely (once a month) used.
HTML5 designers should really visit a major TV studio to see how things are really done, why you must do some insanely great progress to convince the people to switch, how TV and Video guys doesn't give a heck to "patent" problem as long as multiple vendors/documented standards/EBU etc. approvals exist.