Adobe Flash To Be Top Hacker Target In 2010

An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"

Acrobat and Flash

[Enderandrew]

Acrobat and Flash vulnerabilities were two of the biggest issues I saw in 2009, even more than Office vulnerabilities.

For one, Office only seems to hit the enterprise sector, and most enterprise users have at least some security. Office is more likely to be patched by users, and there were fewer vulnerabilities.

Most users don't have the latest version of Acrobat or Flash. They effect home and enterprise users.

Even more alarming, it seems that Flash vulnerabilities are one of the biggest weaknesses on Mac and Linux, where security is an after-thought.

For Windows users, I often recommend they swap Acrobat with a free reader like Sumo or Foxit, which is smaller, faster, and has less vulnerabilities. Sadly, there aren't many GOOD Flash alternatives.

I really hope HTML 5 phases out the popularity of Flash.

Oh, the irony!

[Locke2005]

"We predict that Acrobat Reader will be the top hacker target in 2010, and that is why we are distributing our report in a format that can only be viewed by using Acrobat Reader!"

Re:Yuh huh

[El+Lobo]

That would be the right time, yes. But actually, the problem with todays systems is not as much the OS as the applications that run on it. Almost every self-respecting OS has an Auto-update function that works more or less well. Unless you are a paranoid schizophrenic that update the OS manually (forgetting to do it now and then), the OS is relatively secure. The problem are the applications. Now tell me, how many of us run to download a new Java machine or a new Acrobat reader, or a new Cobian Backup, or a new WinAmp when a vulnerability is discovered on any of those products. Hell you will be lucky if you even get to know that a new vulnerability was found on your faithful uTorrent... So when you get pwned, what's the first thing the user blame? The OS of course...

At work we had a Windows Server 2008 hacked. It was killing the whole network sending spam and trying to infect other machines on our AD. Our boss was already blaming Bill Gate's mother ... On a closer inspection, the problem was discovered. The system was running a quite old version of WebBoard (a system for collaboration, which was developed originally by O'Reilly). The firewall has the port 8080 open to allow users to connect. Some people discovered the open port, found out that WebBoard was running, and took advantage of the vulnerability to upload and run malicious code on the server. Because WebBoard is a service, running as the System account, you can imagine what happened there. Did our IT manager know about this vulnerability. Not at all, even if it was fixed on a posterior build.... How many "forgotten" programs, and non-OS related services do people have running in their machines, unpatched and unattended? Think about this...