Quantcast

The Biggest Security Hole on the Web?

Security Company Points to Flash/Acrobat Reader Vulnerabilities

Get the WebProNews Newsletter:
[ Business]

Two weeks ago, Adobe released a critical patch for Flash Player and Acrobat Reader. According to online security company Trusteer, about 80% of users are still vulnerable, and perhaps more startling, the company views this as being possibly the biggest security hole on the Internet today.

That 80% figure is based on Trusteer’s installed base of over 2.5 million online banking users of the company’s security service.

"The penetration of Adobe Flash and Acrobat is unparalleled," a spokesperson for Trusteer tells WebProNews. "According to Adobe, 99% of Internet users run Flash.

Reader and FlashSo so many people on the web are running Flash, and Adobe released the patch two weeks ago, why are so many still vulnerable? Trusteer thinks Adobe just has issues with distributing patches.

"Adobe is facing some major security challenges and one of its biggest hurdles is its software update mechanism.  For some reason, it is not effective enough in distributing security patches to the field," says Trusteer CEO Mickey Boodaei. "Given the lack of attention this situation has received to date, it appears that few people understand the magnitude of the problem. We recommend that all enterprises and individuals install the latest Flash and Acrobat updates immediately."

Accoreding to Trusteer, targeting products like Flash and Acrobat is attractive to wrongdoers because they reach such a huge portion of Internet users. Browser use is much more diversified with Internet Explorer reaching about 65% of users and Firefox reaching 30%. Targeting Adobe’s products just covers a lot more people.

The Biggest Security Hole on the Web?
Top Rated White Papers and Resources
  • http://www.olgalazin.net olga

    It is indeed. All mac users are vulnerable?
    Thanx

    • http://www.rso.cc Liam

      Yes, Mac, Linux, and ofcourse Linux, or basically any OS with a browser and Flash are 100% vulnerable to attacks. BUT the attacks may be more limited per OS, as Linux is hard to do anything with w/o a root pass, Mac is generally the same, and Windows is quite easy to play around with.

      • Guest

        http://www.theregister.co.uk/2009/08/14/critical_linux_bug/

      • Guest

        A hacker has to find both a bug and the way to actually exploit it, but for both the browser and the operating system. Here is where Windows (Vista onwards) shines since it offers execution protection (not all memory is allowed to run code), randomized memory addresses, etc. This sandboxed model actually makes jumping from the browser to the OS much harder and thats why bugs on Windows nowadays cost at least 10k usd whereas similar ones for macos cost around 500 usd.

        The legacy of 10 years of unsecure Windows experience has left MS more security conscious (even though still vulnerable like any other software) that other companies that rely on obscurity or irrelevance to cover their bases.

      • Philip Daniels

        you might wanna read this Liam, a kernel bug that’s been there for 8 years, which kernel – the linux kernel

        http://www.theregister.co.uk/2009/08/14/critical_linux_bug/

  • Guest

    Haha, unlike windows and alike, Linux (Ubuntu at least) receives patches really fast. When the XML lib exploit was found it took only 3 days to get system update.

    So yeah, no system is completely secure but at least some provide patches as fast as it is humanly possible.

    But in a sense am glad more and more bugs are being found in Linux. Means it’s gaining more attention.

    If you ask me… Adobe just makes poor quality software. Linux version of it’s popular flash player is just terrible. Often if will eat all your memory, crash browser or just take too much CPU. Am not too surprised when I see reports like this.

    • UnremittingCoward

      Linux patches come out fast huh, like the ones for this defect you mean;
      it’s a kernel vulnerability that’s been there for what, only 8 years.

      http://www.theregister.co.uk/2009/08/14/critical_linux_bug/

      • Guest

        Linux patches come out fast once the patches are released. you cant expect patches to be delivered to your system before creating them… the kernel vulnerability was there for 8 yrs without known to anyone.. it was found only now and patch will be written soon and it reaches everyone soon

        • BoardHack

          The point is, the security hole was unkown to the general public for the last 8 years. This doesn’t mean that serious hackers weren’t aware of it and eploiting it for the better part of a decade. They most likely were. The more widespread an app is, the quicker an issue will be noticed, and the more pressing the onus will be to fix it.

    • http://www.contextsolutions.net Jim Keller

      Security vulnerabilities will continue to happen on all platforms, OSes, etc. It’s just a matter of being as proactive as possible in apply patches and updates as they’re made available.

      I really think comments like “Windows sucks” or “Adobe writes poor quality software” are just alarmist nonsense. At the moment, there is no comparable alternative to Windows for deploying a multi-site, centrally managed corporate network at a fortune 500 company. Also, if you can point me to products that do what Photoshop, Acrobat, Illustrator, and Flash do as well as they do, I’m all ears. And this is coming from someone who runs FreeBSD, CentOS, and Ubuntu regularly. It’s just a matter of using the *right* tool for the job and not being biased against MS or Adobe just because they’re big, scary companies.

  • slack7639

    Much exposure because their updates are difficult.
    You have to use their un-installer first:

    Download and use the Flash un-installer:
    http://kb2.adobe.com/cps/141/tn_14157.html

    Reboot to clear out any left over ocx files.

    Reinstall the latest Flash Player:
    http://www.adobe.com/software/flash/about/

    Re-run Secunia
    http://secunia.com/vulnerability_scanning/personal/

    • Guest

      This just confirms my belief – based on many years of experience – that Adobe creates garbage. The Adobe applications in general are bug ridden bloated beyond belief, cause many more problems on local machines that any other software vendor out there , and are difficult to update. Period.

    • http://www.toysonwheelsvariety.com ToyMan

      Thank you for the information. I am sure there are more people out there using it then just myself.

  • http://Lillicotch.com Jim L

    The security for all Adobe products needs quite a bit of help. Have you tried turning off Flash cookies? What a pain.

    Long ago I disabled JavaScript in Acrobat because I couldn’t think of one good reason why I would want it on and now every time I open the reader I get a warning that I can’t turn off. It tells me that JS is off and I should turn it back on. Who are they to tell me what I want?

    This has all left a very bad taste in my mouth for Adobe.

  • http://www.stonerscolony.com FaTe

    The article is only specifying Adobe as fault and while OS does vary the impact of the weakness the OS itself is not in question here, So why the mud throwing match. It would be stupid to assume that all software realised it totally secure and while the update measures for ensuring it stays safe suck that’s just about it.

  • HW

    Adobe released a patch or something last year that botched up my computer and I had to do a system restore to undo the damage. I’ve never accepted an adobe patch since then although it seems that this new thing is serious enough to give them another go.

    How do we get the patch to fix the securitty hole?

  • http://superdealshop.com Bryan Quinn

    A useful post and a revelation that will have caught many sleeping.

  • http://www.Tribal-Sports-Wear.net Hanes Beefy-T Fan

    I get such a kick out of this security stuff that happens on the net. Now don’t get me wrong internet security is a very serious issue. It’s just the fact that people get so surprised when a company or someone exposes a security hole in a piece of software or an OS. It’s actually an amazing thing that no matter how hard we try to make something secure, someone will come along and discover something the software engineer missed and exploit it. Though, this is bad and can have some major problems associated with it. It still shows just how creative and intelligent the human species has become. So just remember that locks are made to keep honest people honest. This message brought to you by the Blank Wholesale T-Shirts Club, providing wholesale pricing to public with no minimums on 1st quality Name Brand Apparel.

    • Guest

      or the holes are built in.

      • Guest

        Yeh, right, like Adobe went:

        “Well let’s see, let’s release an update for Flash Player, for it to have security holes… Then 2 weeks later we call a hacker to say he’s hacked it, and then; we release one more update. If we do that then the people at webpronews.com have something to complain about….”

        • Guest

          Then 2 weeks later we call a hacker to say he’s hacked it ->Then 2 weeks later we call a hacker to make him say he’s hacked it

  • http://www.geeknewswire.com Technology News

    I went through stage where there were so many updates from Flash in a short period of time, it was frustrating and decided to stop updating my Flash player. I guess it’s it time for another update again.

    • http://www.controldatainc.com debt collection agency

      I did the same thing. It keeps trying to update all the time. I canceled the last few updates. Its always trying to update when Im in the middle of something important.

      • Guest

        You know, there’s an idea in that… Why isn’t Adobe just releasing an (I’m afraid to type this word) update for Adobe Updater to update when you’re away from your computer for a few minutes. Then you wouldn’t even notice it, and you wouldn’t have to complain about security holes, updates or Adobe’s site…

        Robin

    • Robbinski

      Then what do you want, leave these security holes in? Then you’ld be complainin’ about that.

      I do beleive Adobe is doing it’s best to solve problems like these and you go “Oh… There are some many updates for Flash and Reader”.

      Robin.

  • http://www.moegreen.com Moe Green

    It updates too often! My experience is that people get tired of the Adobe updater constantly popping up and bothering them… It needs to be more non-intrusive. After a few of the pop-up annoyances, people become complacent and get tired of the ‘boy that cried wolf’.

    It looks like the wolf is finally at the door…

  • http://www.howtolossweight.us claire

    It is annoying how many updates appear, wish they could sort that out!

  • http://www.NationalShowTickets.com Mary Mary

    I think sometimes some people fear doing updates and wonder if the update patch could be a security problem. We need a better way of notifying the users, I actually always feared Flash but Adobe Acrobat Reader we all trust and love.

    Mary

    • Robbinski

      “…I actually always feared Flash…”

      Yes and it’s a bad thing.
      Adobe should not release an update before they know it’s safe. Of course it’s never 100% safe, but I don’t think they’re trying to. You might be thinking that I’m disputing my other replies, but you know what? If Adobe would just release a beta in it’s nice labs, until it’s safe enough to release, we shouldn’t even have this stupid arguing.

      I’m really not seeing the end of this conversation, and I hate it.

      If everyone’ld just update and, I don’t know, send an email with a link to the update to their friends, the problem would be solved in no-time.

      Stop complaining about a problem and start solving it, people!

      Robin.

  • Guest

    When did the misconception that making punishments extremely severe makes any problem go away?

    You know what? The punishment for murder should be life in prison, or death. Oh? You mean it *is*? And there’s still murder? Wowie zowie!

    Further, the person that said “Well, being able to find security vulnerabilities in any program is a mark of the ingenuity of people.” Is it? Because the *real* show of intelligence would be to make a program that was free of vulnerabilities.

  • http://www.scriptsforyourwebsite.com/ Professor

    “Adobe is facing some major security challenges and one of its biggest hurdles is its software update mechanism.”

    I just spent over an hour updating the Reader and Flash Player, and I’m a so-called expert. Clicking on the banners in your article leads to Adobe’s home page, and from there it’s all an uphill battle to find out what needs to be done. No wonder the updates have not been applied by so many people — they undoubtedly gave up, like I almost did!

    • Robbinski

      Don’t you think that, just because it is so atracious, it would be a good idea to post a link to the right download??

      You’re complaining about something and you’re not even taking a chance to help others not having to complain.

      Robin.

  • Guest

    i don’t think adobe will loose market shares, but it deserves to. adobe sucks!! since it bought flash from macromedia, the whole thing (user side and also developer side) is SLOW, has more bugs, has security holes!!
    they should have left the grown-up work to macromedia!

    • Robbinski

      Adobe stuff is great and if you can’t admit that, then I think you’re just jealous to people who can afford it.

      Programs like Photoshop have always been Adobe’s and have always been the (web) standard. It will only become more populair with CS5 and futher versions, and not without a reason.

      Adobe, keep up the good work and don’t let these people get you down!

      Robin.

  • Rod

    There are serious issues with Adobe’s update/patch management.
    We have about 100 PC’s to maintain. It’s easier to manage Micorosoft’s patches than Adobe’s now.
    Here are some of the problems:

    1) Updating Acrobat by having to run the updater multiple times is ridiculous. (And downloading and applying the patches individually is just as much fun, which is what we do.)
    2) Updating Flash requires giving the user administrative rights temporarily and then demoting them afterward. Again, a real efficient use of time.
    3) Download Adobe Reader at 35M. Then you have to download a 16M patch. The others are smaller but by the time you are done you’ve downloaded 60M. What happen to a lightweight portable document format app?
    4) And what about all the crud that gets installed that you didn’t ask for? Adobe AIR, Acrobat.com, etc. Why do software companies act like they own your PC?

    If we could find a functional alternative, we’d be gone in a FLASH!!!