With the increased awareness about cybersecurity -- driven in part by the recent avalanche of high-profile hacks, break-ins, and take-downs -- it's more important than ever for vendors to keep their software patched and secure. In some cases that can be a Sisyphean task, as hackers and other bad actors are constantly trying to find vulnerabilities in existing software platforms.
It's been well-documented that weaknesses and vulnerabilities in Adobe's Flash and Acrobat products have been used by hackers as alternative entry points into computer systems that are increasingly being hardened against attack. Microsoft has been especially diligent in this area, with Windows 7 and Internet Explorer 9 both drawing recent praise from experts for improved security.
A recent report by security researchers from Kaspersky Lab underscores this trend, highlighting Microsoft’s improved security posture while pointing out less promising security performances by Adobe and Oracle. The latter two vendors were criticized for producing all the products involved in the top 10 IT security vulnerabilities Kaspersky has detected, with Adobe's Reader, Flash, and Shockwave products involved in 8 of the top 10 system vulnerabilities for the second quarter of 2011. Kaspersky researcher Yury Namestnikov elaborates on the list in his blog post:
"For the very first time in its history, this ranking includes products from two companies only: Adobe and Oracle (Java). As we inferred in a previous report, Microsoft products have disappeared from the ranking. First and foremost, this is due to improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs...nine of the Top 10 vulnerabilities give the attacker full system access and four also allow access to important data on vulnerable computers."
Adobe and Google security experts also recently sparred over discrepancies between what Adobe considers security fixes and what Google does, which led to claims that Adobe was underrepresenting the number of vulnerabilities that were patched in recent software updates to Adobe Flash player. Adobe publicized more than a dozen vulnerability fixes, but Adobe Senior Director of Product Security and Privacy Brad Arkin argues in a recent blog post that Adobe did the right thing by combining more than 80 code changes into just 14 separate CVEs. (A CVE is a commonly used method that security researchers use to publicly distribute information about security fixes.)
"In the final analysis, the Flash Player update we shipped earlier this week contains about 80 code changes to fix these bugs, " Arkin blogged. "So, what’s the right number of CVEs to allocate? In this particular case, some of the code changes we made were closely related within a single component, which would argue for consolidating them with a single CVE, while others were clearly distinct. At this point, we’d rather invest our time in continuing the hardening work that will make Flash Player more robust against attack than reviewing change logs.”
Have any thoughts about using Adobe products in light of these recent security reports? Add a comment to this blog post or start up a conversation on Twitter.