SAN JOSE, Calif. – Look out, world. Following the revelation that Adobe’s Flash video player and Acrobat Reader include an unpatched vulnerability, experts predict “holey” hell for users if the company doesn’t deliver a promised patch by Friday.
The vulnerability allows hackers to install malicious code on users’ computers through websites, Flash downloads and even infected PDF files. The process exists as more than just a proof of concept: Since early July, malware authors have spread their wares by emailing infected files and implanting code on hacked websites.
The most common use for the vulnerability so far has been to turn normally mild-mannered desktop and laptop units into seething bots, ready to steal data, siphon cash, spread spam and trigger pop-up ads selling fake anti-virus software.
Adobe has promised a patch by Friday, but the company’s developers admittedly are scrambling. Under a new policy, Adobe stepped up its major security update schedule to once quarterly. The next regular update is on the calendar for Sept. 8.
The company also releases minor updates about every seven days. However, many users either are not aware of updates as they become available, or they put off updating their software until the quarterly patch.
Consequently, according to Purewire researcher Paul Royal, the newly discovered vulnerability could prove to be a doozy. By Monday, Purewire already had discovered a booby-trapped email sent to one of its corporate executives. Last week, another security firm discovered “several dozen legitimate Web pages carrying poisoned Flash clips,” according to USA Today.
“We may see a broad-scale explosion of attacks,” Royal told the newspaper.
Adobe products increasingly have come under fire because of their widespread adoption. During the first six months of 2009, exploitation of Adobe vulnerabilities rose 29 percent over the same period last year, according to security firm F-Secure. Adobe’s products were targeted in 43 percent of 1,500 cyberattacks F-Secure uncovered, making Adobe a more popular target than Microsoft, which bore the brunt of 40 percent of all cyberattacks so far this year.
“Adobe has become the victim of its own success,” Lumension Director of Solutions and Strategy Don Leatham told USA Today. “They’ve become a very juicy target, and they need to significantly increase their efforts to secure and stabilize their code.”