Adobe a Target for Criminal Hackers

We all know and love Adobe products. Their PDFs have become as ubiquitous as .DOC, .TXT and .XLS. Most PCs include Adobe Reader as bundled software. The Adobe Flash media player is the easiest, most user-friendly online video player on the planet and is required for the most popular video site, YouTube.

Brad Arkin, Adobe’s director for product security and privacy, recently commented, “We’re in the security spotlight right now. There’s no denying that the security community is really focused on ubiquitous third-party products like ours. We’re cross-platform, on all these different kinds of devices, so yes, we’re in the spotlight.”

Adobe, in response, is doing everything a responsible software developer should do.

Adobe is in the same boat today that Microsoft found itself in years ago. Ground zero. Hack central. Criminal hackers love it. Adobe’s software or files are used on almost every PC and across all operating systems. Every browser requires a program to open PDFs, and many websites either have links to PDFs or incorporate Flash to play video or for aesthetic reasons. According to an estimate from McAfee, in the first quarter of this year, 28% of all exploit-carrying malware leveraged a Reader vulnerability.

While attention from the criminal hacking community has certainly been a burden to Adobe, the same attention is now being paid by the white hat hackers, the good guys. The security community is now actively involved in the reporting of bugs and vulnerabilities, which is helping Adobe tighten up. Fortunately, Adobe is learning from their current situation and is actively engaged in resolving these issues. They’ve created a better, more frequent software updating tool for each of their programs, including Flash and Adobe Reader. As difficult a situation as this may be, Adobe is handling it very well.

“Application security” is an often-used term for the stage of the software development cycle in which the software or application goes through a series of “penetration tests” designed to seek out vulnerabilities that could be exploited in the field. Adobe’s process now includes their Secure Product Lifecycle (SPLC) to seek out and squash those issues. It is important to understand that flaws, bugs, holes, vulnerabilities, or whatever you call them, are often detected after the launch of software. While both developers and criminals have many of the same tools, the bad guys seem to have an edge and are often able to exploit those flaws before developers can find and fix them. Adobe, however, is beginning to turn the tide on the bad guys.

If you function in a Microsoft Windows environment, you should be aware of “Windows Update” and have it set to automatically download and update your operating system’s critical security patches. Updating Reader and Flash requires manual action, but Adobe’s built-in updater can also be set to automatic. I’d suggest that most users set this to automatic as well. If you have an older version of Reader, which may not include an automatic update option, you should head directly to Adobe.com to download the current software.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)