The Tech Herald

Almost two million people vulnerable to flaws in Adobe software

by Steve Ragan - Aug 25 2009, 18:35

It has been weeks since Adobe pushed patches addressing flaws in Flash and Reader, which should have been plenty of time to update the systems running the vulnerable software. However, a security company surveyed its own clients and found that 1,976,000 of them were still running vulnerable versions of Adobe’s software.

Adobe says that 99 percent of Internet users run Flash. Security vendor Trusteer, using measurements from 2.5 million clients in North America and Europe, can confirm Adobe’s claim: 98.8 percent of its customers have Flash active in their browsers. Of those with Flash, Trusteer says that 80 percent (1,976,000) were running an outdated version. In addition, 84 percent were running an outdated version of Adobe Reader.

“Targeting vulnerabilities in these applications is extremely efficient since it enables criminals to target 99 percent of Internet users. By comparison, targeting vulnerabilities in Internet Explorer only reaches approximately 65 percent of Internet users. While Firefox-based attacks only reach 30 percent,” commented Trusteer in a report on the Adobe problem.

Adobe is working to address the problem, but Trusteer says the difficulty is in their update mechanism, “…which lags industry standards for effectively distributing security patches to the field.”

The Trusteer report points out that Adobe’s software update mechanism does not meet the requirements of a system that is used by 99 percent of Internet users and is heavily targeted by criminals.

This claim is supported by a test Trusteer performed. Two systems running outdated software, one a Mac and the other a PC, were pointed at Adobe’s version-check page (adobe.com/software/flash/about). The site offered no “…notification that the system was at risk and did not strongly urge that the update be installed.”

By comparison, Trusteer reported, Google Chrome and Mozilla Firefox typically reach update rates close to 90 percent and 80 percent respectively within one week of releasing an update.

We’ve covered browser update methods on The Tech Herald in the past. Just this past May, a report from Google Switzerland and ETH Zurich (the Swiss Federal Institute of Technology) showed that silent updates protect users by keeping them constantly patched.

“Again, using the most recent version of any given browser will help address several layers of security and mitigate some levels of attack. There is no arguing against this. However, the issue of control is still something that security professionals and software vendors struggle with,” we wrote at the time, and that logic remains true.

Mickey Boodaei, CEO of Trusteer, said that Adobe is facing some major security challenges. “One of its biggest hurdles is its software update mechanism. For some reason, it is not effective enough in distributing security patches to the field,” he said.

Yet the question of who controls security updates is one that must be addressed, and Adobe can address it in several ways. It could force silent updates, which would risk causing issues for a minority of users, or it could build an update system that uses information about the user’s installed versions and the current threats to protect them.

Users are not oblivious to online threats; most know the basics and the vocabulary associated with them. Why not use that to advantage and explain, in plain language, why a user must update their software?

While it is easy to sit on the sidelines and make suggestions, the only ideas that matter are the ones Adobe acts on. It is working on the issue, but it is quickly running out of time.

Adobe has a large business customer base for Flash and Adobe Reader. It will not be long before those business clients get tired of hearing their IT teams complain about security issues in the products.
 
One point the Trusteer report does not address is whether Trusteer alerted the clients it found to be vulnerable and explained why they needed to update. One has to hope that it did.

For everyone else, take five minutes and check whether your Adobe software is up to date. You can do so by visiting Adobe.com and clicking the Get Flash Player and Get Adobe Reader links on the right side of the page.
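The version check above is the kind of comparison Trusteer faulted Adobe’s about page for not acting on. The following is an added example, not code from the article, Adobe or Trusteer: it parses the version strings a browser has historically exposed for the Flash plugin (the “Shockwave Flash 10.0 r22” form from navigator.plugins, the comma-separated “10,0,22,87” form, and the dotted form) and reports whether the installed build is older than a reference version. The reference version is a parameter; the article does not state Adobe’s patched build numbers, so the value in the sample run is a constructed placeholder. An unparseable installed version is reported as outdated, and a three-component “r” string is compared only on the components it actually carries, so “10.0 r22” is not flagged as older than “10.0.22.87”.

```javascript
// Added example; not from The Tech Herald, Adobe or Trusteer.

// Extract numeric components from the formats Flash has reported:
//   "Shockwave Flash 10.0 r22"  -> [10, 0, 22]        (navigator.plugins description)
//   "WIN 10,0,22,87"            -> [10, 0, 22, 87]    (ActiveX $version style)
//   "10.0.22.87"                -> [10, 0, 22, 87]    (dotted form on download pages)
// Returns null when no version can be recognised.
function parseFlashVersion(text) {
  if (typeof text !== "string") return null;
  let m = text.match(/(\d+)\.(\d+)\s*r(\d+)/);
  if (m) return [Number(m[1]), Number(m[2]), Number(m[3])];
  m = text.match(/(\d+)[.,](\d+)[.,](\d+)[.,](\d+)/);
  if (m) return [Number(m[1]), Number(m[2]), Number(m[3]), Number(m[4])];
  return null;
}

// Compare two version arrays component by component, over the components both
// carry. Negative when a is older than b, zero when equal, positive when newer.
function compareVersions(a, b) {
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when the installed version is strictly older than the reference.
// An installed string that cannot be parsed is treated as outdated (fail closed).
function isOutdated(installedText, referenceText) {
  const reference = parseFlashVersion(referenceText);
  if (!reference) throw new Error("reference must be a recognisable version string");
  const installed = parseFlashVersion(installedText);
  if (!installed) return true;
  return compareVersions(installed, reference) < 0;
}

// Read the description the browser exposes for the Flash plugin, if any.
// Returns null outside a browser or when no Flash plugin is registered.
function installedFlashDescription() {
  if (typeof navigator === "undefined" || !navigator.plugins) return null;
  const plugin = navigator.plugins["Shockwave Flash"];
  return plugin ? plugin.description : null;
}

// Sample run with constructed inputs. "10.0.45.0" is a placeholder reference,
// not a real Adobe release number.
const REFERENCE = "10.0.45.0";
const samples = ["Shockwave Flash 10.0 r22", "WIN 10,0,45,2", "Shockwave Flash 10.0 r45", "no plugin"];
for (const s of samples) {
  console.log(JSON.stringify(s), isOutdated(s, REFERENCE) ? "OUTDATED, update now" : "current");
}
```

In a browser of that era the call would be `isOutdated(installedFlashDescription(), REFERENCE)`; the point of the example is that the comparison is cheap, so a version-check page has no excuse for staying silent when the installed build is older than the one it is serving.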
