I have heard a lot of rumbling as to whether Adobe is now a worse threat to desktop security than Microsoft. Seeing the huge quantity of patches in 2009 issued by both software giants, I have to say it's not a simple call. Because there isn't a clear and obvious answer I put some time into researching this a bit, and sharing the results with you.
I counted the number of vulnerabilities in Windows XP and Vista since January 2009 (from NVD), and compared that to Adobe's security advisories for Flash player version 10 and Adobe Reader version 9. NOTE: I could not reliably get results from the NVD that matched Adobe's publication from their website.
- Microsoft Windows XP: 85
- Microsoft Windows Vista: 72
- Adobe Reader 9: 23 (or more, some internally discovered/not reported)
- Adobe Flash Player 10: 17
The tally begins with Microsoft at 85 and 72 and Adobe at 40. For two helper applications to have almost 50% of the reported vulnerabilities as a full-blown operating system that is approaching ten years old was a bit surprising to me. You might say many of the XP bugs have already been found, in which case you wouldn't expect the number of issues with Adobe's applications to be 55% as many as Vista.
In Microsoft's most recent Security Intelligence Report they made quite a large issue that the vast majority of successful exploitations of Windows Vista were via third-party utilities, plugins and other tools. This may be true when specifically considering browser-based exploits, which are a large percentage of today's threat, yet it ignores the vastness of infections like Conficker.
The risk of network worms like Conficker that are reported to have reached more than 10 million computers have a virility that is far more dangerous to our networks. Holes in listening network services present huge risks to users and businesses.
Browser exploits certainly comprise most of the drive-by infections we see in the wild. SophosLabs have blogged many times about different exploits taking advantage of Adobe Reader or presented a paper on these issues at the Queensland Hi Tech Crime Symposium in Australia.
Criminals taking advantage of applications and plugins that are not easily managed has been a trend that has increased dramatically in the last 24 months, and will likely continue to be a primary infection vector.
I deliver a seminar around the United States called Anatomy of an Attack, and one of my primary pieces of advice to IT administrators is to reduce the threat surface (less software) and patch, patch, patch.
Unfortunately for Adobe, they have been directly in the crosshairs of the enemy, and have provided fertile ground for exploitation. They are a victim of their own success, as nearly every computer attached to a network has Adobe Reader, Adobe Flash Player, or both. Adobe Flash does not include a method of managing or updating itself, and a large percentage of users are not running an up-to-date version.
It was reported this week that Firefox now checks the version of Flash player to provide a warning system if your plugin is out of date. It is great that Mozilla is raising awareness, but this only partly solves the problem.
On Windows the Flash plugin for Internet Explorer is a separate install from Non-IE browsers, which mean anything using Explorer to render Flash content will still be at risk. I am afraid this will give a false sense of being fully patched.
Adobe has agreed to their own version of patch Tuesday, made famous by Microsoft, yet only provide updates on a quarterly basis. When doing my research I noticed some Adobe patch announcements had as many as 12 CVE/vulnerabilities addressed in a single update.
This suggests the updates are infrequent, and you are vulnerable to exploitation waiting for the next quarterly update. This quarter Adobe has delayed releasing the update for 1 month, which defeats the purpose of setting a predictable schedule for administrators to plan patching into their change control process.
A perfect example of this was the recent dust up over Snow Leopard on the Macintosh platform. The version Apple included from around the April 2009 timeframe had already accumulated nine known vulnerabilities that had only just been patched before Snow Leopard was released to manufacture.
For similar reasons to giving Internet Explorer the benefit of the doubt earlier this year, I side with Microsoft on this one. By providing a centralized way to manage updating (Windows Update/WSUS), responding to threats more frequently (monthly patching), and generally increasing the security of their operating systems, I give Microsoft great marks for improvement. Adobe is a more challenging threat to the network administrator than Windows, especially as it can affect all operating systems that Adobe supports.
Creative Commons image of Adobe courtesy of flickr photostream by ben_templesmith