Adobe, The New King Of Security Holes

Microsoft gets a lot of blame for the security issues that plague Windows, but not all of it is deserved. The company has spent more than a decade improving both its approach to secure software development and its response to security exploits. As a result, Microsoft is losing the lead in security vulnerabilities and being replaced by Adobe.The most important factor in an attacker's choice of security holes is the prevalence of the issue. That's why exploits in Windows itself have historically been the favorite choice of bad guys everywhere. After all, many security bugs apply to components in the entire spectrum of Windows versions from 2000 to 7. When an exploit can be applied to most clients, it makes the attacker's job easier.

With Microsoft's improved response to security holes, the pickings in Windows itself are getting slimmer. Unfortunately, attackers don't have brand loyalty, so they've moved on to another company with lots of PC installed base: Adobe. Security holes in programs like Adobe Reader and Illustrator are being exploited.

This problem is made worse because Adobe has been bundling unwanted applications and their AIR software platform onto systems with their free applications like Adobe Reader. I wrote about this last year, when Adobe boasted about 100 million downloads. Adobe is looking to create an attractive installed base for their developers, but they are also creating an attractive attack surface for the bad guys. For comparison, I'll note that Microsoft doesn't bundle the .NET Framework with unrelated software; they don't even make it a required download.

Protecting yourself from Adobe's security holes can be difficult. PDF documents are too essential for most users to simply avoid Adobe Reader entirely. There are non-Adobe solutions such as Foxit Reader, which is much faster and lighter than Adobe Reader. They work well with simple PDFs, but in my experience it won't handle the full spectrum of PDF documents such as ones with editable fields. So inevitably you'll end up with Adobe Reader installed, even if it isn't your default PDF reader.

With that in mind, here are some specific tips that may help avoid security problems. If you have an Adobe Reader version earlier than 9, uninstall it immediately and install version 9. Then go to the Edit/Preferences menu. Make sure that Security(Enhanced) is turned on; for some bizarre reason, Adobe recommends it being on but seems to ship it turned off. Next, look at the Updater item and be sure you're checking for updates -- inevitably they are security updates and you'll want them ASAP. Then go to Trust Manager and uncheck the option for "Allow opening of non-PDF file attachments." Finally, unless you know you need Javascript in your Acrobat documents, disable Javascript.

Adobe has let Acrobat grow into a monster of a program that seems to want to do everything. As a result of that, plus its large installed base, Reader has also become a popular target for attackers. Let's hope this latest wave of security holes convinces Adobe to get serious about security, but I would expect that it may get worse before it gets better.