Patch Tuesday used to be just a Microsoft thing, but other companies have gotten involved recently, and this week Adobe released security fixes for RoboHelp as well as Adobe Acrobat and Reader.
But if you’re thinking this is in response to Adobe’s recent hacking, I’m afraid it’s not. Security patches take weeks to prepare and test. In fact, these particular patches are regression fixes – which means they’re a patch for something they previously fixed, and broke again!
The real worry, however, is that Adobe has no idea what kind of exploits may arise from the theft of source code for products including Acrobat, Reader and ColdFusion. What makes this situation unique is that hackers seeking to exploit these products are no longer working in the dark. They’ve got the source code – they can find vulnerabilities as easily as the code’s owners can, test and refine their exploits and then strike without warning.
The other major worry is the fact that Adobe Reader has an absolutely massive installed base. We may use different browsers and operating systems – but we all use Adobe Reader to read PDFs.
Exploit sales are lucrative: an exploit for an Adobe app can fetch tens of thousands of dollars. “The source-code is the money-making stuff — it helps you find the vulnerabilities in Adobe products. For example, a single zero-day exploit for Adobe Reader can be worth $50,000 in the black market,” says Timo Hirvonen, senior researcher at F-Secure.
Leveraging Adobe’s source code would provide the attackers with a more efficient way to steal information. “In the past, it was so easy for [cybercriminals] to do spree attacks — you could get millions of people through phishing and keyloggers,” says Dan Hubbard, CTO of OpenDNS. “But now it looks more sophisticated, and they are doing things that are more planned, so instead of going after the client and human element, they are going at some of the weaknesses in the infrastructure and pulling data back and figuring out what to do … It’s definitely an interesting change in operations.”
One of the big concerns is that Adobe still doesn’t know how it happened. It’s debatable whether they would have detected it if their code had not been found in the wild. And until they figure it out, it’s impossible to say what the ultimate exposure will be.