
Adobe remains top attack vector

By Kirsten Doyle, ITWeb contributor.
Cyprus, 07 Jun 2010

The continuous attacks in which criminals design malicious Flash video clips and embed them in legitimate Web pages and in PDFs clearly illustrate that Adobe has become the favourite target for cyber criminals.

So said Roel Schouwenberg, senior anti-virus researcher for Kaspersky Lab, Americas, during the Kaspersky Lab Virus Analyst Summit, in Cyprus, last week. “For the last 18 months, Adobe has been the biggest vector for attacks - 47.5% of exploits were Adobe in the first quarter of 2010.”

To put this in perspective, he said less than 15% of attacks were Microsoft-based.

There are several reasons for this, he noted. “Microsoft has implemented some big improvements; for example, XP Service Pack 2 introduced data execution prevention, which eradicates the exploitation of a certain class of vulnerabilities. It also introduced firewalls and automatic updates.”

Vista also had some improvements; for one, introducing ASLR, which puts core components of Windows in different locations, making it less vulnerable to exploitation. “A while back there was a new zero-day exploit practically every other week, but once Microsoft started investing money into trustworthy computing initiatives, the picture changed.”

However, improvements to the operating system (OS) have made cyber criminals move away from the OS to attacks against applications. “The bad guys have moved to browser plug-ins and similar elements that are essentially one with the browser and, therefore, easier to exploit. About 90% of attacks today are happening via the Web. It can be any program that is directly callable from the browser, and doesn't need to be a proper plug-in.”

Popular, but dangerous

Criminals will always look for the next target, and as Adobe says its Flash player is installed on 98% of all Internet-connected Windows PCs, and Acrobat Reader on at least 500 million Windows PCs, Adobe has become an attractive target. “In addition, in the corporate market a little less than 98% of corporate users have Flash on their machines, with less than 75% of these having the latest version.”

He said Kaspersky Lab sees many business users still running Reader 7.0, a problem because support for that version ended at the end of 2009; with no further updates, these users are hugely vulnerable.

Another interesting fact, he pointed out, is that PDF is the most popular format in targeted attacks. “It features easy automation and obfuscation through the use of exploit kits. It started with the exploit kit MPack in late 2006.”

These kits initially targeted a lot of applications - PDF, QuickTime, RealPlayer, WinAMP, and IE, he explained. “However, from 2008, there was a much clearer focus on Adobe, with many kits only focusing on PDF and Flash exploits. This is an extremely significant development. It showed that only targeting Adobe gave them enough of a success rate to make it worth their while.”

Schouwenberg said Adobe is in a similar situation to Microsoft. Both are market leaders; Adobe has no real competition or alternative. “Moreover, Reader is more flexible than PDF specifications illustrate. It means the cyber criminals can malform PDF files, and try to confuse AV engines, while they are trying to read these files.”

Update risk

Adobe is also incredibly slow to respond to the situation. “Without real competition, security in these times is not high on the priority list. The only real pressure will come from serious competition, or through enough bad PR that will force them to invest in security.”

He cited the fact that Flash can be easily updated through sites - YouTube, for example - as another problem for Adobe. “Another factor is that Acrobat Reader has a much bigger code base, with a huge amount of extra code in the reader and it exploits JavaScript - the favourite method of delivering exploits these days.”
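Two of Schouwenberg's points above, that criminals malform PDF files to confuse AV engines and that JavaScript is the favourite delivery method, can be illustrated with a small triage script. This is an added example, not code from the article, Kaspersky Lab or Adobe; the three PDF fragments it scans are constructed here and harmless. One malformation the PDF specification itself permits is writing object names with `#xx` hex escapes, so a scanner that matches the literal string `/JavaScript` misses `/#4A#61#76#61Script`. The script normalizes those escapes before looking for the risky keys, and treats escapes of ordinary letters (which legitimate producers never need) as an obfuscation signal in its own right.

```python
import re

# Constructed sample PDFs for the demonstration (not real malware).
# The JavaScript payload is a harmless app.alert(1).
SAMPLES = {
    # A minimal document with no active content.
    "benign": (
        b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    ),
    # Runs JavaScript on open, written with plain names.
    "plain_js": (
        b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
        b"3 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    ),
    # Same document, but the names /JavaScript and /JS are hex-escaped.
    "escaped_js": (
        b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
        b"3 0 obj\n<< /S /#4A#61#76#61Script /#4A#53 (app.alert(1)) >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    ),
}

# A #xx escape inside a PDF name object (ISO 32000-1, section 7.3.5).
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Dictionary keys and action types that indicate active or auto-triggered content.
RISKY_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]


def normalize_names(data):
    """Decode every #xx escape so that obfuscated names compare equal to plain ones."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def gratuitous_escapes(data):
    """Count escapes that encode ordinary letters or digits.

    The spec only requires escaping delimiters and non-regular characters, so
    escaping a plain letter serves no purpose except to defeat string matching.
    """
    return sum(
        1 for m in NAME_ESCAPE.finditer(data) if chr(int(m.group(1), 16)).isalnum()
    )


def risky_features(data):
    """Return {key: count} for each risky key found after name normalization."""
    norm = normalize_names(data)
    counts = {}
    for key in RISKY_KEYS:
        # Require a delimiter after the key so /JS does not match /JSomething.
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", norm))
        if n:
            counts[key.decode()] = n
    return counts


def verdict(data):
    """Simple triage: active content or name obfuscation => suspicious."""
    feats = risky_features(data)
    if any(k in feats for k in ("/JavaScript", "/JS", "/Launch")) or gratuitous_escapes(data):
        return "suspicious"
    if feats:
        return "review"  # auto-actions or attachments, but no script seen
    return "clean"


if __name__ == "__main__":
    for name, pdf in SAMPLES.items():
        print(f"{name:11s} {verdict(pdf):10s} {risky_features(pdf)} "
              f"escapes={gratuitous_escapes(pdf)}")
```

A scanner that only searches for the literal `/JavaScript` flags the second sample and misses the third; after normalization both produce the same feature set. Real-world triage also has to inflate compressed (`/FlateDecode`) object streams and follow indirect references, since the same keys are routinely hidden there; the normalization step shown here is applied to each decoded stream in turn.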

Adobe has introduced automatic updates, he noted. “The problem is that there are no prompts for enabling auto-updater. It does not even ask the user to enable updates; the user has to go in and do this manually. It automatically downloads them, but doesn't install them automatically. Users are being given a false sense of security.”

Schouwenberg believes Adobe will remain the main focus of attack because there is no serious competition for Flash. For cyber criminals, it is just that much easier to exploit Adobe products, he explained.

He advised users to enable the auto-update, and disable PDF browser integration, which will disallow the automatic opening of these files. “Finally, investigate other options.”
