Microsoft Vs. Adobe security smack-down
There is a lot of rumbling as to whether Adobe is now a worse threat to desktop security than Microsoft. Seeing the huge quantity of patches issued in 2009 by both software giants, I have to say it's not a simple call. Because there isn't a clear and obvious answer, I put some time into researching this and am sharing the results with you.
I counted the number of vulnerabilities in Windows XP and Vista since January 2009 (from NVD), and compared that to Adobe's security advisories for Flash Player version 10 and Adobe Reader version 9. NOTE: I could not reliably get results from the NVD that matched Adobe's publication from their website.
Microsoft Windows XP: 85
Microsoft Windows Vista: 72
Adobe Reader 9: 23 (or more, some internally discovered/not reported)
Adobe Flash Player 10: 17

The tally begins with Microsoft at 85 and 72 and Adobe at 40. For two helper applications to have almost 50% as many reported vulnerabilities as a full-blown operating system that is approaching ten years old was a bit surprising to me. You might say many of the XP bugs have already been found, in which case you wouldn't expect the number of issues with Adobe's applications to be 55% as many as Vista's.
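A per-product count like the one above can be reproduced from NVD data along the following lines. This is an added example, not the author's method (the article does not say how the NVD was queried); it assumes records in the shape of the NVD CVE API 2.0 JSON, and the sample records and CVE ids are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

def rec(cve_id, published, vulnerable, platform=()):
    """Build one constructed record in the shape of the NVD CVE API 2.0 JSON."""
    matches = [{"vulnerable": True, "criteria": c} for c in vulnerable]
    matches += [{"vulnerable": False, "criteria": c} for c in platform]
    return {"cve": {"id": cve_id, "published": published,
                    "configurations": [{"nodes": [{"cpeMatch": matches}]}]}}

XP = "cpe:2.3:o:microsoft:windows_xp:-:sp3:*:*:*:*:*:*"
VISTA = "cpe:2.3:o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*"
READER_90 = "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*"
READER_91 = "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*"
FLASH = "cpe:2.3:a:adobe:flash_player:10.0.22.87:*:*:*:*:*:*:*"

# Constructed sample records; the CVE ids are placeholders, not real entries.
SAMPLE = [
    rec("CVE-0000-0001", "2009-03-10T00:00:00.000", [XP, VISTA]),
    rec("CVE-0000-0002", "2008-11-02T00:00:00.000", [XP]),  # before the cutoff
    rec("CVE-0000-0003", "2009-06-09T00:00:00.000", [READER_90, READER_91]),
    rec("CVE-0000-0004", "2009-07-30T00:00:00.000", [FLASH, READER_91]),
    rec("CVE-0000-0005", "2009-08-01T00:00:00.000", [FLASH], platform=[XP]),
]

def cves_by_product(records, since):
    """Map (vendor, product) -> set of CVE ids published on or after `since`."""
    found = defaultdict(set)
    for item in records:
        cve = item["cve"]
        if date.fromisoformat(cve["published"][:10]) < since:
            continue
        for cfg in cve.get("configurations", []):
            for node in cfg.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    if not match.get("vulnerable"):
                        continue  # platform the bug runs on, not the vulnerable product
                    _, _, _, vendor, product = match["criteria"].split(":")[:5]
                    found[(vendor, product)].add(cve["id"])  # set: one count per CVE
    return dict(found)

if __name__ == "__main__":
    for key, ids in sorted(cves_by_product(SAMPLE, date(2009, 1, 1)).items()):
        print(key, len(ids))
```

A CVE that lists two products is counted under each of them, so adding per-product counts together can exceed the number of distinct CVEs.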
In its most recent Security Intelligence Report, Microsoft made quite a large issue of the fact that the vast majority of successful exploitations of Windows Vista were via third-party utilities, plugins and other tools. This may be true when specifically considering browser-based exploits, which are a large percentage of today's threat, yet it ignores the vastness of infections like Conficker.
Network worms like Conficker, which is reported to have reached more than 10 million computers, have a virulence that is far more dangerous to our networks. Holes in listening network services present huge risks to users and businesses.
Browser exploits certainly comprise most of the drive-by infections we see in the wild. SophosLabs have blogged many times about different exploits taking advantage of Flash Player, Adobe Reader or both throughout 2008 and 2009. Peter Szabo from our Australian lab even presented a paper on these issues at the Queensland Hi Tech Crime Symposium in Australia.
Criminals taking advantage of applications and plugins that are not easily managed has been a trend that has increased dramatically in the last 24 months, and will likely continue to be a primary infection vector.
I deliver a seminar around the United States called Anatomy of an Attack, and one of my primary pieces of advice to IT administrators is to reduce the threat surface (less software) and patch, patch, patch.
Unfortunately for Adobe, they have been directly in the crosshairs of the enemy, and have provided fertile ground for exploitation. They are a victim of their own success, as nearly every computer attached to a network has Adobe Reader, Adobe Flash Player, or both. Adobe Flash does not include a method of managing or updating itself, and a large percentage of users are not running an up-to-date version.
It was reported this week that Firefox now checks the version of Flash Player to provide a warning system if your plugin is out of date. It is great that Mozilla is raising awareness, but this only partly solves the problem.
On Windows, the Flash plugin for Internet Explorer is a separate install from the one for non-IE browsers, which means anything using Explorer to render Flash content will still be at risk. I am afraid this will give a false sense of being fully patched.
This article was written by Chester Wisniewski of Sophos and is published here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus
Source: Free Articles from ArticlesFactory.com