{"id":11857,"date":"2011-10-13T12:26:41","date_gmt":"2011-10-13T11:26:41","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=11857"},"modified":"2011-10-13T12:26:41","modified_gmt":"2011-10-13T11:26:41","slug":"i-hope-you-patch-adobe-products-like-all-the-others","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=11857","title":{"rendered":"I Hope You Patch Adobe Products Like All The Others"},"content":{"rendered":"

Yesterday I quoted<\/a> a Microsoft security report based on information they gather from numerous sources:<\/p>\n

\u201cDetections of exploits targeting Adobe Flash, although uncommon in comparison to some other types of exploits, increased in 2Q11 to more than 40 times the volume seen in 1Q11 \u2026 Two vulnerabilities accounted for the bulk of zero-day exploit activity \u2026 Both vulnerabilities affect Adobe Flash Player\u201d.<\/em><\/p>\n

In other words, hackers have found a new sweet spot.  Most (not all) companies have copped on when it comes to patching Microsoft products.  But:<\/p>\n

    \n
  1. Other companies make software<\/li>\n
  2. Pretty much all software has vulnerabilities<\/li>\n
  3. Hackers aren\u2019t stupid.  I\u2019m reading a book called Kingpin and it illustrates how hackers will move from one attack vector to another to find a soft underbelly.  Adobe is that new point of attack.<\/li>\n<\/ol>\n

    And there is a high profile example of that.  The Inquirer<\/a> website reports that (and there is no evidence because RSA have not publicly documented this):<\/p>\n

    \u201cCriminals used a zero-day vulnerability in Adobe Flash player to penetrate RSA defences through an embedded Flash file in an Excel email attachment. A spear phishing attack, it targeted regular employees of RSA Security disguised as a recruitment form. It breached the RSA systems, even though it first went to Microsoft Outlook’s spam folder\u201d.<\/em><\/p>\n

    OK, it was a zero day attack.  We know this was a very organised attack, possibly sponsored by a nation.  They found a hole in Flash (allegedly) that wasn\u2019t yet reported and crafted an email attachment to attack it, knowing that the recipient would get stung by it, thus allowing the hacker to 0wn the PC.  Unlucky.  <\/p>\n

    But even if it wasn\u2019t a zero day attack would they have patched Adobe?  (we learned that less than 1% of attacks are zero day) I bet the answer is no.  Most companies focus just on Microsoft software.  Adobe products do automatically prompt for upgrades, but they are seriously click heavy and frequent, so most people probably disable the auto-check for upgrades, and the PCs probably go years without updating.  And that leaves those PCs vulnerable to:<\/p>\n