Byron Acohido
USA Today
Cybercriminals may have a clear path to spread mayhem on computers this week by taking advantage of a newly discovered vulnerability in Adobe’s (ADBE) ubiquitous Flash video player and Acrobat Reader, the widely used tool for opening PDF documents.
Since early July, troublemakers have been e-mailing PDF files with corrupted Flash video clips and hacking into websites to implant them. These clips, when activated, enable attackers to quickly install malicious programs on the user’s computer.
Criminals typically take control of PCs, turning them into obedient “bots.” They can use bot networks to steal data, siphon cash from online financial accounts, spread spam and trigger promotions to sell fake anti-virus programs.
The number of attacks could soar this week as Adobe scrambles to develop an emergency patch by Friday. The company recently began issuing security patches once a quarter, with the next update scheduled on Sept. 8.
“The volume of cybercrime has been increasing, so we’ve stepped up our efforts to supply best-in-class security,” says Rob Tarkoff, Adobe’s senior vice president and general manager of business productivity.
But even that might not solve the problem. Adobe alerts computer users every seven days about software updates that can include security patches, but users often defer installing such updates.
As a result, “We may see a broad-scale explosion of attacks,” says Paul Royal, a senior researcher at Purewire.
The security firm has already found a booby-trapped e-mail sent to a corporate executive.
Last week, another security firm, Finjan Software, found several dozen legitimate Web pages carrying poisoned Flash clips.
Tarkoff says Adobe is doing all it can.
“Every software product is a target,” he says. The challenge is to find a way to keep offering new features without creating new security problems. “That’s (the balance that) we’re focused on striking.”
That balancing act may grow more difficult as cybercriminals probe for more weaknesses in Adobe programs.
Some 43% of the 1,500 cyberattacks identified by security firm F-Secure in the first six months of 2009 were directed at Acrobat Reader, up from nearly 29% last year.
That puts Acrobat Reader ahead of Microsoft Word, targeted in 40% of this year’s attacks.
“Adobe has become the victim of its own success,” says Don Leatham, director of solutions and strategy at security firm Lumension.
“They’ve become a very juicy target, and they need to significantly increase their efforts to secure and stabilize their code.”