The year's most-hacked software

Move over, Microsoft. This year Adobe took center stage for cybercriminals.

At the beginning of this decade, Microsoft represented a cybercriminal's dream target: universally used software, brimming with bugs ready to be exploited to hijack users' PCs. But as the software giant has slowly cleaned up its security flaws, hackers are looking toward another vendor whose products are nearly as ubiquitous and whose bounty of vulnerabilities is just being discovered: Adobe.

According to Verisign's bug tracking division iDefense, 45 bugs in Adobe's Reader software were found by either cybersecurity researchers or malicious hackers this year and patched. In 2008, iDefense found 14 Reader bugs, double the number in 2007.

Meanwhile, the number of bugs found in commonly used Microsoft programs like Internet Explorer, Windows Media Player and Microsoft Office remained flat or dropped. Just 30 bugs were exposed in Internet Explorer, the same number as last year, and 41 bugs were found in all of Microsoft's Office programs like PowerPoint, Word and Excel, down from 44 in 2008.



When Forbes asked a group of cybersecurity researchers from security firms TippingPoint, iDefense and Qualys to name software programs with vulnerabilities most often used by hackers to victimize users' PCs this year, every one included Adobe Reader on their list.

"It's a huge focus for attacks now, around 10 times more than Microsoft Office," says Wolfgang Kandek, chief technology officer at Qualys, a vulnerability scanning firm.

Until recently, Adobe Reader software has received less scrutiny than browsers like Internet Explorer and Firefox. But it shares the characteristics that made those browsers powerful attack avenues. Nearly every Web user has installed Reader. Its complex code base offers a high risk of flaws. And it accesses enough of a user's machine to give hackers a powerful foothold.

"It's a very good playground for exploitation," says Pedram Amini, a researcher at 3Com-owned security firm TippingPoint.

'A rich target'

Part of Adobe Reader's vulnerability stems from its unexpected functions, Amini says. Aside from merely reading static PDFs, it can also run JavaScript to enable PDFs that include animation or pull dynamic information from databases. Those abilities mean the program can allocate memory for a document's use, a trick that, combined with the right bug, can allow a hacker to execute code on a user's machine and install programs.

"It's a rich target for both bug hunters and exploit writers," Amini says.

Adobe recognizes that it's in the crosshairs. In May, the company instituted a quarterly patching cycle for Reader, following Microsoft's model of regular software updates. Adobe Chief Technology Officer Kevin Lynch says the company has revamped its internal security teams with a focus on more secure development and faster response to bug discoveries.

"We used to debate whether we should take a detour from product development to do a security fix," says Lynch. "Now we address any zero day immediately."

Even as Adobe becomes a major focus for hackers, older targets like Internet Explorer and Firefox are still far from secure. In fact, most exploits are sold on underground cybercriminal forums with packages of several vulnerabilities they're prepared to exploit, says Qualys's Kandek.

Kits that go by names like "T-IFramer," "Liberty Exploit Systems" and "Elenore" all turned up on underground markets selling for $300 to $500, Kandek says, and allow the attacker to install a Trojan program ready to download whatever malicious software a cybercriminal wishes, from spyware to click-fraud software. All three of those kits exploit three unique Adobe Reader bugs, along with a smaller number of bugs in Internet Explorer, Microsoft Office, Firefox and even QuickTime.

In fact, even as plugins like Adobe Reader take the spotlight, browser bugs still allowed scores of "drive-by downloads" this year, malicious software that infects a user's computer when he or she merely visits a Web site. Firefox, which has been relatively safe compared with Internet Explorer, showed an uptick in vulnerabilities: Verisign's iDefense tracked 102 bugs found and fixed in Firefox this year, up from 90 last year. (That high number, researchers say, shouldn't be compared directly with programs like Adobe Reader or Internet Explorer given that open source programs' bugs are more often made public.)

Hackers focus on applications

More generally, researchers say hackers are turning away from bugs in operating systems to focus on applications. That's partly because, after years of high-profile Windows and Linux viruses, operating systems today are more securely coded and systematically patched than the applications that run on them, says Qualys's Kandek.

Application patches, he says, are also implemented far less strictly by users, even after they're issued by a vendor. The time it takes half of all unpatched versions of an operating system to be patched has been cut from 45 days in 2004 to 15 days this year, according to a study that was published in September by the security-focused SANS Institute. Meanwhile, four of the vulnerabilities in Sun Microsystems' Java programming language are still listed among the 30 most common unpatched bugs, despite patches being issued as early as 2007.

That doesn't mean operating systems aren't still an opportunity for hackers. Although their vulnerabilities aren't as easy to turn up, they don't require a user to do anything in particular to be infected. The Conficker worm, for instance, had spread to 7 million computers by using a Windows flaw, according to the last count of cybersecurity researchers at the Shadowserver Foundation in October.

That means even Adobe's increasingly targeted bugs shouldn't take the focus off Windows. "It's still my top priority," says Qualys's Kandek. "Operating system bugs aren't as frequent, but when they do come up, they can be much more interesting."