Adobe's inability to efficiently push out critical security patches is leaving millions of users at risk, according to new data provided by Web security vendor Trusteer Inc.
A review of about 2.5 million Trusteer customers found that a critical update to Adobe Flash Player, Adobe Reader and Acrobat pushed out July 30 still hasn't been deployed by a vast majority of Adobe users. Trusteer said 79% of Flash users were using a flawed version of the browser component. About 83% of Adobe Acrobat users are also using vulnerable versions of the PDF reader.
Trusteer counts about 1.5 million users of its Rapport security browser plug-in in North America and approximately 1 million users in Europe. The security vendor issued an advisory Wednesday warning users of Adobe products to upgrade their programs and browser components to the latest version. The advisory is critical of Adobe's software update mechanism, which it says fails to effectively distribute critical patches to Adobe's user base.
"The fact that they released a patch doesn't mean anything, because users are still vulnerable," said Trusteer CEO Mickey Boodaei. "It indicates a failure of their update mechanisms to ensure users promptly address the security issues."
Vendors have various methods of patching their user base. By default, Adobe set its Flash component to check for a new version every 30 days, resulting in a patching delay when a security update is issued. Even after the software identifies a new version, user interaction is required to install the patch. Boodaei said security patches should either be deployed silently -- as Google does with its Chrome browser -- or automatically after a user closes and restarts their browser.
"The first default should be a silent update and [an] enterprise should have tools to change that and apply different processes to test and verify the updates before being applied to the entire organization," he said.
In its security bulletin, Adobe urges users to verify the Adobe Flash Player version by accessing the Adobe Flash Player page. Users with multiple browsers must perform the check with each browser installed on their system.
Adobe's Flash Player vulnerability stemmed from the use of vulnerable versions of Microsoft's Active Template Library (ATL), a flaw that several IBM researchers found to affect thousands of browser components. A second flaw, in the Flash Player library embedded within Reader, was also fixed.
Boodaei said the Flash vulnerability is potentially very serious, allowing a malicious website to compromise the Adobe component inside a browser and execute code, which can lead to a full compromise of a victim's computer. Such drive-by downloads are becoming more common, with malicious websites dropping Trojans on machines that aren't fully patched. Even legitimate websites are at risk of passing on malicious code to visitors if an attacker can find a website flaw to exploit.
In an email message, Brad Arkin, director of security and privacy at Adobe, said the software vendor was doing all it could to communicate the availability of updates for Flash Player and Adobe Reader. In addition to posting update information to the Adobe Product Security Incident Response Team (PSIRT) blog and various mailing lists, Adobe configures its servers to notify Flash Player users of an update and users of its Adobe Update Manager to push the latest update to Adobe Reader and Acrobat users.
"Flash Player and Adobe Reader are among the most widely distributed pieces of software in the world. We treat any potential security threat against them, and all our products, as a top priority," Arkin said. "Delivering product updates to users in a timely manner is only part of an effective security response – users also need to install the updates to be protected."
A recent study by security vendor Qualys Inc. backs up the issue identified by Trusteer. Companies focus on core software such as Microsoft's Windows and Internet Explorer, said Wolfgang Kandek, chief technology officer of Qualys, in a recent interview with SearchSecurity.com. Kandek, who presented his research at the Black Hat USA 2009 briefings in Las Vegas, said most firms take about a month to patch half of all vulnerable systems. Desktop applications such as Microsoft Office software, Adobe Reader, Apple QuickTime and many browser plug-ins take much longer to patch.
"It almost looks as if they are off the radar of our customers in terms of patching," Kandek said of the desktop applications.
The automatic updating can be very helpful, Kandek said. Google is most aggressive by setting silent updates for its Chrome browser. A Google study found a 97% share of active Google Chrome users on the latest Google Chrome 1.x version, three weeks after a new release. By comparison, Mozilla's Firefox browser pushed out an update to users faster, but its user base never reached more than an 85% usage share for its latest version within 21 days of the release. Mozilla's update process requires more user interaction. "Most corporate customers would like to control the update process much more; they don't like applications updating themselves," Kandek said, adding that silent updates and automatic updates requiring little user interaction work better in the consumer space.
Boodaei said businesses should update every single desktop and pay closer attention to the various browser plug-ins and add-ons that become part of their corporate environment.
"I'm sure that once [they] start to look for it, they'll find out that they have thousands of different plug-ins," he said. "They need to pay attention to each one of them starting with setting policy for what's allowed and what's not and then monitoring for vulnerabilities and updates of each one of them."
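The per-browser version check Adobe recommends and the plug-in inventory, allow-list policy and monitoring Boodaei describes can be folded into one fleet audit. The script below is an added example, not code from the article, Trusteer or Adobe: it takes a constructed inventory of which plug-in version is installed in which browser on each host, compares each install numerically against a minimum patched version (the version numbers and plug-in names in the policy are placeholders, not Adobe's actual fixed versions), flags plug-ins that are not on the allow-list, and reports the share of vulnerable installs per plug-in in the same form as the Trusteer percentages quoted above.

```python
"""Fleet-wide browser plug-in version audit (added example, not from the article).

Assumptions (hypothetical): MIN_PATCHED holds the minimum fixed version per
plug-in and ALLOWED_PLUGINS is the organisation's allow-list; both are
placeholders rather than Adobe's real fix levels.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str
    browser: str   # each browser carries its own copy of Flash, so it is checked per browser
    plugin: str
    version: str


def parse_version(v: str) -> tuple:
    """Split a dotted version into integers so comparison is numeric.

    A plain string comparison would rank "9.0.283" above "10.0.32"; the tuple
    form gives the correct order.
    """
    return tuple(int(part) for part in v.strip().split("."))


# Hypothetical policy: placeholder minimum versions and an allow-list of plug-ins.
MIN_PATCHED = {"Flash Player": "10.0.32", "Adobe Reader": "9.1.3"}
ALLOWED_PLUGINS = set(MIN_PATCHED)


def audit(inventory):
    """Return (vulnerable installs, disallowed installs, vulnerable ratio per plug-in)."""
    vulnerable, disallowed = [], []
    totals, outdated = defaultdict(int), defaultdict(int)
    for inst in inventory:
        if inst.plugin not in ALLOWED_PLUGINS:
            disallowed.append(inst)          # policy violation: not an approved plug-in
            continue
        totals[inst.plugin] += 1
        if parse_version(inst.version) < parse_version(MIN_PATCHED[inst.plugin]):
            vulnerable.append(inst)          # below the minimum fixed version
            outdated[inst.plugin] += 1
    ratio = {plugin: outdated[plugin] / totals[plugin] for plugin in totals}
    return vulnerable, disallowed, ratio


# Constructed sample inventory: hosts, browsers and versions are made up.
# Note ws01 has patched Flash in one browser but not the other.
SAMPLE_INVENTORY = [
    Install("ws01", "Internet Explorer", "Flash Player", "10.0.32"),
    Install("ws01", "Firefox", "Flash Player", "9.0.283"),
    Install("ws01", "(standalone)", "Adobe Reader", "9.1.2"),
    Install("ws02", "Internet Explorer", "Flash Player", "10.0.22"),
    Install("ws02", "(standalone)", "Adobe Reader", "9.1.3"),
    Install("ws02", "Firefox", "Shockwave Player", "11.5.0"),
]


def report(inventory=SAMPLE_INVENTORY) -> str:
    """Render the audit as text; returns the report so callers can log or test it."""
    vulnerable, disallowed, ratio = audit(inventory)
    lines = [f"VULNERABLE {i.host} {i.browser} {i.plugin} {i.version}" for i in vulnerable]
    lines += [f"NOT ALLOWED {i.host} {i.browser} {i.plugin} {i.version}" for i in disallowed]
    lines += [f"{plugin}: {share:.0%} of installs below minimum version"
              for plugin, share in sorted(ratio.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

In practice the inventory would come from an endpoint management tool rather than a hard-coded list; the point of the example is that the check must run once per browser per host, that version comparison must be numeric, and that an allow-list turns an inventory into the policy Boodaei describes.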