Security fails of 2009 – Adobe Takes the Exploit Crown from Microsoft

This is the fourth in the series of Security Fails of 2009.  As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009. 

For years, Microsoft sat comfortably atop its throne as the world’s number one source for exploits.  Malware writers around the globe fattened themselves at the Microsoft trough, turning these exploits into a vast array of attacks, including the media darling of 2009, Conficker.  For years, Microsoft sat uncontested on this Mount Olympus, issuing Patch Tuesday thunderbolts to the masses and continuing to churn out code with new exploits to replace those gaps just closed with the newest patch.

In 2009 a new contender eagerly stepped into the ring, and countered with products that were equally ubiquitous and, most importantly, full of exploits.  As we entered 2009, the list of attacks that leverage exploits in Adobe products continued to steadily rise.  Eventually stories began to break claiming that Adobe had passed Microsoft as the new top dog in regards to providing exploits to the malware community.

The problem eventually prompted Adobe to announce in May that they were initiating their own Patch Tuesday process.  Even after this announcement, Adobe continued to get heat about their questionable patching policies that allowed users to download unsecure versions of the product with the assumption that they would then apply patches in a timely manner. 

I can’t imagine that this newfound notoriety was viewed with enthusiasm by the folks at Adobe.  On a positive side, you could only knock Microsoft of its perch if you were very widely deployed.  But I somewhat doubt the Adobe exec team were having “We’re Number 1” balloons distributed. 

Microsoft on the other hand was likely very ready to give up their crown.  Seizing the opportunity, Microsoft began to note that many of the browser based exploits were not an IE problem but were instead could be attributed to third party utilities and other tools.  Of course Microsoft was able to create the exploit used by Conficker so they did not retire from the game. 

So the ascension of Adobe to the leading supplier of exploits is one of my security fails for 2009.  And Lord knows the world needs more regular patches to deploy because we all know how well the patching process performs.  It is also instructive to see that the bad guys are always looking for the road of least resistance and will happily use someone other than Microsoft as their supplier of exploits.