SANS instructor: “Avoid Adobe… security appears out of control”

Stephen Northcutt, an instructor for SANS and President of SANS Technology Institute, cautions users against using Adobe products due to an increasing number of Adobe security vulnerabilities that have been reported this year.  In the SANS NewsBites Vol 11 #61 (8/4/2009), Stephen says:

“I think organizations should avoid Adobe if possible.  Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can.”  (link may not be live yet)

There have been four patches (year to date) in 2009 for Adobe Reader\Acrobat, compared to 3 security patches for Adobe Reader\Acrobat in all of 2008.

Other common desktop applications and their security patch counts since Jan 1, 2009:

8 9 patches for Mozilla Firefox
4 patches for Microsoft Internet Explorer
4 patches for Apple Safari
4 patches for Adobe Reader\Acrobat
3 patches for Adobe Flash
2 patches for Adobe Shockwave
2 patches for Apple Quicktime
2 patches for Apple iTunes


4 Responses so far »

  1. 1

    FtMdSysOp said,

    Kudos to Adobe so far for tightening up their game, but I do wonder aloud how many of the 15 known private vulns mentioned at remain to be patched? I think we can expect to be patching Adobe’s stuff frequently for at least several more months.

  2. 2

    Is Adobe security shoddy or are its products being targeted, not unlike MS Office applications in recent times? I don’t think one can reasonably draw any conclusions from half a years’ worth of patch statistics. Any such conclusions are dubious at best. Should Adobe products be ditched? It depends.

    How much time and expense is required to switch out Adobe for something else and is that cost proportional to the risk faced by the company? And is this just a costly long term fix for a short term problem?

    It all comes back to making good business decisions informed by understanding of information security risks.

    Maybe there’s a case for swapping out Adobe products, but my guess is there are more effective, cheaper controls available.

    I seems like only yesterday when Gartner told the world to abandon IIS.


    • 3

      ericschu said,

      I think you’re right on, Michael. It’s not the number of patches for a given product that point to the security or insecurity of that product.

      With Adobe, they’re fixing the ATL issue from Microsoft – being proactive, kinda. But wait… they’re also fixing a large handful of other security issues – it’s a scary list (

      Mozilla has released 9 security bulletins\patches this year – far more than Microsoft has for IE. Does that mean they’re any more secure or less secure? It could mean that Mozilla is more responsive than Microsoft – that they release new versions the moment they identify and fix a security issue. Or it could mean that they’re code really is that bad. (I don’t know, nor will I hasten a guess)

      You can track the frequency or releases of one vendor over time for a selected product – that might point to things getting better (fewer releases), or it could mean the vendor is putting a closer eye on things and fixing more items. Either way, I like patches – it means the product is getting better (and hopefully more secure).

      As I mentioned in a previous post ( the larger the number of patches for a given product means more effort must be expended to keep that product updated. It doesn’t speak to the security of the product, only the hassle that the administrator must put up with. (one could argue the relative merits or lack thereof of the auto-update features of many of these products – that’s a blog for a different day).

      And finally, “I know John Pescatore and Stephen Northcutt is no John Pescatore!” I don’t believe it’s reasonable to expect an organization to stop using Adobe – recommending abandonment is only moving your eggs into the basket that you don’t know.

  3. 4

    Lars Nelson said,

    Surely the task at hand to switch out Adobe products — even just Acrobat would be difficult. And, how can you take away Flash when jillions of websites look like dogfood without it?

    But I will say this.

    Adobe is the most irresponsible company I have seen yet when it comes to updating their products.

    Presently (test this yourself):

    – Adobe still installs the flawed original release of the product from their website.

    – If you try to patch versions right now from inside the adobe reader product, the updater will show a successful patch, the software help/about will show that it patched to current version — but if you run a Secunia scan it will show it as flawed. If you check the version of .exe it shows it as the older version.

    – This also occurs with the Standard and Pro 7 versions.

    – The Flash updater will leave old versions of the software around in a cute little rename of the older version. One has to manually remove the old flash versions.

    – The automatic update feature in Acrobat only will check for updates if the software is started. Not a real great deal if the file that is opened is malware!!

    – The Flash auto updater is so terribly inept that it could be weeks before an update is presented to a user. And the process of changing preferences on this updater is not practical.

    – Countless other adobe products imbed older (flawed) versions of Flash etc that are never updated through the updater of that software.

    All of the above is simply a joke.

    So, yea the products are entrenched and hard to replace. But, what Adobe is doing regarding security is one of the most irresponsible things I have ever seen.

    – Lars

Comment RSS · TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: