Microsoft Vs. Adobe security smack-down
I counted the number of vulnerabilities in Windows XP and Vista since January 2009 (from NVD), and compared that to Adobe's security advisories for Flash Player version 10 and Adobe Reader version 9.

NOTE: I could not reliably get results from the NVD that matched Adobe's publication from their website.

Microsoft Windows XP: 85
Microsoft Windows Vista: 72
Adobe Reader 9: 23 (or more, some internally discovered/not reported)
Adobe Flash Player 10: 17

The tally begins with Microsoft at 85 and 72 and Adobe at 40. For two helper applications to have almost 50% as many reported vulnerabilities as a full-blown operating system that is approaching ten years old was a bit surprising to me.

You might say many of the XP bugs have already been found, in which case you wouldn't expect the number of issues with Adobe's applications to be 55% as many as Vista. In Microsoft's most recent Security Intelligence Report they made quite a large issue of the fact that the vast majority of successful exploitations of Windows Vista were via third-party utilities, plugins and other tools.

This may be true when specifically considering browser-based exploits, which are a large percentage of today's threat, yet it ignores the vastness of infections like Conficker. Network worms like Conficker, which is reported to have reached more than 10 million computers, have a virulence that is far more dangerous to our networks.

Holes in listening network services present huge risks to users and businesses. Browser exploits certainly comprise most of the drive-by infections we see in the wild.

SophosLabs have blogged many times about different exploits taking advantage of Flash Player, Adobe Reader or both throughout 2008 and 2009. Peter Szabo from our Australian lab even presented a paper on these issues at the Queensland Hi Tech Crime Symposium in Australia.
Criminals taking advantage of applications and plugins that are not easily managed has been a trend that has increased dramatically in the last 24 months, and will likely continue to be a primary infection vector. I deliver a seminar around the United States called "Anatomy of an Attack", and one of my primary pieces of advice to IT administrators is to reduce the threat surface (less software) and patch, patch, patch.

Unfortunately for Adobe, they have been directly in the crosshairs of the enemy, and have provided fertile ground for exploitation. They are a victim of their own success, as nearly every computer attached to a network has Adobe Reader, Adobe Flash Player, or both.

Adobe Flash does not include a method of managing or updating itself, and a large percentage of users are not running an up-to-date version. It was reported this week that Firefox now checks the version of Flash Player to provide a warning system if your plugin is out of date.

It is great that Mozilla is raising awareness, but this only partly solves the problem. On Windows the Flash plugin for Internet Explorer is a separate install from non-IE browsers, which means anything using Explorer to render Flash content will still be at risk. I am afraid this will give a false sense of being fully patched.