RealTime IT News

Is Adobe Leaving the Web Open to Attack?

Tens of millions of people around the world use Adobe's Flash and PDF reader technologies. How many of them update regularly?

Keeping Flash and Adobe Acrobat PDF clients up to date is an important issue, as Adobe recently patched both technologies for security vulnerabilities that could expose users to risk.

Yet security vendor Trusteer recently examined its own users and found that at least 80 percent were running unpatched versions of Flash and Adobe Acrobat.

It's not clear how representative Trusteer's numbers are of the Internet as a whole or of Adobe's total user base. But the large number of unprotected users would seem to signal a problem for Adobe, which does not publicly disclose how many of its users are running the latest update.

Brad Arkin, director of product security and privacy at Adobe, said in an e-mail to InternetNews.com that the company takes the security of its products and technologies very seriously, and protecting customers and users is a top priority.

But that's not enough for Trusteer, which claims a base of 2.5 million users for its Rapport browser security service. Of those, 98.8 percent run Flash -- with 80 percent of those users still running outdated and unpatched versions of Flash. At the same time, it found that 84 percent were running unpatched versions of Adobe's Acrobat PDF.

"Adobe's software update mechanism does not meet the requirements of a system that is used by 99 percent of users on the Internet and is highly targeted by criminals," Trusteer CEO Mickey Boodaei told InternetNews.com. "Although Adobe does a good job pushing software upgrades, their security patching process needs to be improved."

Boodaei noted that Flash has a 30-day default setting for receiving updates, which he said could be complex for users to change. He added that, as a result, users are getting caught in the 30-day cycle, which leaves them vulnerable.

For its part, Adobe noted that, in addition to issuing patched versions of Flash and Adobe Reader, it has taken multiple steps to help get users to update.

Arkin noted that Adobe communicated the availability of the updates via the Adobe Product Security Incident Response Team (PSIRT) blog, the PSIRT mailing list, an update to the Adobe Security Advisory, and the publication of an Adobe Security Bulletin.

Adobe also published information pointing to the update via other company blogs and through communication channels targeted at Flash Player and Adobe Reader users and developers.

Additionally, Adobe said it worked with third-party security vendors to provide information about the updates to integrate into their patching and security scanning products.

How does Adobe stack up?

Adobe's update performance relative to other application vendors is also a difficult thing to measure. Trusteer's Boodaei pointed to a recent Google-sponsored study that showed Google Chrome users were the fastest to update among browser users.

According to those figures, 97 percent of Chrome users were updated to the latest version, while Mozilla Firefox had 85 percent of users updated within 21 days. Part of the reason may stem from Google's use of an automatic update mechanism to keep Chrome users updated. On the other hand, Mozilla Firefox offers an automatic notification but not an automatic update to new versions.

Adobe hasn't said that it's planning any tweaks to its approach to updating to improve the speed of user patching. But the company did say that it views safeguarding users as a continuing process -- potentially leaving the door open to changes.

"We evaluate all aspects of our technologies and processes related to security on an ongoing basis in order to ensure we're providing the best protection for customers and users, and that includes our updater mechanisms," Adobe's Arkin said.