F-Secure: Adobe Still Unpatched as Attacks Rise

In its quarterly threat update, security company F-Secure warned that many known vulnerabilities remain unpatched, and flaws in popular Adobe software are at the top of that list.

Despite the availability of patches to fix security holes, “statistics from our Health Check application show that during the month of May, one in three computers scanned were vulnerable to an Adobe Reader flaw reported in the month of February,” F-Secure said.

The findings mark the latest example of how large numbers of users and system administrators fail to properly update their systems with the latest — and most secure — software. In April, a Microsoft study concluded that much of users’ problems with infected files stems from not being diligent in updating their software.

“It takes time for consumers to security update their systems,” F-Secure said.

Adobe, like Microsoft (NASDAQ: MSFT) and other major software vendors, is working on the problem. The company recently began following Microsoft’s example by introducing a regular update cycle for its Adobe Reader and Acrobat products. The thinking behind such efforts is that users and IT admins are more likely to install patches and updates if they’re bundled into a single release that comes as part of a regular schedule for which they can plan ahead.

“Adobe’s new quarterly schedule should help to raise attention to the issue,” F-Secure said.

Still, Adobe (NASDAQ: ADBE) reiterated the fact that user inactivity remains one of the key challenges when it comes to securing software.

“We take the security of our products and technologies very seriously, and protecting our customers is a top priority,” Brad Arkin, Adobe’s director of product security and privacy, said in an e-mail to InternetNews.com. “As always, we urge users to be sure they are current with our latest product updates, and to exercise security best practices.”

“Users can sign up for our security notification service, as well as the RSS feed of our Product Security Incident Response System blog, to be notified of the latest product security information from Adobe,” Arkin added.


Conficker is another threat perpetuated by unpatched systems. In a video commentary embedded in the report, Mikko Hyppönen, chief research officer at F-Secure, pointed to the recent success of the Conficker Working Group, founded in January, as a positive sign.

“The Conficker Working Group is a bunch of organizations working together to fight Conficker, including security companies, search companies,” he said. The group initially blocked the six top-level domains that Conficker was using to semi-randomly assign command and control URLs.

“Of course, the people behind Conficker were watching, so with version C, it used 160 different top-level domains and although they assumed we would not, the Working Group contacted people in 160 countries around the world to build an infrastructure to work together against Conficker,” Hyppönen said.


Yet, while industry groups may be having some success in curtailing Conficker, F-Secure highlighted a new and growing problem: spam delivered through Twitter.

“As social networking tends to include a level of trust, consumers will increasingly need new technologies to protect them against an abuse of trust,” the report said.

Twitter, meanwhile, is aiming to curb the threat. It’s introduced efforts like http://www.twitter.com/spam and @spam, an official account to which users can report spam, and has at least one support staffer dedicated to antispam efforts.

“Twitter spam has become a challenging issue for the site,” F-Secure said in its report.

Spammers are also using search engines, the company noted. “Malicious search results based on trending news stories are becoming commonplace. Knowing the reputation of sites yielded by search is becoming increasingly important,” the report said.

In one case, spammers took advantage of people searching for news about a Twitter worm written by Michael Mooney, whose Twitter username was mikeyy.

“While the mikeyy Twitter worms were largely an annoyance, the rapid outbreak and subsequent interest in ‘mikeyy’ did not go unnoticed by cyber criminals,” the report said. “They quickly seized the opportunity and search engine results for ‘twitter worm’ or ‘mikeyy’ soon led people to sites hosting malware.”

Twitter had not replied to an inquiry from InternetNews.com by press time.

Government and security

The report also examined the role of government in Internet security. Some of the news was positive. The report noted that President Obama had made cybersecurity an important issue and created an office for it in the White House.

On the negative side, there was China’s flawed Green Dam filter, whose final implementation has been delayed — but remains closely watched by security experts, human rights advocates and PC industry players.

The report noted that the disputed Iranian election brought politics into social networking — and the U.S. government, too.

“Twitter.com has been used to such an extent that the site was asked by the United States State Department to delay any network maintenance that might take the site offline,” the report noted.

“Technology does not discriminate between just and unjust causes. Hopefully the move to create a unified defense of the American cyber infrastructure will help generate the tools and organizations to maintain a global virtual world were information can flow freely and yet people will be defended against cyber attacks,” the report noted. “As President Obama stated, cyberspace has become ‘woven into every aspect of our lives.’ It must be protected.”

News Around the Web