Adobe beats Microsoft in rubbish security challenge

Davey Winder
Saturday, 17 October 2009 16:23

Business IT - Security

Can anyone beat Microsoft when it comes to churning out insecure products? Ladies and gentleman, may I introduce you to Adobe.

This month has either been great for those people concerned with the security of Microsoft and Adobe products, or really, really dire. I will always applaud the timely issuing of security patches, but will never ignore the shameful fact that they are necessary in the first place. Which is why I reckon it's been a dire month.

For its part, Microsoft pushed out no less than 13 update packs on Patch Tuesday this week. There was a little of something for everyone, with no less than 34 security vulnerabilities being fixed across every supported version of Windows right through to Windows 7. Users of Office, Internet Explorer, Windows Media Player, SQL Server, Visual Studio, Visual FoxPro and Silverlight didn't miss out either.

Part of me wants to congratulate Microsoft for patching so many holes, after all whenever security is improved that's a real good thing. Part of me, however, wants to run up Microsoft and give it a bit of a slapping.

I mean, why did it take 10 weeks to fix the CryptoAPI flaw for example? C'mon Microsoft, surely a company the size of you guys could have remedied what turned out to be a really rather nasty vulnerability exposing Internet Explorer users to man-in-the-middle attacks a little bit sooner than 10 weeks!

If Microsoft deserve a hug and slap this month, I am afraid that Adobe must be due a damn good kicking. The company almost, but not quite, got to beat Microsoft on the vulnerabilities patched front with an astonishing 29 in a single update. Of those, some 13 were described as having the potential for arbitrary code execution. Nice.

I say astonishing, by the way, because Adobe doesn't have anywhere near the same volume of software to look after as Microsoft. Yet, to paraphrase Shakespeare, how much do you suck at security Adobe? let me count the zero-days.

OK, I have counted, and this year alone by my reckoning there have been four zero-day attacks on the Adobe product line. Four times that hackers have managed to exploit security flaws in Adobe Acrobat and Reader via malicious PDF documents in order to compromise or crash Windows PCs. In March, in May and again in July , Adobe issued zero-day fixes. Now it is October and here we go again.

Sure, these are both big companies with hugely popular products that will inevitably be the target of attack. Everyone in the security business understands that, including myself. But what I just don't get is how month after month, quarter after quarter, year after year, the vulnerabilities just keep piling up.

It leaves me questioning just what investment is being made in security at both the coding and testing level? It's almost as if these companies are adopting a reactive approach to security whereby the real testing is being done by hackers in the field. And that, in my opinion, is simply not good enough.

I've said it before , and I will say it again: maybe it is time to leave insecure Microsoft and insecure Adobe behind? Hopefully Windows 7 will prove me wrong, but history (and the patch for Windows 7 that was released this last week) suggest otherwise.

<slap> <kick>