he revelation that Adobe had been attacked with source code hacked could lead to a raft of new zero-day vulnerabilities.
Speaking to IT Security Guru, Dana Tamir, director of enterprise security at Trusteer, said that a concern about the source code is that it will give whoever has it chance to search and study it for new unknown vulnerabilities, that Adobe would not be aware of.
She said: “This is a real concern as we are all using Adobe products and they will not know what is affected. What is another concern is exploits as this is a main route for malware to get on to a user’s machine as you can put malicious code into a PDF document and send that to someone, and that vulnerability is exploited when they open it. If the vulnerability is in Reader then it can download malware and if Adobe are not aware of the issue then it is not patched, that is the business we are in.
“Also Adobe needs to release a patch and users need to apply it; but this is a problem that will take time to resolve.”
Tamir said in a blog that she expects zero-day vulnerabilities in the Adobe applications to be highly successful and therefore a favoured way to compromise user endpoints if the code related to popular applications. Adobe said in astatement that it was “investigating the illegal access to source code of numerous Adobe products” and “based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident”.
Brad Arkin, chief security officer at Adobe, said later that it was investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an unauthorised third party, but it was not aware of any zero-day exploits targeting any Adobe products.
Chris Petersen, CTO and co-founder of LogRhythm, also raised concern that malicious code was inserted into Adobe product source code and then distributed to customers in a compiled form, as well as evaluation of zero-day vulnerabilities.
“Both risks could result in a treasure trove of zero-day exploits against Adobe software. If indeed the source code stolen pertains to ColdFusion and Acrobat, this could leave thousands of web servers open to at-will compromise and make it easier to compromise end-user systems,” he said.
“This breach is a chilling reminder that all software companies should be on guard, as they too could be a stepping stone to other targets.”
Paul Ayers, VP EMEA at enterprise data security firm Vormetric, said: “There is a good chance that this attack has been in the works for many months. If Adobe had the appropriate security intelligence there was a much better chance that we would have never read these reports about their breach.”
Adobe is planning to release security updates tomorrow and recommend users deploy these updates as soon as possible.
