Security firm ScanSafe announced on Tuesday (PDF) that Adobe’s PDF document format was the target of 80% of all exploits in 2009.
According to the California company, Adobe Reader and Adobe Acrobat were the most-exploited software in 2009, with their share of exploits growing from 56% in 1Q09 to 80% in 4Q09.
“When malicious exploit code was encountered in 2009, vulnerabilities involving malformed PDF files (Adobe Reader / Adobe Acrobat) were the most frequently targeted, followed by vulnerabilities in Adobe Flash,” the report reads. “Interestingly, as the rate of malicious PDF files increased in 2009, the rate of malicious Flash files decreased throughout the year.”
“The problem of recent surges in Adobe vulnerabilities has become of concern to many officials, prompting an unprecedented warning from Stephen Northcutt, president of the SANS Technology Institute. In the August 4, 2009 issue of SANS Newsbytes, Northcutt warned: ‘I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products where you can.’”
Adobe’s security issues are further highlighted by the Common Vulnerabilities and Exposures (CVE) database, which shows a dramatic rise in reported flaws. In 2009, 107 Adobe vulnerabilities were logged into CVE. That figure is nearly double the 58 added in 2008 and almost triple the 35 reported in 2006.
The surge in vulnerabilities, the report suggests, is owed to the continued widespread use and acceptance of PDFs at home and in the workplace.
Nevertheless, ScanSafe has tempered its report by noting that malware authors exploit the path of least resistance. With malware a growing, multi-billion dollar industry in 2009, and Adobe products and documents on the rise, it was a practical inevitability that the firm would be pulled into the crossfire.