By Hurricane Labs | October 5, 2012 10:32 AM EDT
Adobe is the New Microsoft: Maintaining Multi-Platform Security in 2012
By: Bill Mathews
I distinctly remember writing an article for a local journal back in the ’90s. In it, I discussed Microsoft’s special responsibilities concerning software security. If I recall correctly, my point was that since they were the dominant player in the operating system space, they had a duty to make their ecosystem resilient to attacks and compromise. Look, no company is ever going to be perfect at it, but some handle it a lot better than others. Fast-forward roughly 13 years after that article, and Microsoft has gotten quite a bit better. Not necessarily at locking down their ecosystem, but at making it more resilient. Maybe even more importantly, at having an efficient response plan in place when bad things do happen. Are they perfect? Of course not! But they’re putting in the effort and it is showing some considerable gains.
Enter Adobe. I could fill a book with all the severe Adobe vulnerabilities that have valid exploits out there. And yet they simply don’t seem to take it all that seriously. More recently, their code signing infrastructure was compromised. If you’re unfamiliar, it’s basically the stuff that makes your computer trust Adobe’s software. They’ve found some pretty nasty utilities out there signed by their valid keys. Now never mind that they’re blaming a build server compromise for this (which strains credulity), and never mind that they claim they’ve now revoked all the keys involved: how does something like this happen and go undetected until active attacks start occurring?
The answer, sadly, is a simplistic one. They simply don’t take the security of their software, or apparently their infrastructure, seriously. Code signing is a really important thing these days. (Do I think it’s useful? Let’s save that for another post.) So why can even a compromised build server just randomly sign some piece of code not actually found in your ecosystem without detection? Simple: you weren’t paying attention to it. All systems can be compromised; the trick is knowing when it happens (monitoring) and dealing with the aftermath (response). Knowing about it and responding to it after it’s out in the wild is probably too late.
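The monitoring described above can be as simple as reconciling every signing event against what the build pipeline actually produced. The following is an added example, not code from the original post or from any vendor: the log format, host names and build ids are constructed. It assumes the build manifest is recorded by a system separate from the signing host, so a compromised build server cannot rewrite both.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    sha256: str
    host: str
    reason: str

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def reconcile(signing_log, build_manifest, approved_hosts):
    """Flag every signing event that cannot be tied to a recorded build."""
    builds = {rec["sha256"]: rec["build_id"] for rec in build_manifest}
    findings = []
    for line in signing_log:
        ev = json.loads(line)
        if ev["host"] not in approved_hosts:
            reason = "request from unapproved host"
        elif ev["sha256"] not in builds:
            reason = "signed artifact has no build record"
        elif builds[ev["sha256"]] != ev["build_id"]:
            reason = "build id does not match manifest"
        else:
            continue  # event matches a known build from an approved host
        findings.append(Finding(ev["sha256"], ev["host"], reason))
    return findings

# Constructed sample data: two artifacts the pipeline built, one it never saw.
RELEASE_A = sha256_hex(b"constructed installer 1.0")
RELEASE_B = sha256_hex(b"constructed installer 1.1")
UNKNOWN = sha256_hex(b"constructed utility with no source history")

BUILD_MANIFEST = [
    {"build_id": "b-100", "sha256": RELEASE_A},
    {"build_id": "b-101", "sha256": RELEASE_B},
]
SIGNING_LOG = [
    json.dumps({"host": "build-01", "build_id": "b-100", "sha256": RELEASE_A}),
    json.dumps({"host": "build-01", "build_id": "b-102", "sha256": UNKNOWN}),
    json.dumps({"host": "dev-17", "build_id": "b-101", "sha256": RELEASE_B}),
    json.dumps({"host": "build-01", "build_id": "b-100", "sha256": RELEASE_B}),
]

def sample_findings():
    return reconcile(SIGNING_LOG, BUILD_MANIFEST, approved_hosts={"build-01"})

if __name__ == "__main__":
    for f in sample_findings():
        print(f.host, f.sha256[:12], f.reason)
```

The second log entry is the case the article is about: an approved build host asking for a signature on a binary that no recorded build ever produced.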
You might ask why I’m comparing Microsoft of the ’90s to Adobe of today. It’s a fair question. Adobe has the same special responsibility today that Microsoft had (and still has), and one that Apple needs to wake up to in the mobile space. When you are ubiquitous and on pretty much every device, as Adobe is, you have a duty to your customers and yourself to focus on security and pay attention to those little details. It is no coincidence that once Microsoft started really paying attention to security, their code started getting a bit better and a little more stable. One man’s random crashing is another man’s buffer overflow waiting to happen.