Attacks/Breaches
10/4/2013
09:04 AM
Connect Directly
RSS
E-Mail
50%
50%

Adobe Customer Security Compromised: 7 Facts

Could stolen ColdFusion and Acrobat source code spawn a new generation of zero-day attacks?

4. Criminals Could Find New, Exploitable Vulnerabilities

Beyond the customer data theft worries, the theft of source code is also cause for concern, because code-savvy attackers -- or anyone else who subsequently obtains a copy of the code -- might be able to study the code and find previously undetected flaws.

"While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes and software vulnerabilities can be used to bypass protections for individual and corporate data," said Hold Security's Holden. "Effectively, this breach may have opened a gateway for new generation of viruses, malware and exploits."

"It should go without saying that no software company ever wants to have criminals steal its source code -- it is, after all, the technology company equivalent of losing the Crown Jewels," said Graham Cluley, an independent security researcher, in a blog post.

5. Adobe To Enterprises: Lock Down Acrobat, ColdFusion

To date, Adobe said that it's seen no new attacks against products for which the source code was stolen. "We are not aware of any zero-day exploits targeting any Adobe products," said Adobe CSO Arkin. Regardless, he recommended that all businesses only run supported versions of the software, apply all security updates, and follow in full the security advice detailed in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. "These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products," he said.

6. Attackers Didn't Hack Into Adobe Using ColdFusion

After Adobe detailed the breach, questions quickly centered on ColdFusion, a rapid Web application development platform that was originally developed by Allaire -- as a way to connect HTML pages to databases -- and subsequently purchased by Adobe in 2005.

Did hackers exploit ColdFusion to gain access to Adobe? If so, that wouldn't be unusual. For example, the July 2013 breach at the Department of Energy that resulted in the theft of information relating to 53,000 past and current federal employees -- including dependents and contractors -- was traced to the agency using an outdated and unpatched version of ColdFusion.

But an Adobe official Friday dismissed that possibility. "The breach did not involve a CF vulnerability. Investigations are still happening to figure out the attack vector," tweeted Rakshith Naresh, Adobe's ColdFusion product manager.

7. Bug Hunters Downplay Source Code Value

What might the stolen source code be worth? "Adobe Acrobat source code valued at $500k to $30M on black market," tweeted attorney Jim Denaro at CipherLaw.

But some security experts have disputed at least the high end of that estimate, noting that the potential payoff to be gained from studying the source code to find new bugs that could be turned into working exploits -- aka "weaponized" and sold for a profit -- wouldn't be worth the initial investment.

"You can fuzz bugs cheaper, and you can audit cheaper. It's not so valuable," tweeted the Bangkok-based vulnerability broker known as the Grugq. "It is [definitely] worth more to Adobe than it is to anyone else."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
10/7/2013 | 11:26:45 PM
re: Adobe Customer Security Compromised: 7 Facts
Fair to say it's not a best practice to retain CC data any longer than necessary?
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
10/6/2013 | 2:38:11 PM
re: Adobe Customer Security Compromised: 7 Facts
This is exactly why we have a huge amount of regulations on the books. We basically have to force people/companies to do the right thing. Sad, really.
macker490
50%
50%
macker490,
User Rank: Ninja
10/6/2013 | 11:39:05 AM
re: Adobe Customer Security Compromised: 7 Facts
you would, --eh?
when you use your credit card you are authorizing the merchant unrestricted access to your account -- to the expiration date on your card.

everyplace you use it

PCI is based on pen and paper. proper authntication of digital transactions has never been incorporated into the system .
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
10/5/2013 | 1:17:09 PM
re: Adobe Customer Security Compromised: 7 Facts
I wonder why Adobe even held on to CC information. Throw it away once the transaction is done. Yes, the customer needs to key it in again the next time, but I rather type a few dozen characters than have my info stolen.
Do we really need to lobby lawmakers every single time to craft a law that enforces common sense?
WKash
50%
50%
WKash,
User Rank: Apprentice
10/5/2013 | 12:02:27 AM
re: Adobe Customer Security Compromised: 7 Facts
Scary that Adobe didn't spot this. And one more reason why never to reuse passwords .
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
10/4/2013 | 6:12:06 PM
re: Adobe Customer Security Compromised: 7 Facts
"But two different customers who received that email notification -- sent late Thursday, Pacific Time -- separately told InformationWeek that they'd initially dismissed the "important customer security alert" as spam."

The phishers are winning.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
10/4/2013 | 5:28:17 PM
re: Adobe Customer Security Compromised: 7 Facts
Would the customer credit cards of past customers be at risk, or just people with some ongoing relationship like the newer subscription software options? I purchased a perpetual license to Creative Suite, but that was a couple of years ago, so I'd hope my credit card wouldn't still be stored anywhere.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

CVE-2014-3372
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM reports interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90589.

CVE-2014-3373
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM Dialed Number Analyzer interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCup92550.

CVE-2014-3374
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM admin interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90582.

CVE-2014-3375
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM Service interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90597.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.