
Adobe Customer Security Compromised: 7 Facts

Could stolen ColdFusion and Acrobat source code spawn a new generation of zero-day attacks?

4. Criminals Could Find New, Exploitable Vulnerabilities

Beyond the customer data theft worries, the theft of source code is also cause for concern, because code-savvy attackers -- or anyone else who subsequently obtains a copy of the code -- might be able to study the code and find previously undetected flaws.

"While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes and software vulnerabilities can be used to bypass protections for individual and corporate data," said Hold Security's Holden. "Effectively, this breach may have opened a gateway for new generation of viruses, malware and exploits."

"It should go without saying that no software company ever wants to have criminals steal its source code -- it is, after all, the technology company equivalent of losing the Crown Jewels," said Graham Cluley, an independent security researcher, in a blog post.

5. Adobe To Enterprises: Lock Down Acrobat, ColdFusion

To date, Adobe said that it's seen no new attacks against products for which the source code was stolen. "We are not aware of any zero-day exploits targeting any Adobe products," said Adobe CSO Arkin. Regardless, he recommended that all businesses only run supported versions of the software, apply all security updates, and follow in full the security advice detailed in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. "These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products," he said.

6. Attackers Didn't Hack Into Adobe Using ColdFusion

After Adobe detailed the breach, questions quickly centered on ColdFusion, a rapid Web application development platform that was originally developed by Allaire -- as a way to connect HTML pages to databases -- and subsequently purchased by Adobe in 2005.

Did hackers exploit ColdFusion to gain access to Adobe? If so, that wouldn't be unusual. For example, the July 2013 breach at the Department of Energy that resulted in the theft of information relating to 53,000 past and current federal employees -- including dependents and contractors -- was traced to the agency using an outdated and unpatched version of ColdFusion.

But an Adobe official Friday dismissed that possibility. "The breach did not involve a CF vulnerability. Investigations are still happening to figure out the attack vector," tweeted Rakshith Naresh, Adobe's ColdFusion product manager.

7. Bug Hunters Downplay Source Code Value

What might the stolen source code be worth? "Adobe Acrobat source code valued at $500k to $30M on black market," tweeted attorney Jim Denaro at CipherLaw.

But some security experts have disputed at least the high end of that estimate, noting that the potential payoff to be gained from studying the source code to find new bugs that could be turned into working exploits -- aka "weaponized" and sold for a profit -- wouldn't be worth the initial investment.

"You can fuzz bugs cheaper, and you can audit cheaper. It's not so valuable," tweeted the Bangkok-based vulnerability broker known as the Grugq. "It is [definitely] worth more to Adobe than it is to anyone else."

David F. Carr,
User Rank: Apprentice
10/7/2013 | 11:26:45 PM
re: Adobe Customer Security Compromised: 7 Facts
Fair to say it's not a best practice to retain CC data any longer than necessary?
User Rank: Apprentice
10/6/2013 | 2:38:11 PM
re: Adobe Customer Security Compromised: 7 Facts
This is exactly why we have a huge amount of regulations on the books. We basically have to force people/companies to do the right thing. Sad, really.
User Rank: Ninja
10/6/2013 | 11:39:05 AM
re: Adobe Customer Security Compromised: 7 Facts
you would, --eh?
when you use your credit card you are authorizing the merchant unrestricted access to your account -- to the expiration date on your card.

everyplace you use it

PCI is based on pen and paper. proper authentication of digital transactions has never been incorporated into the system.
User Rank: Apprentice
10/5/2013 | 1:17:09 PM
re: Adobe Customer Security Compromised: 7 Facts
I wonder why Adobe even held on to CC information. Throw it away once the transaction is done. Yes, the customer needs to key it in again the next time, but I'd rather type a few dozen characters than have my info stolen.
Do we really need to lobby lawmakers every single time to craft a law that enforces common sense?
User Rank: Apprentice
10/5/2013 | 12:02:27 AM
re: Adobe Customer Security Compromised: 7 Facts
Scary that Adobe didn't spot this. And one more reason why never to reuse passwords.
User Rank: Apprentice
10/4/2013 | 6:12:06 PM
re: Adobe Customer Security Compromised: 7 Facts
"But two different customers who received that email notification -- sent late Thursday, Pacific Time -- separately told InformationWeek that they'd initially dismissed the "important customer security alert" as spam."

The phishers are winning.
David F. Carr,
User Rank: Apprentice
10/4/2013 | 5:28:17 PM
re: Adobe Customer Security Compromised: 7 Facts
Would the customer credit cards of past customers be at risk, or just people with some ongoing relationship like the newer subscription software options? I purchased a perpetual license to Creative Suite, but that was a couple of years ago, so I'd hope my credit card wouldn't still be stored anywhere.