Adobe Customer Security Compromised: 7 Facts

Could stolen ColdFusion and Acrobat source code spawn a new generation of zero-day attacks?
4. Criminals Could Find New, Exploitable Vulnerabilities

Beyond the customer data theft worries, the theft of source code is also cause for concern, because code-savvy attackers -- or anyone else who subsequently obtains a copy of the code -- might be able to study the code and find previously undetected flaws.

"While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes and software vulnerabilities can be used to bypass protections for individual and corporate data," said Hold Security's Holden. "Effectively, this breach may have opened a gateway for new generation of viruses, malware and exploits."

"It should go without saying that no software company ever wants to have criminals steal its source code -- it is, after all, the technology company equivalent of losing the Crown Jewels," said Graham Cluley, an independent security researcher, in a blog post.

5. Adobe To Enterprises: Lock Down Acrobat, ColdFusion

To date, Adobe said that it's seen no new attacks against products for which the source code was stolen. "We are not aware of any zero-day exploits targeting any Adobe products," said Adobe CSO Arkin. Regardless, he recommended that all businesses only run supported versions of the software, apply all security updates, and follow in full the security advice detailed in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. "These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products," he said.

6. Attackers Didn't Hack Into Adobe Using ColdFusion

After Adobe detailed the breach, questions quickly centered on ColdFusion, a rapid Web application development platform that was originally developed by Allaire -- as a way to connect HTML pages to databases -- and subsequently purchased by Adobe in 2005.

Did hackers exploit ColdFusion to gain access to Adobe? If so, that wouldn't be unusual. For example, the July 2013 breach at the Department of Energy that resulted in the theft of information relating to 53,000 past and current federal employees -- including dependents and contractors -- was traced to the agency using an outdated and unpatched version of ColdFusion.

But an Adobe official Friday dismissed that possibility. "The breach did not involve a CF vulnerability. Investigations are still happening to figure out the attack vector," tweeted Rakshith Naresh, Adobe's ColdFusion product manager.

7. Bug Hunters Downplay Source Code Value

What might the stolen source code be worth? "Adobe Acrobat source code valued at $500k to $30M on black market," tweeted attorney Jim Denaro at CipherLaw.

But some security experts have disputed at least the high end of that estimate, noting that the potential payoff to be gained from studying the source code to find new bugs that could be turned into working exploits -- aka "weaponized" and sold for a profit -- wouldn't be worth the initial investment.

"You can fuzz bugs cheaper, and you can audit cheaper. It's not so valuable," tweeted the Bangkok-based vulnerability broker known as the Grugq. "It is [definitely] worth more to Adobe than it is to anyone else."

Editors' Choice
Jai Vijayan, Contributing Writer, Dark Reading
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading