Adobe has an epically abysmal security record

October 8, 2013: 10:58 AM ET
No, your plug-in hasn't crashed. But be on the lookout when downloading your next Adobe software patch.
NEW YORK (CNNMoney)

Adobe's massive security breach last week is just the latest in its long, troubled history with hackers. But cybersecurity experts warn the company's security record is only going to get worse in the near future.

Nearly everyone with a computer has used Adobe (ADBE) software at some point, whether opening PDF files with Adobe Acrobat or watching a video on YouTube with Adobe's Flash Player. But consumers likely aren't fully aware how riddled with security flaws Adobe's software is.

Former Apple (AAPL) CEO Steve Jobs in 2010 addressed the issue in an open letter rant about Adobe's security, blaming the company's Flash Player for being "the number one reason Macs crash" and citing Flash for having "one of the worst security records in 2009."

But Jobs didn't go nearly far enough: Adobe's security problems aren't limited to Flash, and go far beyond just one bad year.

  • In 2007, an Adobe Reader bug allowed hackers access to all the files on people's computers.
  • In 2008, more than 1,000 hacked websites infected computers by delivering fake Flash Player updates that posed as CNN news notifications.
  • In 2009, another vulnerability in Reader let hackers open back doors into people's computers.
  • In 2010, attackers created malicious PDF attachments to hack into several companies, including Adobe, Google (GOOG) and Rackspace.
  • In 2011, yet another bug gave hackers remote access to people's computers -- this time in Flash Player.
  • In 2012, hackers gained access to Adobe's security verification system by tapping into its internal servers.

Adobe's Flash Player topped Symantec's (SYMC) annual list of vulnerable plug-in programs in 2012. Adobe's Acrobat Reader took that spot in 2010. And in 2009, both programs tied for second place. Fixing those giant holes with security patches is part of the reason why Adobe constantly bugs consumers about updating their software.

So last week's attack on 2.9 million Adobe customers' names, encrypted passwords and bank account information perhaps shouldn't have come as a surprise. But it could ultimately be remembered as the worst in Adobe's history.

Adobe's chief security officer Brad Arkin revealed that, as part of the attack, hackers managed to steal source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products. That essentially gives the hackers blueprints to find further weaknesses -- and exploit them, several security experts noted. It heightens the danger for anyone using Adobe products.

In a blog post, Adobe's Arkin refuted that notion, saying the company is "not aware of any specific increased risk to customers as a result of this incident."

Part of Adobe's security problem is an inevitable byproduct of its success: Adobe's products are widely used and therefore have become an enormous target for bad guys looking to cast as wide a net as possible to infect computers with their malicious software.

But Adobe's long history of major security screwups suggests that the company needs to take a long, hard look in the mirror.

Adobe's software is a prime target, cyber security experts say, because its core code is old and weak by today's standards. Updates and patches that are built on top of that code can't make up for its inherent flaws. It's akin to making repairs to a house with a sinking foundation.

Adobe declined to comment on the cause of its flawed security record.

"When you have very primitive infrastructure, it's extremely hard to put modern tools into it," said Dipto Chakravarty, executive vice president of engineering and products at the security firm ThreatTrack Security.

Kevin Rogers, CEO of security firm Cypherpath, said Adobe's customers will remain at risk of attack until the company completely revamps its software.

Steve Jobs' open letter effectively killed Adobe's mobile aspirations. More epic screwups like last week's security breach could hurt Adobe where it is still dominant.

