From their long and growing list of products and services, Adobe appears to be attempting to dominate the rich, user-centric application, communications, and information-delivery environments.
(see: http://www.adobe.com/products/ and http://labs.adobe.com/)
They have been pumping out new functionality, new development environments, new languages, etc. at a pace that is difficult to imagine. How do they manage the pool of energy and creativity required to initiate and maintain their current (accelerating) trajectory?
In financial services, “cool” and “new” are not unknown, but we need to manage them into business environments that must constantly demonstrate a threshold level of due care and due diligence.
Adobe products, new and old, keep getting hacked. On the consumer/customer as well as corporate fronts, the latest include critical vulnerabilities in Flash/AIR/Flex and Adobe Reader/Acrobat. Both involve remote exploit and potential for executing arbitrary code on an end-user’s PC. Because Flash and PDF files are found “everywhere” throughout the Internet, this set of vulnerabilities presents a particularly difficult risk equation for PC users — and for the information security personnel who serve them.
There have been at least 8 publicly disclosed vulnerabilities in Adobe Flash, and at least 6 in Adobe Reader/Acrobat in the last year. That extended a well-established tradition of vulnerabilities by another year.
Because these Adobe products are found on virtually all Windows PCs, the culture at Adobe that generates and accepts this tradition of regularly-vulnerable software must be modified. We need to raise the volume of our input to Adobe on this topic, and consider going broader with this campaign, maybe even to investors.
What do you think? What would work most effectively?
— References —
Many of the Adobe collection can be found at: http://www.adobe.com/products/ and http://labs.adobe.com/
Adobe Flash Player (Flex/Air as well) Multiple Vulnerabilities (Feb 25, 2009 http://secunia.com/advisories/34012/ and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=773)
Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability (Feb 2, 2009 http://www.kb.cert.org/vuls/id/905281 and http://secunia.com/advisories/33901/)