Adobe will overtake Microsoft as the primary target for hackers and virus writers in 2010, net-security firm McAfee predicts. Attacks targeting vulnerabilities in Acrobat Reader and Flash are already commonplace, driven in part by that software's widespread use. The often-tricky update process and lack of user awareness that …
This is not surprising in the slightest. Both Adobe and Google applications install constantly running background services on our computers that occasionally phone home. These potential backdoors should be considered bad practice industry-wide for both security and resource-hogging reasons. Windows certainly shouldn't allow them to be installed without a very specific warning, i.e. not just an admin privileges prompt, but a "Do you want to block this potential vulnerability" prompt.
Don't hold your breath
Perhaps the most astonishing aspect of the Windows Installer service (MSI-based setups) is that *despite* the fact that a trusted system component now gets to see (and implement) every last tweak that a third-party vendor's setup wants to make to the end-user's system, MS have never taken the opportunity to produce a service that gives said end-user the power of veto.
There could be warnings for the installation of services, for writes to existing registry keys or files (especially if those fall within the domain of software from a different vendor), for configuring apps to run at startup.
But no, whatever the app vendor wants, the installer is happy to do for them. In terms of trust, we're no further forward than "Insert CD-ROM and run <setup-prog> as an Administrator.".
In other news, flu vaccine manufacturer predicts pandemic - recommends to vaccinate now.
Seriously, does anyone expect them to look into their crystal balls and predict that there will be fewer viruses and trojans around and that virus writers will become dumber and less sophisticated?
Blatant scare mongering to try and ensure a renewed yearly subscription.
Really must be a slow news week.
As I don't see the fucking point. Should stop a lot of this malware.
Oddly enough, Windows firewall does not list any Adobe product as an exception, yet it is able to contact the internet to look for updates (for an updater that usually fails, piece of crap...). Well, I've just added AcroRd32, reader_sl and LogTransport2 to Windows firewall exceptions permitting it to access the IP address 127.0.0.1 :-) Let's see if that makes it a little less Internet friendly.
Line between the browser and desktop
Is it just me
Or should El Reg have a captain bloody obvious Icon?
@using a PDF to warn people off Adobe...
Got rid of Acrobat reader for another PDF reader that is tiny in comparison and doesn't keep trying to upgrade or update all the time (though I tend to use CCleaner to turn off all the invasive things in start-up).
Is there a need for the huge Acrobat reader anyway - apart from the attempt by Adobe to turn PDF into another version of PowerPoint?
Whilst I agree with you that McAfee or any other AV vendor for that matter would never play down the potential for malware to hijack a PC and steal souls, <sarcasm> and although AV vendors would never exaggerate the threat, </sarcasm>, the fact is malware is becoming more sophisticated.
All McAfee have done is predict, according to current trends, the methods that cybercriminals and malware writers are likely to employ during 2010. As a novice malware researcher, I have come to the same conclusions. So imho this is far from BS, but yes McAfee want to sell product.
PCs are now consumer devices, and thanks to MS a total ignoramus can use one, which would be a good thing if Windows and the applications it runs were secure. Consumers need to be made aware of malware threats and educated in how to spot and avoid them, not misinformed to the point that an AV suite will protect them. No AV solution is 100% and McAfee suggesting that their product will protect them *IS* BS.
I would suggest using a software firewall, not the MS bundled one, that will detect and prevent egress as well as ingress, but your average computer user is unlikely to be able to configure such software, or will just click yes to any prompts thrown up.
Expect things to get worse as more and more devices become network/Internet aware, code becomes more platform independent thanks to VMs and frameworks and more and more non-technical-minded consumers use such devices in ignorance of the threats.
In blissful ignorance, the biggest threat to computer security is the user.
Third party firewalls.
It'd be nice if more of these actually bloody asked if you wanted to allow Adobe products access to the 'net rather than just seeing that they're on their vendor-supplied list of trusted things, dropping their kecks and bending over without so much as a by your leave.
Apart from that caveat, good idea.
Seriously, who didn't see this coming? As of this point last year 95% of all security vulnerabilities are the result of some form of client-side scripting from the web and 70% of those are aimed at some form of application memory corruption, such as buffer overflows. The only solution for that 70% is to uninstall the software and the only known mitigation is to patch as often as possible. There is no solution for the remaining 25% of client-side scripting vulnerabilities except to abandon use of client-side script execution entirely from the browser. People generally do not seem to want to accept that mitigations are not solutions and the degree of the problem.
HTML5 fits the very demands of the current attack vectors. As an emerging technology that is both incompetent and irresponsible. People should seriously consider migrating towards another platform for an application environment since, in this regard, the web is a failure and HTML5 does everything possible to stroke that failure.
McAfee spawning Microsoft FUD
Well, it probably pays better than being #4 in the Antivirus market, behind several FREE competitors ....
Theoretical Conversation at Microsoft between an unknown person and someone who likes to throw chairs ....
Gee, now, how do we promote SILVERLIGHT ... man, that's a TOUGH ONE, maybe we could get a "SECURITY FIRM" to declare that ADOBE FLASH (our only real competitor) is going to be a real pain in the butt soon because it is SO EASY TO HACK ... I mean our BING frontal attack on GOOGLE failed miserably ... we need something to sell before LINUX and OPEN OFFICE eat our lunch ... yeah, if we can't be a search company and serve up content, let's be a pipeline provider .... YEAH ... I feel like celebrating ... where's a chair ...
Do they have a "create a paragraph of random words" button at McAfee?
"Google Chrome OS is intended for use with netbooks, and HTML5 enables not only a rich Internet experience, but also offline applications. Another motivation for attackers is HTML5’s anticipated cross-platform support, which will allow attackers to eventually reach users of many mainstream browsers."
This is meaningless. If Google Chrome is an insecure OS it is an insecure OS whether or not it was designed with the web in mind; HTML 1 could be used for offline applications, CSS2 enables a "rich web experience", cross-platform support in HTML5 is a bad thing how? It's HTML5 support in the platforms that will be difficult to achieve, there are mainstream browsers that attackers haven't reached?
If this is the standard of thinking in McAfee I am glad I don't use any of their products.
The problem with security and networks (public facing or not) is the constant prioritising of ease of access over security. And anyone who allows Flash to run in a browser that they also use for any secure activity is a webmugging waiting to happen.
as most of the sheep, deer and bovine run MS software.