Weaponization of software vulnerabilities in Adobe products more than doubled in 2018 compared to the previous year, according to a RiskSense report published Tuesday. While the total number of vulnerabilities discovered in 2018 grew only modestly (374 in 2018, compared to 359 in 2017), use of vulnerabilities by cybercriminals increased 139% year-over-year, with an all-time high of 177 vulnerabilities being weaponized by criminals in 2018.
Troublingly, 2018 saw the highest number of exploits in the wild before patches were made available, with 50 vulnerabilities leveraged by cybercriminals before patches were published, the report found.
News of Adobe products posing security risks likely comes as no surprise to seasoned IT professionals. Even counting only Adobe-related issues in 2019, it’s difficult to overstate the frequency of patching necessary to stay secure.
Common wisdom, however, holds that Adobe Flash Player is the overwhelming source of these security challenges. While there are still active exploit kits for Flash, the primary source of new vulnerabilities in 2017 and 2018 was Adobe Reader. Given that Flash Player will reach end-of-life at the end of 2020, and that it will be disabled by default in Firefox 69 and Chrome 76, due for release later this year, the browser plugin is likely becoming less attractive for hackers to exploit.
The report also indicates that over the last 20 years, buffer overflow was the most common vulnerability, representing 1,094 of 2,891 analyzed vulnerabilities, followed by read out-of-bounds (195) and use-after-free (160).
To keep your organization secure, consider these free alternatives to Adobe PDF Reader, and learn about how permission bloat on iOS can lead to theft of sensitive data.