Can Adobe Beat Back the Hackers?
For years, Adobe Systems (ADBE) has occupied a quiet corner of the personal-computer industry. Photographers and designers use its software to clean up photos and set up Web sites. Workers everywhere trade electronic documents formatted with Adobe's programs, often without knowing the company behind the software.
Now Adobe is attracting the unwanted attention of hackers—and security experts are concerned the company isn't doing enough to repel assaults. So far this year, Adobe has released nine security updates for the current version of its Acrobat Reader software, up from four in 2008, says Moscow security firm Kaspersky Lab. Adobe appears to have replaced Microsoft (MSFT) as the primary means by which hackers try to infect or take control of PCs. "Adobe at the moment is the main target," says Roel Schouwenberg, a Kasperky senior antivirus researcher in Woburn, Mass.
Historically, Adobe hasn't had to contend with attacks, so it hasn't been focused on potential weaknesses. But as Microsoft has toughened up its security, Adobe has become a more tempting prey. Its software, particularly Flash for Web video and Reader for documents, is loaded on virtually every personal computer.
Vulnerabilities in such widely used software can cause myriad problems. More than a dozen sites, including those of The New York Times, USA Today, and Nature, have been infected with fake ads that exploit Adobe software. In the case of the Times, if Web surfers clicked on an ad for antivirus software, malicious code would take control of their computers through Flash and direct them to a site infested with malware. Other attacks circulate via e-mail, with virus-laden PDF files that open in Acrobat Reader.
SCRAMBLING TO RESPONDSecurity specialists fret Adobe lacks the firepower to stop the attacks. With an estimated $2.9 billion in sales this year, the company is one-twentieth the size of Microsoft, with a much smaller engineering staff. Microsoft issues monthly security patches for Windows and gives away antivirus software. Adobe said in May it would begin releasing regular quarterly security fixes for Reader in September and then missed that deadline by a month. A second update will be delayed until January. "So far there's been no consistency at all," says Chet Wisniewski, a security analyst at antivirus software maker Sophos.
Adobe concedes its popularity with hackers is growing but says it is gaining the upper hand. It has five times as many engineers working on security as two years ago and has trained its entire Reader team on safe programming practices. "We're over the hump of being reactive," says Chief Technology Officer Kevin M. Lynch. Adobe has sought security advice from Microsoft and Google (GOOG).
If it gets a handle on its security problems, hackers will turn their attention elsewhere. Yahoo!'s (YHOO) instant messenger and Apple's (AAPL) iPhone, for example, are starting to see attacks.
The case of Adobe illustrates a conundrum for tech companies: They need to balance spending on new products, which brings in revenue, with spending on security, which doesn't. Adobe, though solidly profitable, laid off 680 people, 9% of its workforce, on Nov. 10. The need to step up security spending is "not an uncommon problem, but Adobe's going to have to get their arms around it," says Rob Enderle, president of consultant Enderle Group.