adobe 0day banshees flying about

Just a quick mention of new Adobe 0days that are making the rounds. I may not have bothered since details are so few at this time, but the media is all over these two, particularly the Flash issue. Neither is patched, and Adobe has provided scant mitigation details. Probably because most of the suggestions involve crippling their software or using additional/replacement software that essentially says, “don’t use our tech.”

A week ago, Adobe Acrobat/Reader were hit with a 0day being exploited in the wild.

Yesterday, Adobe Flash had a 0day advisory announcement.

I’m pretty tolerant when it comes to security vulnerabilities in software. While I side with those who say we need to build things secure, I just don’t think that is ultimately realistic. I also have at least some proximity to business and software/web development, so I know what often does or does not go into those processes. I can tolerate security vulns if the business plays response really well.

I can even tolerate security being a new thing to a business and them playing catch-up for a while, kinda like Microsoft has done with Windows and Office products. But Adobe doesn’t appear to be improving, in my observations.

The lesson that gets lost in all of this, though, especially with the general computer-using public and media, is the problem of feature bloat trumping security concerns. Adobe may take the lumps from the vulnerabilities, but all of this is probably enabled directly by user demand and use of those features. So, thanks for needing/wanting those features and making the rest of us less secure. (The same argument I make about HTML in email. Thanks for that, Marketing…)