Cyber attacks often start out small, with an attacker finding and exploiting a vulnerability in software. The widespread popularity of Adobe software has made it a consistent target of nation-state supported attackers for years. For example, exploits targeting Adobe’s Flash Player have allowed attackers to compromise a user when visiting an infected web site. Likewise, malicious PDF files and vulnerabilities in Adobe Acrobat Reader have been one of the most popular vectors for phishing campaigns. Chinese-backed attackers have used such vulnerabilities in some of the most widespread attacks in the past, such as the attack on Google and others.
This means that it is critically important to find and patch any vulnerabilities before the attackers can get to them. Unfortunately, in the real world, this is often easier said than done. There are vast numbers of vulnerabilities and limited hours in the day to address them. For security teams it is critical to know not only about all the vulnerabilities present in their environment, but also which ones have been weaponized – i.e., those where exploit code has been developed by attackers and is circulating in the wild.
Security firm RiskSense recently performed a long-scale analysis of Adobe vulnerabilities from 1996 to the present. One of the study’s most surprising findings was that in terms of weaponization, 2018 was the most dangerous year in Adobe’s history.
Vulnerabilities Are Down, But Threats Are Up
At first glance, the overall trends in terms of vulnerabilities looked promising. The research showed that the high-water mark came in 2016, when Adobe had 538 total CVEs. However, Adobe seemed to get things under control in 2017 and 2018 with 359 and 374 CVEs, respectively.
However, things get a lot darker when analyzing weaponization rates. The overall number of threats and weaponization rates (the percentage of vulnerabilities with associated threats) had been steadily decreasing from 2015 through 2017. And then 2018 came along and broke every record of weaponization in Adobe’s history. 2018 had the highest total number of weaponized vulnerabilities (177) and, by far, the highest percentage of vulnerabilities that were weaponized (47%) within any given year. This means that in the real world things remained very dangerous for Adobe products even though the overall vulnerability rates were down.
Windows of Attacker Opportunity
Once we know that there are vulnerabilities and attackers have the code to exploit them, it then becomes a race against the clock to make sure teams can patch the issues before attackers can exploit them. Unfortunately, 2018 once again stood out in a bad way.
The analysis compared when a vulnerability was first reported, when exploit code was first reported, when a vendor patch became available, and when the vulnerability was added to the National Vulnerability Database (NVD). Obviously, it is a serious concern anytime exploit code is available in the wild before a patch. Of the total 177 Adobe threats observed in 2018, 50 were weaponized before a patch was available. This was, once again, by far the most of any year in Adobe’s history.
Massive Time Lag Between Adobe and NVD
The report also analyzed the latency between when a vulnerability was first reported and when it was added to the NVD. Given that many organizations rely on the NVD for tracking vulnerabilities, any lag between the vendor and NVD can further expand an attacker’s window of opportunity.
While 2018 was not the worst year in terms of NVD latency, it still left much to be desired. 2012 had the distinction of having the worst overall latency with an average of 24 days, but 2018 came in second with an average of 21 days.
However, the lag was the most pronounced for those 50 vulnerabilities that were weaponized before a patch was available. For those specific vulnerabilities, the lag between Adobe and NVD publication was a staggering 54 days. This once again highlights why it is important for organizations to not rely solely on the NVD for tracking vulnerabilities – monitoring vendor sites is crucial.
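The timeline comparison described above can be reproduced against an organization's own vulnerability inventory. The following is an added example, not RiskSense's code or data: the field names and sample records are constructed, and two choices are assumptions of this example, namely that exploit code for a still-unpatched vulnerability counts as "weaponized before a patch" and that NVD lag for an entry not yet published is counted up to an as-of date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vuln:
    vuln_id: str                # constructed placeholder id
    reported: date              # first reported by the vendor
    exploited: Optional[date]   # None: no known exploit code
    patched: Optional[date]     # None: no patch yet
    nvd_added: Optional[date]   # None: not yet in the NVD

    @property
    def weaponized(self) -> bool:
        return self.exploited is not None

    @property
    def exploit_before_patch(self) -> bool:
        # Exploit code with no patch at all also counts as "before a patch".
        return self.weaponized and (self.patched is None or self.exploited < self.patched)

    def nvd_lag_days(self, today: date) -> int:
        # Entries still missing from the NVD keep accruing lag up to `today`.
        return ((self.nvd_added or today) - self.reported).days

def _mean(xs):
    return sum(xs) / len(xs) if xs else 0.0

def summarize(vulns, today):
    weaponized = [v for v in vulns if v.weaponized]
    pre_patch = [v for v in weaponized if v.exploit_before_patch]
    return {
        "weaponization_rate": len(weaponized) / len(vulns) if vulns else 0.0,
        "weaponized_before_patch": len(pre_patch),
        "avg_nvd_lag_days": _mean([v.nvd_lag_days(today) for v in vulns]),
        "avg_nvd_lag_days_pre_patch": _mean([v.nvd_lag_days(today) for v in pre_patch]),
    }

def remediation_order(vulns, today):
    # Pre-patch exploits first, then other weaponized, then the rest; ties: longest NVD lag.
    return sorted(vulns, key=lambda v: (not v.exploit_before_patch, not v.weaponized,
                                        -v.nvd_lag_days(today)))

TODAY = date(2018, 12, 31)  # constructed "as of" date
SAMPLE = [  # constructed records, not data from the report
    Vuln("EXAMPLE-0001", date(2018, 2, 1), date(2018, 1, 25), date(2018, 2, 6), date(2018, 4, 2)),
    Vuln("EXAMPLE-0002", date(2018, 5, 8), date(2018, 6, 1), date(2018, 5, 8), date(2018, 5, 20)),
    Vuln("EXAMPLE-0003", date(2018, 7, 10), None, date(2018, 7, 10), date(2018, 7, 20)),
    Vuln("EXAMPLE-0004", date(2018, 12, 1), date(2018, 12, 3), None, None),
]
```

Calling `summarize(SAMPLE, TODAY)` returns the same four measures the report discusses, and `remediation_order(SAMPLE, TODAY)` puts the pre-patch exploits with the longest NVD lag at the top of the queue.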
Adobe vulnerabilities remain a very active area for attackers and adversaries, and will likely continue to be a critical part of most organizations’ attack surface for years to come. These findings illustrate why it is so important for agencies to have insight into which vulnerabilities in their environments, not just those affecting Adobe products, have been weaponized, so that they can be prioritized and fast-tracked for remediation. This visibility makes a security program more effective and efficient beyond just the scope of any one vendor’s software.