In the past 6 months Adobe has released 16 Security Bulletins addressing 116 vulnerabilities. Of the 16 Adobe Security Bulletins released 81% had vulnerabilities that could be used to exploit the rights of the logged on user. However, if you don’t count the bulletins related to ColdFusion then 100% of the Security Bulletins had vulnerabilities that could be used to exploit user rights. Here’s a breakdown of the Adobe Security Bulletins:
|% of Bulletins with privilege exploits||81.25%|
|% of Vulnerabilities with privilege exploits||67.24%|
Adobe classifies the bulletins as critical, important, moderate, and low. Similar to Microsoft, critical vulnerabilities can run attacker code and install software without users knowing. Important vulnerabilities also happen without users knowing but can only disclose information to attackers. In most cases, exploit of critical and high vulnerabilities would come in the form of visiting a malicious website or legitimate website serving up malicious content via Flash or an e-mail containing a PDF exploit. Moderate vulnerabilities can only occur if a user has a non-default configuration, and Low vulnerabilities pose no major threat to users. With that classification in mind here’s a breakdown of Adobe Software and Critical and Important Vulnerabilities with Privilege Exploits (there were no Moderate or Low):
|Software||Critical Vulnerabilities with Privilege Exploits||Important Vulnerabilities with Privilege Exploits|
|Adobe Flash Player||42 of 45||0 of 0|
|Adobe Reader\Acrobat||31 of 57||0 of 0|
|Adobe Shockwave||5 of 6||0 of 0|
|Adobe ColdFusion||0 of 6||0 of 2|
With 93% of Adobe Flash, 83% of Adobe Shockwave, and 54% of Adobe Reader critical vulnerabilities having privilege exploitation, any user who has Adobe Flash or Reader installed, has an administrator account, and does not use privilege management software should be concerned. The majority of vulnerabilities, especially for Flash, have dangerous repercussions for user privilege exploitations including complete control over a user’s computer. Privilege management software is the only proven way to limit privilege vulnerability exploits. Privilege management, unlike patching, limits both existing and unknown vulnerabilities from being exploited by always limiting the privileges of the application regardless of the user’s account type.
Software vulnerabilities will be most dangerous to users and businesses if least privilege management best practices aren’t followed. Those best practices include removing administrative rights from end-users, running applications with restricted privileges, and securing administrator accounts. Privilege management software such as Arellia Application Control Solution and Local Security Solution can reduce the impact of vulnerabilities by securing the rights of applications and users.