For years, fixing the software flaws that left Adobe Systems’ customers prey to hackers simply wasn’t a top company priority.
At Adobe, whose Acrobat and Reader programs for creating and viewing PDF documents sit on most of the planet’s personal computers, security never made the list, says Brad Arkin, senior director of product security and privacy at the company in San Jose, Calif.
Then, in 2009, what became known as the JBIG2 flaw created an existential crisis for the company. For the first time, hackers were found to be using a crack in the armor of Acrobat and Reader to infiltrate major corporations and Adobe had no available fix.
“That was the big wake-up call,” Arkin says. “We needed to make some big changes to protect our users.”
The company realized it had to defend itself against a new, sophisticated type of hacker-spy targeting the software’s corporate users and their secrets, Arkin says.
In one instance, attackers used the JBIG2 defect to get access to the computer of a Coca-Cola Co. executive in China through an infected Adobe PDF they emailed to her, according to an internal Coca-Cola document obtained by Bloomberg. The beverage maker was involved in what would have been the largest foreign takeover of a Chinese company at the time.
After finding there were too many imperfections to fix, Arkin says he instead erected a virtual wall around the programs, and focused on keeping that defense intact.
It might not be enough.
“Imagine a castle wall as long as the Great Wall of China,” says Kyle Randolph, a former senior manager of product security at Adobe, who worked there from 2008 until this year. “All you need is one hole, and the whole thing is compromised.”
Flaws in the ubiquitous software on PCs, tablets and smartphones have empowered cyber intruders and plagued businesses, governments and political dissidents with sabotage, theft and physical attacks, a year-long series by Bloomberg News shows. In part, it is the legacy of companies that eschewed vigilance, putting profit before safety.
Products used on virtually all computers, from Adobe, Apple, Microsoft and Oracle, consistently dominate industry rankings of programs most vulnerable to attack. The resulting Swiss cheese of imperfections has made every citizen a potential crack in the security walls meant to protect their governments, employers and anyone with whom they do business.
Across the industry, software makers say they are taking security seriously and making improvements to address the increasingly sophisticated hacker threat. For instance, Microsoft and Adobe have made it easier for users to get updates that patch defects, and Google fends off attacks by encrypting traffic on its Gmail service.
Adobe’s Arkin says the company’s strategy makes the software easier to defend by requiring it to safeguard about 8,000 lines of code that hackers could use to breach the protective wall, instead of tens of millions of lines in the underlying programs. While the programs won’t be perfect forever, Adobe is working to keep ahead of the hackers by making their jobs harder and more expensive, Arkin says.
The flaws have nevertheless flourished in the absence of industry standards or product liability.
Attempts to force the architects of the Internet to improve the safety of users have so far failed, in part because the U.S. Chamber of Commerce has pushed back on behalf of its business members. It helped defeat a bill backed by the White House this year that included regulation of the small fraction of corporate computer systems that, if hacked, could cause mass casualties or economic damage.
In response to questions about its opposition to the bill, the Chamber provided a letter it sent last month to the U.S. Senate, favoring a workable bill focused on information sharing.
In America and Britain, about one in three computer users had contact with malicious software between July and September this year alone, according to data Moscow-based anti-virus software maker Kaspersky Lab collected from its customers.
The implications of lagging security go beyond PCs to critical infrastructure and industry, such as power grids and railroads.
“Sooner or later, the people who are exploiting these security flaws will go from stealing information to breaking systems – because they can – and then it’s going to be obvious to everybody how bad things are,” says Stewart Baker, former general counsel for the National Security Agency, the U.S. spy agency, which monitors foreign communications.
Behind closed doors, software-makers consistently argue that while consumers may appreciate more security, there is little evidence they’d sacrifice functionality, time-to-market or cost to get it, according to policy makers who meet with software company chief executive officers.