Friday, August 13, 2010

Adobe Flash, AIR, PDF, Acrobat and Reader:
Security Statistics Sources

Earlier today, I was helping out a reader at who had the following question:
'BSOD' asks: "Does anyone have statistics on exactly how many security holes have been opened up by Flash, Air, and PDF? I think that we need to see that stat."
My answer is of general interest. Therefore, I am posting it here for your reading pleasure:
You can dig around at the CVE site for each of them. CVE stands for Common Vulnerabilities and Exposures. It keeps track of each reported software security problem: also covers each of them and gives a general description of their security:

Adobe Flash: "As of May 17, 2010, The Flash Player has 77 CVE entries, 34 of which have been ranked with a high severity (leading to arbitrary code execution), and 40 ranked medium."

Adobe PDF: "On March 30, 2010 security researcher Didier Stevens reported an "exploit" that causes an arbitrary executable to be run when a PDF file is opened, after the user accepts a warning prompt. The exploit works in several different PDF viewers including Adobe Reader and Foxit Reader."

And, earlier this year Adobe were embarrassed into creating the Adobe Product Security Incident Response Team (PSIRT). You can keep up with their blog here:

Adobe maintain their Security Bulletins and Advisories page, going back to 2005, here:

• There are approximately 88 Adobe Flash security bulletins.
• There are 6 Adobe PDF security bulletins.
• There are over 100 Adobe Acrobat security bulletins.
• There are over 100 Adobe Reader security bulletins.
• The only Adobe AIR related bulletin is the Adobe Flash bulletin from June 10, 2010.
