The security-hole baton passes from Microsoft to Adobe

And Apple increasingly looks like the next major vendor whose products could give hackers a way to wreak havoc

It's a cliché that Microsoft's Windows, Outlook, and Office are prime venues for malware and hackers to get into your PCs and networks. But in recent years, Microsoft has tightened up its security issues -- and Adobe Systems has increasingly become the sloppy vendor whose products such as Acrobat and Flash increasingly pose the security holes that bedevil IT. And Apple could be next.

As co-founder and CTO of eEye Digital Security, Marc Maiffret spent much of his time immersed in the world of Microsoft insecurity. When there was a large zero-day vulnerability to be attacked, eEye was usually among the first to find it. He left that job three years ago. In that time, Microsoft has gained newfound respect for its security efforts while other popular software vendors are fingered for making the same mistakes. In an interview with CSO Tuesday, two names came to mind for Maiffret, now chief security architect at FireEye: Adobe, which faces growing criticism for widely exploited flaws in its software, and Apple, which is increasingly the focus of malware writers even though it hasn't seen the level of attacks Microsoft and Adobe have.

[ Researchers say exploits of Adobe's PDF exploded in 2009 and will continue to climb in 2010. | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

Q: What's your take on the security vendor community today?

Maiffret: When you look at the industry and the mainstay players, they'll even tell you that their [malware] signature technology doesn't work anymore but that "hey, we have this great behavior-anomaly technology." What they don't tell you, and what the IT community can see, is that with those technologies you are either at one end of the spectrum or the other. If you tune the technology up you may catch a lot of things, but that includes a lot of false positives. At the other end, the admins tune it down to reduce the false positives but then they end up missing stuff. At the end of the day, you really can't have either of these scenarios, but everyone knows we can't have a utopia, either. The reality is that we're at the point where it's not even the sophisticated attacks that cause all the problems. We're seeing it with everyday spyware. It's very hard to tell the two apart from a threat perspective. In the process, we've seen a massive failure of the vendor community to grasp these things.

Q: We used to talk a lot about Microsoft's security problems. How are they doing now?

Maiffret: I think a lot of people are surprised that I've become one of the big advocates of saying Microsoft is getting a lot of things right. They're not perfect, but their approach to secure code has really come along. A few years ago I gave a talk called "More than a Microsoft World" where I tried to wake people to the fact that they weren't always going to be worrying about just Microsoft and Patch Tuesday in the years to come, but also Adobe, Apple, and so on. There are so many third-party applications on the desktop to worry about now.

Q: A lot of security practitioners compare the Adobe of today to the Microsoft of yesterday.

Maiffret: I think the first articles saying Adobe is a bigger threat than Microsoft was something we only started seeing six months ago. The code security isn't there. The IT controls aren't there. The bad guys are in full swing taking advantage of these kinds of weaknesses, and the security vendors are playing catch-up.

Q: Adobe does have a visible security division. Do you think they are doing the best they can and that this is really about a changing landscape everyone's struggling with?

Maiffret: It's funny, but you can almost see a pattern among companies when the security spotlight is first thrust upon them. They suddenly find themselves in the crosshairs and the first thing they do is deny, passing it off as a marketing problem. Luckily, in the case of Apple and Adobe, they seem to have moved past that stage, and they've been staffing up on the security side. But Adobe is still in their infancy in terms of having a solid security process in place. But it took many black eyes and many years for Microsoft to get it.

Q: Many of the security admins I talk to regularly complain more about Adobe having a messy patch process than about the flaws themselves.

Maiffret: Oh, yeah. It's the perfect example of third-party applications that are a weird hybrid of things meant for consumers and businesses. There's a vast difference in how my mom will handle security on her computer and what an IT person might do. Their patching right now is really consumer-centric and it's only just starting to focus more on the tools IT needs to get the jobs done.

Q: Let's get back to Apple. Many people see that company as more secure than someone like Microsoft. What's your view?

Maiffret: Most people in the Apple world have a false sense of security and an elitism. I took some heat recently for saying Apple was way behind Microsoft on security. Look who they just hired for security -- Window Snyder, who played a lead role in helping Microsoft turn around their security. That shows the company starting to move past the denial part. It'll be interesting to see where they go from here.

Read more about application security in CSOonline's Application Security section.

This story, "The security-hole baton passes from Microsoft to Adobe" was originally published by CSO.

Copyright © 2010 IDG Communications, Inc.

How to choose a low-code development platform