Last week’s highly publicized theft of source code from a number of Adobe products, including its popular Acrobat and Cold Fusion tools, poses a serious threat to the thousands of enterprises around the world that have the company’s products installed on their computers.

Adobe’s Chief Security Officer Brad Arkin wrote a detailed blog post admitting the security breach last week, describing the attacks against Adobe’s network as “sophisticated,” adding that they involved “the illegal access of customer information, as well as source code for numerous Adobe products”.

As well as the source code, the credit card records of some 2.9 million customers were compromised, whilst login details from an unknown number of Adobe users were also stolen. The good news is that all of the affected credit card numbers were encrypted, and so the hackers are unlikely to be able to use these. Nevertheless, Adobe has sent a notification to all affected customers asking them to change their user passwords.

Arkin stated that the breach is just “one of the unfortunate realities of doing business today,” adding that Adobe’s popularity has made it a big target for cybercriminals.

Just How Bad Is It Really?

 
We know that the breach is an extremely serious one, but according to Lance Wolrab, CISSP and Regional Sales Director for IT security intelligence firm Promisec, it’s likely be some time before we know the full extent of the damage.

“Only Adobe knows the extent of the breach, and they may not know the full extent of what happened for several months to come,” explained Wolrab.

“There is a great deal of forensic work they need to perform across a very large enterprise which will take a team to complete in a timely fashion. It is safe to say, if the attackers gained access to live product source code, they have breached the company’s most valuable intellectual property.”

Unfortunately, time is a luxury that Adobe and its customers can ill afford, although much will depend on what the hackers intend to do with the source code. The biggest danger is if it’s sold to a third-party – there’s always a buyer out there for this kind of software source code, and most definitely for the databases that were compromised during this breach. If the source code has already been sold off to the highest bidder, we could see zero-day attacks on Adobe products begin within days.

Wolrab relates the story of a previous breach at Microsoft, when hackers stole a small piece of source code for Windows 2000.

“When Microsoft was breached and a small piece of source code for Windows 2000 was compromised, zero day attacks on the section of code stolen started only a few days after the breach was made public,” says Wolrab. “If it is true the entire source code for Adobe Acrobat and Reader have been disclosed, it is possible attacks will start quickly.”

Mitigation Impossible

 
In a second blog posting Adobe’s Arkin said that the company is unaware of any zero-day exploits targeting its products so far, although that could change. To mitigate, Arkin advises that customers only run supported versions of its software, and that users apply all available security updates and to follow the advice in the Acrobat Enterprise Tookit and ColdFusion Lockdown Guide. Additionally, Arkin recommends that users change their passwords on ny websites where they might be using the same logins and password.

“These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products,” noted Arkin.

But what Adobe isn’t saying is that there’s nothing that can really be done to mitigate any new zero-day exploits resulting from this breach, at least not until after they’ve been unleashed into the wild. According to Wolrab, what this means is that any enterprises using Adobe’s have two options – either stop using Adobe altogether, or else stay on their toes and be prepared for the worst:

“Companies using Adobe products are now in a difficult position – changing to an alternate tool for an enterprise is a difficult task on short notice, but is the only way to ensure Adobe’s misfortunes don’t come to roost in someone’s enterprise,” Wolrab warns. “The only other option is to ensure the organization stays abreast of the latest patches for Reader and Acrobat and deploys them as soon as they are available and ensures the entire organization is in lock step with the upgrades as they are released.”

See our full collection of Security Trends stories over on Springpad.