How Many Monocultures Make Up a Polyculture?

Opinion: Windows isn't the only software almost everyone uses. Look for some others to attract attack soon, with Adobe's PDF files at the top of the list.

Probably the best intellectual argument against the dominance of Windows in the market is the "monoculture" argument. This idea states when a high percentage of users are using the same platform, the population of users is too vulnerable to attacks on that platform.

Windows is basically as dominant as ever, but a number of other monocultures have sprung up with their own vulnerability issues. Like Windows, they are attracting extra attention from vulnerability research and even exploit development. In a way, its a sign of maturity.

The obvious leader for a new monoculture is PDF, the document format of Adobe Acrobat. Security vulnerabilities in Acrobat are nothing new (heres one from 1997), but there has been a lot of action lately in this space, and Adobes record on handling the problems is less than stellar.

/zimages/3/28571.gifLow-cost alternatives to Acrobat could give you some security cover and have you PDFing cheap. Click here to read more.

The most recent stink was raised by a researcher named Gnucitizen. I generally dont like hysteria-raising, but his claim of another serious vulnerability in Acrobat is worthy of attention, even if he hasnt backed up any of his claims yet. Hes found several vulnerabilities in the past along these same lines, and there have been many PDF vulnerabilities over the last few years. Heres Gnucitizens recent demonstration of code execution by opening a PDF.

PDF is perhaps the perfect next step for targeted attackers looking for an edge as Microsoft Office gets harder to attack. PDF files are highly trusted and the format of choice for important documents. Its strong support for digital signatures gives it business in fields such as digital notarization.

After years of abuse, users are perhaps leery of e-mailed Microsoft Office documents, and everyones security software scans these files. Support for PDF scanning is not as widespread, although there are products, such as Secure Computings WebWasher, that scan PDFs at the gateway with an eye for exploits.

What Adobe has in common with Microsoft is a piling on of features into PDF in recent years without sufficient consideration of security issues. Consider Javascript, which can be embedded in PDFs to add functionality such as popup windows and form validation and is on by default. I imagine there are legitimate applications of Javascript out there, but Im sure theyre rare. In the meantime, it is the focus of many of the recent PDF vulnerabilities. If theres a way to turn off Javascript in Acrobat Reader as a matter of network policy, I havent found it. Please let me know if its possible.

On the other hand, there are many third-party PDF readers, and its reasonable to assume that many, if not most, PDF vulnerabilities are actually vulnerabilities in Acrobat and Acrobat Reader rather than generic to all programs that support the format.

PDF, of course, is not alone in forming its own monoculture. Adobes Flash is another good candidate, and there has been no shortage of Flash vulnerabilities over the years. I have heard of real exploits, but they are rare.

Another platform that is universal enough to qualify for a monocultural attack is Java. Theyre not very high profile, but Ive seen trojaned Web sites that try, among many other vulnerabilities, to exploit Java holes to compromise the system. Just yesterday Sun announced a series of measures to strengthen its security response for Java.

The last great monoculture setting up for attacks is Google. Numerous vulnerabilites in Google software have been reported recently.

I get the sense that the velocity of vulnerability development on Windows has flattened out. All the real innovation seems to be in social engineering, although at the cost of some complex development there are good opportunities for targeted attacks through device drivers. The alternative monocultures present an inviting opportunity for attackers. Look for them to be more in the news soon.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers blog Cheap Hack