Adobe source code breach; it’s bad, real bad

The theft of source code for Adobe(s adbe) Acrobat, Cold Fusion and other products poses a wide-spread threat given the installed base of these products, particularly Acrobat, security specialists said. Adobe disclosed the issue in a blog post on Thursday.

In the post, Adobe Chief Security Officer Brad Arkin wrote:

“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.”

Not good at all. This may be the biggest compromise of a software vendor’s security since the RSA Security(s emc) stolen token meltdown two years ago.  While that was extremely embarrassing because RSA is explicitly in the software security business and big customers were dinged in the process, Adobe’s products are more widely used by more sorts of customers. Acrobat and Flash are nearly ubiquitous.

Update: In a statement, Hold Security, credited along with Brian Krebs with discovering the breach, said:

“Over 40 Gigabytes in encrypted archives have been discovered on a hackers’ server that appear to contain source code of such products as Adobe Acrobat Reader,Adobe Acrobat Publisher, and the Adobe ColdFusion line of products.  It appears that the breach of Adobe’s data occurred in early August of this year but it is possible that the breach was ongoing earlier.  While it is unclear at this time how the hackers obtained the source code and whether they analyzed or used it for malicious purposes, it appears that the data was taken and viewed by unauthorized individuals.”

Security experts said  this is serious business. “This is a source code breach not just a data breach,” said Dan Hubbard, CTO of web security vendor OpenDNS. “Having source code is a huge advantage because they can more easily hunt for and find weaknesses in the code. Before they’d have to run lots of black-box testing to do that.”

Another security specialist who could not speak on the record because he works with many of these vendors, agreed. “The issue here is that these guys will be able to find vulnerabilities and develop custom malware and use it privately before it ever goes public,” he said.

And, they could also outright sell the source code to China or other parties that could then develop counterfeit versions of the programs, he said.

Indeed, because Adobe products like Flash and Acrobat are so widely used, they’ve been prime targets in the past. One unstated motivation for Adobe moving to an all-cloud distribution model for its desktop software — or as critics called it “forced upgrades” — may have been to get a lot of old and unpatched software off the market.

As of now, Adobe is unaware of any zero-day exploits or specific increased risk to customers, but that may not make anyone feel any better. After all, Acrobat Acrobat Reader is installed on millions and millions of PC and Mac(s appl) devices.

This story was updated at 6:30 p.m. PDT with additional information on Hold Security’s role in uncovering this breach.