Having the source code is akin to having the keys to the kingdom, said Rob Kraus, director of research on the security engineering research team at managed security services provider Solutionary. Potentially any malicious actor can either buy a zero-day exploit or, if sophisticated enough, build one and use it in targeted attacks.
"If you have a car with the hood welded shut, it's hard for you to mess with the carburetor or anything else, but when you are able to open the hood of the car, you can get in there and tinker and find things that you don't normally see," Kraus said. "Having the source code allows the good guys as well as the bad guys to find dangerous programming functions that might be used in an attack."
Software developers and malware writers alike are very likely to review the source code for workarounds or other coding weaknesses that can be taken advantage of, said Richard Henderson, security strategist at Fortinet's FortiGuard Threat Research and Response Labs. Common vulnerabilities could end up in an automated exploit kit, while more novel flaws will be held closely, Henderson said.
"There are people who keep zero-days close to their chest and only sell them to a small number of folks who want to maintain them, such as nation-state actors," Henderson said. "Most people developing exploits take a big deep-dive, reading modules within the source code to look for fudges and workarounds; things that aren't working the way they expected them to."
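Both Kraus and Henderson describe the same first step a reviewer or attacker takes once source is in hand: reading modules for dangerous function calls and workarounds, which is far quicker in source than in a disassembly. The following scanner is an added example written for this page, not code from the article or from any of the vendors it quotes. The list of unsafe C functions, the non-literal `printf` format check, and the sample C source it runs over are assumptions constructed for the demonstration; a real review would use a tool such as a compiler's warnings or a static analyzer on the full tree.

```python
"""Scan C source for calls to known-unsafe functions and non-literal printf formats.

Added example for this page (not the article's or any vendor's code). The
banned-function table and the SAMPLE source below are constructed for the demo.
"""
import re

# Unbounded or unchecked calls a reviewer flags first, with the usual replacement.
# Assumed list; it is illustrative, not exhaustive.
DANGEROUS = {
    "gets": "fgets with an explicit buffer size",
    "strcpy": "strncpy/strlcpy or snprintf",
    "strcat": "strncat/strlcat",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
    "scanf": "a width-limited conversion or fgets followed by sscanf",
}

# A bare call: the name must not be the tail of another identifier (mystrcpy)
# or a struct member (obj.strcpy / p->strcpy).
CALL_RE = re.compile(r"(?<![\w.>])(" + "|".join(map(re.escape, DANGEROUS)) + r")\s*\(")
# printf whose first argument is not a string literal: a format-string sink.
FORMAT_RE = re.compile(r'(?<![\w.>])printf\s*\(\s*(?!")')
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def strip_noise(line, in_block):
    """Blank out comments and string literals on one line.

    Returns (cleaned_line, in_block) so that /* ... */ spanning lines is tracked.
    String literals are replaced by "" so the shape of a call survives.
    Limitation: a double quote inside a char literal ('"') is not handled.
    """
    out = []
    i = 0
    while i < len(line):
        if in_block:
            end = line.find("*/", i)
            if end < 0:
                return "".join(out), True
            i = end + 2
            in_block = False
        elif line.startswith("/*", i):
            in_block = True
            i += 2
        elif line.startswith("//", i):
            break
        elif line[i] == '"':
            m = STRING_RE.match(line, i)
            if not m:  # unterminated literal; keep the rest verbatim
                out.append(line[i:])
                break
            out.append('""')
            i = m.end()
        else:
            out.append(line[i])
            i += 1
    return "".join(out), in_block


def scan_source(src):
    """Return [(line_number, function_name, advice), ...] for every finding."""
    findings = []
    in_block = False
    for lineno, raw in enumerate(src.splitlines(), start=1):
        code, in_block = strip_noise(raw, in_block)
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            findings.append((lineno, name, "unsafe call; prefer " + DANGEROUS[name]))
        for _ in FORMAT_RE.finditer(code):
            findings.append((lineno, "printf", 'non-literal format string; use printf("%s", s)'))
    return findings


# Constructed sample input: two real problems plus three decoys that must not fire.
SAMPLE = r"""#include <stdio.h>
#include <string.h>

/* strcpy(dst, src) mentioned in a comment must not be flagged */
int handle(const char *in) {
    char buf[64];
    strcpy(buf, in);                 /* unbounded copy */
    printf(buf);                     /* caller-controlled format string */
    printf("%s\n", "strcat(x, y)");  /* call text inside a literal, not a call */
    return mystrcpy(buf, in);        /* different identifier, not strcpy */
}
"""

if __name__ == "__main__":
    for lineno, name, advice in scan_source(SAMPLE):
        print(f"line {lineno}: {name}: {advice}")
```

Run against the embedded sample, the scanner reports only the `strcpy` on line 7 and the `printf(buf)` on line 8; the comment, the string literal and the unrelated `mystrcpy` identifier are ignored. The comment and literal stripping is what keeps a grep-style approach from drowning in false positives on a large tree.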
Many zero-day threats use email as the main attack vector, according to security experts. The 2013 Verizon Data Breach Investigations Report found that phishing and social engineering were used in nearly all of the hundreds of data breaches the firm analyzed. Experts say security researchers will likely be monitoring for suspicious activity associated with threats against Adobe software. Researchers, said Adam Wosotowsky, a senior antispam research analyst at McAfee, monitor suspicious domains tied to particular IP addresses for changes that signal a potential threat.
"Probably 99.9 percent of malware is generic, high mutation-rate stuff," Wosotowsky said. "The advanced persistent threat, or someone who does a lot of research into their target, takes a certain amount of time and money, but it can be much more damaging because it's that much more difficult to recognize that you've got an infection like that."
The leak of Adobe's source code increases the risk that an attacker will make use of it, but that does not necessarily make it likely. Open source software is open and available for review, and, while the point is debated, some experts believe that more eyes on the code can make it more secure, Henderson said. In any case, disassembler tools are already available and actively used by hackers to take apart proprietary software and scan it for vulnerabilities from which to build exploits.
Some vendors maintain open source projects to attract more eyes to review and experiment with the source code. Google has released over 20 million lines of code across more than 900 open source projects. It maintains an open source repository for its Android mobile platform and for Chromium, the software behind the Google Chrome browser and Chrome OS. The company recently released the source code to its Google Glass software.