At the beginning of this decade, Microsoft represented a cybercriminal's dream target: universally-used software, brimming with bugs ready to be exploited to hijack users' PCs. But as the software giant has slowly cleaned up its security flaws, hackers are looking toward another vendor whose products are nearly as ubiquitous and whose bounty of vulnerabilities is just being discovered: Adobe.
According to Verisign's bug tracking division iDefense, 45 bugs in Adobe's Reader software were found by either cybersecurity researchers or malicious hackers this year and patched. In 2008, iDefense found 14 Reader bugs, double the number in 2007.
Meanwhile, the number of bugs found in commonly-used Microsoft programs like Internet Explorer, Windows Media Player and Microsoft Office remained flat or dropped. Just 30 bugs were exposed in Internet Explorer, the same number as last year, and 41 bugs were found in all of Microsoft's Office programs like PowerPoint, Word and Excel, down from 44 in 2008.
When Forbes asked a group of cybersecurity researchers from security firms TippingPoint, iDefense and Qualys to name software programs with vulnerabilities most often used by hackers to victimize users' PCs this year, every one included Adobe Reader on their list. "It's a huge focus for attacks now, around 10 times more than Microsoft Office," says Wolfgang Kandek, chief technology officer at Qualys, a vulnerability scanning firm.
Until recently, Adobe Reader software has received less scrutiny than browsers like Internet Explorer and Firefox. But it shares the characteristics that made those browsers powerful attack avenues. Nearly every Web user has installed Reader. Its complex code base offers a high risk of flaws. And it accesses enough of a user's machine to give hackers a powerful foothold. "It's a very good playground for exploitation," says Pedram Amini, a researcher at 3Com-owned security firm TippingPoint.
Part of Adobe Reader's vulnerability stems from its unexpected functions, Amini says. Aside from merely reading static PDFs, it can also run JavaScript to enable PDFs that include animation or pull dynamic information from databases. Those abilities mean the program can allocate memory for a document's use, a trick that, combined with the right bug, can allow a hacker to execute code on a user's machine and install programs. "It's a rich target for both bug hunters and exploit writers," Amini says.
Text and images: Copyright Forbes.com. Any unauthorised reproduction is prohibited.