One Monster Attack Surface

By Larry Seltzer  |  Posted 2008-06-06

Now Adobe is completing the circle by bundling Flash into Acrobat. This will create one monster attack surface. I'm not sure if it makes the problem worse or not to have it all in one program. One would hope they would keep unbundled versions of Acrobat and Reader on the one hand and the Flash Player on the other. But I suspect that's not what they're planning. As I heard it put once in a different context: You'll have to take the whole gorilla, even if you only wanted the banana.

At least there are a lot of competitors in the PDF space, but it's hard to see this as not leading to more attacks and more exploits and more compromised PCs through the Acrobat and Flash vectors. Adobe clearly tries, as one can tell from this overview of their security practices or this extensive paper on security in the Flash Player.

Acrobat opts into DEP (Data Execution Prevention) support on XP and Vista, and Adobe claims that Flash does (I know back in March it didn't, so perhaps this is brand new). But neither opts into ASLR (Address Space Layout Randomization) on Vista. (It's possible to force Flash to support ASLR). The new Acrobat Reader 9, available in July, will take advantage of both DEP and ASLR according to Adobe, as will Adobe Flash Player 10, now available as beta on Adobe Labs and expected to be generally available later this year, according to a company spokesperson.

These defense-in-depth measures can reasonably be expected to make practical compromise of clients far more difficult. Perhaps then, the real challenge to the company, as with Microsoft, is to get users off of old, defenseless versions and onto the new ones. This is, doubtless, the plan anyway.

I asked Adobe about these issues and got this response from Erick Lee, manager of secure software engineering: "Adobe takes the security of our products seriously, mindful of their wide use. We have a team dedicated solely to making sure our products are designed, engineered, and validated using security best practices. The Adobe Secure Software Engineering team, which I manage, has industry-leading experience in building secure applications and is a core service provided to all Adobe product teams, independent of any specific business or product line. Our secure software engineering practices include threat modeling, automated code audits, in-house fuzzing, bringing in third parties for external security reviews and more."

As vendor quotes go, that's pretty encouraging. Here's to success in their efforts because insecure Adobe products are now officially bad for everyone.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
