IT Security & Network Security News & Reviews - eWeek



IT Security & Network Security

The Big Bullseye On Adobe


By: Larry Seltzer
2008-06-06
Article Rating:starstarstarstarstar / 11


There are  user comments on this IT Security & Network Security News & Reviews story.



  Table of Contents:
  1. The Big Bullseye On Adobe
  2. One Monster Attack Surface

As the company's software becomes more important to many companies, the attack surface of their products grows.

The Big Bullseye On Adobe - One Monster Attack Surface
( Page 2 of 2 )

Now Adobe is completing the circle by bundling Flash into Acrobat. This will create one monster attack surface. I'm not sure if it makes the problem worse or not to have it all in one program. One would hope they would keep unbundled versions of Acrobat and Reader on the one hand and the Flash Player on the other. But I suspect that's not what they're planning. As I heard it put once in a different context: You'll have to take the whole gorilla—even if you only wanted the banana.

At least there are a lot of competitors in the PDF space, but it's hard to see this as not leading to more attacks and more exploits and more compromised PCs through the Acrobat and Flash vectors. Adobe clearly tries, as one can tell from this overview of their security practices or this extensive paper on security in the Flash Player.

Acrobat opts into DEP (Data Execution Prevention) support on XP and Vista, and Adobe claims that Flash does (I know back in March it didn't, so perhaps this is brand new). But neither opts into ASLR (Address Space Layout Randomization) on Vista. (It's possible to force Flash to support ASLR). The new Acrobat Reader 9, available in July, will take advantage of both DEP and ASLR according to Adobe, as will Adobe Flash Player 10, now available as beta on Adobe Labs and expected to be generally available later this year, according to a company spokesperson.

These defense-in-depth measures can reasonably be expected to make practical compromise of clients far more difficult. Perhaps then, the real challenge to the company, as with Microsoft, is to get users off of old, defenseless versions and onto the new ones. This is, doubtless, the plan anyway.

I asked Adobe about these issues and got this response from Erick Lee, manager of secure software engineering: "Adobe takes the security of our products seriously, mindful of their wide use. We have a team dedicated solely to making sure our products are designed, engineered, and validated using security best practices. The Adobe Secure Software Engineering team, which I manage, has industry-leading experience in building secure applications and is a core service provided to all Adobe product teams, independent of any specific business or product line. Our secure software engineering practices include threat modeling, automated code audits, in-house fuzzing, bringing in third parties for external security reviews and more. "

As vendor quotes go, that's pretty encouraging. Here's to success in their efforts because insecure Adobe products are now officially bad for everyone.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.








 
 
>>> More IT Security & Network Security News & Reviews Articles          >>> More By Larry Seltzer
 


FEATURED SPONSOR VIDEOS

Benefits of Workload Optimization

What Smart Companies MUST Learn from Gaming

Advances in Authentication

Vertical Markets Benefit from Workload Optimization

View More Videos

Brought to you by
Advertisement

FEATURED SPONSOR MESSAGE

Microsoft Sponsored Resource Center

Increase Your Microsoft Office 365 Knowledge! Dig inside this suite of cloud-based collaboration tools.

Watch the video >>

Brought to you by

Suggested Related Content:

Articles Labs/How-To Multimedia


Advertisement
Contact Us | About | Advertise | Site Map
eWEEK Quick LInks

Security:
Enterprise Networking
Network Security
Infrastructure Security
How To: Data
Security Watch Blog
Storage:
Data Storage
Cloud Storage
Storage Virtualization
Network Access Storage
How To: Storage
Storage Station Blog
Computing:
Apple OSX
Linux Systems
Windows 7
Managed Print Services
Computer Reviews
Microsoft Watch Blog
Google Watch Blog
Communications:
VoIP Solutions
Wireless Technology
Messaging Software
Web Services
Apps & Development:
Application Development
Enterprise Apps
Search Engines
Database Software
Web 2.0
CIOs

Vertical Markets:
Federal Government IT
Health Care IT
Finance IT
Mid-Market
Channel and VARs
Careers Blog
More eWeek Links:
Green Computing Center
Tech Knowledge Center
Tech Newsletters
Tech RSS Feeds
White Papers
Tech Videos
Magazine Subscriptions
Enterprise Websites:
ZDE Home
eWeek
Baseline Magazine
Channel Insider
CIO Insight
eSeminars and Events
Web Buyers Guide
Developer Websites:
DevSource C# and .Net
Dev Shed
DeveloperShed
ASP Free
SEO Chat
Codewalkers
Tutorialized
Scripts.com
Dev Mechanic
Dev Articles
Web Hosters
Dev Hardware
Technology Websites:
Device Forge
Desktop Linux
Linux Devices
Windows for Devices
PDF Zone
Linux Watch
TechDirect
Windows Migration
Smarter Technology

Use of this site is governed by our Terms of Use and Privacy Policy
Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
ZDE Cluster 11
 
Close this advertisement