
Closing the holes in a popular attack vector

21-Aug-2012 - In October 2011 Mikko Hypponen stood in front of hundreds of SecTor attendees and offered advice on protecting against malicious threats. His first point was, “Patch, patch, patch,” and his second was, “Remove all traces of Adobe Reader. It is by far the most common attack vector.”

While the conference organizers cringed and later lamented they’d never get Adobe as a sponsor, Hypponen’s statement reminds us of the late 1990s when everybody was piling on Microsoft for not building security into its products.

“I got in touch with Mikko and said, ‘Hey if you’re talking about Reader version 9, I agree with you’,” said Brad Arkin, senior director of product security and privacy at Adobe. “Upgrade to Reader 10, because it’s a lot different from a security perspective. Reader 10 is so much better. And he agreed.”

When Arkin joined the Adobe security team, the firm wanted a fresh look at what it was doing in software security. About that time the threat landscape was changing.

In early 2009 the bad guys began what we today call APTs: using an exploit that targeted Adobe Reader to get at information or systems with no immediate financial reward, leaning instead towards corporate espionage. Bad guys attack software that is widely deployed: MS Office and Windows, Adobe Reader and Flash Player.

“We learned we needed a lot of changes to better protect our customers,” Arkin said. “We identified a three-pronged set of priorities...

1. Move to a regular update schedule – instead of as needed or ad hoc.
2. Change our ability to respond to urgent problems.
3. Harden our code – making the product harder and less attractive to the bad guys, so they stop attacking our users through Adobe software.”

So Adobe began releasing updates quarterly. After a while the security team saw a need to cut back on the number of updates, so in June of this year Adobe announced a move to shipping as needed, alongside a regularly scheduled “patch Tuesday”. The new update method works better for enterprise customers and users.

Before 2009 the team had never had to patch a previously unknown vulnerability, so getting a patch out took about 10 calendar weeks, even with everyone on the team working on it.

“We needed to improve, so we set a target of 15 days from the time we get the sample to the time we send the patch,” said Arkin. “We managed, but it took about 6,000 man hours. Over time we’ve automated some things and done others so we can complete many tasks in advance. As a team we’ve gotten smarter at what we need to do to get updates out quicker. The average time is now five calendar days, and our record is 48 hours.”

Code hardening has been an ongoing exercise. For example, the JavaScript blacklist framework lets you disable individual JavaScript API calls while allowing all other JavaScript to keep working.

“Once we put it out there bad guys stopped using that vector, because our customers had the ability to turn off APIs,” Arkin said.

The Yellow Message Bar is a small bar that drops down from the top of the window. It lets you keep working with the PDF without being exposed to a disabled feature’s security risk, as long as you don’t need that functionality. Previously you’d see a pop-up asking you to make a security decision.

“There’s no dialog box asking what to do,” said Arkin. “That helps users by not forcing them to make a decision. We use that framework now, calling it ‘putting it behind the message bar’. It’s harder for attackers to exploit.”

One of the earliest and biggest changes the team made was rewriting the update mechanism. They had put enormous effort into getting updates out, and then discovered users weren’t installing them. From a user design perspective the interface wasn’t as good as it could have been, so they rewrote it from top to bottom.

The most important change is the silent automatic updater. Updates happen in the background, which greatly shortens the time it takes for patches to reach users.

“Those are what we did to Reader 9. The biggest changes had to wait for version 10.”

In November 2010 the team introduced Adobe Reader Protected Mode. It takes the code that renders a PDF and runs it in a process without write access, so bad guys can’t get into the Registry or install malware.

“We’ve observed that to our knowledge no Adobe Reader 10 user anywhere has been attacked with a malicious file,” Arkin said. “It may not last forever, but right now it’s proven effective and it’s almost two years old.”

Reader version 9 reaches end of life next year. Because of the security benefits of version 10, Adobe recommends upgrading as soon as possible.

Acrobat Protected View, for the authoring tool, came with version 10.1, which shipped in the spring of 2011.

“We also enable JavaScript whitelisting, which is the opposite of blacklisting. It lets you turn on individual JavaScript API calls, while leaving all others off by default.”
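To make the difference between the two JavaScript API-control modes concrete, here is a small added example, not Adobe's code and not how Reader is actually implemented: a toy policy evaluator that applies a blacklist or a whitelist to the API calls a document attempts. The API names and the sample document are constructed for the example; the point it shows is that a blacklist lets an unreviewed new API through while a whitelist denies it by default, and that blocked calls can be collected for a message bar instead of stopping the document.

```python
"""Added example (not Adobe's code): a toy model of the two JavaScript
API-control modes described in the article.

- blacklist mode: every API call is allowed except those on the list
- whitelist mode: every API call is denied except those on the list

The API names and the sample "document" below are constructed for this
example and are not taken from Reader."""

from dataclasses import dataclass, field

# Constructed sample: names of API calls an embedded script might make.
# The last one stands for an API that shipped after the policy was written.
SAMPLE_CALLS = ["app.showAlert", "doc.printPage", "doc.exportData", "vendor.newApi"]


@dataclass(frozen=True)
class ApiPolicy:
    mode: str                                   # "blacklist" or "whitelist"
    listed: frozenset = field(default_factory=frozenset)

    def allows(self, api_name: str) -> bool:
        """Decide one call. Whitelist mode fails closed: anything not
        explicitly listed, including an API nobody has reviewed yet, is denied."""
        if self.mode == "blacklist":
            return api_name not in self.listed
        if self.mode == "whitelist":
            return api_name in self.listed
        raise ValueError(f"unknown mode {self.mode!r}")


def evaluate(policy: ApiPolicy, calls):
    """Return (allowed, blocked) for the calls a document attempts.

    Blocked calls are collected rather than aborting the document, mirroring
    the article's point that a disabled feature is surfaced in a message bar
    while the rest of the PDF keeps working."""
    allowed, blocked = [], []
    for name in calls:
        (allowed if policy.allows(name) else blocked).append(name)
    return allowed, blocked


def message_bar_text(blocked):
    """Non-blocking notice for the user; empty when nothing was blocked."""
    if not blocked:
        return ""
    return "Some features of this document were disabled: " + ", ".join(blocked)


def new_api_outcome(new_api="vendor.newApi"):
    """Why whitelisting is the safer default: an API absent from both lists is
    allowed under the blacklist but denied under the whitelist."""
    black = ApiPolicy("blacklist", frozenset({"doc.exportData"}))
    white = ApiPolicy("whitelist", frozenset({"app.showAlert", "doc.printPage"}))
    return {"blacklist": black.allows(new_api), "whitelist": white.allows(new_api)}


if __name__ == "__main__":
    for policy in (ApiPolicy("blacklist", frozenset({"doc.exportData"})),
                   ApiPolicy("whitelist", frozenset({"app.showAlert", "doc.printPage"}))):
        allowed, blocked = evaluate(policy, SAMPLE_CALLS)
        print(f"{policy.mode:9s} allowed={allowed} blocked={blocked}")
        print("          ", message_bar_text(blocked) or "(no message bar)")
    print(new_api_outcome())
```

Running the script prints the two policies' decisions over the constructed call list. The design choice worth noticing is the one Arkin draws out: a blacklist only protects against calls someone has already decided to block, whereas a whitelist protects against everything that has not yet been explicitly approved.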

In Reader version 9 the bad guys attacked 3D content, so the Adobe security team turned off 3D rendering by default, since it’s not a widely used feature. With the default configuration, malicious 3D content can’t hurt your system.

“We also changed Flash, so instead of using the internal Flash player that ships with Reader, it calls the operating system Flash Player,” Arkin said. “Now people can uninstall Flash Player whenever they want, or update Flash Player. These are subtle things that probably won’t get noticed by end users, that make attacks harder to create. Because bad guys are improving all the time, so are we. We get those improvements to users as soon as we can.”

Reader and Flash are possibly the most widely installed software in the world. It’s difficult to know what the install base looks like, because Adobe respects users’ privacy: Reader only asks what the latest version of Reader is, and sends no system information.

As for what version you’re running, Arkin suggests, “Move to Reader 10 right away, or plan to migrate. The security benefits are very steep. And we hope nobody is running unsupported versions – 8 or older. Those are far riskier.”

Arkin has posted a video in which he outlines some of the updates to Adobe Reader.