Establishing Digital Trust: Don't Sacrifice Security for Convenience
"The cliché is that bad guys rob banks because that's where the money is," Brad Arkin, senior director of Product Security and Privacy at Adobe, told InternetNews.com. "Well, bad guys go after our software because that's where the users are; that's part of the success of having our software everywhere is that it paints a bullseye on us."
While Adobe has had more than its fair share of zero-day flaws to patch in recent years, Arkin notes that Adobe takes a measured approach to releasing patches. "Anytime a bug comes in we triage it to evaluate the impact and the characteristics of what has been impacted, and then we determine what the right response is," Arkin said. "We found that our customers need protection against attacks that are in the wild."
That said, Arkin noted that patches are expensive to deploy across large environments, so Adobe has to be careful not to ship them too often. Whenever possible, Adobe keeps patches on its scheduled release cycle. "It's only in real emergencies that we ship something out of cycle," Arkin said.
Arkin stressed that the Reader 10 update has significantly improved security by way of a sandbox. The Reader 10 sandbox provides protection against different types of attacks including rootkit installation. In general, the Reader 10 sandbox has made it much harder for attackers to succeed. "We haven't seen anything in the real world in terms of attacks, that work against the Reader 10 sandbox," Arkin said. "So we're very happy with that so far."
The Reader 10 sandbox was, however, the subject of a talk at the recent Black Hat security conference in Las Vegas. Adobe has been working with the researchers, and while they did find a flaw, it is not an issue with the sandbox's architecture. Arkin noted that Adobe will ship a patch for the sandbox bug as part of the next Reader update, likely in September.
Adobe is also improving security for Flash Player, which is also under regular attack. Arkin said that attackers run automated fuzzing tools against Flash to see if they can make it crash; when a crash occurs, they examine it to see whether it is exploitable. Adobe, for its part, is working on making Flash Player robust enough to withstand that type of scrutiny.
"We have a verifier that looks at the swf (flash file) content before it gets passed deeper into the Flash Player," Arkin said. "The verifier makes sure the content is compliant with the specification."
Often the bug that gets triggered lies in the handling of content that falls outside the SWF specification. A stricter verifier is therefore a form of input validation: content that fails the check is rejected before it is passed deeper into the player, reducing the risk of a crash and of exploitation.
"There has been a verifier in Flash for several releases and we keep figuring out ways to tighten that up," Arkin said. "It's getting better with every release."
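As an added illustration of the verifier-as-input-validation idea (example code written for this page, not Adobe's code and not Flash Player's actual verifier), the following Python checker validates the fixed SWF header and frame-size RECT against the public SWF file layout and rejects content whose declared length or bit widths disagree with the bytes actually present. The `max_version` cutoff and the constructed sample inputs are assumptions made for the example.

```python
import struct
class SwfVerifyError(ValueError):
    pass  # content does not match the SWF header layout in the spec
def _read_bits(data, bitpos, n):
    # MSB-first bit reader that refuses to read past the end of the buffer.
    if bitpos + n > len(data) * 8:
        raise SwfVerifyError("bit field runs past end of data")
    value = 0
    for i in range(bitpos, bitpos + n):
        value = (value << 1) | ((data[i // 8] >> (7 - i % 8)) & 1)
    return value, bitpos + n

def verify_swf_header(data, max_version=10):
    # Validate the fixed SWF header and frame RECT; return parsed fields or raise.
    if len(data) < 8:
        raise SwfVerifyError("shorter than the 8-byte SWF header")
    sig, version = data[:3], data[3]
    if sig != b"FWS":  # CWS/ZWS (compressed) must be inflated before this check
        raise SwfVerifyError("expected uncompressed FWS signature, got %r" % sig)
    if not 1 <= version <= max_version:
        raise SwfVerifyError("unsupported version %d" % version)
    declared = struct.unpack_from("<I", data, 4)[0]
    if declared != len(data):
        raise SwfVerifyError("FileLength %d != actual %d" % (declared, len(data)))
    # Frame size RECT: 5-bit Nbits, then four Nbits-wide signed twip values.
    nbits, bitpos = _read_bits(data, 64, 5)
    fields = []
    for _ in range(4):
        raw, bitpos = _read_bits(data, bitpos, nbits)
        fields.append(raw - (1 << nbits) if nbits and raw >> (nbits - 1) else raw)
    xmin, xmax, ymin, ymax = fields
    if xmax < xmin or ymax < ymin:
        raise SwfVerifyError("inverted frame rectangle")
    off = (bitpos + 7) // 8  # RECT is padded to a byte boundary
    if off + 4 > len(data):
        raise SwfVerifyError("missing FrameRate/FrameCount")
    frame_rate = data[off + 1] + data[off] / 256  # UI8.8 fixed point, little-endian
    frame_count = struct.unpack_from("<H", data, off + 2)[0]
    return {"version": version, "frame": (xmin, xmax, ymin, ymax), "frame_rate": frame_rate, "frame_count": frame_count}

def pack_bits(fields):
    # Builds constructed test input from (value, width) pairs, MSB-first, zero-padded.
    bits = "".join(format(v & ((1 << n) - 1), "0%db" % n) for v, n in fields)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")
# Constructed sample (100x100 twip stage, 24 fps, one frame) and two out-of-spec variants:
_BODY = pack_bits([(8, 5), (0, 8), (100, 8), (0, 8), (100, 8)]) + b"\x00\x18" + b"\x01\x00"
GOOD_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(_BODY)) + _BODY
BAD_LENGTH = GOOD_SWF[:4] + struct.pack("<I", 9999) + GOOD_SWF[8:]  # lying FileLength
BAD_NBITS = b"FWS" + bytes([10]) + struct.pack("<I", 9) + pack_bits([(31, 5)])  # Nbits overruns file
```

The two bad inputs model the kind of out-of-spec content the text describes: a header that claims a different size than the file has, and a bit-width field that would make a naive parser read past the end of the buffer.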