position

Flash Player 11: Adobe's great security hope

But we can still blame the lazy users for successful PDF attacks

Stilgherrian (CSO Online (Australia))
— 04 October, 2011 08:59

Flash Player 11 should fix plenty of security holes, just like Adobe Reader X did a year ago. But Adobe's products will continue to be a target as long as people insist on running obsolete software.

Adobe must be getting used to this by now. Their PDF document format has been the tool of choice for hackers wanting to deliver malicious payloads into organisations large and small for more than a year -- certainly since last year's Operation Aurora attacks against Google, Juniper Networks, Rackspace, Adobe themselves and the other, unnamed, victims.

Yet the software flaw that allowed this to happen was fixed in Adobe Reader and Acrobat version X, released in November 2010.

"In 2011, we haven't seen any malicious PDFs that go after Reader proper," said Brad Arkin, Adobe's head of product security and privacy. "We have seen two examples of malicious PDFs which encapsulated malicious SWF [Flash] content."

"Thus far, no bad guys have successfully deployed any malware that's effective against version X," he told CSO Online.

But these attacks continue to succeed because most people are still using out-of-date versions of Adobe Reader.

"It's exclusively a situation where users of older versions are being targeted," Arkin said. "We've studied this problem quite a bit because it is the biggest obstacle for us to help our users stay safe."

In April 2010, Adobe introduced a silent automatic mode for updating Reader and Acrobat without the user having to interrupt their work. Even though it wasn't the default setting, Arkin said that enough users adopted it to reduce the time to roll updates out to the user base by about 70 percent.

In June this year, the silent automatic mode became the default. Adobe's 13 September update was the first to be distributed under this new regime. While the numbers aren't in yet, Adobe's goal is that "most of the users in that consumer environment will get the updates within maybe 72 hours of when we ship it, and it'll be effortless from the user perspective."

The bad guys had originally started attacking Adobe Reader because Microsoft had been gradually improving the security of Windows. And now, as Adobe fixes Reader and Acrobat, the bad guys move again.

"The threat landscape out there has shifted, where instead of going after Adobe Reader X, we have seen people go after other Adobe products, and so things that are very widely deployed," Arkin said.

Things like Flash Player.

A zero-day exploit against the widely-deployed browser plugin forced Adobe to issue an urgent fix last month. Just like another one did in April. Twice. More attacks will doubtless follow.

The Flashback Mac Trojan posed as a Flash updater, trading off Adobe's good name while it installed a back door in OS X.

Adobe hopes that this month's release of Flash Player 11 will help.

Flash Player 11's security improvements include:

* Random numbers now come from the host operating system's random number generator, which might include cryptographic-quality hardware random number generators, rather than Flash's built-in game-quality code.

* Encrypted SSL/TLS connections now go directly from Flash Player to the remote server, rather than using SSL over HTTP in the browser, cutting down on the processing overhead.

Flash Player 11 also provides access to the computer's graphics processing unit (GPU) for gaming and other computationally-intensive applications, but Adobe downplays the risk of this direct hardware acces allowing a malicious Flash application to write to the screen.

"Security guys are taught to worry, so you're never worrying about nothing," Arkin said, "[but] there's a lot in between the ActionScript the developer writes and the actual GPU hardware access."

"We don't see that really changing the attack vectors that bad guys and going to use, because the access to the hardware is abstracted so much," he said. "We've spent a lot of effort to make sure the bad guys can't do anything interesting with it."

-----------------------------------------------------------------------------------------------------

Contact Stilgherrian at Stil@stilgherrian.com or follow him on Twitter at @stilgherrian

Tags: Adobe, adobe flash, Adobe Reader X, Flash Player 11, malicious PDFs, Operation Aurora attacks, OS X, trojan, zero-day exploit

Comments

Post new comment

CSO Corporate Partners

Get exclusive access to CSO, invitation only events, reports & analysis.

Security Risk Management Solutions

Protect resources and ensure security compliance through incident detection, response, and remediation.

Submit your training courses

Media Releases

More Media Releases »

Latest Jobs

CCIT Project Co-ordinatorNSW
FTSenior Network Field Engineer - Cisco R&S / Wireless SolutionsNSW
FTSenior Citrix EngineerNSW
CCSystem Engineer - Exchange - CONTRACTSWA
FTiPhone App DeveloperNSW
FTChange Management ProfessionalsNSW
FTiPhone Developer DeveloperNSW
FTSenior Network Engineer - Cisco / Nexus / UCS / - Routing / Switching / WirelessNSW
FTiPhone App DeveloperNSW
FTSenior Citrix EngineerNSW
CCAvaya Engineer - ERS 8600 4.1NSW
FTASP.NET Developer (Digital)NSW
FTSenior Network Field Engineer - Cisco R&S / Wireless SolutionsNSW
CCSystem Engineer - Lync and Exchange - CONTRACTSWA
FTTechnical Consultant (VB.NET Developer)NSW
FTSenior Network Engineer - Cisco / Nexus / UCS / - Routing / Switching / WirelessNSW
FTTechnical Services Engineer - ShoreTel/MitelVIC

Solution Centers

Security Awareness Tip

Clearswift tips: Guidelines for introducing and policing an effective IT Policy

1. Make it clear that the policy is not about playing ‘Big Brother’ but to ensure the security of employees, company information and data and to safeguard the company’s reputation.
2. Invest time to get buy-in from managers and their teams.
3. Convey the message of flexibility – with regard to social media, it is not about blocking staff usage but working in everyone’s interests to ensure that threats are contained.
4. Introduce a regular company-wide training programme that everyone attends at regular intervals throughout the year, not merely as part of an induction programme.
5. Within the training programme make sure that there are specific examples to demonstrate each rule or regulation, and that there is a clear explanation of the dangers of casual or careless talk on social networking sites. Again use examples, employees need to understand the consequences of raising a throwaway comment that has negative connotations for the business, as much as they need to be aware of dangers of making a more direct but ill-considered attack on a competitor, regulator or even a fellow colleague. They need to be clearly advised on any impact on the company and/or legal action or inquires that may be raised as a result.
6. Alert employees to any changes in policy through regular clear communication.
7. Reinforce the operational policy guidelines regularly, cover everything from blogging to Facebook, LinkedIn and Twitter.
8. Ensure that the rules are fair and that they apply throughout the business.
9. Enforce the rules – if there is a deliberate or malicious contravening, disciplinary action needs to be taken. A policy isn’t worth having if it is seen to be lax and unenforced.
10. Review the policy regularly to ensure you keep up to date with new systems and technology.

Phil Vasic is Regional Director, APAC, at Clearswift, the software security company www.clearswift.com

Security ABC Guides

7 Ways to Protect Your Business Printers

Can a hacker burn down your business by remotely setting one of your printers on fire? Researchers at Columbia University have recently proposed such a scenario, although HP quickly denied that it's possible. However, even if your printers can't be used as remote firestarters, there are many risks involved in networking a printer.

Read More

Market Place