Adobe has been in the security spotlight for some time now, and in an effort to give our readers a better perspective on the company’s efforts to improve the security of its products, Threatpost had a live chat with Brad Arkin, director of product security and privacy at Adobe, on Feb. 24.
This is a transcript of the chat. Arkin will also post answers to the questions he didn't have time to address during the chat on the Adobe ASSET blog this week.
Tom: What is Adobe’s stance on security updates on Acrobat 8.x?
Brad Arkin: Adobe currently supports version 8 and 9 of Adobe Reader and Acrobat. We will continue to provide security updates for v8 of Reader and Acrobat until that version reaches end of life.
Jonathan James _Atea_ Sweden: Adobe has been through some challenges responding to recent PDF vulnerabilities – patch-development time cycle, etc. What has changed at Adobe and how will Adobe respond to similar incidents in the future? Will there be more resources allocated to deal with security vulnerabilities?
Brad Arkin: We put a lot of effort into improving our ability to respond to urgent incidents for Adobe Reader and Acrobat. We described some of that work in a blog post I published last May here. We performed a complete review of all the steps involved in getting a patch out the door. In 2009 we were able to ship 3 urgent updates within 15 days of when the first malicious sample first arrived in our psirt@adobe.com inbox. Our goal is to respond as quickly as possible for each urgent incident and we are constantly looking for ways that we can further improve our process.
Chris: What is the average turnaround time for patching security threats/holes?
Brad Arkin: The turnaround time depends on the type of vulnerability and the urgency of the threat. For 0-days with attacks in the wild we try to get fixes out within days. The majority of this time is spent on verifying the updater/installers will work correctly. For bugs that are responsibly disclosed to Adobe we try to get them patched and into the next scheduled security update. Last time I checked the average age of open security bugs was ~90 days.
Pmhesse: Since it is often an attack vector, why isn’t Acrobat’s JavaScript capability usually disabled, requiring permission from the document opener to run? I could see situations where you say “always allow for this document” or “always allow on digitally signed or certified”, but I don’t understand why it always needs to be enabled.
Brad Arkin: Reader today supports a configuration option to disable JavaScript. Starting in October we changed the UI so this appears as a yellow bar across the top of the viewing pane rather than a modal dialog box. We don’t disable JavaScript by default because it is an integral part of the Adobe Reader experience when working with documents. Similar to how web browsers don’t disable JavaScript by default in their configurations.
TomC: What is the status of Flash on SmartPhones? Anytime soon?
Brad Arkin: Not a security question, but I can answer this anyway. Flash Player v10.1 will be supported on 19 of the top 20 smart phones. 10.1 is scheduled to release later this year.
St0rmz: Why didn’t Adobe release something similar to a 1-click fix for APSB10-08 to uninstall the download manager? Manual removal for most consumers is not going to happen.
Brad Arkin: Our primary goal was to get an updated DLM on the site. The intended behavior for DLM is to remove itself after the machine restarts. We also mitigated some problems on the server side that were also required for Aviv’s attack to work as described. Even though most users will not perform manual removal, the risk is rapidly diminishing as users continue to restart their machines as part of their normal use.
Scott Cooper_ KL Support: Would you allow security vendors such as Kaspersky to distribute security patches on Adobe Systems’ behalf?
Brad Arkin: We are eager to work with any partner that can help get our security updates installed quickly and efficiently on end users' machines.
Curious_George: Why is McAfee now a default download with your Adobe Reader and other products? We now have users accidentally installing it, which is causing chaos since we already have Kaspersky installed. I don’t see why you would install an anti-virus as part of an Adobe utility download.
Brad Arkin: The user is presented with a choice during the download process regarding bundled software. Unticking the box will allow users to get just the Reader installer.
Avivra: Do you actively look for vulnerabilities in your own products, like many other big players in the market (Microsoft, Google, etc.)?
Brad Arkin: YES! I manage the Adobe Secure Software Engineering Team (ASSET). These guys proactively work with the product teams to develop security test plans to evaluate all of our products for potential security vulnerabilities before we ship. This includes steps like threat modeling, spec reviews, code reviews, fuzzing, and hands-on pen testing. We also work extensively with 3rd party security consultants to perform additional security testing of our products.
Tim_A: Why does Adobe choose to use a DLM in the first place? Why not build the updater separately into each product? Doesn’t this add a point of attack/failure?
Brad Arkin: This link describes some information about why we use a DLM: http://kb2.adobe.com/cps/520/cpsid_52001.html. The DLM is just used to download the initial installer. The update process for an installed product is separate.
Larryseltzer: Will Adobe continue to add features, and attack surface, to Acrobat and Flash, or are you going to have some time to catch up?
Brad Arkin: Acrobat and Flash Player are living products with a vast user base and development community. We are doing our best to address the feature requests while doing everything we can to keep our products as secure as possible.
Terminator_51: I have Kaspersky on my computer, and a lot of the time Adobe Reader kicks out because of a threat that never seems to develop. What will Adobe do to prevent this in the future?
Brad Arkin: I’m not exactly clear on what is causing the behavior you’re describing. We work with our anti-malware partners to limit any potential false positives where an installer or product might get flagged as a trojan. We also work with our partners in the security community to provide info to improve the rate of detection for malicious content in the form of file formats like SWF and PDF.
Ryan_Naraine: Do you think we’ll get to a point where Adobe’s security patches are a part of Windows automatic updates? Is this a discussion you have started with Microsoft? If not, why not?
Brad Arkin: Adobe security updates are distributed today via the Software Update mechanism on Mac OS X. We are eager for any channel including OS update mechanisms to help get security updates installed faster/easier.
Bo: As we all know, Adobe is one of the most exploited applications. Is there any chance we can see Adobe digitally sign their files? If so, when might we see this? If not, why?
Brad Arkin: Adobe product installers are digitally signed today. On Windows you can verify the publisher signature. We also sign the updates so the client-side updater can verify they are genuine before applying the update.
CharlesL: Can you give an example of an Attack of an Adobe product and the timeliness of the response to that attack?
Brad Arkin: A couple of incidents that I remember off the top of my head:
– July 16, 2009 – We received our first malicious sample of a PDF exploiting a previously unknown vulnerability. We triaged the sample, developed a fix, and shipped updates for Flash Player on July 30 and Adobe Reader & Acrobat on July 31.
– July 10, 2009 – We were contacted by MSFT regarding the ATL Header vulnerability. We triaged over 200 Adobe products and determined that the vulnerable MSFT code was included in two Adobe products: Shockwave Player and Flash Player. We applied the MSFT patch and included the fix in the July 30 Flash Player release and July 28 for Shockwave Player.
Nick: Does Adobe publish information about its secure development process, similar to how Microsoft publishes information at http://www.microsoft.com/sdl? If not, is there a plan to do this in the future?
Brad Arkin: Our ASSET blog is one information resource: blogs.adobe.com/asset. We are also revamping our adobe.com/security page to provide more information about our software security practices. That will go live in a few weeks with new information in addition to what is hosted there today. Adobe joined SAFECode in 2009 to help share our internally developed best practices with the broader community. Peleus Uhley from my team also supports the Flash Player secure development portal in OWASP. We’re always looking for new ways to share what we’re doing and learn from other folks in the security community.
Jerome: Is there an option for end users to disable the automatic opening of a PDF from their browser, and always ask to save them instead?
Brad Arkin: This is a supported option today.
dennis_fisher: Hey Brad, this came in via Twitter this week: When should we expect a fix for Javascript exploits in Reader rather than just turning JS support off?
Brad Arkin: In the May 20, 2009 blog post I linked to earlier I described some of the work that the team is doing to harden the Reader code base. In regards to JavaScript specifically we have been going through the code, tightening input validation, performing code reviews, performing extensive fuzzing, and evaluating other design-level changes to make the JavaScript engine as secure as possible. We also shipped in October 2009 the JavaScript BlackList Framework which allows users/admins to disable individual JavaScript APIs as an additional mitigation feature.
Bradysee: I am confused; if the DLM is used just once, why not delete it after use?
Brad Arkin: The DLM is removed after the machine restarts. We can’t remove it any earlier because the DLM is an ActiveX plugin that resides in the IE process memory. The resources are locked while IE is still in use.
Jerome: How about digitally signing the PDF files themselves?
Brad Arkin: There are a lot of dig sig features for PDF supported by Reader & Acrobat today.
dennis_fisher: Another one via Twitter: As I see it one of the big problems for Adobe is that a lot of its users are running (vastly) outdated software. Assuming that upcoming releases of Adobe products feature better updaters, how is Adobe planning to get the vast majority of its user base to actually upgrade to such a version?
Brad Arkin: The new updater for Adobe Reader and Acrobat is present in all versions downloaded from our site since October 13, 2009. Once the pilot is complete we can activate the new updater on our server side. This gives us a head start on rolling the user base over to the new updater. We are also using media outreach, marketing, and other approaches to get the word out that users should stay up to date.
Tom_Zucker: Adobe products were numbers 1, 2, and 3 of Kaspersky’s top ten most vulnerable apps of 2009. What specifically do you attribute this to and what specific plans are in place to prevent this from happening again?
Brad Arkin: The ubiquity of Adobe’s client-side runtimes makes them an attractive target for bad guys to go after. The bad guys are always looking for new ways to exploit their targets. That’s why we have such extensive resources dedicated to the challenge.
JonathanJames: Can you tell us something about the security roadmap for Adobe? Do you have any new features planned or new technologies which will improve security across Adobe’s different platforms?
Brad Arkin: We have a lot of exciting things planned. The new updater for Reader & Acrobat is one thing we’ve discussed publicly. We will use the ASSET blog to publish additional details once we’re ready to talk publicly. I’m sure Ryan & Dennis will also put a blurb on Threatpost about it. 😉
dennis_fisher: We have time for one more question.
Jerome: Didier Stevens has done a lot of research on PDF security. In his blog he described how to give Reader/Acrobat less privileges on the system. Is it something you would recommend users do? Or are such ‘hacks’ something you are thinking of implementing yourself?
Brad Arkin: v9.x of Adobe Reader and Acrobat run in low rights IE mode by default for Windows Vista and 7. We also support ASLR, DEP, and other Windows platform security features by default depending on your system configuration. We are working with our platform partners to evaluate any new OS-level features that can help make the product more robust against attacks.
Brad Arkin: Wow. This has been a lot of fun. Thanks very much to everyone who joined today. I’m also on twitter at @bradarkin if you want to send me questions or thoughts to continue the conversation. Thanks again to Ryan and Dennis for the invitation to talk with everyone today. Brad
dennis_fisher: Great. Thanks very much Brad.