Adobe: More secure version of Reader out by year end
IDG News Service - Adobe Systems plans to release a major security upgrade by year's end to its Reader product, which has been under siege from attackers.
Reader 10 will have a sandbox feature that will seal off the application from attacks intended to tamper with, for example, a computer's registry or file system, said Brad Arkin, Adobe's director for product security and privacy, during an interview on Tuesday at the RSA security conference in London.
Reader 10 will mark a major upgrade to the application, capping off more than 18 months of development. Like many other Windows applications, Reader has been increasingly probed in order to infect computers with malware. Adobe has had much trouble with attackers finding vulnerabilities in its products. Often, those flaws are exploited by manipulating PDF (Portable Document Format) documents.
The sandbox will be on by default. If an exploit -- which is a mechanism developed by an attacker in order to deliver malicious software to a computer -- attacks the application, it won't be able to get out of the sandbox, Arkin said.
"The amount of attack surface is very, very small," Arkin said.
The sandbox, however, also has to allow regular functions such as saving a file. In that scenario, the sandbox can talk to the file system, but that communication goes through a broker. The broker uses a set of very restrictive policies to see if the particular action is allowed.
Essentially, Adobe has created a two-stage attack requirement, where an attacker would also have to bypass the policy restrictions. Arkin said Reader 10 represents a dramatic increase in defense such that none of the attacks against Reader known up until now will work in the same way against the application.
But "bad guys and researchers won't give up because this is an exciting challenge," Arkin said. "The reward for finding out a flaw is quite high. We think there is going to be lots of attention here."
Although Adobe has subjected it to rigorous testing "it is still possible that someone may be able to find something," he said.
Send news tips and comments to firstname.lastname@example.org
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts