Adobe: More secure version of Reader out by year end
IDG News Service - Adobe Systems plans to release a major security upgrade by year's end to its Reader product, which has been under siege from attackers.
Reader 10 will have a sandbox feature that will seal off the application from attacks intended to tamper with, for example, a computer's registry or file system, said Brad Arkin, Adobe's director for product security and privacy, during an interview on Tuesday at the RSA security conference in London.
Reader 10 will mark a major upgrade to the application, capping off more than 18 months of development. Like many other Windows applications, Reader has been increasingly probed in order to infect computers with malware. Adobe has had much trouble with attackers finding vulnerabilities in its products. Often, those flaws are exploited by manipulating PDF (Portable Document Format) documents.
The sandbox will be on by default. If an exploit -- which is a mechanism developed by an attacker in order to deliver malicious software to a computer -- attacks the application, it won't be able to get out of the sandbox, Arkin said.
"The amount of attack surface is very, very small," Arkin said.
The sandbox, however, also has to allow regular functions such as saving a file. In that scenario, the sandbox can talk to the file system, but that communication goes through a broker. The broker uses a set of very restrictive policies to see if the particular action is allowed.
Essentially, Adobe has created a two-stage attack requirement, where an attacker would also have to bypass the policy restrictions. Arkin said Reader 10 represents a dramatic increase in defense such that none of the attacks against Reader known up until now will work in the same way against the application.
But "bad guys and researchers won't give up because this is an exciting challenge," Arkin said. "The reward for finding out a flaw is quite high. We think there is going to be lots of attention here."
Although Adobe has subjected it to rigorous testing "it is still possible that someone may be able to find something," he said.
Send news tips and comments to firstname.lastname@example.org
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Malware and Vulnerabilities White Papers | Webcasts