Adobe: More secure version of Reader out by year end
IDG News Service - Adobe Systems plans to release a major security upgrade by year's end to its Reader product, which has been under siege from attackers.
Reader 10 will have a sandbox feature that will seal off the application from attacks intended to tamper with, for example, a computer's registry or file system, said Brad Arkin, Adobe's director for product security and privacy, during an interview on Tuesday at the RSA security conference in London.
Reader 10 will mark a major upgrade to the application, capping off more than 18 months of development. Like many other Windows applications, Reader has been increasingly probed in order to infect computers with malware. Adobe has had much trouble with attackers finding vulnerabilities in its products. Often, those flaws are exploited by manipulating PDF (Portable Document Format) documents.
The sandbox will be on by default. If an exploit -- which is a mechanism developed by an attacker in order to deliver malicious software to a computer -- attacks the application, it won't be able to get out of the sandbox, Arkin said.
"The amount of attack surface is very, very small," Arkin said.
The sandbox, however, also has to allow regular functions such as saving a file. In that scenario, the sandbox can talk to the file system, but that communication goes through a broker. The broker uses a set of very restrictive policies to see if the particular action is allowed.
Essentially, Adobe has created a two-stage attack requirement, where an attacker would also have to bypass the policy restrictions. Arkin said Reader 10 represents a dramatic increase in defense such that none of the attacks against Reader known up until now will work in the same way against the application.
But "bad guys and researchers won't give up because this is an exciting challenge," Arkin said. "The reward for finding out a flaw is quite high. We think there is going to be lots of attention here."
Although Adobe has subjected it to rigorous testing "it is still possible that someone may be able to find something," he said.
Send news tips and comments to email@example.com
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Malware and Vulnerabilities White Papers | Webcasts