Archive for January, 2010

Further Details Regarding Attack Against Adobe Corporate Network

Posted on January 14, 2010 by Brad Arkin | Comments (0)

A running theme on this blog is that ASSET and Adobe care a great deal about keeping our products secure and our customers safe. On Tuesday Adobe announced a corporate network security issue and since then we’ve seen media coverage and headlines indicating that vulnerabilities in Adobe Reader may have been the attack vector in this incident.
Just like we always do in the case of reports of security vulnerabilities in an Adobe product, we have been actively tracking down samples or other information regarding potential vulnerabilities in Adobe products related to this incident. The most definitive public description of the incident that we’ve seen thus far is the McAfee post here.
Similar to the McAfee researchers, we have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident. As far as we are aware there are no publicly known vulnerabilities in the latest versions (9.3 and 8.2) of Adobe Reader and Acrobat that we shipped on January 12, 2010.
This is a complex incident, the investigation is ongoing, and we will continue to work our partners in the security community and the other firms affected. We will continue to use the Adobe PSIRT blog as the first line of communication to our customer base regarding any product security vulnerabilities. Even though we don’t have any information regarding a zero day vulnerability in an Adobe product the sophistication of this incident also serves as a reminder to all of us the importance of layers of security to provide the best possible defense against those with malicious intent.
Since the vast majority of successful attacks against all software products are using known, already-patched vulnerabilities we strongly encourage all of our users to update to the latest version of Adobe Reader and Acrobat by visiting get.adobe.com/reader or selecting “Check for updates” from the Help menu.

A Few Words on the January 2010 Security Update for Adobe Reader and Acrobat

Posted on January 12, 2010 by Kyle Randolph | Comments (0)

Kyle Randolph here. I work closely with the Adobe Reader and Acrobat engineering team as we continue to work hard on the security initiative first announced back in May 2009. Today, the team announced new security improvements in Adobe Reader and Acrobat 9.3 and 8.2. This is the third quarterly security update for Adobe Reader and Acrobat and we are starting to roll out to users the configuration options and features that we began designing last summer to mitigate the evolving security threats we were seeing. Let me explain the security geek coolness factor of the improvements in this release as well as the improvements in the October quarterly security update.
New Adobe Reader Updater / Acrobat Updater
We introduced the new updater in the October Adobe Reader and Acrobat 9.2 and 8.1.7 update as beta technology, and today, we are testing the new technology with a real-world security update to users participating in the beta program. (Since we are still conducting the pilot, only users who are participating in the beta program are receiving today’s update via the new updater.) The new updater improves the user experience and helps users stay up to date with the new option of receiving security updates automatically, via background updates, which have been shown to have better patch adoption. Some customers, such as corporate IT administrators, need to know and manage which updates are installed and when. But a lot of customers, particularly consumers and individuals who don’t have the autopilot luxury of a managed desktop environment, just want to have the most secure and up-to-date version, and don’t want to be interrupted when it is time to install an update. By allowing customers to select an update process that automatically runs in the background, we can help protect more users from attacks against known, patched vulnerabilities.
JavaScript Blacklist Framework
Over the past two years, a significant number of external vulnerabilities found in Adobe Reader and Acrobat have been in JavaScript. The Adobe Reader and Acrobat engineering team has been busy creating new ways to help protect against this attack vector. The new Adobe Reader and Acrobat JavaScript Blacklist Framework, which was added with the October update, is great for security because it provides a method to disable a specific vulnerable API instead of disabling JavaScript completely. This allows Adobe Reader to be configured in a way that is not vulnerable if a 0-day vulnerability that exploits a JavaScript API is identified. Better still, the new blacklist is stored in the registry and can be configured centrally in enterprise environments using Group Policy Objects (GPO) to prevent end users from overriding it. As an example, the recent vulnerability CVE-2009-4324 could be mitigated by blocking the DocMedia.newPlayer API.
For more info on the JavaScript Blacklist Framework, check out http://kb2.adobe.com/cps/504/cpsid_50431.html.
Yellow Message Bar
The Yellow Message Bar was added in the October security update for Adobe Reader and Acrobat (9.2 and 8.1.7), but it is cool enough to mention here. This makes the user experience much more pleasant when a dangerous API is selectively blocked by the JavaScript Blacklist Framework or due to the Enhanced Security configuration. Previously, you’d get a modal dialog box asking users if they would like to re-enable some unsafe behavior, as shown in the screen shot below:
js_modal_warning.jpeg
Now the Yellow Message Bar appears at the top of the document as shown below:
js_yellowbar.png
Since the Yellow Message Bar stays out of the way, it enables users to interact with the PDF without exposure to a disabled feature’s security risk, if you don’t need that functionality. Additionally, the choices are more granular in that the Yellow Message Bar decision is to trust a document one time or always, as opposed to a decision to turn the entire feature back on for all documents. These changes should reduce the frequency and impact of accidental click-throughs or users getting into the habit of clicking through warnings without reading them, which can lead to social engineering and phishing attacks. This same type of change in security notification has been adopted in other vendors’ desktop products, such as Microsoft Office, as a security best practice. The Yellow Message Bar will appear when an action is blocked by Enhanced Security in Adobe Reader or Acrobat or by the JavaScript Blacklist Framework.
For more info on the Yellow Message Bar, see http://kb2.adobe.com/cps/504/cpsid_50432.html.
Multimedia (Legacy) off by Default
Another effective technique to reduce security risk for our customers is to reduce the attack surface of the product. Legacy multimedia is a set of rarely used features which have a broad attack surface. The Multimedia (Legacy) features are no longer trusted by default. Users that open PDFs that contain legacy multimedia will see a Yellow Message Bar at the top of the document.
Conclusion
This January update for Adobe Reader and Acrobat builds on the good work put into the October release to continue increasing the security protection for our customers with each quarterly security release in addition to fixing externally reported vulnerabilities. We’re excited to evaluate the results for the pilot of the new Adobe Reader Updater with its automatic mode for background updates. The Yellow Message Bar notifications provide an improved user interface to help protect users. And we’re providing more fine-grained control for any future JavaScript API vulnerabilities with the JavaScript Blacklist Framework. Finally, disabling Legacy Multimedia by default protects users against any potential security vulnerabilities identified in these rarely used features.