Author Archive: David Lenoe

Background on Security Bulletin APSB12-08

Posted on April 10, 2012 by David Lenoe | Comments (0)

Today we released Security Bulletin APSB12-08 along with corresponding updates for Adobe Reader and Acrobat. We’d like to highlight a few changes we are making with today’s releases.

Rendering Flash (SWF) Content in Adobe Reader and Acrobat 9.5.1

First off, starting with the Adobe Reader and Acrobat 9.5.1 updates, Adobe Reader and Acrobat 9.x on Windows and Macintosh will use the Adobe Flash Player plugin version installed on the user’s system (rather than the Authplay component that ships with Adobe Reader and Acrobat) to render any Flash (SWF) content contained in PDF files. We added an Application Programming Interface (API) to both Adobe Reader/Acrobat and Flash Player to allow Adobe Reader/Acrobat to communicate directly with a Netscape Plugin Application Programming Interface (NPAPI) version of Flash Player installed on the user’s system. From a security perspective, this means that Adobe Reader/Acrobat 9.x users will no longer have to update Adobe Reader/Acrobat each time we make available an update for Flash Player. This will be particularly beneficial to customers in managed environments because fewer updates help reduce the overhead for IT administration.

If Adobe Reader or Acrobat 9.5.1 is installed on a system that does not have the NPAPI version of Flash Player installed and the user opens a PDF file that includes Flash (SWF) content, a dialog will prompt the user to download and install the latest Flash Player. (Browsers such as Firefox, Opera and Safari use the NPAPI version of Flash Player as opposed to the ActiveX version of Flash Player used by Internet Explorer. Chrome uses a bundled version of Flash Player, even if there is an NPAPI version of Flash Player installed on the system.)

We are currently working on integrating the same API into Adobe Reader and Acrobat X, and will follow up with another blog post once this functionality is available in version X.

Rendering 3D Content in PDF Files

We also changed the default behavior in Adobe Reader and Acrobat 9.5.1 to disable the rendering of 3D content. Since the majority of consumers do not typically open PDF files that include 3D content and 3D content in untrusted documents has been a previous vector of attack we have disabled this functionality by default starting with version 9.5.1. Users have the option to enable 3D content, but a Yellow Message Bar will flag potentially harmful documents in the event that untrusted documents attempt to render 3D content. IT administrators in managed environments will also have the option of turning this behavior off for trusted documents.

More information on the two changes to content rendering described above is available in the Adobe Reader and Acrobat 9.5.1 release notes.

Further Alignment of the Adobe Reader/Acrobat Update Cycle with Microsoft’s Model

In June 2009, we shipped our first quarterly security update for Adobe Reader and Acrobat. Since then, we have come a long way in putting mitigations into place that make Adobe Reader and Acrobat a less attractive attack target. Sandboxing Adobe Reader and Acrobat X, in particular, has led to greater than expected results. Attackers have indicated through their target selection thus far that the extra effort required to attack version X is not currently worth it. Additionally, we have seen a lower volume of vulnerability reports overall against Adobe Reader and Adobe Acrobat. Given the shift in the threat landscape and the lower volume of vulnerability reports, we have revisited the decision to follow a strict quarterly release cycle.

After three years of shipping a security update once a quarter and announcing the date of the next update the same day we ship the current update, we are making a change. We are shifting to a model that more closely aligns with the familiar “Microsoft Patch Tuesday” cadence. We will continue to publish a prenotification three business days before we release a security update to Adobe Reader and Acrobat. We will continue to publish security updates on the second Tuesday of the month. We will continue to be flexible and respond “out of cycle” to urgent needs such as a zero-day attack. What we are discontinuing is the quarterly cadence and the pre-announcement of the next scheduled release date in the security bulletin for the previous release. We will publish updates to Adobe Reader and Acrobat as needed throughout the year to best address customer requirements and keep all of our users safe.

A Note on the Update Priority Ratings in APSB12-08

Finally, in today’s Security Bulletin, we rated Adobe Reader and Acrobat 9.5.1 for Windows as a “Priority 1″ update, while Adobe Reader and Acrobat X (10.1.2) was rated a “Priority 2″ update. This was an interesting decision, and we thought we would provide some background information: Although there are no exploits in the wild targeting any of the vulnerabilities addressed in Adobe Reader 9.5.1, Adobe Reader 9.x continues to be a target for attackers, so, for users who can not update to Adobe Reader X, we feel that urgently updating Adobe Reader 9.x remains a must to stay ahead of potential attacks.

Since the release of Adobe Reader X, Protected Mode mitigations (or the Protected View mitigations in Adobe Acrobat X version 10.1 and later) continue to be the best way to block potentially malicious behavior in PDF files. Therefore, a “Priority 2″ designation is appropriate for the Adobe Reader X and Acrobat X 10.1.2 updates. Adobe Reader and Acrobat for Macintosh and Linux have not historically been a target of attacks, and therefore are also assigned a “Priority 2.”

When Do I Need to Apply This Update – Adding Priority Ratings to Adobe Security Bulletins

Posted on February 28, 2012 by David Lenoe | Comments (0)

How urgently do I need to apply this update? That’s the most common question we get from customers in managed environments when we release a security bulletin. Our current severity ratings do a good job of objectively describing the worst-case scenario involved with a security issue, but they do not necessarily tell a customer all they need to know about the risk and priority of a particular security update. All critical security updates are not created equal. For example, if a Flash Player issue is being exploited in the wild, the update to resolve the vulnerability deserves a much higher priority than, say, a patch for a critical vulnerability in Photoshop. After all, Flash Player is a browser-based plugin with hundreds of millions of customers. Photoshop, on the other hand, has a much smaller customer base and would require significant social engineering to successfully exploit the product. So we started to wonder, how can we communicate the priority of our security updates more effectively?

We want to be as simple and direct as possible about the real-world risk associated with the vulnerabilities addressed in any given security update, and we decided that adopting a separate priority ranking scheme was the best way to accomplish this. Here is the priority scheme we are planning to use to rank security updates in the future:

Priority 1 Priority 2 Priority 3
This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for instance, within 72 hours). This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for instance, within 30 days). This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.

We’re going to base our priority ranking on historical attack patterns for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that may be in place. This is a new system, so we may find that adjustments will need to be made. We also believe that continuing to use the current severity ratings makes sense, since this information has been helpful to many customers, so you can expect to see both ratings being used in future security bulletins.

We look forward to your feedback. Our goal is to help our customers in managed environments prioritize updates, so we’ll see if this new priority ranking scheme works to accomplish that! As we have been emphasizing a lot recently, the majority of attacks we are seeing are exploiting software installations that are not up-to-date with the latest security updates, so as always we recommend that users keep their software installations updated with the latest version of Adobe software.

SOURCE Boston Presentation

Posted on April 20, 2010 by David Lenoe | Comments (0)

David Lenoe here. Wendy Poland and I will be presenting at SOURCE Boston this Thursday, April 22. Here’s a description of the session we’re presenting:
Bullseye on Your Back – Life on the Adobe Product Security Incident Response Team
Ubiquity can come at a price: Experience has shown that the more popular and widely deployed an application is with end-users, the more likely that application will become a target for attackers and good security researchers alike.
Available in 34 languages, on all major platforms, and just about every desktop/laptop, it’s no surprise that Adobe Reader has made the lists of top applications targeted in 2010.
Join this session, and hear David Lenoe and Wendy Poland, members of the Adobe Product Security Incident Response Team (PSIRT), talk about the challenges of having the bullseye on your back and the hard lessons learned in the process. In looking at a recent zero-day vulnerability, Dave and Wendy will offer insight into Adobe’s product security incident response, the process of acting on vulnerability reports, and the analysis that goes into developing a schedule for a fix.
Live and learn–you could be taking center stage before you know it!
Please stop by and say hi if you’re at SOURCE!

Adobe Reader Blog Post Regarding PDF “/Launch” Social Engineering Attack

Posted on April 6, 2010 by David Lenoe | Comments (0)

Steve Gottwals has posted to the Adobe Reader Blog regarding Didier Stevens’ recent report on a social engineering attack which relies on the “/launch” functionality in the PDF specification. Mitigation information for consumers and administrators is included. You can find the full post here.

Adobe joins SAFECode

Posted on September 29, 2009 by David Lenoe | Comments (0)

We’re happy to announce that Adobe has joined SAFECode (Software Assurance Forum for Excellence in Code), a non-profit organization focused on the advancement of effective software assurance methods. We’re looking forward to sharing information on our software security process, learning from other SAFECode members, and helping to drive industry-wide software security initiatives. More information can be found here, and a Q&A with Adobe’s Brad Arkin can be found on the SAFECode blog here.

Co-authored blog with Microsoft

Posted on June 17, 2009 by David Lenoe | Comments (0)

We co-authored a blog post with Jeremy Dallman from Microsoft describing the collaboration between the security teams at both companies. Check it out here:
http://blogs.msdn.com/sdl/archive/2009/06/17/microsoft-adobe-protecting-our-customers-together.aspx

Adobe PSIRT Process

Posted on January 28, 2009 by David Lenoe | Comments (0)

Following on Peleus’ ‘We Care’ post, we thought this would be a good place to give a more thorough description of Adobe’s Product Security Incident Response Team (or PSIRT) process. Much of the work ASSET does is on the proactive side, preventing software vulnerabilities before a product ships. Adobe’s PSIRT is the part of the ASSET organization that responds to security issues that are discovered by external security researchers, partners, customers and others after a product ships. Here’s a step-by-step description of our process; note that some of these steps overlap and happen in parallel:
Step 1

  • Adobe PSIRT receives information about security vulnerabilities through numerous channels, including (but not limited to):
    • Email from security researchers, partners, or customers, via our feedback web form or directly to PSIRT@adobe.com
    • Public posting (Bugtraq, VulnDev, etc.)
    • Adobe Support
    • Internal notification (usually from Adobe’s Engineering teams, Quality Engineering teams, or ASSET)
  • Adobe PSIRT responds to the person who reported the issue (let’s call them the ‘researcher’), acknowledging the report and asking for a proof-of-concept file to demonstrate the vulnerability, if applicable.
  • Adobe PSIRT logs the issue in the Incident Response Database for tracking purposes. An Incident ID is automatically generated at this point, and passed along to the researcher.

Step 2

  • Adobe PSIRT sends the report to the relevant product team’s PSRT (Product Security Response Team) for verification. The product team’s PSRT includes a collection of Development, Quality and Program Managers, along with Developers, Quality Engineers and Product Managers.
  • ASSET helps reproduce the bug and assists the product team with severity analysis. If reproducible, the product team (or ASSET, if appropriate) logs an internal Adobe bug for the issue.

Step 3

  • The product team investigates the issue and develops a fix, or workaround. ASSET helps to verify the fix.
  • Any fix will be ported to all supported versions, as well as any version(s) currently under development.

Step 4

  • Adobe PSIRT responds back to the researcher, informing them that the issue has been reproduced and a fix is being investigated
  • As soon as possible, Adobe PSIRT communicates a proposed timeline for a patch to the researcher.
  • Adobe encourages the responsible disclosure of vulnerabilities in our products, so the researcher is asked to keep the vulnerability confidential until a fix is available. Our goal is to keep our customers as secure as possible, so we want to keep the vulnerability information from malicious hackers.

PSIRTFlow.jpg
Step 5

  • The product team produces patches for all supported product versions, as quickly as possible.  Adobe PSIRT passes along any relevant status updates to the researcher and answers any questions they may have.
  • Adobe PSIRT produces a Security Bulletin draft for the issue. The Security Bulletin text is reviewed by internal Adobe stakeholders.

Step 6

  • Adobe PSIRT passes the patch to the researcher for verification, if possible.
  • Adobe PSIRT sends the Security Bulletin text to the External Security Researcher for review; the Security Bulletin includes an acknowledgment to the researcher thanking them for their help with the issue.
  • Adobe PSIRT works with MITRE Corporation to generate CVE identifiers for any relevant issues.

Step 7

  • The Security Bulletin is posted to http://www.adobe.com/support/security/ along with the product patch(es).
  • Adobe PSIRT posts a link to the Security Bulletin on the PSIRT blog (http://blogs.adobe.com/psirt/) to inform customers who have subscribed to the RSS feed. Customers are encouraged to sign up for the RSS feed by clicking on the link towards the bottom on the right side of the landing page for the most timely notification for security issues.
  • Adobe PSIRT coordinates a notification e-mail, sent to customers who have signed up for bulletin notification e-mails.
  • Customers update their product installations, and the researcher posts their own advisory, if applicable, once the patch is available for customers.

And that is how our PSIRT process works! It can be a complicated process, and we really appreciate the help of all of the security researchers who have cooperated with us, and been patient with us over the years as we fine-tune it. If you have any questions about the process (or, of course, any security vulnerabilities to report to us), please don’t hesitate to contact PSIRT@adobe.com.