Author Archive: Karthik

Collaboration for Better Software Security

At Adobe we have found that building working relationships between developers and vulnerability researchers is to the benefit of everyone–including, and especially, the general public. We will be speaking this week on this topic at the SOURCE Seattle 2012 conference. In our talk we’ll share case studies of successful developer-researcher collaboration by examining examples of security incidents including bug reports, zero-day attacks, and incident response.

If you’re going to be at SOURCE Seattle please drop by our talk: “Why Developers and Vulnerability Researchers Should Collaborate” at 12:10pm on Thursday, September 13. We’re eager to share what we have learned from our developer-researcher collaboration. And, of course, we especially look forward to catching up in hallway conversations!

Cheers,

Karthik Raman, Security Researcher, ASSET
David Rees, Lead Developer, Acrobat 3D

Straight from the Source: SOURCE Boston

Karthik here from Adobe PSIRT. My colleague from the Adobe Acrobat team, Manish Pali, and I will be speaking next week at the SOURCE Boston conference. In our talk, we’ll cover some of the processes behind incident response at Adobe, including our security community outreach via the Microsoft Active Protections Program (MAPP), and automation strategies and solutions from the trenches for new and known vulnerability reports.

Demo alert! Manish is going to demo one of his tools for incident-triage automation—we’re hoping this and other aspects of the talk will benefit our friends on other incident response teams.

Please swing by our talk, if you’ll be at SOURCE Boston. We look forward to catching up in hallway conversations.

See you in Boston,

Karthik

Presenting “Malware Classifier” Tool

Hi folks,

Karthik here from Adobe PSIRT. Part of what we do at PSIRT is respond to security incidents. Sometimes this involves analyzing malware. To make life easier, I wrote a Python tool for quick malware triage for our team. I’ve since decided to make this tool, called “Adobe Malware Classifier,” available to other first responders (malware analysts, IT admins and security researchers of any stripe) as an open-source tool, since you might find it equally helpful.

Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.” The tool extracts seven key features from a binary, feeds them to one or all of the four classifiers, and presents its classification results.

The tool was developed using models that result from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a data set of approximately 100,000 malicious programs and 16,000 clean programs.

Malware Classifier is available at Open @ Adobe.

I will be speaking about the research behind the tool at Infosec Southwest 2012 in Austin, TX, on April 1. If you’re going to be there, I look forward to meeting up and discussing product security and secure engineering at Adobe.

Buzz from Kaspersky SAS 2012

Hello world! Karthik here from Adobe Product Security Incident Response Team (PSIRT) engineering. Last week, I got to attend the Kaspersky Security Analyst Summit 2012 in Cancun, which was a melting pot of great security research and ideas. It was wonderful to meet researchers from industry and government and discuss Adobe’s security activities, such as product security incident response and product vulnerability sharing in the Microsoft Active Protections Program (MAPP). Thanks for listening and sharing your ideas. Let’s keep the conversation going.

On a lighter note, Team Adobe—consisting of Brad Arkin, Domingo Montanaro (general manager at iSIGHT Partners Brazil) and me—bagged the “Security Jeopardy” competition at the event on Friday evening. The winning answer only our team could come up with, ironically: “What is ‘zero knowledge.’”

SAS 2012 Security Jeopardy Winners

Until the next conference!

Karthik

Making the JavaScript Blacklist Framework for Reader/Acrobat more Accessible

Hello everyone! Karthik here from the PSIRT Engineering team. One thing PSIRT always thinks about is presenting mitigations for classes of vulnerabilities. When a product patch is not immediately available, alternative mitigations become even more valuable. To ease the mitigation deployment process we are releasing the JavaScript Blacklist Framework Tool which offers protections against an entire class of vulnerabilities related to the JavaScript API for Adobe Reader and Acrobat.

JavaScript exploits used to be one of the main attack vectors for Adobe Reader as well as the PDF format in general. In October 2009, Adobe introduced a series of security enhancements for managing JavaScript execution within Adobe Reader and Acrobat, all of which are described here.

One of these, the JavaScript API blacklist, proved invaluable only two months later when attackers launched targeted attacks against CVE-2009-4324. Both end-users and enterprises were able to completely mitigate attacks exploiting this vulnerability by blacklisting the individual JavaScript API. Since the technique simply involves adding a new registry value entry to a particular registry key, some organizations we talked to were able to deploy a Group Policy Object with the updated registry entry to hundreds of thousands of machines within 24 hours.

To further refine this process for enterprise IT, the security team created a tool with a user interface for this feature, and it is now available on Adobe Labs.

Blacklist Tool Screenshot

The tool presents a list of JavaScript APIs that have been attacked in the past. It retrieves this list of APIs from an Adobe server. If an Internet connection is unavailable, it presents a default list. When you click on ‘View,’ it displays the current entries in the JavaScript Blacklist and saves this data in a text file in the directory the application is running from (usually its installation directory). You can check multiple APIs and then ‘Add’ them to the JavaScript Blacklist or ‘Remove’ them. Simple enough!

Note that the tool requires the Microsoft .NET 4.0 framework. The tool’s installer should prompt you to install dependencies automatically.

If you are a Windows sysadmin and have had to make changes to the JavaScript Blacklist by hand, this tool will make your life a little easier. To download the tool, visit Adobe Labs at http://labs.adobe.com/technologies/acrobat_ittools/. The tool will work with the JavaScript Blacklist Framework on Reader 9.2 and 8.1.7 and later versions (including Reader X and Acrobat X) on Windows.
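For sysadmins who would rather script the same View/Add/Remove operations than use the UI, here is an added PowerShell example; it is not Adobe's tool or code. The registry key path and value name below are placeholders to be replaced with the key and value documented by Adobe for your Reader/Acrobat version, and the assumption that the blacklist is stored as one pipe-separated string value is exactly that, an assumption.

```powershell
# Added example (not Adobe's tool): view, add and remove JavaScript API
# blacklist entries for Reader/Acrobat from PowerShell. Run elevated.
# PLACEHOLDERS: replace $KeyPath and $ValueName with the registry key and
# value name from Adobe's documentation for your product/version.
$KeyPath   = 'HKLM:\PLACEHOLDER\JavaScriptBlacklistKey'   # placeholder key
$ValueName = 'PLACEHOLDER_BlacklistValueName'             # placeholder value
# Assumption: the value is a single string of API names separated by '|'.
$Separator = '|'

function Get-JsBlacklist {
    # "View": return the current entries as an array (empty if none).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item -or [string]::IsNullOrEmpty($item.$ValueName)) { return @() }
    return @($item.$ValueName -split [regex]::Escape($Separator) | Where-Object { $_ -ne '' })
}

function Set-JsBlacklist([string[]]$Entries) {
    # Write the full list back; create the key if it does not exist yet.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String `
        -Value ($Entries -join $Separator) -Force | Out-Null
}

function Add-JsBlacklistEntry([string[]]$Api) {
    # "Add": merge new API names into the existing list without duplicates.
    $merged = @((Get-JsBlacklist) + $Api | Select-Object -Unique)
    Set-JsBlacklist $merged
}

function Remove-JsBlacklistEntry([string[]]$Api) {
    # "Remove": drop the given API names, keep everything else.
    Set-JsBlacklist @(Get-JsBlacklist | Where-Object { $Api -notcontains $_ })
}

function Export-JsBlacklist([string]$Path = (Join-Path $PWD 'js-blacklist.txt')) {
    # Mirror the tool's behaviour of saving the viewed list to a text file.
    Get-JsBlacklist | Set-Content -Path $Path
    return $Path
}

# Usage (with the placeholders replaced):
#   Add-JsBlacklistEntry 'Some.Api.Name'
#   Get-JsBlacklist
#   Remove-JsBlacklistEntry 'Some.Api.Name'
```

Because the result is an ordinary registry value, the same entries can be pushed with a Group Policy Object, as the post describes, instead of running the script on each machine.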

Karthik Raman, Security Researcher, PSIRT
Ben Rogers, Technical Writer, Acrobat & Reader Engineering