Archive for February, 2012

When Do I Need to Apply This Update – Adding Priority Ratings to Adobe Security Bulletins

How urgently do I need to apply this update? That’s the most common question we get from customers in managed environments when we release a security bulletin. Our current severity ratings do a good job of objectively describing the worst-case scenario involved with a security issue, but they do not necessarily tell a customer all they need to know about the risk and priority of a particular security update. Not all critical security updates are created equal. For example, if a Flash Player issue is being exploited in the wild, the update to resolve the vulnerability deserves a much higher priority than, say, a patch for a critical vulnerability in Photoshop. After all, Flash Player is a browser-based plugin with hundreds of millions of customers. Photoshop, on the other hand, has a much smaller customer base, and exploiting it would require significant social engineering. So we started to wonder: how can we communicate the priority of our security updates more effectively?

We want to be as simple and direct as possible about the real-world risk associated with the vulnerabilities addressed in any given security update, and we decided that adopting a separate priority ranking scheme was the best way to accomplish this. Here is the priority scheme we are planning to use to rank security updates in the future:

Priority 1: This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for instance, within 72 hours).

Priority 2: This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for instance, within 30 days).

Priority 3: This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.

We’re going to base our priority ranking on historical attack patterns for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that may be in place. This is a new system, so we may find that adjustments will need to be made. We also believe that continuing to use the current severity ratings makes sense, since this information has been helpful to many customers, so you can expect to see both ratings being used in future security bulletins.

We look forward to your feedback. Our goal is to help our customers in managed environments prioritize updates, so we’ll see if this new priority ranking scheme works to accomplish that! As we have been emphasizing a lot recently, the majority of attacks we are seeing are exploiting software installations that are not up-to-date with the latest security updates, so as always we recommend that users keep their software installations updated with the latest version of Adobe software.

RSA Conference Schedule

Brad Arkin here. RSA Conference is upon us once again. There are some exciting talks and events on the calendar, but I’m looking forward to the informal “hallway track” the most.

In the days leading up to RSA Conference, everyone in the industry seems to be reminding each other of the sessions you “absolutely should not miss.” Here’s my pitch—and a summary of where you can find me and members of the Adobe Secure Software Engineering Team at RSA Conference:

MONDAY, FEBRUARY 27, 2012

On Monday, February 27, you’ll find me at the “Improving Application Security Seminar” (SEM-002), along with experts from Symantec, Cigital, Fortify Software, HP, Microsoft, and Veracode. This full-day seminar for delegates will kick off at 8:30 a.m. in Room 305 at the Moscone Center.

In the evening, please join the Adobe Security Team from 6:30 to 9:30 p.m. at Roe Restaurant (10 Hawthorne Street, two blocks from the Moscone Center) for food, drinks, and a lively discussion on the current challenges facing the security industry. Please note that this is a limited capacity event, so please register for this event as soon as possible to save your spot.

TUESDAY, FEBRUARY 28, 2012

Join Adobe’s Kyle Randolph and other participants from EMC, Cigital, Symantec and Microsoft for a panel discussion titled “Making Sense of Software Security Advice: Best vs. Practiced Practices” (ASEC-106) at 1:10 p.m. on Tuesday, February 28, in Room 302. The panel, moderated by EMC’s Reeny Sondhi, will help you make sense of the different software security advice available and discuss how to apply it to your work.

WEDNESDAY, FEBRUARY 29, 2012

If you are an early riser, join me at 8:00 a.m. on Wednesday, February 29, in Room 302 for a panel discussion moderated by Chenxi Wang from Forrester, titled “War Stories: The Good, Bad and the Ugly of Application Security Programs” (ASEC-201). I’ll be participating on the panel along with Doug Cavit from Microsoft and James Routh from JPMorgan Chase & Co. We look forward to your questions and comments!

Afterwards, don’t miss my talk “Never Waste a Crisis – Necessity Drives Software Security Improvements” (ASEC-203), which will take place from 10:40-11:30 a.m. in Room 302. I’ll share some general lessons on both how to prepare for a crisis and what to do once it arrives. And I’ll provide step-by-step instructions on what to do through every phase of a crisis with an eye towards promoting the priority of software security activities throughout.

THURSDAY, MARCH 1, 2012

On Thursday, March 1, I’ll be moderating a SAFECode panel discussion titled “What Motivated My Company to Invest in a Secure Development Program?” (ASEC-301). Other panelists include Steven Lipner from Microsoft, Gunter Bitz from SAP, Janne Uusilehto from Nokia, and Gary Phillips from Symantec. Don’t miss what promises to be a lively discussion from 8:00-9:10 a.m. in Room 302!

We hope to see you at RSA Conference!

Buzz from Kaspersky SAS 2012

Hello world! Karthik here from Adobe Product Security Incident Response Team (PSIRT) engineering. Last week, I got to attend the Kaspersky Security Analyst Summit 2012 in Cancun, which was a melting pot of great security research and ideas. It was wonderful to meet researchers from industry and government and discuss Adobe’s security activities, such as product security incident response and product vulnerability sharing in the Microsoft Active Protections Program (MAPP). Thanks for listening and sharing your ideas. Let’s keep the conversation going.

On a lighter note, Team Adobe—consisting of Brad Arkin, Domingo Montanaro (general manager at iSIGHT Partners Brazil) and me—bagged the “Security Jeopardy” competition at the event on Friday evening. The winning answer only our team could come up with, ironically: “What is ‘zero knowledge.’”

SAS 2012 Security Jeopardy Winners

Until the next conference!

Karthik

Flash Player Sandboxing is Coming to Firefox

Peleus here. In December of 2010, I wrote a blog post describing the first steps towards sandboxing Flash Player within Google Chrome. In the blog, I stated that the Flash Player team would explore bringing sandboxing technology to other browsers. We then spent 2011 buried deep within Adobe laying the groundwork for several new security innovations.

Today, Adobe has launched a public beta of our new Flash Player sandbox (aka “Protected Mode”) for the Firefox browser. The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach. Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities. The sandboxed process is restricted with the same job limits and privilege restrictions as the Adobe Reader Protected Mode implementation. Adobe Flash Player Protected Mode for Firefox 4.0 or later will be supported on both Windows Vista and Windows 7. We would like to thank the Mozilla team for assisting us with some of the more challenging browser integration bugs. For Flash Player, this is the next evolutionary step in protecting our customers.

Sandboxing technology has proven very effective in protecting users by increasing the cost and complexity of authoring effective exploits. For example, since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X. We hope to see similar results with the Flash Player sandbox for Firefox once the final version is released later this year. In the meantime, please help us get these protections out to end-users as fast as possible by volunteering to download our beta and help test. Information on known bugs, configuration options and other information can be found on Adobe Labs in the “Getting Started” section.

P.S.: I will be speaking at CanSecWest on this and other exciting topics. I hope to see everyone there!