Author Archive: David Lenoe

SOURCE Boston Presentation

David Lenoe here. Wendy Poland and I will be presenting at SOURCE Boston this Thursday, April 22. Here’s a description of the session we’re presenting:
Bullseye on Your Back – Life on the Adobe Product Security Incident Response Team
Ubiquity can come at a price: Experience has shown that the more popular and widely deployed an application is with end-users, the more likely that application will become a target for attackers and good security researchers alike.
Adobe Reader is available in 34 languages, on all major platforms, and on just about every desktop and laptop, so it’s no surprise that it has made the lists of top applications targeted in 2010.
Join this session, and hear David Lenoe and Wendy Poland, members of the Adobe Product Security Incident Response Team (PSIRT), talk about the challenges of having the bullseye on your back and the hard lessons learned in the process. In looking at a recent zero-day vulnerability, Dave and Wendy will offer insight into Adobe’s product security incident response, the process of acting on vulnerability reports, and the analysis that goes into developing a schedule for a fix.
Live and learn–you could be taking center stage before you know it!
Please stop by and say hi if you’re at SOURCE!

Adobe Reader Blog Post Regarding PDF “/Launch” Social Engineering Attack

Steve Gottwals has posted to the Adobe Reader Blog regarding Didier Stevens’ recent report on a social engineering attack which relies on the “/launch” functionality in the PDF specification. Mitigation information for consumers and administrators is included. You can find the full post here.

Adobe joins SAFECode

We’re happy to announce that Adobe has joined SAFECode (Software Assurance Forum for Excellence in Code), a non-profit organization focused on the advancement of effective software assurance methods. We’re looking forward to sharing information on our software security process, learning from other SAFECode members, and helping to drive industry-wide software security initiatives. More information can be found here, and a Q&A with Adobe’s Brad Arkin can be found on the SAFECode blog here.

Co-authored blog with Microsoft

We co-authored a blog post with Jeremy Dallman from Microsoft describing the collaboration between the security teams at both companies. Check it out here:
http://blogs.msdn.com/sdl/archive/2009/06/17/microsoft-adobe-protecting-our-customers-together.aspx

Adobe PSIRT Process

Following on Peleus’ ‘We Care’ post, we thought this would be a good place to give a more thorough description of Adobe’s Product Security Incident Response Team (or PSIRT) process. Much of the work ASSET does is on the proactive side, preventing software vulnerabilities before a product ships. Adobe’s PSIRT is the part of the ASSET organization that responds to security issues that are discovered by external security researchers, partners, customers and others after a product ships. Here’s a step-by-step description of our process; note that some of these steps overlap and happen in parallel:
Step 1

  • Adobe PSIRT receives information about security vulnerabilities through numerous channels, including (but not limited to):
    • Email from security researchers, partners, or customers, via our feedback web form or directly to PSIRT@adobe.com
    • Public posting (Bugtraq, VulnDev, etc.)
    • Adobe Support
    • Internal notification (usually from Adobe’s Engineering teams, Quality Engineering teams, or ASSET)
  • Adobe PSIRT responds to the person who reported the issue (let’s call them the ‘researcher’), acknowledging the report and asking for a proof-of-concept file to demonstrate the vulnerability, if applicable.
  • Adobe PSIRT logs the issue in the Incident Response Database for tracking purposes. An Incident ID is automatically generated at this point, and passed along to the researcher.

Step 2

  • Adobe PSIRT sends the report to the relevant product team’s PSRT (Product Security Response Team) for verification. The product team’s PSRT includes a collection of Development, Quality and Program Managers, along with Developers, Quality Engineers and Product Managers.
  • ASSET helps reproduce the bug and assists the product team with severity analysis. If reproducible, the product team (or ASSET, if appropriate) logs an internal Adobe bug for the issue.

Step 3

  • The product team investigates the issue and develops a fix, or workaround. ASSET helps to verify the fix.
  • Any fix will be ported to all supported versions, as well as any version(s) currently under development.

Step 4

  • Adobe PSIRT responds back to the researcher, informing them that the issue has been reproduced and a fix is being investigated.
  • As soon as possible, Adobe PSIRT communicates a proposed timeline for a patch to the researcher.
  • Adobe encourages the responsible disclosure of vulnerabilities in our products, so the researcher is asked to keep the vulnerability confidential until a fix is available. Our goal is to keep our customers as secure as possible, so we want to keep the vulnerability information from malicious hackers.

[Figure: PSIRTFlow.jpg, a flow diagram of the Adobe PSIRT process]
Step 5

  • The product team produces patches for all supported product versions, as quickly as possible. Adobe PSIRT passes along any relevant status updates to the researcher and answers any questions they may have.
  • Adobe PSIRT produces a Security Bulletin draft for the issue. The Security Bulletin text is reviewed by internal Adobe stakeholders.

Step 6

  • Adobe PSIRT passes the patch to the researcher for verification, if possible.
  • Adobe PSIRT sends the Security Bulletin text to the External Security Researcher for review; the Security Bulletin includes an acknowledgment to the researcher thanking them for their help with the issue.
  • Adobe PSIRT works with MITRE Corporation to generate CVE identifiers for any relevant issues.

Step 7

  • The Security Bulletin is posted to http://www.adobe.com/support/security/ along with the product patch(es).
  • Adobe PSIRT posts a link to the Security Bulletin on the PSIRT blog (http://blogs.adobe.com/psirt/) to inform customers who have subscribed to the RSS feed. For the most timely notification of security issues, customers are encouraged to sign up for the RSS feed by clicking on the link towards the bottom of the right-hand side of the landing page.
  • Adobe PSIRT coordinates a notification e-mail, sent to customers who have signed up for bulletin notification e-mails.
  • Customers update their product installations, and the researcher posts their own advisory, if applicable, once the patch is available for customers.

And that is how our PSIRT process works! It can be a complicated process, and we really appreciate the help of all of the security researchers who have cooperated with us, and been patient with us over the years as we fine-tune it. If you have any questions about the process (or, of course, any security vulnerabilities to report to us), please don’t hesitate to contact PSIRT@adobe.com.