Mass Customization of Attacks Talk at RSA

Business consultant Stanley Davis defined mass customization as the “customization and personalization of products and services for individual customers at a mass production price.” Anyone who has ever ordered a custom PC is no stranger to mass customization: that particular combination of components wasn’t assembled into a PC until the customer initiated an order.

As we responded to zero-day exploits in the past couple of years, we took stock of some of the properties that separated them from mass malware, which affects older, patched vulnerabilities. For example, we noticed zero-day attacks starting to target more than one version of a platform on one or more operating systems. In addition, we observed that zero-day attacks contain more than one exploit, possibly affecting multiple vendors’ products. Our thesis can be stated as follows: the exploit creation industry is maturing; by combining the features of mass malware with multiple zero-day exploits, it can create mass-customized attacks.


We expand on this thesis in our upcoming talk at the RSA 2014 conference and use several case studies to prove it.

If you’re going to be attending RSA on Tuesday, Feb. 25, please swing by our talk at 2:40 p.m. in the West Room 3006. We look forward to sharing our research and the conversations with our friends and partners in the industry!

Peleus Uhley, Platform Security Strategist
Karthik Raman, Security Researcher

Adobe Sponsors Nullcon 2014

NullCon, held annually in Goa, is one of the premier security conferences in India. This conference has emerged out of a not-for-profit society, null, which is the largest active security community in India. I will be attending the conference along with two Security Researchers from my team, Kriti and Vaibhav. We are looking forward to an interesting lineup of talks, especially the keynote session by Jeff Moss, founder of Black Hat and DEF CON.

I’m most excited about the hallway conversations, which for me has always been the most interesting part of this conference and a time to catch up with some of the brightest minds in Security. This year, Adobe will have a booth at the conference and we are recruiting for the role of Security Researcher. So in case you are interested please drop by our booth with your resume or just come by to say hello.

If you haven’t registered yet for the conference, I encourage you to go ahead. The details are on the NullCon website.

See you there.

Priyank Choudhury
Manager, Secure Software Engineering

The Power of Interdisciplinary Research

I was privileged to give the keynote presentation at Norwich University’s Undergraduate Research Symposium recently, entitled “Keeping an Open Mind.” I still remember being a summer research fellow in math at Norwich, my alma mater, in 2004 and then pursuing independent studies in computer security my junior and senior years. Gaining the experience of research while still an undergrad eased my transition into a professional career in security research.

© 2013 Norwich University

My message to the audience was that interdisciplinary research is possible, important, and fun. I used E. O. Wilson’s philosophy of consilience to reason why knowledge from diverse disciplines ought to mix: “The goal of consilience is to achieve progressive unification of all strands of knowledge in service to the indefinite betterment of the human condition.” This notion applies to our own industry of software security: a leading practitioner would arguably be well-versed in computer science, discrete math, software engineering, systems engineering, and psychology, among other disciplines.

To demonstrate that interdisciplinary research is important I used two examples. First, the research of Prof. Kevin Warwick of the University of Reading in the UK and its potential for treating people with damaged nervous systems. Second, that of Alan Turing’s interdisciplinary work during World War II. Turing’s contributions are said to have shortened the length of the war by two years. Finally, I used the example of the winners of the 2013 Ig Nobel awards to say that research is fun and it can make us laugh and think.

I followed with practical advice about approaching research with an open mind, tracking your ideas, working with a collaborative spirit, and finding your passion in research:  when you become intrinsically motivated to learn something then there’s no stopping you – something we can all keep in mind throughout our careers.

Karthik Raman
Security Researcher

BSIMM Community Conference 2013

In mid-November, I attended the BSIMM Community Conference 2013 in Chantilly, VA.  The community represents 67 firms, and there were about 100 people in attendance.

The Building Security In Maturity Model (BSIMM) is the result of a multi-year study of real-world software security initiatives.  The BSIMM helps to measure, compare and contrast software security data.  The model also describes how mature software security initiatives evolve, change and improve over time.  Adobe was one of the nine original participants in the first version of BSIMM and has participated in subsequent BSIMM surveys.

This year the conference provided two tracks, thereby providing a smaller ratio of presenters to attendees per presentation.  Topics included Static Analysis, Software Security Meets Agile, Mobile Security, Software Security Metrics for Efficiency and Effectiveness, Architecture Analysis, Insider Threats, and Third Party Software and Security.

To sum it up, I appreciated the opportunity to connect, network and discuss comparative security initiatives, current events, and best practices with those in attendance.  Thanks to BSIMM organizers for putting on a great event.

Wendy Poland
Product Security Group Program Manager


Flash Player Sandbox Now Available for Safari on Mac OS X

Over the last few years, Adobe has protected our Flash Player customers through a technique known as sandboxing. Thus far, we have worked with Google, Microsoft and Mozilla on deploying sandboxes for their respective browsers. Most recently, we have worked with Apple to protect Safari users on OS X. With this week’s release of Safari in OS X Mavericks, Flash Player will now be protected by an OS X App Sandbox.

For the technically minded, this means that there is a specific com.macromedia.Flash Player.plugin.sb file defining the security permissions for Flash Player when it runs within the sandboxed plugin process. As you might expect, Flash Player’s capabilities to read and write files will be limited to only those locations it needs to function properly. The sandbox also limits Flash Player’s local connections to device resources and inter-process communication (IPC) channels. Finally, the sandbox limits Flash Player’s networking privileges to prevent unnecessary connection capabilities.

Safari users on OS X Mavericks can view Flash Player content while benefiting from these added security protections. We’d like to thank the Apple security team for working with us to deliver this solution.

Peleus Uhley
Platform Security Strategist

Illegal Access to Adobe Source Code

Adobe is investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an unauthorized third party.  Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.

Adobe thanks Brian Krebs of KrebsOnSecurity.com, and Alex Holden, chief information security officer of Hold Security LLC (holdsecurity.com), for their help in our response to this incident.

We are not aware of any zero-day exploits targeting any Adobe products. However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products.

For more information on Acrobat security, please visit the Acrobat Developer Center.

For more information on ColdFusion 10 security, please visit the ColdFusion Developer Center.


Brad Arkin

Chief Security Officer

My Summer Internship With the ASSET Team

I have spent the last three months working hard to release two coding projects for ASSET! In this blog, I am going to share my experiences working at Adobe from an intern’s perspective.

One of my projects was to develop a specialized tool written in Python for forensics experts in corporate environments. The finished tool incorporates user input on file features in order to specify behavior and filter files of interest. For example, malicious actors might rename a RAR-compressed executable ‘X.rar’ to ‘X.jpg’ and exfiltrate it. This tool helps forensics experts locate the renamed file. In another example, when an actor encrypts compressed files to bypass AV signature scans, this tool can help detect these malicious files. The tool supports several filtering features, and users can easily tweak the configuration to find whatever they are suspicious of.

The biggest part of this project is that we built our own signature library to recognize file types. This is different from most existing ones (WinHex, Scalpel, the UNIX file command), which do rigid static header and footer searching. My project provides an open architecture to add more signature-searching methods. On the backend, we are implementing modules that provide the searching behavior; on the frontend, signatures in the library are simply JSON objects that call methods via corresponding tags. The objective behind the tool is that we want to know explicitly how signatures are matched, and to make extending the signature set as easy as we can.

This is a diagram of the architecture of the tool:

[Figure: architecture diagram of the tool]

Currently the signature library supports several signature-searching methods, including dynamic signatures. This is really useful when handling executables (PE or ELF structured) which have file-specific computed offsets. As the needs from forensics experts increase, we will continue to develop more powerful features.
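To make the JSON-driven, method-tagged signature idea concrete, here is a small matcher written for this post (it is not the intern's tool and does not reproduce its signature format). Each signature carries a "method" tag that selects a matching routine; the "pe" method follows the computed e_lfanew offset from the DOS header instead of a fixed header, and the extension check flags the renamed-RAR case described above. Signature names, extensions and the sample bytes are constructed for the example.

```python
"""Added example: a minimal JSON-driven file-type signature matcher with
static and dynamic (computed-offset) methods. Not the ASSET tool's code;
signature names, file names and sample bytes are constructed here."""
import json
import struct

# Constructed signature library: each entry names the method it relies on.
SIGNATURES = json.loads("""
[
  {"name": "RAR archive", "ext": [".rar"], "method": "header",
   "hex": "526172211a0700"},
  {"name": "JPEG image", "ext": [".jpg", ".jpeg"], "method": "header_footer",
   "hex": "ffd8ff", "footer_hex": "ffd9"},
  {"name": "PE executable", "ext": [".exe", ".dll"], "method": "pe"}
]
""")

def match_header(data, sig):
    # Static signature: fixed magic bytes at offset 0.
    return data.startswith(bytes.fromhex(sig["hex"]))

def match_header_footer(data, sig):
    # Static header plus trailer, the rigid style most carvers use.
    return (data.startswith(bytes.fromhex(sig["hex"]))
            and data.endswith(bytes.fromhex(sig["footer_hex"])))

def match_pe(data, sig):
    # Dynamic signature: "MZ" at 0, then the 32-bit e_lfanew field at 0x3C
    # gives the file-specific offset of the "PE\0\0" signature.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# The "method" tag in each JSON signature dispatches to one of these.
METHODS = {"header": match_header, "header_footer": match_header_footer,
           "pe": match_pe}

def identify(data):
    """Return the names of all signatures whose method accepts the bytes."""
    return [s["name"] for s in SIGNATURES if METHODS[s["method"]](data, s)]

def extension_mismatch(filename, data):
    """True when the content matches a known type but not the claimed
    extension, e.g. a RAR archive renamed to .jpg before exfiltration."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    found = identify(data)
    if not found:
        return False
    allowed = {e for s in SIGNATURES if s["name"] in found for e in s["ext"]}
    return ext not in allowed

# Constructed samples: a RAR header disguised as a JPEG, and a tiny PE stub
# whose e_lfanew points at offset 0x80.
RENAMED_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 16
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
           + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 8)

if __name__ == "__main__":
    print(identify(RENAMED_RAR), extension_mismatch("X.jpg", RENAMED_RAR))
    print(identify(FAKE_PE), extension_mismatch("lib.dll", FAKE_PE))
```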

Here is a signature snippet for the DLL file type:

[Figure: DLL signature snippet]

ASSET Senior Manager Mohit Kalra, ASSET Security Researcher Karthik Raman  and I have been cooperating with experts from other Adobe teams and justifying a few concepts behind the project. After the tool passed several phases of testing, I showcased the tool to other interns and team members at the Adobe Intern Expo, and separately to various forensic experts at Adobe. The project was difficult, and I couldn’t have completed it without the help of my co-workers. This is one of the things I appreciated the most about my internship: teamwork that proved to be productive, solid, and congenial!

Through the internship, I’ve gained hands-on experience on industry-level projects. It has given me insight into project development cycles and let me use many coding skills that I never had the chance to use previously. Apart from the technical side, there are many aspects of life you can learn in such a big corporate environment, and I’ve enjoyed the process of adapting to it.

Timber Deng
Security Intern

Flash Player Security with Windows 8 and Internet Explorer 10

With the launch of Internet Explorer 10 on Windows 8 last year, customers have experienced improved Flash Player capabilities. Adobe worked closely with Microsoft to integrate Flash Player into Internet Explorer 10 for the Windows 8 platform, but some of our customers are still unaware of the full benefit of the security enhancements. We’d like to take the opportunity to discuss how this integration introduced several new changes that have increased end-user security.

The first significant change is that Flash Player updates for IE 10 on Windows 8 are now distributed through Windows Update. End-users are no longer prompted by the Flash Player auto-updater to update Internet Explorer. This also means that enterprises can now distribute Flash Player updates for Windows 8 through their existing Windows OS patch management workflows. IE 10 users on Windows 7 will continue to be updated through Flash Player’s existing update mechanisms.

Windows 8 and IE 10 bring a new level of security known as Enhanced Protected Mode (EPM). In immersive mode, EPM is enabled by default. End users can enable Enhanced Protected Mode on the desktop by selecting Tools > Internet Options > Advanced and checking “Enable Enhanced Protected Mode.”

EPM on IE 10 provides several new protections. One is that all content processes will run as 64-bit processes. This means that Flash Player will also be run as a 64-bit process which will make heap sprays more difficult. The larger address space makes it more difficult to predict the memory location of the spray with a decent statistical likelihood.

The Windows 8 OS security model also utilizes AppContainers for Windows Store apps. The AppContainer for Internet Explorer 10 is an improvement on the existing idea of integrity levels. The IE 10 AppContainer brokers both read and write access to most of the operating system. This is an improvement over traditional Protected Mode, where only write access was limited. Since Flash Player will be executing as a low-privileged process, it will not be able to read user-owned data without user interaction. In addition, the IE 10 AppContainer enforces certain network restrictions which are described here. Since Flash Player is integrated into IE 10, Flash Player is sandboxed by the same AppContainer broker as Internet Explorer.

One aspect of the new AppContainer brokers is that Internet Explorer 10 has a unique cookie store for each mode. Browser cookies for immersive surfing will be placed in the IE 10 AppContainer storage location. Cookies created while surfing Internet-zone content in IE 10 on the desktop will be placed in the Low Integrity Level (LowIL) cookie location. Flash Player follows this paradigm for Local Shared Objects (LSOs) as well. This means that any data stored from your Flash Player gaming in immersive mode will not be available to Flash Player when you are surfing with IE on the desktop. More information on how IE 10 handles cookies on Windows 8 can be found in this blog.

Overall, these new protections serve to further improve security for our Windows 8 customers while also delivering a more streamlined update workflow. Adobe will continue to work with Microsoft to better improve security for our mutual customers going forward.

Peleus Uhley
Platform Security Strategist

Reflections on Black Hat & DefCon

This year the ASSET security team along with security engineers from several other Adobe teams travelled to Vegas to attend the summer’s largest security conferences – Black Hat and DefCon. The technical talks can typically range from “cool bugs” to “conceptual issues that require long term solutions.” While the bugs are fun, here’s my take on the major underlying themes this year.

One major theme is that our core cryptographic solutions such as RSA and TLS are beginning to show their age. There was more than one talk about attacking TLS and another presentation by iSEC Partners focused on advances related to breaking RSA. The iSEC team made a valid case that we, as an industry, are not prepared for easily deploying alternative cryptographic solutions. Our industry needs to apply the principles of “crypto agility” so that we can deploy alternative solutions in our core security protocols, should the need arise.

Another theme this year was the security issues with embedded systems. Embedded systems development used to be limited to small bits of assembly code on isolated chips. However, advances in disk storage, antenna size, and processors have resulted in more sophisticated applications powering more complex devices. This exposed a larger attack surface to security researchers at Black Hat and DefCon, who then found vulnerabilities in medical devices, SIM cards, automobiles, HVAC systems, IP phones, door locks, iOS chargers, Smart TVs, network surveillance cameras, and similar dedicated devices. As manufacturing adopts more advanced hardware and software for devices, our industry will need to continue to expand our security education and outreach to these other industries.

In traditional software, OS enforced sandboxes and compiler flags have been making it more difficult to exploit software. However, Kevin Snow and Lucas Davi showed that making additional improvements to address space layout randomization (ASLR), known as “fine-grained ASLR,” will not provide any significant additional levels of security. Therefore, we must rely on kernel enforced security controls and, by logical extension, the kernel itself. Mateusz Jurczyk and Gynvael Coldwind dedicated significant research effort into developing tools to find kernel vulnerabilities in various operating system kernels. In addition, Ling Chuan Lee and Chan Lee Yee went after font vulnerabilities in the Windows kernel. Meanwhile, Microsoft offered to judge live mitigation bypasses of their kernel at their booth. With only a small number of application security presentations, research focus appears to be shifting back toward the kernel this year.

Ethics and the law had an increased focus this year. In addition to the keynote by General Alexander, there were four legal talks at Black Hat and DefCon from the ACLU, EFF and Alex Stamos. Paraphrasing Stamos’ presentation, “The debate over full disclosure or responsible disclosure now seems quaint.” There were no easy answers provided; just more complex questions.

Regardless of the specific reason that drew you to Vegas this year, the only true constant in our field is that we must continue learning. It is much harder these days to be an effective security generalist. The technology, research and ethics of what we do continues to evolve and forces deeper specialization and understanding. The bar required to wander into a random Black Hat talk and understand the presentation continues to rise. Fortunately, walking into a bar at Black Hat and offering a fellow researcher a drink is still a successful alternative method of learning.

Peleus Uhley
Platform Security Strategist

Adobe’s Software Vulnerability Report Form Gets a Facelift

This week Adobe launched a new software vulnerability report form. This web form is the primary mechanism for our colleagues in the information security community to disclose security vulnerabilities that may impact Adobe’s customers.

In addition to some functionality improvements, we’ve included additional questions to accelerate our vulnerability triage process. We welcome your feedback on the new form, as well as suggestions on ways to improve our process. You can always reach us via PSIRT@adobe.com.

Finally, we’ll be at Black Hat and DEF CON this year, and we’re looking forward to catching up with everyone who plans to attend. See you there!

Pieter Ockers
Program Manager, PSIRT