Applications under attack says Microsoft, Adobe

27 May 2010

Many in the security field agree that attack vectors have rapidly moved from exploiting operating system vulnerabilities to the application layer. Security specialists from Microsoft and Adobe lent their opinions as to why this is the case.

More than 80% of current vulnerability attacks target applications, including browser plug-ins, says Microsoft’s Dave Ladd, citing data compiled by IBM’s X-Force. The principal security program manager for Microsoft’s Trustworthy Computing group contends that attacks have recently moved to the application space because hackers are abandoning operating system attacks as OS vendors take steps to vastly increase security.

Ladd also stresses the need for software companies to incorporate security into the development process. “Finding a bug at design time is a heck of a lot cheaper than finding after you have deployed an application”, he affirmed.

Microsoft does offer documentation on its Security Development Lifecycle (SDL) process, which is free to download. The company also offers a simplified SDL process document that can be used by organizations of any size.

When asked why Microsoft would help potential competitors develop more secure products, Ladd responded that it’s a matter of creating a safer ecosystem. “Security is a neutral ground”, he noted, adding that his company’s customers often don’t distinguish where a bug that crashes an application actually lives, and instead simply assume that the problem lies in the Windows operating system. And, aside from the reputational issues, Ladd said that, “frankly, it’s the right thing to do.”

Brad Arkin, director of product security and privacy at Adobe, agreed with this assessment. “The number of attacks on the platform have been decreasing, while the number of attacks against third-party apps running on the platform have been increasing”, he concurred.

Arkin acknowledged that it has been a rather difficult year for security issues surrounding Adobe products, especially the company’s popular Reader product.

“Why do you attack Adobe software?”, he asked rhetorically. “Because that’s where the users are”, Arkin said, referring to the ubiquitous presence of Adobe’s Acrobat Reader, which commands overwhelming market share among PDF reader products and is run on more than 98% of desktop systems.

“Pretty much everyone on Earth uses our software”, Arkin proclaimed. “This creates a rather interesting attack surface for bad guys to go after.”

The Adobe product security director says that attacks against applications are not just a dilemma for his company, but an industry-wide problem. As Arkin noted, however, Adobe does face a unique challenge: “The fact that we have some of the most widely deployed software on Earth puts us squarely in the middle of these types of attacks.”
