We recently had the chance at the Hack in the Box 2011
security conference in Amsterdam to speak about PDF malware
with security researcher Didier Stevens. But Mr. Steve Adegbite, a senior security strategist at Adobe Systems, was also on site to speak on a much awaited panel, so we took the opportunity to learn his opinion on the matter too.Softpedia:
Last year Adobe released Adobe Reader and Acrobat X (10.0), which feature sandboxing technology and are important security updates for users. Can you disclose some adoption numbers for these products?Steve Adegbite:
I don't have the actual numbers. Adoption is not necessarily significant, but it is creeping up. If I'd have to take a guess, I'd say that about 20% of our regular user base has updated.
It's a slow process, but we're hoping that by the end of the year the numbers will be a lot higher. We're looking for a spike. People just need to learn that these are out there, that they have new security features, and adopt them.Softpedia:
Do you plan to push them through more aggressive means, maybe a prompt that asks users to upgrade because these versions are more secure?Steve Adegbite:
I think we're looking to do all that. We're looking at doing a marketing campaign, as well as working with our partners to advertise the new technology more. It's a fine line between encouraging and forcing users to move from a product they know and love to a new one and we're staying down the middle. But we're talking about promoting it every chance we get.Softpedia:
Do you think adoption is better or worse in business environments?Steve Adegbite:
I would hazard to guess that it's better for certain businesses, those that have high-assurance environments and are more concerned with security. I think their adoption rate is a lot better than that of businesses looking for more feature-type changes. Those have to weigh the option of whether or not they want to incur the cost of updating to something that feature-wise they might not need.
But I think people who are looking for security enhancements are moving quickly. In fact, I've gone out to a number of companies that applied Reader X the day it was released. Those guys were like "sandbox, high-assurance environment, we need it" and were on it instantaneously.Softpedia:
You've recently released out-of-band patches for Adobe Reader X in order to resolve a Flash zero-day vulnerability, with the exception of the Windows version because the sandbox technology protected users against the exploit. Some security experts have criticized this decision, claiming it encourages system administrators not to upgrade.
This could be a problem because sandboxes are not unbreakable and at some point someone will figure out a way to bypass it. If this mentality takes off we'll end up with a situation similar to the one a couple of years ago when there were a large number of outdated installations. How do you comment on this?Steve Adegbite:
We still end up fixing issues that are essentially protected by the sandbox, meaning vulnerabilities that can be triggered, but because of the sandbox there isn't anything that can happen with them. We may fix them in the next general distribution of the product.
We will update it. It's just that at the time when a zero-day vulnerability is disclosed, if the sandbox ends up mitigating it, its severity is lower. For a version that doesn't have sandboxing it may be critical, but for those that have it, it's important or moderate.
We'll still release an update, but it will be a future one. It's not critical to release it at time zero. A product update where we will fix all these vulnerabilities that didn't end up impacting users, but it's good hygiene to clean them up, because it's bad code.
We don't want users to believe that we will just forget about security issues. We'll still continue to patch them, it might just not be up in their face and prominent.Softpedia:
But it's just one more product. It's just Adobe Reader X for Windows. You clearly have the resources to release an out-of-band patch for it too. There are concerns that your security advisories telling people they are protected because of the sandbox sends a bad message and encourages them not to update. Why not go the extra mile?Steve Adegbite:
Well, here's the thing. People don't like unnecessary patches, because they need to apply resources for them. So if there is a vulnerability that doesn't affect them, most customers tell us "look, just delay it to a regular time when I can deal with it," because, you know, each of our patches are of considerable sizes.Softpedia:
So it's more about the costs of your customers than yours.Steve Adegbite:
Absolutely. We're looking to protect users, but the user comes back and says "hey, if I'm already protected, get me at another time when I deal with those costs."
There's been a significant decrease of the amount of PDF malware during the past year. Can you confirm that?Steve Adegbite:
From reports that we've seen from security vendors, there has been a decrease. There's been an increase in the number of Java exploits and a decrease in PDF ones, which we're happy for, because it gives us a sign that we're doing something right.
We don't believe the war is over, so we're still diligently doing the same thing, because one day you could see a decrease and the next one you could see a spike. At least we have an idea that what we've been doing so far makes sense and we're going to continue to ramp it up. We're happy for it, but we're still looking ahead at how we can do better. Until it's zero, we're not going to stop.Softpedia:
Do you think this decrease of PDF malware levels is because of the sandbox in Adobe Reader X and the implementation of ASLR and DEP in Adobe Reader 9?Steve Adegbite:
I think it's a combination of all that. I think the people who attack our products are finding that the investment is just not worth what they're going to get at the end. We try to put more barriers in front of them so they will move on to other technologies, such as Java or others that are easier for them to exploit.Softpedia:
Or Flash. Are you working on a sandbox for Flash Player?Steve Adegbite:
We are working on a different technology that might be sandbox-like for Flash, because we understand that containment is the best way for handling these problems. You're never going to write code that is 100% free of bugs, but if you contain it, it won't impact the user.
It's kind of like seat belts. Seat belts don't prevent a car crash. They just protect you, so that if you do have a car crash, you can walk away from it. That's the same thing we're looking to put in Flash and pretty much all of our products.Softpedia:
Can you give us an estimate as to when will this be available? This year maybe? Steve Adegbite:
I wish I could throw it out there, but there is a lot of compatibility testing to do.Softpedia:
What stage of development is it in?Steve Adegbite:
I would say it's getting past the concept phase. I wouldn't say implementation yet, but we're looking at different solutions on how we could do it and try to figure out what's the right path to take.
We're not dreaming it up just now. We've already gone through the phase of deciding how we want this to work. We're designing it at this point.Softpedia:
So there's still a long way to go.Steve Adegbite:
I wouldn't say a long way, because our development cycle is somewhat fast. I couldn't say it's less than a year, but I don't see it being five years down the line.
It would be something within a two-year cycle, if not even sooner than that, because most of the plans I've seen can be implemented rather quickly. But, we have to make sure it works seamlessly throughout all the browsers and that's where there may be a bit of a hiccup.Softpedia:
What about sandboxing for Adobe Reader on other systems? It's obviously not a priority because there haven't been any in-the-wild attacks for the product on other platforms, but it would be nice to have it because there is always that possibility, especially with Mac OS X being increasingly targeted by attackers. So, are you considering it?Steve Adegbite:
Right now, I would say no. The way we handle this is like triage. We want to stop the bleeding first and that's on the Windows platform. If a lot of attacks switch to Mac OS we will evaluate and we will have to put efforts into creating a sandbox for it, but we're not seeing the numbers yet and people are not being attacked.
It's a trade-off. Do we want to incur the cost and pass on that cost? Because people purchase the software and there's a cost to that. Do we want to charge people that aren't getting attacked? That's why we're stuck in the middle, but as soon as those numbers go up, yes we will start developing the same technologies for Mac OS and have people use them.Softpedia:
Researchers from AVAST [antivirus vendor] recently discovered
Didier Stevens [PDF malware expert] told us there are actually several filters that could be used in this way. Could you put up a list somewhere or inform AV vendors about them?Steve Adegbite:
We do work with them [AV vendors] and we share information. Adobe is part of Microsoft's Active Protection Program and there are also other programs we're working on. We try to give them as much information as possible because they protect our mutual customers.
So, we did share information about the different types of streams that can be parsed, but it's not broadly available. We don't put it on our website because the same type of information could be used by attackers. So we try to go through more trusted channels.(interview transcribed from audio)
Softpedia.com was an official media partner at the HITB2011AMS security conference.