If you’ve been following Adobe news this week, you’re probably as confused as I am. [That’s unlikely, Ed.]
The big news, released yesterday, is that Adobe Acrobat X is out. (Is Adobe trying to cuddle up to Apple here, do you think? As with Apple’s current Macintosh OS, the version number is written ‘X’, but pronounced ‘ten’.)
Version 10, sorry, X, includes Adobe’s much vaunted Protected Mode. The Protected Mode sandbox is not a simple thing – see these three blog articles from Adobe – and, as Adobe wryly reminds us, “the sandbox’s reliance on the operating system means that it could potentially be subject to its flaws.”
Additionally, of course, adding yet more complexity – albeit in the name of security – to already very complex, multi-million line applications may introduce yet more flaws.
Nevertheless, Adobe’s divide-and-conquer approach inside its version X is to be applauded. The abovementioned blog articles from the Adobe Secure Software Engineering Team include diagrams which show how sandboxing can greatly increase the number of sequentially successful tricks an exploit would need to perform in order to gain control.
I approve of defence-in-depth, and I am hoping to see positive results from this new protective cocoon.
The confusion in all of this is that version X isn’t really out, but merely emerging. Some parts of Adobe’s new product range can be ordered now, whilst other parts can only be pre-ordered, whatever that means.
Most importantly, Adobe Reader X isn’t out yet. But there is a brand-new update to Adobe Reader 9. This is not a routine quarterly patch from Adobe, since it deals with vulnerability APSA10-05, which the company didn’t have time to fix in its last regular security update.
As is usually the case for out-of-band patches, this one is considered critically important: attacks exploiting this vulnerability have been seen in the wild.
Added to all of this is Adobe’s understandably excitable email marketing campaign surrounding the gradual release of the Acrobat X series of products. Since the licensing of the many components is complex, and since some parts can be ordered now, whilst you can only get into a queue for others, it’s not surprising that Adobe has issued an advisory to warn everyone to be on the lookout for phishing scams using the latest Acrobat X upgrade as a hook.
Ignore emails which claim to give you earlier access to the not-yet-available products, or which ask you to sign up to be advised when Adobe’s products are out.
And ignore emails which offer you a way to access Adobe Reader X. It isn’t out yet (it’s expected by the end of the month); you don’t need to sign up for it; and when it does come out, you can just go directly to Adobe’s standard URL to fetch it: http://get.adobe.com/reader/.
(Note to Adobe: please remove the words “you may have to temporarily disable your antivirus software” from that download page. That’s risky advice, since it leaves the entire computer unprotected for the entire time of download and installation, and even longer if the user forgets to enable it again.)
Adobe’s next scheduled security update is one quarter away: Tuesday 08 February 2011. With all the many changes in version X, and given that there have already been three security updates this month, it’s reasonable to expect that neither we nor Adobe will be able to wait that long. Perhaps it’s time for Adobe to follow Microsoft into a pattern of monthly scheduled updates?
There you have it. Here’s my six-point summary:
* Adobe upgrades are for features, and updates are for security.
* The Acrobat X upgrade is out, but not all of it.
* Reader X upgrade is not out, but a critical update to Reader 9 is available now.
* Watch out for cybercrooks using the size and scale of the Version X upgrade to scam you.
* Be vigilant in case updates, even to the latest Version X upgrade, appear before next February.
* Don’t temporarily disable your anti-virus when installing new software. You may need to relax some strict behavioural features (or get your admin to do so), but disabling it altogether is a bad idea.
And if you’d like to learn more about Adobe’s new-found thrust for security, why not listen to this podcast, in which Sophos’s Chet Wisniewski interviews Brad Arkin – Senior Director of Product Security and Privacy at Adobe:
(23 August 2010, duration 24:36 minutes, size 11.8MBytes)
“I approve of defence-in-depth” — so do I, but wrapping a badly-written application in a sandbox is not DiD, because afterwards, you have exactly one layer of protection, the sandbox.
Well, strictly speaking, you have one more defensive layer overall than you did before.
Assuming you have a few layers already (I'll spare you the sales schpiel for Sophos Endpoint Security and Control :-), then one more really does give you deeper DiD.
You can say I merely hedged my bets with the words "I am hoping to see positive results from this new protective cocoon," but [a] I _do_ hope it works and [b] I can't see much point in being ungracious to Adobe right now.
Mind you, I wouldn't mind a "MiniReader" product version I could use instead of Reader, at least for stuff I click on via the web or in email – an official Adobe product which simply didn't contain the code to support any content-driven scripting (except PostScript itself, of course). No JS, no ActionScript, etc. "Best defence is not be there."
Microsoft did something like this with its very restricted Word Viewer and Excel Viewer utilities, years ago when Office viruses were everywhere. These utilities did make a difference – no VBA meant no macro virus risks, at least for documents which you had a business reason to open but where you couldn't be 100% sure of the source. Sales proposals, orders, price lists, that sort of thing.
Paul,
On a Mac isn't that Mini Reader just Preview or the PDF Viewer component of the core OS? You know, press Space on a document in the Finder?
I guess so. What I really meant was that I'd like to see _Adobe_ publish a MiniReader flavour of Reader, thus getting the company to accept that it's not only OK, but actually highly desirable, to support a Reader version without JavaScript and friends at all.
As far as I'm aware, Adobe vulnerabilities very commonly rely on JavaScript tricks to make them exploitable, thanks to the ease with which short pieces of JavaScript can arrange large and complex data structures in memory.
That means there needs to be a compelling reason to treat a JavaScript engine as an entry-level necessity in a PDF reader. I can't find one.
I have a Mac, and I only ever open PDFs in Preview. Before the Mac I had a Linux laptop, on which I used Xpdf. To the best of my knowledge I haven't yet come across a PDF which I couldn't use.
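A triage check for the point made in the comment above, that most PDFs do not need a script engine at all: this added example (not from the original post, its commenters or Adobe) counts the PDF name keys that introduce JavaScript or automatic actions, so that files without them can be routed to a script-free viewer. The function names are hypothetical and the sample byte strings are constructed fragments.

```python
import re
import zlib

# Name keys that introduce script (/JS, /JavaScript) or automatic actions.
SCRIPT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_names(data):
    """Undo #xx escapes, which PDF permits inside names (/J#53 is /JS)."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def inflated_streams(data):
    """Yield Flate-compressed stream bodies, e.g. object streams."""
    for match in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a body whose last byte was trimmed.
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # another filter, or encrypted: not inspected here

def script_keys(data):
    """Count script-related keys in the raw file and in inflated streams."""
    chunks = [decode_names(c) for c in (data, *inflated_streams(data))]
    counts = {}
    for key in SCRIPT_KEYS:
        # The lookahead stops /JS from matching a longer name such as /JSON.
        pattern = re.compile(re.escape(key) + rb"(?![0-9A-Za-z])")
        hits = sum(len(pattern.findall(chunk)) for chunk in chunks)
        if hits:
            counts[key.decode()] = hits
    return counts

def needs_script_engine(data):
    """True if the file declares JavaScript anywhere this scan can see."""
    found = script_keys(data)
    return "/JS" in found or "/JavaScript" in found

# Constructed fragments, not complete PDF files.
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
ESCAPED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
           b"3 0 obj\n<< /S /J#61vaScript /J#53 (void 0) >>\nendobj\n")
HIDDEN = (b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S /JavaScript /JS (void 0) >>")
          + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("escaped", ESCAPED), ("hidden", HIDDEN)):
        print(name, needs_script_engine(sample), script_keys(sample))
```

A clean result is not proof of absence: encrypted files and streams using filters other than Flate are not inspected.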