Could Adobe be vulnerable to an AIR attack?
04 October, 2007 08:55
Adobe Systems' moves to support rich Internet applications are exposing the software vendor -- and its developers and users -- to the threat of more Web-based malware and efforts to take advantage of security holes in its products.
"It's annoying to Adobe that suddenly they have become a target" for malicious hackers, said Chris Swenson, an analyst at NPD Group.
For instance, a British security researcher claimed last month that an unpatched vulnerability in Adobe's Portable Document Format (PDF) technology could be exploited to take control of systems running Windows XP; at the time, Adobe said it was researching the reported flaw. And in January, Adobe issued a patch to fix a vulnerability in its PDF-based Adobe Reader and Acrobat software that made systems vulnerable to cross-site scripting attacks.
And then there are all the potential vulnerabilities lurking in Adobe's newer, less mature technologies, such as its still-in-beta Adobe Integrated Runtime (AIR) software.
"The current generation of spyware, virus and malware detection products have no visibility into running AIR programs," Schmelzer wrote in an e-mail. "As such, there is a high possibility for malicious AIR applications -- which are no longer security-restricted to the browser sandbox and are free to manipulate local machines -- to spread into the wild."
John Landwehr, Adobe's director of security solutions and strategy, said at the company's Adobe MAX 2007 North America conference here that AIR applications are not only digitally signed to ensure authenticity, but also use security sandboxes to limit the ability of malware to take control of other applications on a compromised PC.
But that creates its own obstacles. "AIR has been a challenge to do security for," said Bill Manning, senior product manager at Aptana, which makes an open-source development tool that supports AIR. "Because of the two sandboxes, there are two security models. It's a new method for developers to get used to. And the weight of security is on their shoulders."
Luke Adamski, a platform security strategist at Adobe, asserted that runtime environments such as AIR "are inherently a little safer" than simple Web sites based on AJAX or HTML are. But he agreed that AIR "can only do so much" on its own from a security standpoint.
In his e-mail, Schmelzer contended that "to protect the value of AIR and prevent a potentially fatal blow to the emerging technology," Adobe needs to partner with the major vendors of antivirus tools "to provide AIR-specific threat prevention and malware scanning."
Adobe does have some rudimentary partnerships with such companies, Landwehr said. But he added that Adobe, which moved two years ago to a monthly patch release schedule, is prepared to move fast to fix any flaws that do emerge. "We absolutely have the workflow to respond very quickly to issues with any app in the entire company," he said.
Adobe is also launching a slew of hosted services that it needs to protect against hackers in order to maintain their uptime. Those offerings, Landwehr said, will undergo the same bug-hunting process as Adobe's packaged software currently gets.
Landwehr pointed out that "as far as we know, there is no malware in circulation disguised as PDFs." But he conceded that there is little Adobe can proactively do to help curb the fast-growing problem of PDF spam. For instance, tens of billions of e-mails with PDF attachments touting stocks were sent in a matter of days this summer by so-called pump-and-dump scammers.
His advice: remind users to only open documents that are sent by authenticated senders and digitally signed so as to prove that they haven't been altered en route. But that, Landwehr acknowledged, is something most users don't regularly do now.
Landwehr's other big challenge is ensuring that hackers don't break the digital rights management technology built into an increasing number of Adobe products.
For instance, the upcoming Version 3 of the company's Flash Media Server will ensure that users who download Flash videos for offline viewing will still have to view banner ads associated with the videos, as well as ads inserted before, in the middle of and after the video clips, Landwehr said. Any attempts to modify the encrypted Flash videos will mean that "nothing will play," he added.