Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.

Saturday 10 October 2009

Adobe Zero Day - Too Much Functionality?

Praetorian Prefect: Adobe to release critical update on Patch Tuesday

I'm constantly staggered at how often vulnerabilities are reported in what should be simple applications. This attack uses heap spraying in JavaScript to execute malicious code that installs a backdoor. My eyes alighted on the phrase "JavaScript" in the notification. When did Adobe Reader gain JavaScript capabilities?

Most users use Adobe Reader just to open PDF documents, which are for the most part static text and images. However, the latest version of Adobe Reader, 9.1, is a 35MB download that includes support for JavaScript, Flash and much else that enables "feature-rich content". I doubt many people want animation in their PDFs, and one reason many people convert to PDF in the first place is to strip out interactive MS Office features such as change-tracking data and macros.
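The practical question for any given document is whether it actually carries any of that active content, or whether it is the plain text-and-images file most people expect. A PDF records such features as dictionary names in its objects, so a byte-level scan for the names that introduce them is a quick triage check. The following scanner is an added example written for this post, not code from the original article or from Adobe or any PDF tool; the three sample PDFs are constructed inline for the demonstration, and the particular list of keys it looks for is this example's own choice.

```python
import re
from collections import Counter

# Dictionary keys that introduce active content a plain "read the document"
# use case does not need. (Key list chosen for this example.)
ACTIVE_CONTENT_KEYS = {
    "/JS": "embedded JavaScript",
    "/JavaScript": "JavaScript action",
    "/OpenAction": "action run automatically when the document opens",
    "/AA": "additional automatic actions (page open, mouse events, ...)",
    "/RichMedia": "Flash / rich media annotation",
    "/Launch": "launch an external program",
    "/EmbeddedFile": "embedded file attachment",
    "/AcroForm": "interactive form",
}

# A PDF name runs from '/' to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")


def _normalise_name(raw: bytes) -> str:
    # PDF names may be written with #xx hex escapes (e.g. /#4A#53 for /JS),
    # a common trick for dodging naive string matching; decode before comparing.
    def _unhex(m):
        return bytes([int(m.group(1), 16)])
    return re.sub(rb"#([0-9A-Fa-f]{2})", _unhex, raw).decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Count active-content names, plus /ObjStm (compressed object streams),
    whose contents a raw byte scan cannot see."""
    counts = Counter()
    for m in _NAME_RE.finditer(data):
        name = _normalise_name(m.group(0))
        if name in ACTIVE_CONTENT_KEYS or name == "/ObjStm":
            counts[name] += 1
    return dict(counts)


def verdict(data: bytes) -> str:
    counts = scan_pdf_bytes(data)
    opaque = counts.pop("/ObjStm", 0)
    if counts:
        found = ", ".join(f"{k} ({ACTIVE_CONTENT_KEYS[k]}) x{n}" for k, n in sorted(counts.items()))
        return "active content: " + found
    if opaque:
        # Names inside FlateDecode'd object streams are invisible here, so this
        # is "nothing seen", not "nothing present": decompress before trusting it.
        return f"no active content visible, but {opaque} compressed object stream(s) hide part of the file"
    return "plain document"


# Constructed sample PDFs (not real captured files) for the demonstration.
SAMPLE_ACTIVE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /JavaScript /#4A#53 (app.alert('hi')) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf (No JavaScript here, just text) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF"""

SAMPLE_HIDDEN = b"""%PDF-1.5
1 0 obj << /Type /ObjStm /N 3 /First 20 /Filter /FlateDecode /Length 0 >> stream
endstream endobj
trailer << /Root 2 0 R >>
%%EOF"""

if __name__ == "__main__":
    for label, pdf in (("active", SAMPLE_ACTIVE), ("plain", SAMPLE_PLAIN), ("hidden", SAMPLE_HIDDEN)):
        print(f"{label}: {verdict(pdf)}")
```

Note that the scan keys on PDF names, so the word "JavaScript" inside a text string in the plain sample does not trigger it, while the hex-escaped /#4A#53 in the active sample does. It is a triage check, not a parser: it will not see names inside compressed object streams, which is why the verdict calls those out separately rather than reporting the file as clean.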

A humorous discussion of the issues can be found here on this NZ technician's blog, but seriously, practical application security starts with matching the product to the requirements. If you are just adding features for fun (or, in Adobe's case, almost certainly to use the freeware to cross-sell other apps - they now sell Shockwave and Macromedia's old product lines), then you are failing your customers. Given Adobe's market penetration, the product's resulting contribution to the global malware load makes this unforgivable.

Practically Secure recommends SumatraPDF - a 1.2MB downloadable PDF reader that just, er, reads PDFs. If you have to stay on Adobe Reader, at least turn JavaScript off under Edit > Preferences > JavaScript (untick "Enable Acrobat JavaScript"); a document that genuinely needs it is rare enough that you will notice when one does.
