Errata Security: Adobe misses low hanging fruit in Reader


It appears that one of the reasons Adobe has so many vulnerabilities is a lack of secure software development practices.

One of the most common features of “secure development” is the ability to avoid functions that are known to be dangerous, functions which have caused major vulnerabilities (such as Internet worms) in the past. These are functions developed in the 1970s, before their risks were understood. Now that we have suffered from these functions and understand the risks, we have come up with safer alternatives. Using these alternatives is cheap and easy, and it can save a development house endless embarrassment and remediation time. More importantly, while verifying that your code is “secure” is an essentially impossible task, verifying that your code contains no banned functions is easy. We call this the “low hanging fruit” of secure development.

The Errata article found a high-risk function, strcat, still being used in Adobe Reader, which is possibly related to a recent vulnerability, the SING Table Parsing Vulnerability (CVE-2010-2883).
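To make the two points above concrete (why strcat is on banned-function lists, and how cheap the "no banned functions" check is), here is an added example in C. It is not code from the Errata article or from Adobe: the buffer sizes, the sample source text and the banned-function list are constructed for illustration. It shows the unbounded strcat pattern beside a bounded replacement that refuses to overflow, and a small scanner that counts banned call sites in a source buffer, the kind of check a build can run on every commit.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The banned pattern: strcat trusts that dst has room for src plus the NUL.
   With attacker-controlled name lengths (a font table name, a file name) the
   write runs off the end of dst. Shown for comparison only; never call it. */
void unsafe_join(char *dst, const char *prefix, const char *name) {
    strcpy(dst, prefix);
    strcat(dst, name);
}

/* Bounded append: never writes past dst_size bytes. Returns 0 on success and
   -1 when the result would not fit, leaving dst unchanged in that case. */
int safe_append(char *dst, size_t dst_size, const char *src) {
    const char *end = memchr(dst, '\0', dst_size);   /* locate dst's terminator */
    if (end == NULL) return -1;                      /* dst not terminated within bounds */
    size_t dlen = (size_t)(end - dst);
    size_t slen = strlen(src);
    if (slen >= dst_size - dlen) return -1;          /* no room for src plus NUL */
    memcpy(dst + dlen, src, slen + 1);
    return 0;
}

/* Exercises safe_append on constructed inputs; returns 1 if every case behaves
   as expected (fits, refuses and leaves dst intact, then fits exactly). */
int append_self_check(void) {
    char buf[8] = "abc";
    if (safe_append(buf, sizeof buf, "def") != 0 || strcmp(buf, "abcdef") != 0) return 0;
    if (safe_append(buf, sizeof buf, "gh") != -1 || strcmp(buf, "abcdef") != 0) return 0;
    if (safe_append(buf, sizeof buf, "g") != 0 || strcmp(buf, "abcdefg") != 0) return 0;
    return 1;
}

/* Constructed banned-function list; a real list would be longer. */
static const char *BANNED[] = { "strcat", "strcpy", "sprintf", "gets", NULL };

static int is_ident_char(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_';
}

/* Counts call sites of banned functions in a source buffer: a banned name that
   is a whole identifier (so strncat, snprintf, fgets do not match) followed by
   an opening parenthesis. */
int count_banned_calls(const char *source) {
    int count = 0;
    for (const char **name = BANNED; *name != NULL; ++name) {
        size_t nlen = strlen(*name);
        const char *p = source;
        while ((p = strstr(p, *name)) != NULL) {
            int word_start = (p == source) || !is_ident_char(p[-1]);
            const char *q = p + nlen;
            while (*q == ' ' || *q == '\t') ++q;
            if (word_start && !is_ident_char(p[nlen]) && *q == '(') count++;
            p += nlen;
        }
    }
    return count;
}

/* Constructed sample source: three banned calls, three safe look-alikes. */
static const char SAMPLE_SOURCE[] =
    "char buf[64];\n"
    "strcpy(buf, prefix);\n"
    "strcat(buf, name);\n"
    "strncat(buf, suffix, sizeof buf - strlen(buf) - 1);\n"
    "snprintf(out, sizeof out, \"%s\", buf);\n"
    "sprintf(tmp, \"%d\", n);\n"
    "if (fgets(line, sizeof line, fp) == NULL) return;\n";

int main(void) {
    printf("safe_append self-check: %s\n", append_self_check() ? "ok" : "FAILED");
    printf("banned call sites in sample: %d\n", count_banned_calls(SAMPLE_SOURCE));
    return 0;
}
```

The scanner is deliberately naive (it does not parse comments or strings), which is the point: even a check this simple fails the build the moment someone types strcat, and a project that wants more can swap in the compiler's own deprecation warnings or a lint rule.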

In addition, Brian Krebs is reporting that Adobe published yet another security advisory earlier this week about a previously unknown vulnerability in Flash being actively exploited.

Only one way to block ‘Flash cookies’

While browsers now give you total control of standard “cookies,” Flash cookies are another matter. Woody Leonhard at Infoworld writes about the only way to control Flash cookies in his article, Block ‘Flash Cookies’ to thwart zombies. Hint: you have to go to the Adobe Flash Player Settings Manager site.

The attack of the Cookie monsters

This past Friday, the Wall Street Journal wrote an extensive article on the “nefarious” techniques web content sites use to help monetize their mostly free content. WSJ calls it “spying.” It implies that users are unaware that it's happening and are helpless to do anything about it.

First, if you read the WSJ or this blog, you are no longer unaware. Second, most browsers provide tools to protect your privacy while you are browsing and to delete the “cookies.” Third, since most people are unwilling to pay anything for content, the content providers have little choice but to monetize via advertising. In order to achieve reasonable rates, advertisers want to be able to target their ads. Fourth, I believe that most people are OK with the trade-off – free content in exchange for giving up their privacy. If you are not OK with the exchange, see the second point above.

For the most part, I agree with Jeff Jarvis, who takes the Wall St. Journal to task in his post, Cookie Madness.

On the other hand, Wired reported earlier in the week that a lawsuit was filed against Quantcast, a subsidiary of MTV, which allegedly “violated federal computer intrusion law by secretly using storage in Adobe’s Flash player to re-create cookies deleted by users.”

The Wired article goes on to say,

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

Quantcast claims it stopped using this technique last August 2009 after Wired had first brought this technique to light.