Errata Security: Adobe misses low hanging fruit in Reader

It appears that one of the reasons Adobe has so many vulnerabilities is a lack of secure software development practices.

One of the most common features of “secure development” is avoiding functions that are known to be dangerous, functions that have caused major vulnerabilities (such as Internet worms) in the past. These are functions developed in the 1970s, before their risks were understood. Now that we have suffered from these functions and understand the risks, we have come up with safer alternatives. Using these alternatives is cheap and easy, and it can save a development house endless embarrassment and remediation time. More importantly, while verifying that your code is “secure” is an essentially impossible task, verifying that your code contains no banned functions is easy. We call this the “low hanging fruit” of secure development.

The Errata article found a high-risk function, strcat, still being used in Adobe Reader, and its use is possibly related to a recent vulnerability, the SING Table Parsing Vulnerability (CVE-2010-2883).
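To make the banned-function point concrete, here is an added example (written for this post, not code from Adobe, Errata Security or any of the products mentioned) showing why strcat is on banned lists and what a bounded replacement looks like. The function and buffer names, and the "font-" prefix used in the driver, are assumptions chosen for illustration; the only thing taken from the article is that an unbounded concatenation on a fixed-size buffer is the risky pattern.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical example, not Adobe's or Errata's code.
 *
 * The pattern that lands strcat() on banned-function lists is a fixed-size
 * destination fed through a call that never learns the destination's size:
 *
 *     char name[64];
 *     strcat(name, untrusted_suffix);   // strcat has no idea name is 64 bytes
 *
 * strcat() trusts the caller to have verified that dst has room for src plus
 * the terminating NUL.  When src comes from a parsed file (for example a table
 * inside an embedded font) that trust is misplaced, and the copy runs past the
 * end of the buffer.  The replacement below carries the destination size with
 * it and reports an oversized append instead of performing it. */

/* Append src to the NUL-terminated string held in dst, where dst has dstsize
 * bytes of storage.  Returns 0 on success and -1 if the result would not fit;
 * on -1, dst is left unchanged so the caller can detect the attempt. */
int safe_append(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;

    /* Refuse to work on a destination that is not NUL-terminated within its
     * own storage; strlen(dst) would already read out of bounds there. */
    const char *nul = memchr(dst, '\0', dstsize);
    if (nul == NULL)
        return -1;
    size_t used = (size_t)(nul - dst);

    size_t srclen = strlen(src);
    if (srclen >= dstsize - used)      /* need srclen + 1 bytes, NUL included */
        return -1;

    memcpy(dst + used, src, srclen + 1);  /* copies the terminator as well */
    return 0;
}

/* Small driver: build a name from a fixed prefix and caller-controlled text.
 * Returns 0 on success, -1 if either piece would overflow out. */
int build_name(char *out, size_t outsize, const char *prefix, const char *name)
{
    if (out == NULL || outsize == 0)
        return -1;
    out[0] = '\0';
    if (safe_append(out, outsize, prefix) != 0)
        return -1;
    return safe_append(out, outsize, name);
}

int main(void)
{
    char buf[16];   /* deliberately small so the second call is rejected */

    int rc = build_name(buf, sizeof buf, "font-", "Arial");
    printf("rc=%d buf=\"%s\"\n", rc, buf);

    rc = build_name(buf, sizeof buf, "font-", "a-very-long-table-name");
    printf("rc=%d buf=\"%s\"\n", rc, buf);   /* rejected; buf keeps "font-" */
    return 0;
}
```

The "easy to verify" part of the article's argument is exactly this: once the rule is "no strcat, strcpy, sprintf or gets anywhere in the tree", the audit is a text search for those names rather than a proof about buffer sizes, and a bounded helper like safe_append gives developers a drop-in place to route the old calls through while they fix each site.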

In addition, Brian Krebs is reporting that Adobe published yet another security advisory earlier this week about a previously unknown vulnerability in Flash being actively exploited.

New attacks leverage a zero-day vulnerability in Adobe PDF reader

Via ThreatPost yesterday:

Security researchers [at Symantec] say that a new wave of attacks suggests that the malicious hackers behind a security compromise [Aurora] at Google and a number of other prestigious U.S. firms are back in business, this time using an unpatched security flaw in Adobe’s PDF (Portable Document Format) Reader application.

The post is well linked for background information on Aurora.

Adobe Reader improved security coming

ars technica reported that, “Microsoft has been helping Adobe develop a sandbox similar to the Protected View in Office 2010.” Considering that Adobe Reader is #5 on Secunia’s list of third party products ranked by number of vulnerabilities, this is welcome news. More on Protected View in Office 2010 here.

The question is, why wouldn’t you want all your applications sandboxed this way?

How does Microsoft’s sandboxing technology compare to Suse Linux Enterprise Desktop’s AppArmor?