Security of hosted services is top priority for Adobe's first CSO

Lucian Constantin | April 26, 2013
Strengthening the security of Adobe's internal infrastructure is another goal for new CSO Brad Arkin

From his new position, Arkin will oversee the work of the recently created Engineering Infrastructure Security Team, which maintains the company's software building, signing and release infrastructure, in addition to that of the ASSET and PSIRT groups. He will also oversee the Adobe Security Coordination Center, a group that coordinates both network and product security incident response activities across the company.

Adobe's efforts to strengthen the security of its software products, especially the widely used programs, have had a visible impact on the threat landscape in recent years. The number of exploits targeting Adobe Reader used in active attacks has decreased considerably, forcing the attackers to switch their focus to Oracle's Java and other widely used software. A zero-day -- previously unknown -- exploit for Adobe Reader X that was found in February was the first to bypass the program's sandbox mechanism since its release back in 2010.

Flash Player is now also sandboxed under Google Chrome, Mozilla Firefox and Internet Explorer 10 on Windows 8, making successful exploitation of Flash Player vulnerabilities much more difficult than in the past.

The silent auto-update option added to Flash Player and Reader, together with the work the company has done with platform partners like Microsoft, Apple, Mozilla and Google, has led to the majority of users upgrading to the latest and most secure versions of those products, Arkin said.

In the consumer market, only a small number of users are still using Adobe Reader 9 and less than 1 percent are running an older version that's no longer supported and not receiving security updates, Arkin said. Most enterprise environments have upgraded to Reader X, yet "more people than I would like are still using version 9," Arkin said.

The company is moving aggressively to get people from Reader version 9 to version XI or at least X, especially since version 9 will reach end-of-life at the end of June, Arkin said. "We're using the update mechanism to push upgrades to the latest version and not just security updates for the installed version."

Ideally, the company would like people to use Reader XI because it offers the best level of security. Reader XI has a second sandboxing component known as Protected View, in addition to the one first introduced in Reader X, but unfortunately this feature is not turned on by default.

The reason Reader XI is not shipped with Protected View enabled by default is that it breaks some workflows, as the level of protection it offers is incompatible with screen readers or some other common tasks like printing, Arkin said. With every update, the company is trying to solve some of the incompatibilities so that it can turn the feature on by default, Arkin said. However, people in highly targeted environments can still turn it on now and use various work-arounds to access the required functionality, he said.

 
