Hello everyone! Karthik here from the PSIRT Engineering team. One thing PSIRT always thinks about is presenting mitigations for classes of vulnerabilities. When a product patch is not immediately available, alternative mitigations become even more valuable. To ease the mitigation deployment process we are releasing the JavaScript Blacklist Framework Tool which offers protections against an entire class of vulnerabilities related to the JavaScript API for Adobe Reader and Acrobat.

JavaScript exploits used to be one of the main attack vectors for Adobe Reader as well as the PDF format in general. In October 2009, Adobe introduced a series of security enhancements for managing JavaScript execution within Adobe Reader and Acrobat, all of which are described here.

One of these, the JavaScript API blacklist, proved invaluable only two months later when attackers launched targeted attacks against CVE-2009-4324. Both end-users and enterprises were able to completely mitigate attacks exploiting this vulnerability by blacklisting the individual JavaScript API. Since the technique simply involves adding new registry value entry to a particular registry key, some organizations we talked to were able to deploy a Group Policy Object with the updated registry entry to hundreds of thousands of machines within 24 hours.

To further refine this process for enterprise IT, the security team created a tool with a user interface for this feature, and it is now available on Adobe Labs.

Blacklist Tool Screenshot

The tool presents a list of JavaScript APIs that have been attacked in the past. It retrieves this list of APIs from an Adobe server. If an Internet connection is unavailable, it presents a default list. When you click on ‘View,’ it displays the current entries in the JavaScript Blacklist and saves this data in a text file in the directory the application is running from (usually its installation directory). You can check multiple APIs then ‘Add’ them to the JavaScript Blacklist or Remove them. Simple enough!

Note that the tool requires the Microsoft .NET 4.0 framework. The tool’s installer should prompt you to install dependencies automatically.

If you are a Windows sysadmin and have had to make changes to the JavaScript Blacklist by hand, this tool will make your life a little easier. To download the tool, visit Adobe Labs at http://labs.adobe.com/technologies/acrobat_ittools/. The tool will work with the JavaScript Blacklist Framework on Reader 9.2 and 8.1.7 and later versions (including Reader X and Acrobat X) on Windows.

Karthik Raman, Security Researcher, PSIRT
Ben Rogers, Technical Writer, Acrobat & Reader Engineering

At Adobe we have found that building working relationships between developers and vulnerability researchers is to the benefit of everyone–including, and especially, the general public. We will be speaking this week on this topic at the SOURCE Seattle 2012 conference. In our talk we’ll share case studies of successful developer-researcher collaboration by examining examples of security incidents including bug reports, zero-day attacks, and incident response.

If you’re going to be at SOURCE Seattle please drop by our talk: “Why Developers and Vulnerability Researchers Should Collaborate” at 12:10pm on Thursday, September 13. We’re eager to share what we have learned from our developer-researcher collaboration. And, of course, we especially look forward to catching up in hallway conversations!

Cheers,

Karthik Raman, Security Researcher, ASSET
David Rees, Lead Developer, Acrobat 3D

In line with the Adobe Support Lifecycle Policy, Adobe’s Acrobat 9.x and Reader 9.x suite of products reached their end-of-life (EOL) today, June 26, 2013. This means that Adobe will no longer provide security or other updates to this product suite.

Over the years, we’ve made several security enhancements in the successors of Reader 9, Reader X and Reader XI, including the Protected Mode (aka “sandboxing”) and Protected View. There has never been a better time to upgrade to Reader XI. Please upgrade, ensure automatic updates are turned on, and stay secure!

Karthik Raman

Security Researcher, ASSET

Recon, held annually in Montreal, Canada, has a reputation for being one of the best technical security conferences in the world. I was once again privileged to attend Recon (June 21-23) and this year’s conference did not disappoint.

Slides from the conference are up here on the conference Web site. As a security defender, I especially enjoyed learning about the innards of EMET 4.0 from Elias Bachaalany of the Microsoft Security Response Center (MSRC). Christopher Domas’s talk on using visualization for reverse engineering will strike a chord with anyone who has thought about using the human brain’s formidable pattern-recognition capabilities for sifting through masses of data — in this case, binary data.

Recon is known for assembling researchers from the US, Canada, Europe, and many other parts of the world and it was fun, as always, to engage in conversations with friends, colleagues, partners, and the independent research community.

Vieux-Montréal (Old Montreal) is a 15-minute walk away from the conference venue and at sunset it is more than pleasant there:

Until belle Montreal beckons again!

Karthik Raman
Security Researcher

I was privileged to give the keynote presentation at Norwich University’s Undergraduate Research Symposium recently, entitled “Keeping an Open Mind.” I still remember being a summer research fellow in math at Norwich, my alma mater, in 2004 and then pursuing independent studies in computer security my junior and senior years. Gaining the experience of research while still an undergrad eased my transition into a professional career in security research.

© 2013 Norwich University

My message to the audience was that interdisciplinary research is possible, important, and fun. I used EO Wilson’s philosophy of consilience to reason why knowledge from diverse disciplines ought to mix: “The goal of consilience is to achieve progressive unification of all strands of knowledge in service to the indefinite betterment of the human condition.” This notion applies to our own industry of software security:  a leading practitioner would arguably be well-versed in computer science, discrete math, software engineering, systems engineering, and psychology, among other disciplines.

To demonstrate that interdisciplinary research is important I used two examples. First, the research of Prof. Kevin Warwick of the University of Reading in the UK and its potential for treating people with damaged nervous systems. Second, that of Alan Turing’s interdisciplinary work during World War II. Turing’s contributions are said to have shortened the length of the war by two years. Finally, I used the example of the winners of the 2013 Ig Nobel awards to say that research is fun and it can make us laugh and think.

I followed with practical advice about approaching research with an open mind, tracking your ideas, working with a collaborative spirit, and finding your passion in research:  when you become intrinsically motivated to learn something then there’s no stopping you – something we can all keep in mind throughout our careers.

Karthik Raman
Security Researcher

Adobe attends Black Hat in Las Vegas each year and this year was no exception. The Adobe security team as well as several security champions from Adobe’s product teams attended Black Hat and a few stayed on for DEF CON too. What follows is the experiences and takeaways of Rajat and Karthik security researchers on ASSET, from Black Hat and DEF CON 2014.

Security is often characterized as a dichotomy between “breaking” and “building”. Presentations at Black Hat and DEF CON are no exception – focused on these categories as a result of the approach that hackers take towards their research. For example, Charlie Miller and Chris Valasek’s, “A Survey of Remote Automotive Attack Surfaces” was a memorable talk in the breaking-security category, where they disassembled the onboard computers in over twenty commercial cars and analyzed ways to remotely control them. It was refreshing to take a step back and observe that security scrutiny can be brought to bear on all engineering design, not just software design.

In the building-security category, we appreciated the format of the various roundtables at Black Hat because they mirrored many of the themes of security conversations across Adobe. For example we found the roundtable discussions on API Security  and Continuous Integration and Deployment to be valuable lessons for our researchers and security champions. At DEF CON, we came across DemonSaw, a new tool that lets you securely share files in a peer-to-peer network without requiring cloud storage. We found it to be an impressive implementation of cryptography fundamentals to meet security and privacy.

We noticed the gradual shift in focus of the talks from last year, in that more hackers are going after hosted services and mobile/embedded applications. This gave Adobe security champions the opportunity to see how hackers adapt to changes in the industry and to get an attacker’s perspective on compromising applications that may be similar to our own. Often times security champions had to strike a balance between talks that apply to their day-to-day work, like Alex Stamos’ Building Safe Systems at Scale and talks that were interesting given the impact to the industry, for example the talk about BadUSB. We also saw the recurring theme that each year the security community finds more serious vulnerabilities than the last, as a result of new products and platforms flooding the market. It was a reminder that with the universal growth of technology there’s a need for deeper investment in security. 

 Adobe-hosted  event at the Cosmopolitan’s Chandelier Bar on August 7th.

Black Hat and DEF CON offer much more than the presentations and trainings. The Black Hat Arsenal showcased cutting-edge security research, with prototypes of packet-capturing drones and tools that harvest information from various embedded devices. Most of the tools on display were open-source and it was great to see research shared in the security community. The Vendor Expo was an expansive mix of large companies promoting their product suites, along with newcomers exploring niche problems such as log mining, threat intelligence, and biometric security. No DEF CON conference is complete without a Capture the Flag (CTF) event, which is a place for professionals–or hobbyists–to build their skills and compete with each other in solving real-world challenges related to forensics and Web exploitation – this year’s competition was won by PPP.

It was evident that Black Hat and DEF CON have steadily grown in popularity. For the first time at Black Hat we were standing in line to enter briefings. The size and scale of these events keep increasing, which is a testament to the expanding influence of security in technology and business. Despite the growth, the atmosphere at Black Hat and DEF CON remains collegial. Meeting and talking with people about the challenges we all face always makes for a valuable learning experience.

Karthik Raman, Security Researcher
Rajat Shah, Security Researcher