2/2/2012
05:29 PM

Adobe Calls For Defensive Approach In Security Research

Mitigation methods the emphasis at Adobe

CANCUN, MEXICO -- Kaspersky Security Analyst Summit 2012 -- Adobe Software's product security executive here today urged security researchers to consider focusing on coming up with defensive strategies for stopping attacks rather than just on finding new offensive attacks.

Brad Arkin, senior director of security for Adobe products and services, says Adobe's goal is not to address each and every vulnerability that's discovered in its software, but instead to build mitigations that drive up the cost of writing exploits: "It's how to drive up the cost [for attackers] to write exploits, versus making the [Adobe] software perfect," he said here on the first day of the Kaspersky Security Analyst Summit.

Offensive security research does the reverse, sometimes making it easier for potential attackers: Offensive research actually drives down the cost for attackers, he said. "The skill of writing something first is very high, but the cost to adapt a proven [attack] is a lot easier to do," Arkin said.

That doesn't mean offensive research isn't part of the equation, but there's a big need for new technologies to deflect today's advanced attacks, according to Arkin. Adobe has deployed sandboxing in the newest versions of its products, as well as Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). "ASLR, DEP ... and sandboxing are driving up the cost for the bad guys," he said.

Only about two dozen vulnerabilities in Adobe products during the past 24 months actually ended up with exploits, he says. "Finding a bug is fairly straightforward ... writing an exploit against it is a lot harder, and writing a reliable exploit that works 100 percent of the time is even harder," Arkin said.

Arkin said that, for a software vendor tasked with protecting and defending its products, new offensive methods make the job more difficult. Defensive research is a way to "make a difference" for software vendors, Arkin told the attendees, who include security researchers from Kaspersky and other firms. "Finding new offensive techniques honestly doesn't help us with anything," he said.

Recent data showed that the biggest jump in attacks against Adobe applications occurs after an attack method goes public or a Metasploit penetration-testing module is written, he said. "There's a heavy correlation between a broader release of information and more people getting attacked."

Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, agreed. "It's a trickle-down effect," he said. "It becomes mainstream."

Defensive research is essential, Schouwenberg said. "Offensive is going lower and lower [in the stack]. There's a lot of room for defensive strategies [for this]," he said.

Taking the approach of fixing every possible bug, many of which aren't exploitable, can backfire. "When I look at how to defend our users or our technology, spinning our wheels on CVEs doesn't help anything," Arkin said. "We fixed thousands of bugs in Adobe 9, screwing up a lot of the code that should have stayed where it was."

Adobe has since reallocated its investment to mitigations such as sandboxing, rather than emphasizing just discovering and remedying bugs.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Comments
Alex H.
2/7/2012 | 8:39:49 PM
re: Adobe Calls For Defensive Approach In Security Research
Last week, Brad Arkin from Adobe urged security researchers to consider focusing on defensive strategies for stopping attacks, rather than just on finding new offensive attacks. It does not make any sense to me. It's not an either or. Adobe should be adding additional layers of security to their products as an offensive strategy. On the defensive side, they should minimize their product vulnerabilities. In reality, sophisticated attackers have already found the vulnerabilities and I believe it is our responsibility as software developers to provide inherently secure products, and in the cases where they are not, fix them effectively and move on. I blogged more about this approach today @http://blog.coresecurity.com/2012/02/... -- Alex Horan, CORE IMPACT Product Manager