Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/22/2009
02:57 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Adobe Owns Up To Security Issues

The discussion surrounding how to make software vendors accountable for hacked systems and data breaches due to security problems in their products is, at best, an effort in futility. As much as we'd like to have Microsoft, Oracle, and Adobe take responsibility for software vulnerabilities that have caused us headaches and cost us money, we are stuck in an endless loop of dependence on their products.

The discussion surrounding how to make software vendors accountable for hacked systems and data breaches due to security problems in their products is, at best, an effort in futility. As much as we'd like to have Microsoft, Oracle, and Adobe take responsibility for software vulnerabilities that have caused us headaches and cost us money, we are stuck in an endless loop of dependence on their products.My question: What is it going to take for vendors to focus as much on security as they do on the inclusion of new features and the emptying of our pockets?

Based on the announcement from Adobe on Wednesday (and what we've seen from Microsoft with efforts like the SDL in the past few years), it takes becoming the whipping boy of the IT security community to the point that even end users and the general public take notice. Adobe has suffered from a couple of zero-day vulnerabilities that immediately became a popular attack vector to both pen-testers and malicious attacker alike. Having received so much negative press for the vulnerabilities and time it took to get them patched, Adobe has realized the need to focus on software security.

Brad Arkin, Adobe's director of product security and privacy, posted an announcement on one of Adobe's blog that "since February, Adobe Reader and Acrobat engineers have been executing a major project focused on software security." Everything from their incident response procedures during a security update to the actual development has been reviewed. Accordingly, they company has chosen to focus on three particular areas: code hardening, incident response process improvements, and regular security updates.

Bravo! While we security professionals are likely to say, "It's about freaking time," I think it's a bold move to publicly announce it the way it did. Adobe took ownership of the security issues in its products and is going to actively make efforts to produce more security products. It has taken a lesson from Microsoft, which has been pushing its Secure Development Lifecycle (SDL) for years now, and has also benefited with much more secure products, such as IIS 7 and SQL Server 2008, compared to previous versions.

Let's not forget about the possibility of government regulation to help force companies to "do the right thing" in regard to security -- but hopefully it won't come to that. I'm personally hoping that Adobe's move is part of a trend we'll continue to see. I know...I can dream, right?

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12881
PUBLISHED: 2019-06-18
i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact via crafted ioctl calls to /dev/dri/card0.
CVE-2019-3953
PUBLISHED: 2019-06-18
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 10012 RPC call.
CVE-2019-12133
PUBLISHED: 2019-06-18
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system ...
CVE-2019-12592
PUBLISHED: 2019-06-18
A universal Cross-site scripting (UXSS) vulnerability in the Evernote Web Clipper extension before 7.11.1 for Chrome allows remote attackers to run arbitrary web script or HTML in the context of any loaded 3rd-party IFrame.
CVE-2017-8328
PUBLISHED: 2019-06-18
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross site request forgery prot...