Could Adobe be vulnerable to an AIR attack?

Software vendor faces increasing security challenges due to support for new apps

Adobe Systems' moves to support rich Internet applications are exposing the software vendor -- and its developers and users -- to the threat of more Web-based malware and efforts to take advantage of security holes in its products.

"It's annoying to Adobe that suddenly they have become a target" for malicious hackers, said Chris Swenson, an analyst at NPD Group.

For instance, a British security researcher claimed last month that an unpatched vulnerability in Adobe's Portable Document Format (PDF) technology could be exploited to take control of systems running Windows XP; at the time, Adobe said it was researching the reported flaw. And in January, Adobe issued a patch to fix a vulnerability in its PDF-based Adobe Reader and Acrobat software that made systems vulnerable to cross-site scripting attacks.

And then there are all the potential vulnerabilities lurking in Adobe's newer, less mature technologies, such as its still-in-beta Adobe Integrated Runtime (AIR) software.

The AIR framework enables Web applications built with HTML or Asynchronous JavaScript and XML (AJAX) to run offline. The problem, though, is that doing so exposes users of AIR-based applications to many of the same security issues that other users face, if not more of them, according to Ron Schmelzer, an analyst at ZapThink.

"The current generation of spyware, virus and malware detection products have no visibility into running AIR programs," Schmelzer wrote in an e-mail. "As such, there is a high possibility for malicious AIR applications -- which are no longer security-restricted to the browser sandbox and are free to manipulate local machines -- to spread into the wild."

John Landwehr, Adobe's director of security solutions and strategy, said at the company's Adobe MAX 2007 North America conference here that AIR applications are not only digitally signed to ensure authenticity, but also use security sandboxes to limit the ability of malware to take control of other applications on a compromised PC.

But that creates its own obstacles. "AIR has been a challenge to do security for," said Bill Manning, senior product manager at Aptana, which makes an open-source development tool that supports AIR. "Because of the two sandboxes, there are two security models. It's a new method for developers to get used to. And the weight of security is on their shoulders."

Luke Adamski, a platform security strategist at Adobe, asserted that runtime environments such as AIR "are inherently a little safer" than simple Web sites based on AJAX or HTML are. But he agreed that AIR "can only do so much" on its own from a security standpoint.

In his e-mail, Schmelzer contended that "to protect the value of AIR and prevent a potentially fatal blow to the emerging technology," Adobe needs to partner with the major vendors of antivirus tools "to provide AIR-specific threat prevention and malware scanning."

Adobe does have some rudimentary partnerships with such companies, Landwehr said. But he added that Adobe, which moved two years ago to a monthly patch release schedule, is prepared to move fast to fix any flaws that do emerge. "We absolutely have the workflow to respond very quickly to issues with any app in the entire company," he said.

Adobe is also launching a slew of hosted services that it needs to protect against hackers in order to maintain their uptime. Those offerings, Landwehr said, will undergo the same bug-hunting process as Adobe's packaged software currently gets.

Landwehr pointed out that "as far as we know, there is no malware in circulation disguised as PDFs." But he conceded that there is little Adobe can proactively do to help curb the fast-growing problem of PDF spam. For instance, tens of billions of e-mails with PDF attachments touting stocks were sent in a matter of days this summer by so-called pump-and-dump scammers.

His advice: remind users to only open documents that are sent by authenticated senders and digitally signed so as to prove that they haven't been altered en route. But that, Landwehr acknowledged, is something most users don't regularly do now.

Landwehr's other big challenge is ensuring that hackers don't break the digital rights management technology built into an increasing number of Adobe products.

For instance, the upcoming Version 3 of the company's Flash Media Server will ensure that users who download Flash videos for offline viewing will still have to view banner ads associated with the videos, as well as ads inserted before, in the middle of and after the video clips, Landwehr said. Any attempts to modify the encrypted Flash videos will mean that "nothing will play," he added.


Eric Lai

Computerworld