Could Adobe be vulnerable to an AIR attack?

Software vendor faces increasing security challenges due to support for new apps

Adobe Systems' moves to support rich Internet applications are exposing the software vendor -- and its developers and users -- to the threat of more Web-based malware and efforts to take advantage of security holes in its products.

"It's annoying to Adobe that suddenly they have become a target" for malicious hackers, said Chris Swenson, an analyst at NPD Group.

For instance, a British security researcher claimed last month that an unpatched vulnerability in Adobe's Portable Document Format (PDF) technology could be exploited to take control of systems running Windows XP; at the time, Adobe said it was researching the reported flaw. And in January, Adobe issued a patch to fix a vulnerability in its PDF-based Adobe Reader and Acrobat software that made systems vulnerable to cross-site scripting attacks.

And then there are all the potential vulnerabilities lurking in Adobe's newer, less mature technologies, such as its still-in-beta Adobe Integrated Runtime (AIR) software.

The AIR framework enables Web applications built with HTML or Asynchronous JavaScript and XML (AJAX) to run offline. The problem, though, is that doing so exposes users of AIR-based applications to many of the same security issues that other users face, if not more of them, according to Ron Schmelzer, an analyst at ZapThink.

"The current generation of spyware, virus and malware detection products have no visibility into running AIR programs," Schmelzer wrote in an e-mail. "As such, there is a high possibility for malicious AIR applications -- which are no longer security-restricted to the browser sandbox and are free to manipulate local machines -- to spread into the wild."

John Landwehr, Adobe's director of security solutions and strategy, said at the company's Adobe MAX 2007 North America conference here that AIR applications are not only digitally signed to ensure authenticity, but also use security sandboxes to limit the ability of malware to take control of other applications on a compromised PC.

But that creates its own obstacles. "AIR has been a challenge to do security for," said Bill Manning, senior product manager at Aptana, which makes an open-source development tool that supports AIR. "Because of the two sandboxes, there are two security models. It's a new method for developers to get used to. And the weight of security is on their shoulders."

Luke Adamski, a platform security strategist at Adobe, asserted that runtime environments such as AIR "are inherently a little safer" than simple Web sites based on AJAX or HTML are. But he agreed that AIR "can only do so much" on its own from a security standpoint.

In his e-mail, Schmelzer contended that "to protect the value of AIR and prevent a potentially fatal blow to the emerging technology," Adobe needs to partner with the major vendors of antivirus tools "to provide AIR-specific threat prevention and malware scanning."

Adobe does have some rudimentary partnerships with such companies, Landwehr said. But he added that Adobe, which moved two years ago to a monthly patch release schedule, is prepared to move fast to fix any flaws that do emerge. "We absolutely have the workflow to respond very quickly to issues with any app in the entire company," he said.

Adobe is also launching a slew of hosted services that it needs to protect against hackers in order to maintain their uptime. Those offerings, Landwehr said, will undergo the same bug-hunting process as Adobe's packaged software currently gets.

Landwehr pointed out that "as far as we know, there is no malware in circulation disguised as PDFs." But he conceded that there is little Adobe can proactively do to help curb the fast-growing problem of PDF spam. For instance, tens of billions of e-mails with PDF attachments touting stocks were sent in a matter of days this summer by so-called pump-and-dump scammers.

His advice: remind users to only open documents that are sent by authenticated senders and digitally signed so as to prove that they haven't been altered enroute. But that, Landwehr acknowledged, is something most users don't regularly do now.

Landwehr's other big challenge is ensuring that hackers don't break the digital rights management technology built into an increasing number of Adobe products.

For instance, the upcoming Version 3 of the company's Flash Media Server will ensure that users who download Flash videos for offline viewing will still have to view banner ads associated with the videos, as well as ads inserted before, in the middle of and after the video clips, Landwehr said. Any attempts to modify the encrypted Flash videos will mean that "nothing will play," he added.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Eric Lai

Show Comments


James Cook University - Master of Data Science Online Course

Learn more >




Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?