Could Adobe be vulnerable to an AIR attack?

Software vendor faces increasing security challenges due to support for new apps

Adobe Systems' moves to support rich Internet applications are exposing the software vendor -- and its developers and users -- to the threat of more Web-based malware and efforts to take advantage of security holes in its products.

"It's annoying to Adobe that suddenly they have become a target" for malicious hackers, said Chris Swenson, an analyst at NPD Group.

For instance, a British security researcher claimed last month that an unpatched vulnerability in Adobe's Portable Document Format (PDF) technology could be exploited to take control of systems running Windows XP; at the time, Adobe said it was researching the reported flaw. And in January, Adobe issued a patch to fix a vulnerability in its PDF-based Adobe Reader and Acrobat software that made systems vulnerable to cross-site scripting attacks.

And then there are all the potential vulnerabilities lurking in Adobe's newer, less mature technologies, such as its still-in-beta Adobe Integrated Runtime (AIR) software.

The AIR framework enables Web applications built with HTML or Asynchronous JavaScript and XML (AJAX) to run offline. The problem, though, is that doing so exposes users of AIR-based applications to many of the same security issues that other users face, if not more of them, according to Ron Schmelzer, an analyst at ZapThink.

"The current generation of spyware, virus and malware detection products have no visibility into running AIR programs," Schmelzer wrote in an e-mail. "As such, there is a high possibility for malicious AIR applications -- which are no longer security-restricted to the browser sandbox and are free to manipulate local machines -- to spread into the wild."

John Landwehr, Adobe's director of security solutions and strategy, said at the company's Adobe MAX 2007 North America conference here that AIR applications are not only digitally signed to ensure authenticity, but also use security sandboxes to limit the ability of malware to take control of other applications on a compromised PC.

But that creates its own obstacles. "AIR has been a challenge to do security for," said Bill Manning, senior product manager at Aptana, which makes an open-source development tool that supports AIR. "Because of the two sandboxes, there are two security models. It's a new method for developers to get used to. And the weight of security is on their shoulders."

Luke Adamski, a platform security strategist at Adobe, asserted that runtime environments such as AIR "are inherently a little safer" than simple Web sites based on AJAX or HTML are. But he agreed that AIR "can only do so much" on its own from a security standpoint.

In his e-mail, Schmelzer contended that "to protect the value of AIR and prevent a potentially fatal blow to the emerging technology," Adobe needs to partner with the major vendors of antivirus tools "to provide AIR-specific threat prevention and malware scanning."

Adobe does have some rudimentary partnerships with such companies, Landwehr said. But he added that Adobe, which moved two years ago to a monthly patch release schedule, is prepared to move fast to fix any flaws that do emerge. "We absolutely have the workflow to respond very quickly to issues with any app in the entire company," he said.

Adobe is also launching a slew of hosted services that it needs to protect against hackers in order to maintain their uptime. Those offerings, Landwehr said, will undergo the same bug-hunting process as Adobe's packaged software currently gets.

Landwehr pointed out that "as far as we know, there is no malware in circulation disguised as PDFs." But he conceded that there is little Adobe can proactively do to help curb the fast-growing problem of PDF spam. For instance, tens of billions of e-mails with PDF attachments touting stocks were sent in a matter of days this summer by so-called pump-and-dump scammers.

His advice: remind users to only open documents that are sent by authenticated senders and digitally signed so as to prove that they haven't been altered enroute. But that, Landwehr acknowledged, is something most users don't regularly do now.

Landwehr's other big challenge is ensuring that hackers don't break the digital rights management technology built into an increasing number of Adobe products.

For instance, the upcoming Version 3 of the company's Flash Media Server will ensure that users who download Flash videos for offline viewing will still have to view banner ads associated with the videos, as well as ads inserted before, in the middle of and after the video clips, Landwehr said. Any attempts to modify the encrypted Flash videos will mean that "nothing will play," he added.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Eric Lai

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?