Wednesday, 6 March 2013

Adobe Reader zero-day exploit shows us why sandboxes aren’t a magic bullet

Software companies have gotten a lot better at turning around patches quickly for known security flaws. As consumers, we aren’t really at much of a risk from known exploits anymore — provided we keep our software up-to-date, anyway. The real danger is zero-day exploits — security flaws that are found and attacked before anyone else even knows they are there, or has time to develop a patch. One way of mitigating zero-day exploits is through the use of sandboxes, which segregate an application from the rest of the computer. The idea is that even if an exploit is found within a certain app, it won’t be able to run amok in the rest of the operating system. Sadly, sandboxes are not panaceas.


Group-IB, a security firm in Russia, has discovered a zero-day exploit in Adobe Reader X and XI that is very scary. Not only does it compromise the application, but it is actually able to escape the sandbox and infect the computer with malware. This exploit is reportedly being sold to malware authors for up to $50,000. Punching holes in sandboxes has the potential to be extremely profitable for professional hackers, so it’s no surprise that we’re seeing such a high-profile application with a large install base being targeted.



If you’re running Internet Explorer or Firefox with the current unpatched Adobe Reader, you’re vulnerable to the attack. Interestingly, Chrome users are not directly in the line of fire thanks to Google’s added layers of protection from exploits in plug-ins. This might not seem like a huge deal on its surface, but it does highlight some flaws. Obviously, a single point of failure is bad news, so Microsoft, Mozilla, Apple, and Opera need to double down on their protection from exploits. Without a doubt, web browsers and their plug-ins are the most vulnerable pieces of software on your computer simply due to the fact that they’re frequently loading content from unknown and untrusted sources. Hopefully, news like this will serve as a catalyst for even better security.


Now, this news doesn’t mean that sandboxes are bad, or that we shouldn’t be using them in our software — quite the opposite. Sandboxes prevent the majority of attacks from becoming systemic and becoming a major problem. They are not an easy out for security, though. Operating system developers like Apple and Microsoft need to be working with third-party developers to use sandboxes, heuristics, code signing, and pretty much every tool in the security toolbox to detect and prevent malicious code from ever being executed.


The good news is that they are taking this very seriously, but it doesn’t seem like it is enough. We are still seeing a number of big security breaches like this every year. Both operating system developers and third-party developers need to pour more resources into preventing bad code from escaping. You, the user, still need to be careful as you surf and download content (see: How to surf safely: From LastPass to tin foil hats, and everything in between). We’re safer than we used to be, but we’re not out of the woods just yet.


