Are Adobe products safe?

00:00:01 [ Music ]

00:00:04
>> We're here today with Brad Arkin, Director of Product Security and Privacy for Adobe. Thanks for joining us, Brad.

>> Thanks for having me.

>> I appreciate you coming by. First, let's start off with anything new you guys have got going on, any new research in security technology that's going on at Adobe?

>> Well, we're always doing a lot of work, and so right now we've had... we've sent releases. January 12 we put out a release for Reader, and then we put out another release earlier this week for Reader as well. For Flash Player we had a release in December, and then about a week ago we had another release. And some new things that have happened there with Adobe Reader and Acrobat: we're piloting a new installer. This is something that all users have in the binaries they've downloaded, but it's only active for beta users, and what happens is it offers three choices. One is fully silent automatic: installations that happen in the background without any user interaction, and it still notifies the user that something got installed. And then it goes back to the semi-automatic, where it will download it and offer the choice to click "install now please", and then fully manual, where you'd have to go in and install it.

>> So you're striking a balance between what Chrome does, where it just installs it automatically, and sort of what Windows does, where you can decide how you want it to be updated?

>> Right, yeah, and so we want to make sure that the default choice for users is going to be the easiest to work with, and we're targeting this for the consumer environment. We expect most enterprise environments to do a fully managed desktop where they push on the patches on their own, and so that's something that's exciting. And then we've put out a few new features on things like the JavaScript Blacklist Framework for Reader and Acrobat, so you can disable an individual JavaScript API if you want to instead of just turning JavaScript off altogether, and so these are a few things that we've released over the past couple of updates that were shipped. And then we're always researching new things that we might be able to put out later this year.

>> Man, that's been an effort for you over the past year. I know it was about a year ago that you announced that you were going to quarterly updates, that you're reviewing code, writing new code. A lot of people's complaints are that it's too bulky, it's too big, there's been a lot of concerns about security. How has the new effort been going over the past year?

>> It's been going really well. It's been a lot of work, and we still got a lot of things that we're planning to do, but our big focus has been working on, you know, things that are very obvious to the end user, so things like our response process, our communications, the work that we're doing to get updates out as soon as we can. These are things that people notice right away, and so the quarterly updates was a big part of that. We've also been doing a lot of work which no one really notices but is very important for us, and this is proactive things that we can do around hardening Reader and Acrobat: so tightening up the input validation around the JavaScript APIs, doing fuzzing and other things trying to create the faults that might lead to an exploitable situation, and then fixing those things in advance before a bad guy can find it.

>> Even with all these efforts, there's still people like Stephen Northcutt at SANS Technology who say don't use Adobe products. There is a study out that says 80 percent of the malicious exploits came from PDFs, and obviously these are the things you're doing to try to reduce that threat. Are Adobe products safe to use?

>> Very safe to use. This is something that we're putting so much effort into, and no product, no software in existence is 100 percent free of flaws, and so for us the effort is to raise the bar as high as possible and then also, in addition to the proactive work, have those reactive capabilities. And the bad guys go to where the targets are, and just about everyone on earth is using Adobe Reader, Flash Player and other Adobe products, and so we're getting a lot more attention from the hacker community. But the work that we're doing to respond to that quickly and to get new features in place like the new updater, and the new work that we're doing around hardening, you know, fuzzing, all these things are helping to make the products as robust as they need to be for the new threat environment that we're deploying into.

>> In a lot of ways it's similar to Windows. Windows gets attacked because they're popular, some sort of idea, and Windows had that point in the early part of the decade where they decided they had to double down; they came up with the Trustworthy Computing initiative. Is Adobe thinking of having some sort of revelatory experience like that, some sort of effort like Trustworthy Computing?

>> So our big moment was the JB2 vulnerability about a year ago. This was something that came out for Reader; we learned about it on January 16, 2009, and we weren't able to get a patch to users until March 10, and that's just an artifact of whenever you deploy software on hundreds of millions of machines, you have to do a lot of work to make sure that it's going to deploy without any defects or flaws in the installer process or the product itself. And what we learned from the amount of feedback we got from our customers, the media coverage, was that we really needed to retool our capabilities to respond to the new threats that were out there, and so what started out as responding to an individual bug turned into a 100 percent all-team effort, all hands on deck for months, working not only on improving our processes but also working very hard at the proactive things so that we can reduce these types of events from happening in the future. And then that work, which started out in the spring last year, expanded into more aggressive security work that we're doing with all of our products across the portfolio, and we've got a list; on any day it might be 300 different projects going on, and so we prioritize based on the ones that are the most important for our users, but it's still something that spanned out across the entire portfolio.

>> Now do you think that those efforts are enough, or do you have plans for even further expansion of those sorts of programs?

>> Well, we're doing everything that we know what to do, and we're constantly evaluating new ideas and new technologies, but from a process perspective we've got, you know, our version of Microsoft's SDL; we call it the Adobe Secure Product Lifecycle. This is an 85-point plan that follows different events and cycles that have to happen throughout the development, and making sure that we get all of that integrated into the way that we build software is just one step. Then we have the integration of platform security features and other things that we can do to increase the layers of defense, and it's a fast-moving field. We're constantly working with researchers, working with platform partners, making sure that we know the very latest technologies that can help us defend our customers.

>> Now these sorts of efforts are only good if the whole company buys off on it, right?

>> Um, hum, yeah.

>> Are the Adobe executives listening to security experts like yourself and the independent analysts? How receptive are they?

>> They're very receptive, and they're not just listening, they're talking, they're asking a lot of questions. We've got regular briefings with the CEO, almost daily interactions with the Senior Vice Presidents talking about what's happening within their product portfolios. Just this morning I came here from a meeting with our CEO Kevin Lynch giving an update on some of the things that we're working on, and so it's very much from the top down. We've got the buy-in at every level; this is something we have to do for our user base.

>> Now you talked about the... the sort of silent update option. If someone is running an older version of Adobe Reader, they're not going to have that option. How are you going to get the message out to people to get them to update? I mean, we've all seen IE 6 and how hard that is to eradicate from the enterprise, from the world. How are you going to drag people into the future so they can take advantage of these new security options?

>> Yeah, so the new updater is, if you're on a version of Reader 8 or 9 that shipped anytime since October, so I think it was October 13, 2009, then the new updater is there, and once we're ready to go live for the full production user base, then anyone who has one of those versions will get it, will have it turned on. For people who are on version 7 or older of Reader, those products are out of support, and so unlike IE 6, which is still supported even though it may not be as advanced as IE 7 or 8, Reader 7 and older aren't supported, and so there are no more patches for those versions, and we're doing everything we can, communicating through all our different user channels, to reach people and tell them how to get up to date. And then once they get any version over the past three or four months, from then on we will be able to reach them through the new updater.

>> I know a lot of people have resisted actually updating because in the past it's taken a long time to update, updates have crashed, or it's just been a hassle because you have to answer check boxes or you get things that you didn't know you were going to get installed. Are you able to surmount that now with these new updates? Have you reduced that hassle for people? I think that's probably what a lot of them want to know.

>> Yeah, what we're doing with the new updater is we looked at the entire user experience and everything that we can do to move past every one of those road blocks, and understanding what is it that prevents people from installing an update. So maybe the notifier pops up right in the middle of doing some work, or, you know, they just started something and they don't want to stop right now, so that's why the silent, in-the-background updates are so valuable: it's a way to get the update installed without disrupting what the user is intending to do. Now getting over that one-time hurdle from the old updater to the newer versions, that's something that we need to do through communication, you know, talking to people, our field reps and sales guys that are out there, as well as, you know, events like this, talking about it. And then also there's a big renewal cycle going on where people are buying new machines, and one of the first things you do whenever you get a new machine is you install Adobe Reader, and so if you install it today you're going to get the latest version and you're going to get that new updater, so once we turn that on for all users it will be working for them.

>> Would it be better to go to a Chrome system where you just automatically update and just don't give people the choice?

>> Well, for us we've got a lot of different types of users, and so for the consumer market that's an option that a company could make a decision for. For the enterprise market there's no way an enterprise would accept a zero-control, trust-us-to-do-it-for-you sort of updater, and so for us we have to allow the ability for managed desktop environments to control their own updates. And when we sat down and worked through the philosophy of it, we decided that giving users the choice between the fully automatic "don't bother me, I just want it to work", and that's our preferred option, if someone isn't sure which to take, we say take that one. If you've got reasons why you may not want to have updates installed without really having full control, semi-automatic is there, and if you really know what you're doing and you've got great reasons for not installing updates when they are available, then that fully managed desktop environment, you know, zero update, turn-it-off option is something we have to support.

>> Now one thing with Flash particularly, and a little bit with Reader, is security vulnerabilities or malware can take advantage of the fact that they open without user notification. You go to a website that has Flash, Flash gets loaded and starts executing, so if something's bad behind the scenes you're already past the point where the user can stop it. Are there options you can take to alert users what's going on without them having to put on an add-on like NoScript or something like that?

>> So with Reader there's a preference choice that you can select which would not load PDFs in the browser, and so then if you see a PDF linked to from your browser experience you'd have to download that and open it separately, so that's an option that's supported today. With Flash Player it's really an integrated part of the browsing experience; it's the same as viewing an image. So ten years ago, when bandwidth was really a scarce commodity, maybe images wouldn't load unless you turned it on, and people do that if they're on a slow dialup or something. Whereas today the idea of browsing without GIFs and TIFs and PNGs, you can't think about it. Same thing with Flash Player: we don't have any chrome or any borders in the Flash Player itself, and it's because it is an integrated part of the viewing experience, and so for us disabling it or asking people to make a choice for every single Flash view really disrupts the use of the tool, and so for us the challenge is to make sure that the viewing experience really matches expectations. That means keeping it secure or safe to use and all the other features that people are looking for.

>> So what can people do to protect themselves if they're going to use Flash and Reader?

>> Well, the most important thing is staying up to date. Almost every single person that's ever experienced a malicious attack using Reader or Flash Player was using an out-of-date product; there's very, very few people in terms of absolute numbers that have ever experienced something where the attack wouldn't have been prevented if they had up-to-date software. There's a few more advanced things that you can do, using the latest version of the platform you're on, so Windows 7 has a lot more security features than Windows XP does. If you're using Reader on Windows 7 or Vista then you can opt into... or get ASLR by default, and then we also support DEP, D-E-P, and these are two features supported by the Windows platform which make it harder for attackers to successfully exploit a potential vulnerability. And then on the Flash Player side, staying up to date, understanding where you're browsing and making sure that you're being careful with where you're visiting and, you know, the types of things that you're doing.

>> Don't click on the link unless you know where you're going.

>> Yeah, that's something we recommend, and also a lot of times people run into trouble where they'll get an installer notification. Really check the digital signature to make sure that's coming from Adobe Systems and not from some other place pretending to be an installer for Flash Player.

>> Right. Earlier this month a researcher at Black Hat demonstrated a vulnerability in Internet Explorer; the address space layout randomization, ASLR, that you mentioned, that technique exploited weaknesses in Flash. What is being done at Adobe to address the holes that users use to break the security features that Microsoft has?

>> Yeah, and that's an interesting thing. What we find with Flash Player happening a lot is that you've got, not attacking the player itself, but using the player in order to combine with other technologies, so it's the way the player, the browser and the operating system all work together, and you can use little weaknesses in each one to lead to something that might allow you to take over the machine. And so in this example Flash Player itself isn't broken, but it allows someone to exploit a weakness that's somewhere else in order to get past one of the hurdles that Microsoft put in place on the platform. And so we were at the conference, we had people working with the researcher and working very closely to understand exactly what the implications are of this two-stage attack and then what are the things that we can do in order to continue to raise the bar. And as the threat landscape keeps evolving researchers keep coming up with new things, and so we're constantly at the conferences talking to researchers, doing everything we can to understand how to mitigate these attacks, and for this one in particular we're still researching and looking into what we can do while still maintaining all the other things that Flash Player has to do for the functionality.

>> Now finally, obviously you don't want AIR to be considered another platform for vulnerabilities, but in the sense that every piece of software written in the universe can be a platform for vulnerabilities, what are the security issues you're facing with AIR, and what kinds of things are you doing to address those?

>> Yeah, so AIR is something that's been a fun experience for us because it's a very new product, and we had the chance from the ground up to integrate all the things in there that address the types of attacks that are modern today. Whereas a lot of these other products were robust when they were built, but security keeps evolving, so we need to figure out ways to keep the software up to date in terms of the defenses. And so for AIR in particular we use that same Secure Product Lifecycle, the same 85-point plan, making sure we're doing everything from threat modeling, testing, we use a lot of commercial tools and then third-party security vendors, so doing quarterly testing against the newest code base, using tools like static code analysis, writing fuzzers, and all of these things help us to shake loose any potential problems. And then working with the research community to make sure that we understand the latest soft points where people are poking around looking for problems, so that we can defend against that before it ever becomes a real issue.

>> All right, Brad Arkin, Director of Product Security and Privacy at Adobe, thank you very much for joining us.

>> Thank you.

>> I'm Tom Merritt, cnet.com.

00:15:54