Adobe Calls For Defensive Approach In Security Research

Mitigation methods the emphasis at Adobe

CANCUN, MEXICO -- Kaspersky Security Analyst Summit 2012 -- Adobe Softwares product security executive here today urged security researchers to consider focusing on coming up with defensive strategies for stopping attacks rather than just on finding new offensive attacks.
Brad Arkin, senior director of security for Adobe products and services, says Adobes goal is not to address each and every vulnerability thats discovered in its software, but instead to build mitigations that drive up the cost of writing exploits: Its how to drive up the cost [for attackers] to write exploits, versus making the [Adobe] software perfect, he said here on the first day of the Kaspersky Security Analyst Summit.
Offensive security research does the reverse, sometimes making it easier for potential attackers: Offensive research actually drives down the cost for attackers, he said. The skill of writing something first is very high, but the cost to adapt a proven [attack] is a lot easier to do, Arkin said.
That doesnt mean offensive research isnt part of the equation, but theres a big need for new technologies to deflect todays advanced attacks, according to Arkin. Adobe has deployed sandboxing in the newest versions of its products, as well as Microsofts Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). ASLR, DEP ... and sandboxing are driving up the cost for the bad guys, he said.
Only about two dozen vulnerabilities in Adobe products during the past 24 months actually ended up with exploits, he says. Finding a bug is fairly straightforward ... writing an exploit against it is a lot harder, and writing a reliable exploit that works 100 percent of the time is even harder, Arkin said.
Arkin said as a software vendor tasked with protecting and defending its products, new offensive methods make its job more difficult. Defensive research is a way to make a difference for software vendors, Arkin told the attendees, which include security researchers from Kaspersky and other firms. Finding new offensive techniques honestly doesnt help us with anything, he said.
Recent data showed that the biggest jump in attacks against Adobe applications occurs after an attack method goes public or a Metasploit penetration-testing module is written, he said. Theres a heavy correlation between a broader release of information and more people getting attacked.
Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, agreed. Its a trickle-down effect, he said. It becomes mainstream.
Defensive research is essential, Schouwenberg said. Offensive is going lower and lower [in the stack]. Theres a lot of room for defensive strategies [for this], he said.
Taking the approach of fixing every possible bug, many that arent exploitable, can backfire. When I look at how to defend our users or our technology, spinning our wheels on CVEs doesnt help anything, Arkin said. We fixed thousands of bugs in Adobe 9, screwing up a lot of the code that should have stayed where it was.
Adobe since reallocated its investment to mitigations such as sandboxing, for example, rather than emphasizing just discovering and remedying bugs.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Adobe Calls For Defensive Approach In Security Research