Is Sandboxing the End-All Solution?

When you have millions of lines of code, like you have in an Operating System, you will have bugs. Hackers can use these coding bugs to create exploits. Microsoft and Adobe products have been a favorite target for hackers. But how do you protect software from hackers when there are unknown bugs?

The answer just might be sandboxing. But what is sandboxing? According to Wikipedia:

A sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users. The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization.

We see this technology used in Virtual Machines. Several guest operating systems can run on a host system, and each has its own memory space, hard drive storage, etc. They are on a single machine but are not allowed to communicate with each other. These types of features are being used in the development of secure Operating Systems. The client user space will not be allowed to communicate with (or, in theory, infect) the core functions of the system.

Programs can be sandboxed too. Google and Adobe have added sandboxing features to their Chrome and PDF Reader products. If the products are compromised, this should limit the ability of the hacker to access the rest of the system.

But how well will this work? Sandboxing is a great idea, and will help a lot in dealing with buggy code. In reality, though, it is just another layer of defense. Granted, it adds to the difficulty of penetration, but it will be compromised just like everything else is over time.

Unfortunately security, like anti-virus, is a constantly evolving process. As soon as a new anti-virus definition comes out for the latest virus, three more new viruses are detected. The same is true in the security field: when a new security product comes out to address an issue, exploits and ways to bypass it follow shortly after.

At this point in the game, your hope is that you have added enough protection to your systems that the attacker gives up and moves on to easier prey, and that you keep logs and monitor your systems in case they don’t.

Adobe Reader PDF 9.3.4 “Cooltype Sing” Zero Day Exploit

Yeah, I know, another Adobe exploit. And this one came out a few weeks ago. What is crazy, though, is that Adobe has known about it for a couple of weeks and has not released a patch for it yet. According to Security Focus, Adobe is not even planning on patching this until next month!

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: The vendor plans to release updates to address this and other issues during the week of October 4, 2010.

Just wanted to give everyone a heads up on this. This exploit is readily available and I have tested it against a fully patched Windows 7 machine with the latest Adobe Reader version and it worked flawlessly. If you run an infected PDF, it WILL give the attacker a FULL ACCESS remote shell to your computer.

The only clue you will get that something is not right is that Adobe will open the file and then just sit there. I have heard some Anti-Virus companies are starting to block this, but not all of them.

So, what can we do? Well, until Adobe decides to patch it, do not click on any unknown or unexpected PDF links in e-mails, and do not open a PDF file on a website that you are not familiar with. I am stunned that in essence, if they do not patch it until October, this exploit will have been left unpatched for a whole month!

Pen Testing Perfect Storm Part V: “We Love Adobe!”

Part V of the Pen Testing Perfect Storm webcast series will be held on August 31, 2010 at 2PM EDT / 11AM PDT. This will be presented by Ed Skoudis, Kevin Johnson and Joshua Wright. Ed is one of my favorite presenters, and authors, so this is a definite must see.

Webcast Information (From Coresecurity):

It’s no secret that Adobe’s ubiquitous applications provide a broad attack surface for criminals seeking to gain access to sensitive IT networks. During this webcast, security experts Ed Skoudis, Kevin Johnson and Joshua Wright will demonstrate penetration testing techniques that you can use to proactively assess the security of systems relying on Adobe technologies throughout your organization.

You’ll learn how to …

    * Assess Adobe Reader and Flash for exploitable vulnerabilities
    * Extend testing with escalation and session management techniques
    * Impersonate network infrastructure and simplify wireless hijacking
    * Gain remote control of exposed clients

Like all Perfect Storm webcasts, part V will go beyond simple vulnerability exploitation and show you how to replicate multiple stages of an attack – from identifying and profiling exposed systems to gaining root and gathering data for reporting and remediation.

*Bonus: Register now and you’ll also get on-demand access to the slide decks for The Pen Testing Perfect Storm Trilogy Parts I-V.

What is a Hacker’s Favorite Target?

What is currently the number one target for hackers? According to Computerworld, it’s Adobe products. Adobe Flash player and Adobe Reader are the specific targets of choice.

According to Finnish antivirus company F-Secure, 61% of all targeted attacks — ones purposefully aimed at specific individuals or businesses to break into company networks — in the first two months of 2010 exploited a bug in Reader. Rival security firm McAfee, meanwhile, estimated that 28% of all exploit-carrying malware in the first quarter of this year leveraged a Reader vulnerability.

When Brad Arkin, Adobe’s Director for Product Security, was asked about this, he said, “We’re in the security spotlight right now. There’s no denying that the security community is really focused on ubiquitous third-party products like ours. We’re cross-platform, on all these different kinds of devices, so yes, we’re in the spotlight.”

Adobe is working on closing these holes and focusing on writing more secure code. Also, Adobe appreciates the fact that the security community is helping out by reporting zero day vulnerabilities. “We’re thrilled when someone shares [vulnerability] information with us responsibly. That’s one less potential vulnerability that could be used by the bad guys,” Arkin said.

Hackers usually go after the most popular programs, so they can attack a large number of machines. This is why Microsoft and now Adobe are prime targets. Microsoft has changed its focus to being more security conscious, and it looks like Adobe is following suit. Just like Microsoft updates, it is important to keep your Adobe products updated. Also, if you are using an old version of Reader or Flash Player, it would be a good idea to upgrade to the latest version. Both are available for free on Adobe’s website.