Rod, you might actually hit the nail on the head. Adobe has been on the threat landscape for years due to the number of flaws and attack vectors in their products, but because it's a very popular product (despite all the flaws) and how it's being utilized in the business and consumer worlds, therefore the same way that M$ came to the plate and improved their security because of the criticality of the Windows Systems in the business and consumer worlds, Adobe needs to do the same, or face the music and lose customers and profit, and ultimately die off to a better solution which is more secure.
But the problem is definitely organizational, in my honest opinion, if the secure development of software and all the processes and procedures of how that is done that need to be understood and practiced accordingly is the responsibility of senior management and enforced all the way down through the chain, which doesn't seem to be done at Adobe, which is a shame....

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

-----Original Message-----
From: Rod Trent [mailto:[email protected]]
Sent: Tuesday, July 20, 2010 6:03 PM
To: NT System Admin Issues
Subject: RE: New sandboxing ability added to next version of Adobe, is it honestly too late?

"... so why not strip that from running within the product and eliminate a big security threat."

Over the years, I've come to the conclusion that their dev really doesn't know what they are doing. I really don't think they can figure it out.

-----Original Message-----
From: Ziots, Edward [mailto:[email protected]]
Sent: Tuesday, July 20, 2010 5:52 PM
To: NT System Admin Issues
Subject: New sandboxing ability added to next version of Adobe, is it honestly too late?

http://www.computerworld.com/s/article/9179403/Adobe_to_beef_up_PDF_security_with_Reader_sandboxing?source=CTWNLE_nlt_pm_2010-07-20

Kinda looks like they know their software is insecure, and the patching is a losing race, so they are trying to use sandboxing as a corrective/detective control to prevent the nasty that can come of using Adobe PDFs. Honestly, one of the biggest attack targets is JavaScript, so why not strip that from running within the product and eliminate a big security threat.
I understand that the same scripting languages can be used for good or evil, but honestly, the line has to be drawn somewhere, that and packed PDFs with malicious .exe's and other malcode in them are the next step. Sure, the sandbox will help, but what if the sandbox becomes compromised or breached itself? Ideas and thoughts, either way, are welcomed...

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
