Hey everyone, Jeremy Dallman here. Today I will be co-blogging with David Lenoe (Group Program Manager, Adobe Secure Software Engineering Team (ASSET)). Now, here’s the story behind the Microsoft and Adobe security pairing …
A couple of years ago, Microsoft and Adobe decided to work together on security rather than pursue our similar security goals in isolation within each company. Our security teams have since been working closely together with the clear goal of protecting our mutual customers. This collaborative relationship lets each company roll out security protections faster through its own lifecycle process (Microsoft’s Security Development Lifecycle - SDL, Adobe’s Secure Product LifeCycle - SPLC), and allows us to share best practices learned over the years. In turn, each company learns new ways to apply its respective lifecycle plan, thereby helping to provide our customers with a more secure computing environment.
Through the last couple of years we have had conversations about defining and implementing security requirements, prioritizing security risk, threat modeling, the benefits of compiler/linker flag protections, fuzzing, and penetration testing. We’ve even shared data on security incidents and response.
Implement proactive engineering protections
With support from the security folks at Microsoft, ASSET helped the Adobe product teams set the security-related C++ compiler and linker flags such as /NXCOMPAT, /DYNAMICBASE (ASLR), /GS, and /SAFESEH. Working together, we were able to address compatibility issues and get these protections in place for both Adobe Flash Player and Adobe Reader. These protections have helped to mitigate entire classes of vulnerabilities in Microsoft products and will improve the security of Adobe products as well.
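As an added example (not Microsoft’s or Adobe’s code), here is a small Python check that reads a PE image’s DllCharacteristics word to confirm that /DYNAMICBASE and /NXCOMPAT actually made it into the shipped binary; the sample image it inspects is constructed in the script, not a real executable. /GS leaves no header marker and /SAFESEH is recorded in the load config directory, so those two need a different check.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
DYNAMIC_BASE = 0x0040   # set by /DYNAMICBASE (ASLR opt-in)
NX_COMPAT    = 0x0100   # set by /NXCOMPAT (DEP opt-in)
NO_SEH       = 0x0400   # image contains no structured exception handlers

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20           # skip PE signature and 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 0x46 in both optional header layouts
    return struct.unpack_from("<H", image, opt + 0x46)[0]

def check_mitigations(image: bytes) -> dict:
    """Map linker flag names to whether the header shows them enabled."""
    dc = dll_characteristics(image)
    return {
        "DYNAMICBASE": bool(dc & DYNAMIC_BASE),
        "NXCOMPAT": bool(dc & NX_COMPAT),
        "NO_SEH": bool(dc & NO_SEH),
    }

def make_fake_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only image for demonstration; not a loadable binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 0x46, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(check_mitigations(make_fake_pe(DYNAMIC_BASE | NX_COMPAT)))
    print(check_mitigations(make_fake_pe(0, pe32plus=True)))
```

Pointing `check_mitigations` at the bytes of a real DLL or EXE gives the same answer the linker flags should have produced, which makes it a quick release gate.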
Encourage consistent security updating
Most recently, we worked together to publish some 2008 attack data on vulnerabilities affecting Microsoft and Adobe products in the Microsoft Security Intelligence Report. Our goal was to emphasize to our mutual customers that installing security updates for Microsoft, Adobe and other third-party applications is very important. Having customers update promptly when Microsoft or Adobe addresses vulnerabilities is the best way to avoid the rapid spread of attacks.
Adopt security tools
After the Microsoft Security Sciences team released !exploitable in March, some of Adobe’s security testing teams started using it on their own products along with WinDbg to analyze the results of fuzz testing. Microsoft and Adobe continue to work together to address questions and help improve the effectiveness of this tool.
Some of Adobe’s development teams also use static analysis tools like /analyze and FxCop to identify potential security vulnerabilities in source code.
Share response information
By collaborating across the response teams at both companies, the Microsoft Security Response Center (MSRC), the Microsoft Vulnerability Research (MSVR) program and the Microsoft Security Research and Defense team on one side, and the Adobe Product Security Incident Response Team (PSIRT) and Adobe Secure Software Engineering Team (ASSET) on the other, we have also been able to identify security trends and address vulnerabilities more rapidly.
Continue working together
We consider the collaboration between Microsoft and Adobe to be a great success for both companies. We look forward to continuing to work together and discovering new and better ways that we can protect both Microsoft and Adobe customers in the future.
Good to hear Adobe will be working with Microsoft to perfect that product and keep it safe and valued by the public
From a collaborative standpoint what would be valuable to consumers is a unified update program for the Windows platform. It would be very easy for an end user to have a dozen different update services running constantly (MS/Win update, adobe update, apple update, google update, etc) and to be charitable not all of these services are created equal (the apple update, for example, is enraging and the adobe update is very poorly designed).
Also, from a security standpoint not all of them have the same level of safeguard to protect the integrity of the full update system. Given previous security research into subverting update mechanisms it is fairly accurate to say that they have not gone to the same extent that MS has.
Thus it would be preferable for end users to have a unified update system. I can understand where the companies involved are less enthusiastic about it - MS would be in the position where they have to build a mechanism to receive and verify patches from 3rd parties (this must exist in a limited form now, as third party driver patches are distributed) and the 3rd parties would lose a level of control they currently enjoy (I doubt MS would be horribly inclined to break the 2nd Tuesday tradition just because a 3rd party wants a patch *now*). Overall it would improve the Windows experience and remove the need for third parties to invest in a good update mechanism (though clearly many of them have a different opinion of good than I do - again, Adobe, yours sucks).