Vulnerabilities and Attack Surface
By Will Dormann on 06/25/2009 | Permalink
Two recent US-CERT Vulnerability Notes describe similar issues in the Adobe Reader and Foxit Reader PDF viewing applications. The vulnerabilities, that both applications failed to properly handle JPEG2000 (JPX) data streams, were discovered as part of our Vulnerability Discovery initiative. The two vulnerability notes are quite similar, except for one aspect: attack surface.
According to Pratyusa K. Manadhata's web page on attack surface, "A system's attack surface is the set of ways in which an adversary can enter the system and potentially cause damage. Hence the larger the attack surface, the more insecure the system." It may be an oversimplification, but the more functionality that is included with software, the larger the potential attack surface.
Shortly after the JBIG2 vulnerability in Adobe Reader was disclosed, I started investigating other image formats. Just like JBIG2, the JPX format is slightly obscure, and the support for it within PDF documents is relatively new. JBIG2 support was introduced in version 1.4 of the PDF specification, while JPX support is even newer at version 1.5 of the spec. Though not always the case, one would think that newer formats are not tested as well as older, popular formats such as JPEG.
As the result of investigating JPX format support in PDF readers, I found vulnerabilities in both Adobe Reader and in Foxit Reader. Both vendors wrote faulty JPX-handling code. Nobody is perfect at writing software; if they were, my job would be quite different. However, there is an important difference between the two applications with respect to attack surface: Adobe Reader comes with JPX support built in, while Foxit Reader requires an add-on to view JPX (and JBIG2) images. The modular design of Foxit Reader means that the extra functionality such as JBIG2/JPX decoding is only present on systems where the user has made the decision that they would like that ability. This design reduces attack surface.
Adobe Reader and Foxit Reader are just two examples that I have chosen to demonstrate the problem of software attack surface. Both vendors appear to understand security, and both handled the coordination aspect of the vulnerabilities quite well. Feature creep is a problem that is endemic to the software industry.
One driving force with software vendors is to include more features and to have those features enabled by default. End users of software may appreciate not having to make decisions about what features to enable when installing an application. However, not even giving them a choice is doing them a disservice, especially when it comes to security. I would like to see a more modular design with software and its installers. If I want the kitchen sink, I'll let you know. Don't give it to me by default.