Why Bother Assessing Popular Software

Explore a case study on assessing Adobe Reader's security in this Security BSides London conference talk. Delve into the challenges and rewards of evaluating popular software packages with complex, evolving attack surfaces. Learn about fuzzing techniques, sandbox analysis, and JavaScript API exploitation. Discover how to approach PDF vendors, generate test files, and identify vulnerabilities in font libraries. Gain insights into Adobe's sandbox implementation, kernel-level protections, and privilege escalation techniques. Witness a live exploit demonstration and understand the importance of continuous security assessment for widely-used software.

Straw poll
Introduction
How did this presentation come about
Agenda
Vendors improving security
Why assess popular software
CVS
Key resources
Attack surface
Adobe JavaScript
JavaScript in PDFs
Python script
JavaScript console
JavaScript debugger
Acro help
Initerating
Proofofconcept
Demo
Approaching the PDF vendor
Generating PDF files
Compressed PDF files
Fuzzing Reader
Crashes
Font Library
Mitigations
The Sandbox
Adobes sandbox
Kernel
JavaScript
Privilege
Trusted functions
Exploit demo
Summary
Conclusion
Future work
Final thanks