Security and Programming Developments
Adobe Systems Inc. and Google Inc. announced a "sandbox" to better protect users of Adobe Reader and Acrobat and Google Chrome. Meanwhile, Microsoft Corp. patched a security tool that has blocked some copies of Google Chrome from updating. Finally, Oracle Corp. detailed the submissions of upcoming Java releases, including versions 7 and 8 of Java's standard edition.
Focal Points:
- Adobe and Google announced that they have collaborated to put the Flash Player plug-in inside a "sandbox" within Google Chrome. The "sandbox" isolates processes on a computer, preventing malware from escaping an application, and thereby protecting users' machines from attacks. The vendors said that engineers from Google and Adobe partnered to build a "broker" process. This process decides which functions can be conducted outside the "sandbox," and mediates requests between the Flash plug-in and the rest of the browser, Adobe and Google added. According to the two companies, the "sandbox" has been introduced into the "dev" build of Chrome, and is currently available only on the Windows 7, Vista, and XP versions of the Web browser. Adobe and Google plan to add the "sandbox" to Mac OS X and Linux editions; however, they did not announce when these would be available. Google expects the Flash "sandbox" to be in a production version of Chrome in early-to-mid 2011.
- Meanwhile, Microsoft fixed a security tool that Google claimed blocked some copies of Chrome from updating. According to Microsoft, the Enhanced Mitigation Experience Toolkit (EMET) "may have potential issues with the update functionality" of Google's Chrome and Adobe's Reader and Acrobat. EMET allows enterprise IT staff to manually enable anti-exploit defenses for specific applications, and is used to boost the security of older programs and stop active attacks. Google noted the problem initially, saying that EMET interfered with Chrome's security and updates. To solve this issue, Microsoft released EMET version 2.0.0.3, and urged affected users to download the update. In related news, Adobe released Reader X. This version of Adobe Reader includes a "sandbox" to protect users from PDF attacks, said Adobe. The Windows version of Reader X features Protected Mode, a technology that isolates system processes, Adobe added. Reader X is also available for Mac OS X and Android; however, Adobe said that those editions lack the "sandbox." Windows and Mac OS X users can currently download Reader X manually from the Adobe site, according to the vendor.
- Oracle announced details of submissions of upcoming Java releases that are under consideration as Java Specification Requests (JSR) by the Java Community Process. The specifications include JSR 336: Java SE 7 Release Contents; JSR 337: Java SE 8 Release Contents; JSR 334: Small Enhancements to the Java Programming Language; and JSR 335: Lambda Expressions for the Java Programming Language, according to reports. Oracle said that Java SE 7, or Java Platform Standard Edition, will promote best practices and reduce boilerplate code by adding productivity features to the Java language and the Java SE application programming interfaces (APIs). Java SE 8 will further reduce boilerplate code, and the Java Collections Framework and related APIs will be enhanced, Oracle added. The final releases for Java SE 7 and Java SE 8 are set for July 2011 and October 2012, respectively. JSR 334 is intended to make programmers' jobs easier, while JSR 335 extends the Java Virtual Machine, said Oracle. JSR 334 is set for finalization next July, and the final release of JSR 335 is set for June 2012.
Experton Group believes the security releases are long overdue, especially the patches for Adobe Reader, and need to be applied where appropriate. Most users assume Adobe PDFs are secure and willingly download and open them. Unfortunately, Adobe Reader is currently being aggressively attacked by hackers who understand its vulnerability. Security staff should ensure that all users, regardless of operating system, have the appropriate sandbox solution installed so that they can protect their users from attacks. Oracle's submission of Java releases is good news for the Java community. The JSRs will now be put on the Java Community Process (JCP) ballot for approval, which should be available by year-end. IT executives who have Java in their shops should take this as a good first step but should press Oracle to detail its Java strategy.

