Today’s news brings a couple of articles discussing big-name companies that have decided to use sandboxes to make a more secure computing experience. This isn’t a new technique; it’s one that has been used with varying degrees of success by a number of different companies. I find it most meaningful in that more companies are changing their architecture to try to be more secure, rather than just relying on patches or third-party companies to create plug-ins to do the job. I’m sure this won’t obviate the need for either, but… I digress.
I particularly liked this quote from Brad Arkin, Adobe’s senior director of product security and privacy:
“We’ve done everything we can to build the walls of that sandbox as tall as possible,” Arkin said. “We’re not sure how the offensive community will react. They may move on to a different product and attack QuickTime instead, or they may look at other applications that are easier to attack. Or they may find clever ways to carry out some type of malicious activity against Reader which are quite different than the attack techniques that they use today.”
It’s decidedly not warm and fuzzy, but it tells me they have decently realistic expectations. Malware authors aren’t going to be stopped by this change; they may focus in the short term on other products, but they may just find new ways in.