Partnering with the broader security community is one way that Adobe strives to protect our customers. One example is with Trend Micro and the Microsoft Active Protections Program (
MAPP). We are excited to share more details about the ongoing collaboration announced
here by Trend Micro.
For Acrobat and Reader vulnerability reports, we provide Trend Micro information ahead of the patches being made publicly available. They develop guidance for network defenders, and this guidance is sent out to participating MAPP vendors. This collaboration helps protect the broader ecosystem by making protections available on the day the patch is released. There have been public reports of patched bugs being weaponized and being put in exploit kits, and this collaboration helps ensure protections are available to as many as possible from day one.
This collaboration is not new. Starting in 2006, Trend Micro has worked with Adobe in the following ways:
- Through Trend Micro’s Zero Day Initiative (ZDI) program. They purchase vulnerabilities from verified researchers and responsibly report them to Adobe [through our product security incident response program (PSIRT)]. This responsible disclosure is greatly appreciated to help us protect our customers from potential security threats.
- Over the years, the ZDI has reported 1,174 vulnerabilities in various Adobe products. These coordinated disclosures lead to patches that help protect our customers around the globe.
- Adobe has participated in many Pwn2Own competitions over the years, and in 2021, Adobe showed further support of the community by sponsoring the event by providing planning and logistical support.
- Security researchers from Trend Micro have spoken to Adobe engineers about the best practices of fuzzing and how it can be used to improve vulnerability detection in code.
- There is currently a project within Trend to find variants of known issues that may exist across our product portfolio. This effort to find problematic shared code will lead to comprehensive fixes instead of a piecemeal approach where certain products remain vulnerable to known vulnerabilities.
- At the 2019 edition of Black Hat Europe, a security researcher from Adobe co-presented with a security researcher from ZDI on efforts to mitigate privilege escalations in the built-in security restrictions within the JavaScript engines.
ZDI researchers are responsible for submitting several innovative defense-in-depth solutions that helped reduce the attack surface within Adobe products. Because our collaboration, we felt confident in allowing Trend Micro to perform vulnerability research and analysis on Adobe proof of concept files (POCs). This analysis is provided to Independent Software Vendors (ISVs) and AV Providers to help scan and detect these potential vulnerabilities, to help prevent them from occurring in the wild. Participants in the MAPP program gain access to this threat intelligence before the public releases so their customers can be protected when the patches are live.
