Adobe introduces sandboxing technology for Reader in order to fight malicious threats

News by Dan Raywood

Adobe has introduced a protected mode for its Reader software.

Adobe has introduced a protected mode for its Reader software.

Brad Arkin, director of product security and privacy at Adobe, claimed that he had previously identified three main areas of focus of a security initiative - code hardening, incident response process improvements and a shift to a regular security update schedule – and this was the next step.

He said that Adobe Reader Protected Mode ‘represents an exciting new advancement in attack mitigation', as if an exploitable security vulnerability is found by an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files, changing registry keys or installing malware on potential victims' computers.

The technology is scheduled for inclusion in the next major version release of Adobe Reader and is based on Microsoft's Practical Windows Sandboxing technique and similar to the Google Chrome sandbox and Microsoft Office 2010 Protected Viewing Mode.

Arkin said: “With Adobe Reader Protected Mode enabled (it will be by default), all operations required by Adobe Reader to display the PDF file to the user are run in a very restricted manner inside a confined environment, the sandbox.

“Should Adobe Reader need to perform an action that is not permitted in the sandboxed environment, such as writing to the user's temporary folder or launching an attachment inside a PDF file using an external application (e.g. Microsoft Word), those requests are funnelled through a ‘broker process', which has a strict set of policies for what is allowed and disallowed to prevent access to dangerous functionality.”

He explained that the first release will sandbox all ‘write' calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008 and Windows Server 2003. It plans to extend the sandbox to include read-only activities to protect against attackers seeking to read sensitive information on the user's computer.

Security blogger Brian Krebs said: “Even if only somewhat effective, the new protections would be a major advancement for one of the computing world's most ubiquitous and oft-targeted software applications.

“The company is constantly shipping updates to block new attacks: less than a month ago, Adobe rushed out a patch to plug vulnerabilities that hackers were using to break into vulnerable machines. McAfee found that roughly 28 per cent of all known software exploits in the first quarter of 2010 targeted Adobe Reader vulnerabilities. According to F-Secure, Reader is now the most-exploited application for Windows.

However security researcher Didier Stevens said Adobe's planned protections should indeed block most known PDF-based malware, but questioned the ‘sandboxing of all write calls' feature.

In communication with Krebs, he said: “That's easy to bypass, for example by injecting code into another process (e.g. Windows Explorer) and let it write to disk. Then I read that registry and process calls are also sandboxed, so injecting code inside another process would be blocked.”

Stevens said the broker process could end up being the weakest link of Adobe's sandbox approach.

“If you can mislead the broker process, you can still get access. If similar bugs exist in the broker process, then researchers will soon find them. I hope this mechanism fails gracefully: if the broker process breaks down, then every action should be denied,” Stevens said.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews