Adobe to introduce sandboxing to limit Reader exploits, announced on Tuesday.
The new security feature, called “Protected Mode,” will force all operations that display PDF files to the user to be run inside a highly confined environment, known as a sandbox, in which certain functions are prohibited, Brad Arkin, Adobe's senior director of product security and privacy, told SCMagazineUS.com on Tuesday. Prohibited functions inside the sandbox include installing or deleting files, or modifying system information.
As a result, if an exploitable security vulnerability is discovered, the new functionality will help prevent an attacker from being able to write files, change registry keys or install malware on an individual's computer, Arkin said. Malicious code inside PDF files will be contained inside the Reader sandbox, instead of being installed on a user's system.
“The benefit to customers is we are providing an additional layer of defense against malicious code so they can view PDF files with confidence, and the potential impact if there's something malicious in there will be lower,” Arkin said.
If Reader must perform an action that is not allowed in the sandbox environment, such as launching an attachment inside a PDF using an external application, the request will be funneled through a so-called “broker process,” which will have a strict set of policies to prevent access to dangerous functionality, he said.
“It's an exciting new step, but it's not the security cure-all that will fix all problems forevermore,” Arkin said.
For example, the new security feature will not protect against phishing or other types of attacks that don't involve taking over process control and memory, he said.
The functionality, expected to be enabled in future versions of Reader by default, is based on a technique first described by Microsoft in 2007 and will be similar to already mature sandboxing technologies used in the Google Chrome web browser and Microsoft Office 2010, Arkin said.
In its development of the technology, Adobe collaborated with engineers who built Chrome and Office, as well as third-party consultancies and other external stakeholders.
“When you look at the size and complexity of a product like Adobe Reader, it represents a major engineering accomplishment,” Arkin said. “We are excited that we can extend this new level of protection to our users and defend against these attacks just as the bad guys continue to evolve their techniques.”
Jeremiah Grossman, chief technology officer for web application security firm WhiteHat Security, told SCMagazineUS.com on Tuesday that the new security feature will protect against the bulk of exploits written for Reader.
“Adobe's had its fair share of vulnerabilities in Reader,” Grossman said. “An extra layer of security to prevent bad things from happening is welcome.”
With Protected Mode enabled, an attacker would have to successfully exploit two vulnerabilities – one in Adobe Reader itself and another to defeat the sandbox – to install malware on a user's machine, Grossman said.
“It's a very needed, very welcome change,” he added. “I am sure most in the industry will agree.”
The first release of Reader Protected Mode is planned to sandbox all “write” calls on Windows 7, Vista, XP, Server 2008 and Server 2003, Arkin said. This will mitigate the risk of exploits seeking to install malware on the user's computer or change the computer's file system or registry.
Adobe plans to extend the sandbox in future releases of Reader to include read-only activities, which will protect against attackers seeking to read sensitive information on a user's computer.
The only downside of the new technology, said Grossman, is that it will not immediately be supported for Mac users.
To get the most effective protection to users as quickly as possible, Adobe currently is developing the sandbox specifically for Reader for Windows, Wiebke Lips, an Adobe spokeswoman, told SCMagazineUS.com on Tuesday.
“Today, Adobe Reader for Windows represents the overwhelming majority of Adobe Reader downloads,” Lips said. “Adobe is always carefully evaluating the threat landscape to determine the priorities and next steps in the security roadmap for our products.”