Adobe provides its beleaguered PDF reader with sandbox technology to thwart exploits. "This is coming out in the next major release", reveals Brad Arkin, head of security at Adobe, to Webwereld.
The software maker has developed collaboration with Microsoft and Google. Specifically the development teams of Office 2010 and Chrome. This office suite and browser makes any isolation techniques also known as sandboxing, from Arkin explains. "We have the entire implementation or myself. For Adobe called the Protected Mode."
The sandboxing of Adobe Reader is turned on by default. It should stop almost all current exploits. "For example, it refuses write access to the registry, and writes in the file system of the computer." However if a write permission is needed, as might be the case for legitimate PDF documents, this is done through a new intermediate layer. "The sandbox process must request permission from the broker process. This is a small, newly created piece of software."Arkin is not worried that the new broker might be a new weakness. It will probably be a new attack target. But it will be a line of defence that malware creators have to conquer after they've successfully abused a hole in Adobe's PDF software. The latter has been done before, Arkin notes dryly. The PDF reader from Adobe has since last year been increasingly under attack from malware authors, who find and exploit holes in it.
Not a silver bullet
Adobe does not claim that this puts a stop to all security problems for it's PDF-reader. "It is exciting new technology, but not a silver bullet." This protection does not work against social engineering or some phishing attacks. It does help against malicious PDF files."
Tests in Adobe's security labs have proven the effectiveness of the sandboxing. But those exploits are aimed at the currect situation, the current Adobe Reader. "The malware authors will respond," Arkin acknowledges.Yet he is optimistic: "This will remain an effective protection. The bad guys now have to do a two-stage attack. First they have to hijack the PDF Reader process, and then get through the broker-process." That new intermediate layer functions based on policies: what application component may under which circumstances write where outside of the Reader software, for example in the Windows registry.
This isolation of the Adobe's client software for viewing PDF documents will be available for the Windows version, running on XP, Vista and 7. It will be delivered in the next "major release" of Reader, but Arkin can not yet say when that will be. "To clarify: Adobe Reader 8 and 9 will not have the Protected Mode."He stressed that the development of that protection was quite a job: "Adobe Reader is a large, complex application. This was not a matter of 'just sandbox it'." One of the stumbling blocks was the printing functionality, for an existing PDF document and for transforming another document to a PDF by using a virtual PDF-printer. Printing requires a lot interaction, including writing activities, wit the operating system.
'No user impact'
Initially, the Protected Mode in Adobe Reader only stops write access. That protection will be extended by a smaller update following the next major version containing the sandboxing. That so-called .1 release will deliver sandboxing for read operations.Adobe currently has no plans to implement the sandbox approach into it's professional PDF product Acrobat. That choice is also motivated by the large number of users worldwide of the free PDF-reading application. "But the new PDF Reader can run besides Acrobat and we change the default action for reading PDF files. Reader or its browser plug-in, opens PDFs, not Acrobat."Arkin says that Acrobat is not necessarily excluded, but that Adobe will first wait how the new security measure works out. Basically, it will watch for the response of malware creators. "Maybe we will bring the Protected Mode next to Adobe Reader on Unix, or Mac OS X."