Adobe rewrites PDF Reader to bolster security

Protected mode a ground-up revamp

Adobe has offered more details of the 'sandbox' security feature it plans to implement to secure its hugely popular but often-attacked PDF Reader software.

First announced last July, the latest description put out by Adobe's security development team makes clear that Reader's new 'protected mode' will be no mere bolt-on. This is starting to look like a ground-up re-design of how the program operates, almost from scratch.

The new Reader design will see core and risky PDF functions such as font rendering, Javascript execution, 3D rendering and image parsing happen within the confines of the application itself, isolating these from the privileges of the operating system.

This effectively relegates Reader to a new rung of privilege below that if the system user, which stops the application simply accessing key parts of the OS such as the Registry or file system as it likes. Instead all such calls will have to go through a trusted broker process if they want to communicate beyond the sandbox.

The new design won't stop exploits targeting Reader but they will limit what can be done from within its confines. At the moment, that is more or less anything the attacker wants, including being able to take over the system.

"The challenge is to enable sandboxing while keeping user workflows functional without turning off features users depend on," says Adobe's blog.

As the developers admit, the potential hole in security is always the operating system itself, which can still be compromised, although exploiting such vulnerabilities is as easy as it easy a few years back. Microsoft's software development lifecycle (SDL) has tightened up code security.

The first version sandbox will also not protect against read access to the file system (which allows data theft) or registry, or restricting network access, but future versions will look at this aspect of security.

Adding defence mechanism to specific applications other than browsers is an unusual approach to application design, but Reader's security troubles have gone beyond that of most applications.

The company's regular security updates have become almost as big an event as Microsoft's own patch Tuesday.

The timescale for protected mode to appear in Reader has still not been confirmed.

Tags Personal TechsecurityAdobe Systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John E Dunn

Techworld

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?