Adobe Reader to block attacks with sandbox tech

Adobe Reader will soon have an additional layer of protection against the many attacks that target the popular PDF viewer.

Adobe Systems is borrowing a page from Microsoft's and Google's playbook by turning to sandboxing technology designed to isolate code from other parts of the computer.

Adobe is adding a "Protected Mode" to the next release of Adobe Reader for Windows due out some time this year, said Brad Arkin, director of product security and privacy at Adobe. The feature will be enabled by default and included in Adobe Reader browser plug-ins for all the major browsers.

The company has no plans to add the feature to the version of its PDF (Portable Document Format) viewer for the Macintosh at this time because the vast majority of Adobe Reader downloads and exploits are on Windows, a spokeswoman said.

The sandbox mechanism will confine PDF processing, such as JavaScript execution, 3D rendering, and image parsing, to a confined area and prevent applications from installing or deleting files, modifying system information, or accessing processes.

While Adobe Reader can communicate directly with the operating system, applications running in the program cannot. If malicious code sneaks onto a computer by successfully exploiting a hole in Adobe reader, its impact will be limited because it will be contained within the sandbox.

"Even if an attacker is able to take over Adobe Reader you'll be protected," Arkin said. "This is an additional layer of defense that will help protect users in case they encounter a malicious or corrupted PDF."

Valid actions that are not permitted in the sandboxed environment, such as writing to a user's temporary folder or launching an attachment inside a PDF file using Microsoft Word, will be funneled through a secure broker process to block malicious activities.

The technology is based on Microsoft's Practical Windows Sandboxing and modeled after techniques used in Microsoft Office 2010 Protected View, Microsoft Office 2007, and the Google Chrome sandbox, Arkin said. Adobe consulted with Microsoft and Google on its implementation, he said.

Initially, code that makes so-called "write calls" to the computer to install software or change a file system will be sandboxed. Protected Mode will be extended later to include code that is "read-only" so that attackers will be prevented from being able to read sensitive information on a computer, according to Arkin.

While Adobe Reader Protected Mode will limit the impact of a successful exploit, it is not a "silver bullet" that can protect people from attacks like phishing, clickjacking, weak cryptography, and unauthorized network access, Arkin said.

In addition, the feature will only protect against transient keyloggers, which are stored temporarily in memory, under Windows 7, Vista, Server 2008, but not XP or Server 2003. And some assistive technologies, like screen readers for the visually impaired, may not be able to be used when Adobe Reader Protected Mode is enabled on Windows XP or Server 2003.

The sandboxing news comes as attacks on Adobe Reader continue to rise and attract the largest number of new exploits. Recent reports have found that Adobe Reader is at the top of the list for having the most exploited holes and that for Web-based attacks, suspicious PDF file downloads was the most common attack method, representing nearly half of such attacks. In addition, about 60 percent of the targeted attacks on organizations were aimed at users of Adobe Reader, according to F-Secure.

Things got so bad last year that F-Secure researchers urged people to avoid using Adobe software and security experts suggested that Adobe should learn some lessons from Microsoft, which improved its secure software development efforts in 2002 after being plagued by security holes and exploits.

Just last month, Adobe plugged 17 critical holes in Reader and Acrobat, including one being exploited in the wild.

In the wake of the security problems with Adobe Reader, there is more competition from PDF viewer alternatives like Foxit Reader and Nitro PDF Reader.

Even Google has gotten in on the act by integrating its own fully sandboxed PDF viewer into developer versions of Google Chrome.

Back in January, in a post on CNET sister site ZDNet, independent security researcher Dino Dai Zovi pretty much challenged Adobe to adopt sandboxing technology to stem the tide of attacks.

"Seat belts do not prevent car crashes, but they make deaths less likely in case of a crash," Dai Zovi said in an interview on Monday. "Sandboxing doesn't prevent code execution vulnerabilities, but it makes it much harder to achieve anything meaningful from them."

He noted that Chrome is the only one of the major Web browsers that has not been successfully compromised in the annual Pwn2Own contest at the CanSecWest security show.

In a presentation at CanSecWest in March, Charlie Miller, principal security analyst at Independent Security Evaluators, showed how easy it is to find bugs in software using a common method called fuzzing. He told CNET that he found 33 different bugs in Adobe Reader, of which about a dozen were probably exploitable, illustrating perfectly the difficulty Adobe faces keeping up with the attacks.

With sandboxing, successful attackers will be forced to find two bugs--in Adobe Reader and in the sandbox--instead of just one, Miller said.

"It's the same approach Microsoft took five years ago or so," he said. "Maybe that sandbox will be enough to make attackers look at some other software to attack, something that is easier."

Adobe's announcement was also praised by Mark Dowd, director of Azimuth Security. He was asked by Google to evaluate the security of its sandboxing technique in Chrome and found ways to break out of the Chrome sandbox that Google then fixed.

"I think this was pretty much required for Adobe Reader to protect against a large wave of malicious PDFs that have been found in the wild and are doing a lot of damage," he said. "This proactive step shows that Adobe is committed to the security of their products."