22 Nov 10

Adobe Reader X: Seeking Safety in the Sandbox

Adobe has at long last released Reader X, a fortified version of its PDF Reader software that is built to withstand attacks from the sort of zero-day security vulnerabilities that repeatedly have threatened its user base over the past several years.

The new Reader X version makes good on a promise Adobe announced in July of this year, when it said it would soon release a new kind of Reader designed to run the application in protected or “sandboxed” mode on Windows. Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. Adobe said that in developing the sandbox technology, it relied on experts from Microsoft and Google (the latter already has incorporated sandboxing into its Chrome Web browser).

The hardened Reader X software is specifically crafted to block attacks against previously unknown security holes in the program. On at least four occasions over the past year, attackers have leveraged newly discovered flaws in Reader to install malicious software when unsuspecting users opened poisoned PDF files.

It would have been refreshing had Adobe chosen this occasion to simplify the process of installing its software. Unfortunately, Windows users who grab the new version from the Adobe home page still need to dodge the add-ons (such as McAfee security scan) and endure the annoying Adobe Download Manager. Those who would rather not monkey around with this stuff can grab the direct download from this link (the direct download link for Mac users is here).

I look forward to the day that Adobe warns of attacks against unpatched flaws in Reader but assures Reader X users that they are already protected against those threats. Only time will tell if this highly-anticipated feature lives up to the hype. A full list of features included in this latest version is available here.

25 comments

  1. Important to note: the update resets your preferences, including the all-important options to disable Javascript, to lock down the Trust Manager options, and to prevent PDFs from opening in the browser. Be sure to re-secure Reader after install.

  2. I agree about the McAfee scan and the annoying download manager.

    Also, JavaScript is still on by default and Trust Manager still allows Reader to use other applications by default. This might be less of an issue on Windows 7 but if you are on Windows XP you may be out of luck because XP doesn’t have a lot of the technologies that are needed to make sandboxing effective. No ASLR, no integrity levels, …

    See also:

    http://blogs.adobe.com/asset/2010/11/inside-adobe-reader-protected-mode-part-3-broker-process-policies-and-inter-process-communication.html

    http://blog.didierstevens.com/2010/11/19/quickpost-adobe-reader-x/

  3. I would imagine by now that this new reader has already been owned and it will only be a short matter of time before we see 0 days bubbling up.

    The reasoning behind this is that Adobe _don’t_ know how to build secure software. I mean, realistically, nearly every computer that has had this product installed on it (thinking Windoze) has been vulnerable since the day it was installed… or 100% of the time, and for some users, that can be years.

    What’s worst is that their own team of professionals can’t find these bugs, but hundreds of individual netizens who have never met, don’t have the source code, infrastructure or organisational support that Adobe has, can. It doesn’t make sense. Where is the QA?

    Further to this, given that these same incompetent programmers will be the brains behind the sandbox logic, it only stands to reason that they too will have once again missed the boat and left vulnerabilities in sandbox logic which will be leveraged to produce a valid exploit.

    • good point. there really isn’t any reason to believe we can trust adobe’s sandbox any more than we could trust adobe reader before they stuck a sandbox in it.

      better, i think, to stick with an alternative reader and an application sandbox that can be used with any reader and that’s had time to mature.

      • Couldn’t agree with you more Kurt. I have been using Foxit for the past few years and it seems to be a lot more secure.

        The problem I have is getting corporate to understand.

      • Note that Adobe is using Microsoft built-in sandboxing technologies for this. The process runs in a very limited way (below limited user) and uses a broker process to talk to other parts of the OS. This is actually a very good implementation and an effective approach. They are not rolling their own. They’re using the “protected mode” model IE uses.

        There’s a real lack of IE exploits in Vista/7. Web based exploits generally go through a plugin (flash, java, reader, etc).

  4. Think i will be staying with sumatra, gave foxit a try till it also became bloated. Maybe Adobe and other big firms need to release feature lite versions of their favorite software, guess that is the power of open source cheap! & cheerful with basic functionality.

  5. I downloaded it and had it for one day because TurboTax said it was required to view the tax forms prior to printing (it doesn’t, I found, just find the temporary PDF and open it with your favorite alternative). It must be huge; it took a long time to load even without the McAfee scan. I’ll stick with Foxit until they get the bugs out of the sand.

  6. Brian, have you heard anything about when the Adobe customization wizard for 10 will be released? The only information I have found has it listed as TBD.

  7. I’m not so convinced that sandboxing is going to help much. Java was supposed to be “sandboxed” and look how well that turned out!

    http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

    • every sandbox is different and no sandbox is perfect, but sandboxing can help so long as the people who make the sandbox address vulnerabilities in an expedient manner

      oh, adobe, i forgot we were talking about you.

    • Note that Adobe is using Microsoft built-in sandboxing technologies for this. The process runs in a very limited way (below limited user) and uses a broker process to talk to other parts of the OS. This is actually a very good implementation and an effective approach.

      Java, on the other hand, runs like how you run. Running as admin? Then the Java VM runs as admin. If the VM has an insecurity then they will be exploited as admin or as limited user with a UAC prompt your grandma will hit yes to anyway.

      MS has also been historically better at patching better and quicker than Sun/Oracle. I’d also argue that a VM is difficult to secure by its nature. There’s really no good reason to run Java in the browser.

  8. “better, i think, to stick with an alternative reader”
    Yea, I use Foxit, but sadly my company has some banking sites that will not work with foxit (yes, BANKS – so my acct people have to use the dangerous acrobat :(

    here’s hoping X works.

    • I’ve noticed the main problem with many websites that don’t work with alternative PDF readers is they are designed with the expectation to open the PDF ONLY within the browser based on some type of Adobe specification. Those that do work provide the option to download the PDF which allows you to then open it with the program of your choice.

      An example of this was the option to download your statement from Capital One. It used to error out, but for a long time now prompts to download the pdf, which has always been my preference anyway. That way you have the PDF to use again without having to access the website again. That and it gives your anti-malware software a better chance of scanning the file for known stuff BEFORE opening it.

      • I don’t think this affects your AV scanner at all. Copying the file onto a temp directory and opening it or copying it to your desktop and opening it are the exact same things. Either your malware has a definition for the pdf file or it doesn’t.

        The biggest challenge in AV is that it’s always fighting yesterday’s fight. Sure, it has a definition for a popular malware 24 hours ago, but since then the hackers have compiled a dozen different versions.

        I’m of the opinion that AV is useless for preventing attacks. It’s only really good for detecting successful attacks. Limiting rights is really the only way to go.

  9. So much for beta testing. I installed Adobe Reader X and out of the box, it turns out that Adobe Reader X is incompatible with Symantec EP. According to the Adobe KB, there are also problems with McAfee as well as several unsupported configurations:
    http://kb2.adobe.com/cps/860/cpsid_86063.html

    Organizations looking to deploy Adobe Reader X need to carefully test this release.

    To top it off, the Adobe Reader X dialog box, “Adobe Reader Protected Mode”, which opens when Reader starts on an “incompatible” system and lets the user turn off protected mode, has a link on it to “Tell me more about Protected Mode and incompatible system configurations” which goes to a bogus URL:
    http://www.adobe.com/go/protected_mode_info

    Woo-hoo, let’s hope Adobe Reader X.1 gets a little more testing :)

    • I installed it on a Windows 7 machine that’s running the free McAfee AV subscription provided by the vendor. I gave a pretty thorough run through and so far it seems to be working fine. The known bugs only affect McAfee VirusScan Enterprise customers.

  10. that url doesn’t look completely bogus. it looks like it’d be valid on the corporate intranet @adobe.

    — which means they tested it internally but didn’t flip a switch to release.

    you could complain to adobe or wait for someone from adobe to read this article.

  11. There comes a point when Adobe become complicit in aiding and abetting criminals by repeatedly providing software that is unfit for purpose.
    Brian, will Adobe put forward someone to answer questions; if they’re keen to solve the security holes they’ll provide someone; if not, we’ll know where we stand.

  12. At my company, we use digitally signed Acrobat files for a number of business processes. Reader X will not open files signed under Reader 9, even after playing with all the security options. It doesn’t matter to us if the sandbox works or not; we can’t upgrade until Adobe fixes this bug.

  13. I used the link Brian provided to download Reader X for my Mac. After I installed the software, I noticed that the installer had not removed or disabled the old version (9.4) which was on my machine. Doubleclicking on a file that was set to open with Reader would still open the old version. So presumably those vulnerabilities were still there, until I manually trashed Reader 9.

    I generally use the Preview software supplied by Apple to view PDF files. But a few weeks ago I had to download Adobe Reader to work with a form I downloaded from a US government site, that just wouldn’t work properly with Preview. Except for that one form, I find Preview much superior to Reader, even without considering the security concerns.

  14. I installed PDFXchange Viewer from Tracker Software products today. I think it’s a fast, feature rich, and smart program. The setup program does “offer” the Ask toolbar but it’s easy to opt out.

  15. I’ve already found out the hard way that Adobe Reader X doesn’t open all files, as someone has stated above ~ “Reader X will not open files signed under Reader 9.” It would be nice if they tell us problems up front. But I guess that’s not the American way. Now I don’t know whether to download Adobe Reader 9 or whatever it was.

  16. Well the cracks have already started to appear in the Sandboxing capabilities of Flash. PoC is published so it’s only a matter of time before they find similar bugs in the PDF reader.

    http://xs-sniper.com/blog/2011/01/04/bypassing-flash%E2%80%99s-local-with-filesystem-sandbox/

  17. I like Pdf-XChange too. I have used it for a long time and have always been sure of its safety. And it’s true. I never got a virus from PDFs ))). In PDF-XChange there is an option to enable/disable JavaScript. I would recommend trying this viewer, and I guess you will not worry about your comp’s safety.

