Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. Adobe said that in developing the sandbox technology, it relied on experts from Microsoft and Google (the latter already has incorporated sandboxing into its Chrome Web browser).

“The idea is to run Reader in a lower-privilege mode so that even if an attacker finds an exploit or vulnerability in Reader, it runs in lower rights mode, which should block the installation of [malware], deleting things on the system, or tampering with the [Windows] registry,” said Brad Arkin, director of product security and privacy at Adobe.

Even if only somewhat effective, the new protections would be a major advancement for one of the computing world’s most ubiquitous and oft-targeted software applications. The company is constantly shipping updates to block new attacks: Less than a month ago, Adobe rushed out a patch to plug vulnerabilities that hackers were using to break into vulnerable machines. Security vendor McAfee found that roughly 28 percent of all known software exploits in the first quarter of 2010 targeted Adobe Reader vulnerabilities. According to anti-virus maker F-Secure, Reader is now the most-exploited application for Windows.

Reader still has to legitimately touch the underlying filesystem in order to save PDF files, but it will be configured to work through a separate Adobe “broker process,” such that any attempts by Reader to communicate directly with the operating system will fail, Arkin said.

“Under such a system, not only would the attacker have to find a vulnerability in Reader, but they’d also have to carry out a second-stage attack from the Reader process to the broker process,” he said. “We have put in a place a very small set of policies to make sure that any action the broker process takes on behalf of Reader is absolutely necessary for operation.”

The initial release will not sandbox “read-only” activities in Reader, such as accessing content on the user’s system, but that functionality may be incorporated into versions down the road.

Arkin said the new feature will be on by default, and will not affect the performance or speed of the application.

“The vast majority of users will never know it’s there,” Arkin said. “It doesn’t increase the number of dialogue boxes or choices, and users should be able to continue to interact with Reader the same way they always have.”

Didier Stevens, a Belgian security researcher who has discovered and reported a number of security vulnerabilities in Reader, said Adobe’s planned protections should indeed block most known PDF-based malware.

“When I read ‘sandboxing of all write calls’ I said to myself: ‘That’s easy to bypass, for example by injecting code into another process (e.g. Windows Explorer) and let it write to disk’,” Stevens wrote in an e-mail to KrebsOnSecurity.com. “But then I read that registry and process calls are also sandboxed, so injecting code inside another process would be blocked.”

Stevens said the broker process could end up being the weakest link of Adobe’s sandbox approach.

“If you can mislead the broker process, you can still get access,” Stevens said. “If similar bugs exist in the broker process, then researchers will soon find them. And I hope this mechanism fails gracefully: if the broker process breaks down, then every action should be denied.”

Adobe isn’t willing to set a date certain for the release of the new sandboxed Reader, but said it should ship in the next version, due out before the end of the year. Arkin said the sandboxing feature will initially be available only for the Windows version of Reader.

“Our primary goal was to protect the largest number of users the fastest,” Arkin said. “In the lab it’s certainly possible to take one of those [vulnerabilities] and export it onto a different platform, but in the real world, every single attack we’ve heard about has been on a Windows platform.”

Adobe Systems Inc.

The update brings Adobe Acrobat and Reader to version 9.3.3 (another update for the older 8.2 line of both products brings the latest version to v. 8.2.3). Patches are available for Windows, Mac, Linux and Solaris versions of these programs. Adobe’s advisory for this update is here, and the Reader update is available from this link — or by opening the program and clicking “Help” and “Check for Updates.” If you download the update from the Adobe Reader homepage, you’ll end up with a bunch of other stuff you probably don’t want (see below, after the jump for more on this).

If you use Adobe Reader or Acrobat, please take a moment to update this software. Users may also want to consider switching to other free PDF readers that are perhaps less of a target for malicious hackers, such as Foxit Reader, Nitro PDF Reader, and Sumatra.

It’s not hard to recommend almost any other PDF reader over Adobe’s. For starters, despite Adobe’s promises to streamline its update process, updating an Adobe product seems to have gotten far more complex over the past year or so. For instance, updating from Adobe’s Web site always pre-checks the installation of third party software, such as an anti-virus “security scanner” or a toolbar. This version of Reader also installs a program called “Acrobat.com,” an online PDF creation and manipulation manager. Incidentally, when you launch Acrobat.com from the icon the Reader update leaves on your desktop, another “mandatory update” is required for this product as well.

On top of that, the user is required to download the Adobe Download Manager, a program that has in the past introduced its own security vulnerabilities.

Many readers have asked about the purpose of the download manager, which is apparent with this month’s release: Adobe is using the Download Manager progress screen as an opportunity to pitch a number of other software titles available for download, apps made to work with Adobe Air, yet another multimedia component that comes bundled with each Reader update.

But the update process still isn’t complete. In fact, Adobe Reader at this point is only at version 9.3.0, and still needs to download an additional update to bring the user up to the latest version, 9.3.3. Getting that update requires opening Reader, waiting a minute or two for the Reader Update icon to appear in the Windows taskbar, and then double-clicking the install button. Windows users then need to restart their systems for the patch to take effect.

By the way, the vulnerability Adobe fixed in Reader and Acrobat also exists in Adobe’s ubiquitous Flash Player, but Adobe shipped an update to fix that flaw in Flash on June 10. If you haven’t already updated Flash this month, have a look at this post, which walks you through how to do that.

The latest version, v. 10.1, fixes a number of critical flaws in Adobe Flash Player version 10.0.45.2 and earlier. Don’t know what version of Flash you’ve got installed? Visit this page to find out. The new Flash version is available for Windows, Mac and Linux operating systems, and can be downloaded from this link.

Note that if you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera, or whatever other browser you use.

Please take a moment to check if you have Flash installed and — if so — to update it: A working copy of the code used to exploit this vulnerability has been included in Metasploit, an open source penetration testing framework. Also note that Adobe likes to bundle all kinds of third party software — from security scanners to various browser toolbars — with its software, so if you don’t want these extras you will need to uncheck the box next to the added software before you click the download button.

The vulnerability that prompted Adobe to issue this interim update (the company had been slated to issue these and other security updates on July 13) also is present in Adobe Reader and Acrobat, although Adobe says it does not plan to fix the flaw in either of these products until June 29.

Now would be a great time for longtime users of Adobe’s free Reader software to consider removing Reader and switching to an alternative free reader, such as Foxit or Sumatra.

Note that Flash generally comes with Adobe Download manager, a package that in prior versions has been found to harbor its own security vulnerabilities. The download manager is designed to uninstall itself from machines after a reboot, so to be on the safe side, you may want to reboot your system after updating Flash.

Oracle Corp.

Java 6 Update 20 was released sometime in the last 24 hours, and includes some security fixes, although Oracle’s documentation on that front is somewhat opaque. Most significantly, the update removes a feature that hackers have started using to install malware.

On Wednesday, a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to plant malicious software.

If you need Java for some specific reason, then by all means install this update. However, I have found that most users can happily do without this powerful and feature-rich program, which is fast becoming a popular vehicle for launching a range of attacks. More on that in a future post. Stay tuned.

In other news about features in widely installed programs being used as a vehicle to load malware, security experts at M86 Security have spotted a spam campaign aimed at spreading the ZeuS Trojan that exploits a recently-documented feature in at least two different PDF readers. That feature, known as “launch action,” is intended to be used to run an application or to print a document, but recently it was discovered that this feature could be abused to run malicious programs within PDF files.

Both Foxit Reader and Adobe Reader now warn users if a PDF file tries to invoke this launch action feature, and the alert box will look similar to the one pictured above. If you use these applications and happen to see one of these alerts, it’s probably a good idea to decline launching the file in question.

Microsoft released 11 security updates that collectively fix at least 25 vulnerabilities in versions of Windows, Office, Exchange, and other Microsoft products.

Redmond said customers should install all of the relevant updates, but it called attention to a few as particularly urgent. Among those is a patch for all versions of Windows that fixes a bug which could allow attackers to fool Windows into thinking that a malicious program was created by a legitimate software vendor, said Joshua Talbot, security intelligence manager, Symantec Security Response.

“This vulnerability allows an attacker to force Windows to report to the user that the application was created by any vendor the attacker chooses to impersonate,” Talbot said.

Another patch fixes a flaw that is critical on Windows 2000, XP, Server 2003 and Server 2008, and could be triggered just by visiting a Web page hosting a specially-crafted .avi video file. A separate critical bug patched today for Windows 2000 and XP users is another browse-a-bad-site-and-get-owned type of flaw.

Adobe issued an update to its PDF Reader and Acrobat software that fixes at least 15 security flaws in those programs. Adobe labels this update “critical,” meaning the attackers could use the security holes to crash the programs and seize control over a vulnerable system.

As promised, Adobe also is including a new updater technology with the latest version of both Reader and Acrobat (version 9.3.2) on both Windows and Mac systems. Adobe said the new updater includes an option to let Adobe “automatically install updates,” although the company said it will respect whatever update settings users currently have selected (the default is “download all updates automatically and notify me when they are ready to be installed”). Adobe’s Brad Arkin has more on this new updater in a post on Adobe’s ASSET blog.

Last month, researcher Didier Stevens said he’d discovered that he could embed an executable file — such as a malicious program — inside of a PDF file. Worse, Stevens found that PDF readers from Adobe Systems and Foxit contained a feature that would run those embedded files upon request, in some cases without even warning the user.

Stevens found that when he triggered the feature in Adobe Reader the program throws up a warning that launching code could harm the computer (although he also discovered he could change the content of that warning in Adobe Reader).

Foxit, however, displayed no warning at all and executed the action without user approval. According to Stevens, the Foxit fix shipped last week changes the reader so that it now warns users if a PDF document tries to launch an embedded program.

Unlike previous attacks on PDF readers — which can generally be blocked by selecting the option to disable Javascript in the programs — this attack leverages features built into these readers. Adobe Reader contains an option to disable opening non-PDF attachments with external applications (under Preferences, click Trust Manager, and then uncheck the box at the top of the next window). However, I could find no such option in Foxit.

If you are using Foxit, please upgrade to this latest version, which is v. 3.2.1.0401. To update, click the Help menu, and then Check for Updates Now, or download the latest installer from this link here. And if you see a warning like the one above, it might be smart to click the “Do Not Open” button.

In other patch news, Apple has pushed out a security update for its QuickTime and iTunes media players. The QuickTime update, version 7.6.6, fixes at least 16 security flaws affecting both Mac and Windows systems. iTunes 9.1 addresses at least seven security holes for OS X and Windows versions. The patches are available through Software Update on the Mac, through the Apple Software Update package bundled with iTunes/QuickTime on Windows, or via Apple Downloads.

At issue is a non-public advisory issued by Fiserv, a Fortune 500 company that provides bank transaction processing services and software to more than 16,000 clients worldwide.

A reader who works in security for a mid-sized credit union shared with me a notice posted prominently to the “collaborative care” portion of Fiserv’s site, a section dedicated to security and IT managers at partner financial institutions.

In the notice, dated Feb. 16, 2010, Fiserv instructed its customers to avoid the latest Adobe Reader updates, apparently in favor of one that was released two years ago:

“NOTICE: Please do not upgrade Adobe Acrobat Reader past Version 8.1.”

The notice continues:

“The following is of importance to all credit unions.

Until further notice, please do not upgrade Adobe Reader past version 8.1. We have recently found that there are potential compatibility issues with some of our Adobe-based products. If you have already upgraded past this version you can try uninstalling to a lower version. This may or may not be successful. For instructions on uninstalling, please visit www.Adobe.com.

We will provide you with further information when it is available.”

I have requested more information from Fiserv about what prompted this advisory, and will update this post when/if they respond.

Adobe 8.1 was first released in October 2007. But even if we give Fiserv the benefit of the doubt and assume that they really meant to say “Don’t migrate your systems past the latest 8.1 version — Adobe Reader 8.1.7 (released in October 2009) that would still leave financial institutions dangerously exposed to the Reader flaw that criminals are very actively exploiting to install data-stealing software, via spam and hacked or malicious Web sites.

According to a report issued last month by Web security firm ScanSafe, 80 percent of the Web-based attacks from malicious and hacked Web sites targeted Adobe Reader vulnerabilities in the last three months of 2009. Security firm F-Secure also has noted that Adobe Reader vulnerabilities by far are the most popular for use in targeted e-mail attacks.

This kind of advisory may seem shocking, but it’s incredibly common, said Didier Stevens, an IT security researcher who has done some extensive research on Adobe vulnerabilities. As Stevens noted, many application providers or companies will urge users to remain on outdated and insecure software platforms because upgrading may break functionality in custom software. Stevens said Fiserv’s advisory to customers is probably related to a similar custom-built application.

“I can imagine that in their software they are using some components of Adobe, for example, a component to display a PDF inside of a financial application, and they just haven’t upgraded that application yet,” Stevens said.

Indeed, just last month I wrote about opening up a new account at a local bank and noticing that the branch manager was still browsing the Web with Internet Explorer 6, just days after news surfaced that a zero-day vulnerability in IE6 was used in targeted attacks against Google, Adobe and a host of other Silicon Valley companies recently. For its part, Google said it would no longer support IE6 in its applications.

Update, March 9, 10:48 a.m.: Fiserv responded to this story with the following statement, sent via e-mail:

“We researched the client advisory mentioned in your posting.  We appreciate your attention to this matter, as the advisory did not effectively explain our advice, nor was it the right approach to the underlying issue of Adobe compatibility.

The advisory was not directed or available to all of our clients, but rather to clients of a single solution within one individual product line.   The advisory had been viewed by fewer than three dozen individuals at the time it was removed.  We are working hard to resolve the Adobe compatibility issue, and to improve the rigor of our content management on the client collaboration site where the advisory was posted.”

The latest update brings Adobe Reader to version 9.3.1, and fixes a pair of vulnerabilities that Adobe has labeled “critical,” which means the flaws could be used to install malicious software on vulnerable systems. Updates are available for Windows, Mac and Linux versions.

If you use Adobe Reader, please apply this update. Then, take a moment to turn off Javascript, the feature in Reader that is most exploited by attackers. To do this, follow these instructions:

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Better yet, consider using an alternative PDF reader, such as the free Foxit Reader. I also disable Javascript in Foxit, mainly because I find I don’t need it.

Earlier this week, Web security firm ScanSafe released a report (.pdf !) showing that roughly 80 percent of the Web-based exploits it detected in the last three months of 2009 attacked Adobe Reader vulnerabilities. Add Adobe Flash vulnerabilities into the mix, and the two programs made up the lion’s share of the Web exploits ScanSafe detected in Q409.

Source: ScanSafe

For its part, Firefox maker Mozilla at the end of last year began tracking a huge uptick in the number of Firefox crashes due to Adobe Reader. As some posters to this Mozilla Bug Database entry posit, the crashes were almost certainly due to increased exploitation of the Adobe Reader zero-day vulnerability that Adobe finally patched on Jan. 12, weeks after evidence surfaced that criminal hackers were exploiting the flaw in targeted attacks.

Update, 4:06 p.m. ET: If you decide to do without Adobe Reader and uninstall it, you might want to nix the Adobe Download Manager as well. Researcher Aviv Raff points to some nifty work he’s done which shows that Adobe’s Download Manager — which ships with all new versions of Flash and Reader — can be forced to reinstall an application that’s been removed, such as Reader. According to Raff, a Web site could hijack the Adobe Download manager to download and install any of the following:

Adobe Flash 10

• Adobe Reader 9.3
• Adobe Reader 8.2
• Adobe Air 1.5.3
• ARH tool – allows silent installation of Adobe Air applications
• Google Toolbar 6.3
• McAfee Security Scan Plus
• New York Times Reader (via Adobe Air)
• Fanbase (via Adobe Air)
• Acrobat.com desktop shortcut

Raff writes: “So, even if you use an alternative PDF reader, an attacker can force you to download and install Adobe Reader, and then exploit the (yet to be patched, but now known) vulnerability. The attacker can also exploit 0-day vulnerabilities in any of the other products mentioned above.” Read more on his findings at this link here.