Adobe Secures Reader X With Sandboxing Technology

Adobe Systems has released Adobe Reader X, bringing with it the sandboxing technology the company has touted as an answer to some of its recent security failings.

The sandboxing is aimed at Windows users who have borne the brunt of the attacks against the PDF-viewing software. The technology is similar to that which Google built into Chrome and Microsoft incorporated into Office 2010 Protected Viewing Mode.

Mitigating Attempted Attacks

Adobe Reader now has its own ‘Protected Mode’, which represents “an exciting new advancement in mitigating the impact of attempted attacks”, the company told eWEEK.

“While sandboxing is not a security silver bullet, it provides a strong additional level of defence against attacks as software vendors work on reducing both the frequency and the impact of security vulnerabilities,” an Adobe spokesperson said.

The initial release of Adobe Reader Protected Mode sandboxes all write calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008 and Windows Server 2003. Future releases will extend the technology to include read-only activities as well, though the company said the timing for that is still being determined.

Enabled by default, Protected Mode effectively means all operations required by Reader to display PDF files are run inside the sandbox. If Reader needs to perform an action not permitted in the sandbox environment – like writing to the user’s temporary folder – those requests are funnelled through a “broker process” controlled by a set of policies for what is and what is not allowed.

“For Adobe Reader, this means that even if exploitable security vulnerabilities are found by an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files or installing malware on potential victims’ computers,” the spokesperson said. “That’s because the attacker would not only have to find a vulnerability in the software itself – he would also have to find a second vulnerability to break out of the sandbox.”

There has been no shortage of Reader vulnerabilities this year. Earlier this week, the company released an update that patched a vulnerability affecting a component in Reader used to render Flash content that had come under attack.

“Adobe’s product security initiatives are focused on reducing both the frequency and the impact of security vulnerabilities,” blogged Brad Arkin, senior director of product security and privacy at Adobe. “Adobe Reader Protected Mode represents an exciting new advancement in mitigating the impact of attempted attacks. While sandboxing is not a security silver bullet, it provides a strong additional level of defence against attacks.”