Adobe Strengthens PDF Reader With Sandboxing

The upcoming version of Adobe Reader will comes with new sandboxing technology, as Adobe Systems seeks to protect users from vulnerability exploits.

Known as ‘Protected Mode’, the technology will be included in the next full version of the PDF viewing software, and comes at a time when attackers are increasingly using Adobe vulnerabilities to compromise computers. The technology is aimed at computers running Microsoft Windows, which have been the target of most of these attacks.

“Although vulnerabilities do exist in reader for Mac and Unix versions [of Reader], the real world attacks that we’re seeing are almost universally on Windows, and so by getting the protection in place for that platform…we’re able to do get that protection out to the users where the actual threats are occurring,” explained Brad Arkin, director of product security and privacy at Adobe.

Program Isolation

Sandboxing limits the privileges a program can run under, isolating that program from other programs on a computer. With ‘Protected Mode’, Adobe is following down the same path as Microsoft and Google, which were both involved in developing the technology with Adobe and have made sandboxing centerpieces of recent security moves. Microsoft for example added sandboxing to Office 2010, while Google brought sandboxing to bare in its Chrome browser as well as plans for the Chrome operating system.

Adobe Protected Mode will be enabled by default, and the initial release will sandbox all write calls by the program, thereby blocking attempts to install malicious code. Eventually, read-only activities will be placed in the sandbox as well, Arkin said.

“Adobe Reader Protected Mode doesn’t solve every conceivable security problem that might confront our users of the product,” Arkin said. “But the vast majority of attacks that we’ve seen in the past couple years, are leveraging some type of remote code exploit that allows them to execute code due to a memory trespass vulnerability and they use that to either install software or carry out some other malicious activity which the sandbox will make much harder to do.”

Tough Year

The past year has been particularly challenging for Adobe security. In 2009, the company changed its development process to include review for legacy code in updated applications, and changed the scheduling of its security updates to coincide with Microsoft’s Patch Tuesday. Three months ago, Adobe enabled a silent updating feature in Reader and Adobe Acrobat to protect users as well.

“[Sandboxing] I think is an important mitigation technology to help us defend our users against the type of attacks that are happening, and not just provide defences against it but really limit the potential for harm even if an exploit is carried out,” Arkin said.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago