Sandboxed Adobe Reader Finally Here

[tipo]

Following a massive security engineering undertaking, Adobe has finally released a fully sandboxed version of its ubiquitous Adobe Reader product, which promises to stop the majority of PDF-based exploits.

After facing repeated criticism from the security community during the past few years for being unable to secure its software or to keep its user base updated, Adobe now has congratulations coming its way.

The newly released Adobe Reader X (10.0), brings a lot of new document collaboration and multimedia functionality to what was already the most feature-rich PDF viewer program.

However, from a security perspective, the company's greatest achievement is the new Protected Mode, a sandboxing technology enabled by default in the program.

In the software development world, sandboxing means isolating a process within a restricted environment, from where its ability to interact with the underlying operating system is strictly controlled.

Conceptually it is similar to putting someone in a jail. A prisoner passes through a secure door in order to interact with the outside world and once they do so, their moves are closely watched.

In Adobe Reader's Protected Mode, the prisoner is the PDF rendering process. In order to call complex system APIs, it has to ask a guarding brokering process for permission.

This major security enhancement will not lower the number of vulnerabilities found in Adobe Reader, but leveraging them to compromise computers will be a much more difficult task.

It is not impossible to escape the sandbox in order to execute malicious code on the system, but doing so requires exploiting vulnerabilities in both the rendering and the brokering processes.

In addition, on Vista and Windows 7, the attacker also needs to bypass OS security technologies like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and Structured Exception Handling Overwrite Protection (SEHOP ), for both of the two chained exploits.

This is no easy undertaking, even for experienced exploit writers. And, even if they somehow manage to do this, the hurdles are not over.

The broker process is not running under an administrator account, so whatever code is executed after escaping the sandbox will have a limited impact.

To maximize the damage, an attacker would need to exploit a separate unpatched privilege escalation vulnerability in the operating system itself.

Scott Stender from iSEC Partners, one of the companies contracted to review the Protected Mode design and code, called Adobe's efforts the most ambitious attempt to sandbox a Windows application to date.

"While it is indeed simple to place a restricted wrapper around a minimal service or piece of demonstration code, placing large applications, with all of their dependencies, in a sandbox presents an entirely different challenge. [...]

"Millions of lines of existing code, a third-party development platform, every multimedia technology under the sun, all now running in an entirely new execution environment. It is hard to overstate the challenge of doing so and the accomplishment of getting there," he notes.

However, while the new Protected Mode is expected to drive hackers away from Adobe Reader, this will not happen over night.

Widespread adoption of the technology will take months or even years, especially in corporate environments, where many users still use Adobe Reader 8.x, for compatibility reasons.

For now, we can only advise home users to switch over to the new Adobe Reader X. If you're running 9.x, it will install on top of it (we haven't tested for 8.x).

It's worth noting that Adobe Reader X has only been released for Windows and Mac so far and the Protected Mode is only available for the Windows version.

link