Feeds

Adobe to fortify widely exploited Reader with security sandbox

Like airbags for apps

Choosing a cloud hosting partner with confidence

Under criticism for being the world's most exploited application, Adobe Systems' Reader program will soon include a security design that's intended to thwart malicious attacks against end users.

Borrowing a page from engineers at Microsoft and Google, Adobe is adding the a so-called sandbox feature to Adobe Reader for Windows operating systems. The protected mode will run by default to force the document reader to run in a highly restricted environment that prevents the underlying PC from carrying out sensitive functions. Installing and deleting files, modifying the system registry and launching other programs will no longer be possible under most circumstances.

“The idea is to run the application with lower rights so that even if a bad guy figures out how to take over a process, they can't do much with it,” Brad Arkin, Adobe's senior director of product security and privacy, told El Reg. “The benefit to our customers is it adds another layer of defense so that even if there is a vulnerability that someone is able to exploit, the impact of that attack is diminished.”

Over the past 18 months, Reader users have been repeatedly hammered by hackers pushing attack code that targets unpatched security bugs in the application. In March, Reader edged out Microsoft Word as the most exploited application, according to anti-virus provider F-Secure. Three weeks ago, Adobe pushed out an emergency update to patch at least two vulnerabilities that were being actively attacked in the wild to install malware on end user machines.

The addition of the sandbox architecture can be viewed as similar to adding airbags to a car. It won't purge Reader of bugs, just as airbags aren't intended to prevent accidents. Instead, Adobe hopes the new design will lessen the damage that can result when vulnerabilities are identified. Instead of leading to remote code execution – the holy grail sought by malware purveyors – the bugs would at worst result in a crash of the application.

“We've done everything we can to build the walls of that sandbox as tall as possible,” Arkin said. “We're not sure how the offensive community will react. They may move on to a different product and attack QuickTime instead, or they may look at other applications that are easier to attack. Or they may find clever ways to carry out some type of malicious activity against Reader which are quite different than the attack techniques that they use today.”

Of the dozen or so real-world attacks that have exploited vulnerabilities in versions 8 and 9 of Reader, none of them would have succeeded against the application had it employed the sandbox, Arkin said.

For help, Adobe engineers turned to their counterparts at Microsoft and Google. Microsoft has employed the technology in Office, while Google has it in its Chrome browser. Chrome was the only browser entered into this year's Pwn2Own hacker conference that emerged unscathed, and researchers widely credited the sandbox as the reason why.

Arkin said the sandbox will debut with the next major revision of Reader, which he expects to ship sometime this year. The design will initially block all functions that write to the underlying operating system, a feature that will prevent the remote installation of software on vulnerable machines. Eventually the sandbox will be extended to allow read-only activities, which Arkin said would help prevent more sophisticated attacks such as memory-resident exploits.

Adobe has been working on the new design in earnest for almost a year. In addition to Microsoft and Google, it has also sought help from third-party security consultancies and customers. Adobe has no plans at the moment to deploy a sandbox feature for Reader versions running on Max OS X or Unix.

There are no plans to add a similar feature to Flash Player, the other Adobe application that has come under repeated attack, although users of Windows Vista and Windows 7 have a protected mode for Internet Explorer plugins that includes Flash.

Adobe has more here and here. ®

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.