Adobe to fortify widely exploited Reader with security sandbox
Like airbags for apps
Under criticism for being the world's most exploited application, Adobe Systems' Reader program will soon include a security design that's intended to thwart malicious attacks against end users.
Borrowing a page from engineers at Microsoft and Google, Adobe is adding the a so-called sandbox feature to Adobe Reader for Windows operating systems. The protected mode will run by default to force the document reader to run in a highly restricted environment that prevents the underlying PC from carrying out sensitive functions. Installing and deleting files, modifying the system registry and launching other programs will no longer be possible under most circumstances.
“The idea is to run the application with lower rights so that even if a bad guy figures out how to take over a process, they can't do much with it,” Brad Arkin, Adobe's senior director of product security and privacy, told El Reg. “The benefit to our customers is it adds another layer of defense so that even if there is a vulnerability that someone is able to exploit, the impact of that attack is diminished.”
Over the past 18 months, Reader users have been repeatedly hammered by hackers pushing attack code that targets unpatched security bugs in the application. In March, Reader edged out Microsoft Word as the most exploited application, according to anti-virus provider F-Secure. Three weeks ago, Adobe pushed out an emergency update to patch at least two vulnerabilities that were being actively attacked in the wild to install malware on end user machines.
The addition of the sandbox architecture can be viewed as similar to adding airbags to a car. It won't purge Reader of bugs, just as airbags aren't intended to prevent accidents. Instead, Adobe hopes the new design will lessen the damage that can result when vulnerabilities are identified. Instead of leading to remote code execution – the holy grail sought by malware purveyors – the bugs would at worst result in a crash of the application.
“We've done everything we can to build the walls of that sandbox as tall as possible,” Arkin said. “We're not sure how the offensive community will react. They may move on to a different product and attack QuickTime instead, or they may look at other applications that are easier to attack. Or they may find clever ways to carry out some type of malicious activity against Reader which are quite different than the attack techniques that they use today.”
Of the dozen or so real-world attacks that have exploited vulnerabilities in versions 8 and 9 of Reader, none of them would have succeeded against the application had it employed the sandbox, Arkin said.
For help, Adobe engineers turned to their counterparts at Microsoft and Google. Microsoft has employed the technology in Office, while Google has it in its Chrome browser. Chrome was the only browser entered into this year's Pwn2Own hacker conference that emerged unscathed, and researchers widely credited the sandbox as the reason why.
Arkin said the sandbox will debut with the next major revision of Reader, which he expects to ship sometime this year. The design will initially block all functions that write to the underlying operating system, a feature that will prevent the remote installation of software on vulnerable machines. Eventually the sandbox will be extended to allow read-only activities, which Arkin said would help prevent more sophisticated attacks such as memory-resident exploits.
Adobe has been working on the new design in earnest for almost a year. In addition to Microsoft and Google, it has also sought help from third-party security consultancies and customers. Adobe has no plans at the moment to deploy a sandbox feature for Reader versions running on Max OS X or Unix.
There are no plans to add a similar feature to Flash Player, the other Adobe application that has come under repeated attack, although users of Windows Vista and Windows 7 have a protected mode for Internet Explorer plugins that includes Flash.