Unfortunately, exploiting security vulnerabilities in Adobe’s PDF products has become something of a growth industry. In response, Adobe has released major security updates to Reader (last November), Acrobat (two weeks ago) and their corresponding web browser plug-ins. These updates integrate ‘sandboxes’ to isolate the software from system resources.
The sandbox technology aims to protect a user’s system by disabling features through which a PDF document could interact with the rest of the system. The idea is that this will limit the number of opportunities for attackers to execute malicious code. The Adobe sandboxes operate via secure modes (‘Protected View’ for Acrobat and ‘Protected Mode’ for Reader) that are enabled by default whenever a user opens a file from an untrusted source.
Just a slight correction: The behavior of Acrobat’s sandbox tech (via Protected View) is more complicated than Reader’s. According to Joel Geraci’s post on The PDF Developer Junkie Blog, Acrobat’s Protected View is actually disabled by default to avoid breaking existing workflows. Geraci recommends enabling it all the time for casual users working in unsecured environments, and I agree with him. There are also functional differences between viewing PDF documents in Acrobat itself and viewing them in a web browser using Acrobat’s browser plug-in. I cover these items in more detail, along with exploring the implications for third-party plug-ins, in my follow-up to this article.
Of course, the term ‘untrusted source’ implies that one can designate ‘trusted sources’, and this is indeed the case. Users can specify files, folders and locations as privileged locations that are exempt from the secure mode restrictions. Unlike documents downloaded from, say, a new website you have just been browsing, these files will not open in sandbox mode. This ability to set up trusted sources and files saves Acrobat users the hassle of having to hit the ‘Enable All Features’ button every time they open an internal or personal document. Hopefully, it should also mean that users don’t just get into the habit of enabling every document they open, which would defeat the purpose of the new security measures. Once a document is enabled, it stays enabled without further manual action.
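Because Reader’s Protected Mode ships on by default while Acrobat’s Protected View does not, an administrator may want to verify the actual state on a given Windows machine rather than assume it. The following PowerShell snippet is an added example, not code from the original article or from Adobe; it reads the per-user preference and the machine-wide policy (FeatureLockDown) value for each product and reports which way the sandbox is set. The registry paths, value names (bProtectedMode, iProtectedView) and the ‘10.0’ version key are assumptions based on Adobe’s documented preference layout for the X releases; adjust $Version for other builds.

```powershell
# Added example (not from the original article or Adobe): audit the Adobe sandbox switches on a Windows host.
# ASSUMPTIONS: paths and value names follow Adobe's preference reference for the 10.0 (X) releases.
#   Reader  : bProtectedMode  1 = Protected Mode on, 0 = off (absent = product default, on)
#   Acrobat : iProtectedView  0 = off, 1 = files from potentially unsafe locations, 2 = all files
#   A value under HKLM ...\FeatureLockDown is an admin policy and takes precedence over the HKCU preference.

function Get-AdobeSandboxState {
    param([string]$Version = "10.0")

    $checks = @(
        @{ Product = "Reader";  Scope = "User";   Path = "HKCU:\Software\Adobe\Acrobat Reader\$Version\Privileged";               Name = "bProtectedMode" },
        @{ Product = "Reader";  Scope = "Policy"; Path = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$Version\FeatureLockDown"; Name = "bProtectedMode" },
        @{ Product = "Acrobat"; Scope = "User";   Path = "HKCU:\Software\Adobe\Adobe Acrobat\$Version\TrustManager";              Name = "iProtectedView" },
        @{ Product = "Acrobat"; Scope = "Policy"; Path = "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\$Version\FeatureLockDown";  Name = "iProtectedView" }
    )

    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -Path $c.Path) {
            # Get-ItemProperty returns $null for the property if the value does not exist.
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }

        # Translate the raw value into a human-readable status, using the defaults described in the article.
        $status = switch ($c.Product) {
            "Reader" {
                if ($null -eq $value)      { "not set (default: Protected Mode ON)" }
                elseif ($value -eq 1)      { "Protected Mode ON" }
                else                       { "Protected Mode OFF" }
            }
            "Acrobat" {
                switch ($value) {
                    $null   { "not set (default: Protected View OFF)" }
                    2       { "Protected View ON for all files" }
                    1       { "Protected View ON for files from potentially unsafe locations" }
                    default { "Protected View OFF" }
                }
            }
        }

        [pscustomobject]@{
            Product = $c.Product
            Scope   = $c.Scope
            Key     = "$($c.Path)\$($c.Name)"
            Value   = $value
            Status  = $status
        }
    }
}

# Usage: list the state for the 10.0 release; pass -Version to check another build.
Get-AdobeSandboxState -Version "10.0" | Format-Table -AutoSize
```

When a Policy-scope row carries a value, that setting wins over the User-scope row for the same product, so read the policy row first; a Reader row that reports ‘not set’ simply means the product is running with its shipped default, whereas an Acrobat row that reports ‘not set’ means Protected View has never been switched on for that user.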
The new secure mode imposes the same sorts of restrictions as the Protected View associated with Microsoft Office 2010. A post on the Adobe Secure Software Engineering Team (ASSET) blog concluded:
The Acrobat Protected View sandboxing solution is a great way for protecting users from malware PDF attacks. In the protected view the user will have very limited access to the Acrobat functionality as such, but it’s just enough to make an informed decision as to whether he/she wants to trust the document or not. And its design allows the user to read the contents of a PDF file received from untrusted sources without having to worry about a system compromise due to malware infection. The yellow bar indicator at the top allows transition into the normal editing mode of Acrobat once the document has been explicitly trusted by the user. Sandboxing adds another layer of defense to the overall Acrobat product security. It’s not a silver bullet, but it can go a long way in protecting our customers and users from most of the commonly known attacks out there.
As suggested by the comment that sandboxing is ‘not a silver bullet’, the new technology makes it more difficult — but not impossible — to attack a user’s system. Application security researcher Billy Rios demonstrated a few months ago that it is possible to bypass Adobe’s sandboxing restrictions with Flash-based content. His method could potentially allow an attacker to silently transmit data to a server.
This point should be considered in context, however. The eternal conundrum in security is the necessary trade-off between protection and usability. No usable system is ever going to be 100% secure, and no completely secure system is ever going to be particularly usable. Adobe’s sandboxing technology illustrates this point, as it provides system security at the expense of functionality by disabling certain features. In this case, it seems a reasonable compromise, however, as users can reactivate the extra features for trusted files. Adobe also continues to release regular security patches for its PDF and Flash products as new issues are identified.
Clearly, the new sandbox technology will have implications for third-party plug-ins for Acrobat. Stay tuned for our follow-up piece on what this means for plug-in developers and users.