All that is wrong with the world…

November 22, 2010

Adobe Reader X

Filed under: Security — Tags: , , , , , — allthatiswrong @ 11:20 am

A few days the long awaited Adobe Reader X was released. Given that Adobe Reader and Flash have been the primary attack vector on PC’s for the last few years (with them being responsible for over 80% of attacks in 09 alone) a secure version of Reader is long overdue. It is a sad state of affairs that a PDF viewer needs a sandbox in the first place, but given the reality of the situation it is good to see Adobe finally stepping up. The question is, did they do a good job? Adobe have an atrocious track record when it comes to security, but going by their blog it seems they worked closely with experts, so hopefully it is as good as can be expected.

The initial impressions upon first using Reader X were not great. The setup file is quite larger, 35mb as compared to 26mb for 9.4. Nothing really seems to have changed except for the sandbox, and the ability to comment pdf’s built in to the reader, which I guess is nice. The toolbar seems to be using a different widget set and it now looks cartoonier, which I don’t like at all. I had originally thought the toolbar had disappeared from the browser plugin which would make it harder to navigate pages, but it is actually a minimal toolbar on autohide at the bottom of the screen. While not intuitive it is a big improvement. For some reason the installer still places a shortcut on your desktop as it has for years. I’ve never understood that, as I have no desire to stare at a grey screen.

The security changes seem interesting. The reader is now using marked as a low integrity process in addition to the sandbox, as well as having full DEP and ASLR support. There are no customization options for the sandbox that I could find, but then none are really needed. The sandbox is only for the Windows version, so OS X, Linux and Android users are still left unprotected. As per the Adobe blog post above all write attempts are sandboxed by default. This should effectively stop most drive by download attempts in their tracks. It isn’t terribly easy to tell if protected mode is on or not, requiring to view the advanced properties of the pdf you are currently viewing. It seems however Adobe is aware of this and other problems and will work towards them on future releases. I am actually having trouble finding any further detailed information on the new protected mode, as clicking on the link on the website simply shows me a nice generic image of Adobe Reader.

I often see the point come up that using an alternative PDF reader such as Foxit or Sumatra will provide better security. This is simply false. Neither Sumatra nor Foxit have DEP or ALSR support (which is trivial to implement) and act buggy if they are forced to run as a low integrity process. They also lack an equivalent to the Enhanced Security Mode present in Adobe Reader since 9.3, requiring confirmation for certain actions. PDF exploits are often reader independent, in which case Adobe Reader actually has better mitigation techniques than any other reader. The gain in security via obscurity by using these other readers is far less than the mitigations techniques present in Reader X. With the introduction of a sandbox, Adobe Reader X is clearly the most secure choice at the moment. In addition to security aspects, other readers are simply not good enough to be a replacement yet as they have problems with overly large files or lack compatibility entirely for features such as forms.

I wonder when Flash will gain a similar to sandbox, as it is another primary attack vector these days if not more so than PDFs. Flash is still being targeted such as in this recent attack yet I have no heard no plans for Adobe to make security a priority for flash as they have for Reader, which is kind of strange.

What the last few years and various PDF and Flash exploits have shown is that DAC continues to be a poor access control framework for a modern desktop environment. There is simply no reason that a program started as a user should inherit the full rights of that user. If we had an easy to use MAC implementation that was mostly transparent, than most of these exploits would not be an issue, in fact they probably would not exist due to them not being possible in the first place. It seems the industry is slowly heading in that direction and features like sandboxing and integrity levels for processes are a good start. At least they will suffice for the meantime until such a time when operating systems allow us to easily sandbox risky or untrusted applications instead of relying on each program implement their own version. In the meanwhile for applications that are not sandboxed, it is possible to do so using Sandboxie, however it is not as effective on 64bit versions of Windows due to Kernel Patch Protection. I am not aware of any sandboxing applications on OS X and of course on Linux you can use a jail or one of the main MAC implementations.


  1. I am not aware of any sandboxing applications on OS X

    Tony Lawrence provides a good entry point for understanding the built-in MacOS X MAC layer and the built-in sandboxing tools:

    Also, the narrower issue of how one might sandbox Adobe Reader on a Mac is mostly uninteresting because Most Mac users never bother installing Adobe Reader. MacOS X has its own PDF rendering engine which is in a sense a descendant of the old DisplayPostScript that was used in NextStep. With PDF as a core technology, it was a trivial matter for Apple to include nearly all of the functionality of what was then Acrobat Reader in their bundled general-purpose graphics application (Preview) and to make Safari display PDF’s without a 3rd-party plugin. There are some arcane PDF features that essentially demand Adobe Reader, but they are uncommon enough that most Mac users never notice.

    Comment by Bill Cole — December 18, 2010 @ 3:51 pm

    • Another, geekier starting point on MacOS sandboxing from the POV of the Chromium developers:

      Comment by Bill Cole — December 18, 2010 @ 3:56 pm

    • Thanks Bill, interesting links.

      I am not overly familiar with Preview, but had thought that like most non Adobe PDF readers it lacked functionality, such as form support?

      I’m actually working on an article at the moment about the security problems in OS X, so stay tuned.

      Comment by allthatiswrong — December 19, 2010 @ 2:31 pm

      • Preview has had partial form support since the Tiger release (2005) and all of the gaps that I have actually seen in a PDF other than a demo were closed in one of the later Leopard revisions (2008?) I understand that there’s still some functionality gap between Preview and Reader, but it isn’t anything major. A slice of my work is supporting mixed-platfrom businesses, and the only Mac users I know of who need more than Preview are the ones who need the full Acrobat for producing PDF’s.

        Comment by Bill Cole — December 19, 2010 @ 11:31 pm

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: