Securing PDFs - Adobe's coming Sandbox feature
It's hard not to admire Adobe's creativity as a software maker, but security has usually been the company's obvious blind spot. News that the Acrobat PDF reader is to get a sandbox is a sign that things are changing.
The case for radical measures to improve security doesn't take much making. Indeed, looking back on Techworld there has barely been a month in recent years when Acrobat and the PDF file format in general haven't featured in one security alert story or another.
It has almost become a security genre of its own. Witness a recent story, picked at random from only a few weeks ago, on yet another round of vulnerabilities.
Now, according to a blog post by Adobe engineer Brad Arkin, the next major version of the reader will feature a 'sandbox' design reminiscent of the one found in Google's Chrome browser, and in fact developed with input from Microsoft's Office team, Google's Chrome sandbox engineers and a number of others.
It will be called Adobe Reader Protected Mode and will, importantly, be turned on by default. The first release targets the way PDF exploits try to take hold, by modifying the registry and writing files elsewhere on the victim's PC: the process that parses the PDF runs with its 'write' calls restricted. Writes will still be possible, as they have to be for the reader to function at all, but they will land inside the sandbox itself rather than anywhere on the PC.
Future versions will extend the sandbox to read calls, used by attackers in some circumstances to find and steal sensitive data, although that might be trickier to design for a number of reasons.
This is good news on various levels. It shows the power of industry co-operation, and the fact that Adobe sought external input in the first place. It should also make malware less likely to target the ubiquitous PDF as a way under the security radar, and it bodes well for the future of the format.
Critically, the sandbox won't ignore the legacy users, and will work on Windows XP as well as Vista, Windows 7, Windows Server 2008, and Windows Server 2003.
The complication in all this is how to handle certain calls within the sandbox environment. As Arkin himself says:
“Should Adobe Reader need to perform an action that is not permitted in the sandboxed environment, such as writing to the user’s temporary folder or launching an attachment inside a PDF file using an external application (e.g. Microsoft Word), those requests are funneled through a “broker process,” which has a strict set of policies for what is allowed and disallowed to prevent access to dangerous functionality.”
So there is some work to do here, even if we can all see how attractive the concept is, and how the involvement of Microsoft (which knows Windows) is probably what makes it all possible. We need to know more about how such policies will be set, because that could introduce another layer of complexity that admins could do without.
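To make the broker idea concrete, here is a small model of such a policy, written for this article as an illustration and not Adobe's code. The worker inside the sandbox cannot write to disk, touch the registry or launch programs itself; it hands each request to a broker, which applies a default-deny rule set: writes are allowed only inside the sandbox's own store or the user's temp folder, registry writes are refused outright, reads pass (as in the first release), and external applications launch only if they are on an allowlist. The account name, directories, allowlisted application and sample requests are all constructed assumptions; the point is the shape of the checks, in particular that the path is canonicalised before it is compared against the allowed roots, so a traversal or a change of case cannot slip past the rule.

```python
import ntpath
from dataclasses import dataclass
from enum import Enum


class Op(Enum):
    READ_FILE = "read_file"
    WRITE_FILE = "write_file"
    WRITE_REGISTRY = "write_registry"
    LAUNCH_APP = "launch_app"


@dataclass(frozen=True)
class Request:
    """A request the sandboxed worker hands to the broker."""
    op: Op
    target: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def canon(path: str) -> str:
    """Normalise a Windows-style path before comparing it against policy.

    normpath collapses '.' and '..' so the worker cannot escape an allowed
    directory with a traversal; normcase folds case and separators, since
    NTFS paths are case-insensitive and accept both '/' and '\\'.
    ntpath works on any host, so this runs outside Windows too.
    """
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True if canonical `path` is `root` itself or lies below it."""
    p, r = canon(path), canon(root)
    return p == r or p.startswith(r.rstrip("\\") + "\\")


class BrokerPolicy:
    """Allow/deny rules the broker applies; anything not listed is denied."""

    def __init__(self, sandbox_root: str, temp_dir: str, launch_allowlist) -> None:
        self.sandbox_root = sandbox_root
        self.temp_dir = temp_dir
        self.launch_allowlist = frozenset(n.lower() for n in launch_allowlist)

    def decide(self, req: Request) -> Decision:
        if req.op is Op.READ_FILE:
            # The first release of Protected Mode restricts writes only.
            return Decision(True, "reads are not restricted in this release")
        if req.op is Op.WRITE_FILE:
            if is_under(req.target, self.sandbox_root):
                return Decision(True, "write lands in the sandbox's own store")
            if is_under(req.target, self.temp_dir):
                return Decision(True, "broker performs the write to the user temp folder")
            return Decision(False, "write outside sandbox store and temp folder")
        if req.op is Op.WRITE_REGISTRY:
            return Decision(False, "registry writes are never brokered")
        if req.op is Op.LAUNCH_APP:
            exe = ntpath.basename(req.target).lower()
            if exe in self.launch_allowlist:
                return Decision(True, f"{exe} is on the launch allowlist")
            return Decision(False, f"{exe} is not on the launch allowlist")
        return Decision(False, "unknown operation")  # default-deny


# Constructed example policy: the user, paths and allowlist are assumptions.
POLICY = BrokerPolicy(
    sandbox_root=r"C:\Users\alice\AppData\LocalLow\Adobe\ReaderSandbox",
    temp_dir=r"C:\Users\alice\AppData\Local\Temp",
    launch_allowlist=["WINWORD.EXE"],
)

# Constructed requests, mixing legitimate reader activity with the kind of
# write an exploit payload would attempt (persistence, hosts file, Run key).
SAMPLE_REQUESTS = [
    Request(Op.WRITE_FILE, r"C:\Users\alice\AppData\LocalLow\Adobe\ReaderSandbox\cache\page1.bin"),
    Request(Op.WRITE_FILE, r"C:\Users\alice\AppData\Local\Temp\out.tmp"),
    Request(Op.WRITE_FILE, r"C:\Users\alice\AppData\Local\Temp\..\..\..\..\..\Windows\System32\drivers\etc\hosts"),
    Request(Op.WRITE_FILE, r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.exe"),
    Request(Op.WRITE_REGISTRY, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Request(Op.READ_FILE, r"C:\Users\alice\Documents\report.pdf"),
    Request(Op.LAUNCH_APP, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    Request(Op.LAUNCH_APP, r"C:\Windows\System32\cmd.exe"),
]


def evaluate(policy: BrokerPolicy, requests) -> list:
    """Return (target, allowed) pairs for each request under the policy."""
    return [(r.target, policy.decide(r).allowed) for r in requests]


if __name__ == "__main__":
    for target, allowed in evaluate(POLICY, SAMPLE_REQUESTS):
        print("ALLOW" if allowed else "DENY ", target)
```

A real broker has to do more than compare strings: the canonical path also needs resolving against the live filesystem, otherwise a junction or symlink planted under the temp folder can redirect an 'allowed' write somewhere else, and the rule for launching an external application has to cover the arguments handed to it, not just the executable's name.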
But let's not be put off. Sandbox all programs, I say. That could be where popular apps in general are heading sooner or later, not just Acrobat.