Adobe Reader X sandbox leaves 'residual risk'

Summary: Adobe's implementation of a new sandbox (Protected Mode) in the newest version of its PDF Reader software leaves significant "residual risk" for cyber-attackers to exploit.

Even as Adobe is touting the new sandbox (Protected Mode) in the newest version of its PDF Reader software, a security researcher says the company's implementation leaves significant "residual risk" for cyber-attackers to exploit.

According to Chris Greamo, a researcher at Invincea, the Adobe Reader X sandbox is definitely a step in the right direction but he argues that the implementation will not prevent attacks from accessing sensitive parts of a hijacked computer.

[The] devil is in the design and implementation.  Protected Mode is a surgical sandbox implementation targeting really the most egregious vulnerabilities in a few core components, namely Reader’s renderer and its Javascript engine. Protected Mode will improve the security of Reader against certain types of attacks – those attacks that exploit the rendering engine and attempt to either install malware or monitor user keystrokes. Adobe engineers themselves enumerate Protected Mode limitations, including:

  • Protected Mode will not prevent unauthorized read access to the file system or registry.
  • Protected Mode will not restrict network access.
  • Protected Mode will not prevent reading or writing to the clipboard.

Greamo said these limitations will allow attackers that exploit these “protected” components to stay resident in memory and perform damaging activities such as:

  • Read and exfiltrate data from the registry and/or user’s file system
  • Attack other machines and devices on the network
  • Use Reader as a stepping stone to execute other exploits against the host system including exploits against kernel services

The sandbox, included in Adobe Reader X, is similar to the Google Chrome sandbox and Microsoft Office 2010 Protected Viewing Mode. Based on Microsoft’s Practical Windows Sandboxing technique, it is turned on by default and runs every operation performed on a PDF file inside a tightly restricted process.

The first sandbox implementation isolates all “write” calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. Adobe argues that this will mitigate the risk of exploits seeking to install malware on the user’s computer or otherwise change the computer’s file system or registry. In a future dot-release, the company plans to extend the sandbox to include read-only activities to protect against attackers seeking to read sensitive information on the user’s computer.

Invincea's Greamo believes the residual exposures left by Adobe’s Protected Mode are "significant" and can only be addressed by a more comprehensive solution that confines attacks against all Reader components, the shared libraries it uses, the kernel, and the network.

"With the release of Adobe Reader X, expect to see new vulnerabilities presented by this additional code to be discovered and exploited by the BlackHat community," he added.

Topics: Operating Systems, CXO, Enterprise Software, Security, Software, Windows

Talkback

16 comments
  • Should not sandboxing be part of the o/s?

    Linux provides Linux Security Modules which sandbox your app.

    There is no equivalent in Windows. Why?
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Adobe Reader X sandbox leaves 'residual risk'

      @Dietrich T. Schmitz, Your Linux Advocate Linux has no native Photoshop, 3ds max, or most decent games. Why? Completely sandboxing an App would make bypassing most DRM schemes trivial (if you want that, just run a VM), but there are things you can do, such as using chml.exe, to increase the effectiveness of sandboxing on Windows.
      jamesrayg
    • RE: Adobe Reader X sandbox leaves 'residual risk'

      @Dietrich T. Schmitz, Your Linux Advocate
      I've seen the command to sandbox Firefox before. Can you post it again? Also, do I have to run that command for any app I want to run? If so, it looks like the command that james provided does the same in Windows.

      @james
      Thanks for the links. I'll check them out.
      riverab@...
    • RE: Adobe Reader X sandbox leaves 'residual risk'

      @Dietrich T. Schmitz, Your Linux Advocate
      Because Microsoft provides fine-grained access control to files and applications that can't be matched in Linux, thus no need for the sandbox unless you loosen those controls.

      There is no equivalent in Linux. Why?
      Loverock Davidson
      • Fine grain

        @Loverock Davidson
        That almost reads like you know of what you write.
        The jig is up A.H.
        Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Adobe Reader X sandbox leaves 'residual risk'

      @Dietrich T. Schmitz, Your Linux Advocate

      http://www.sandboxie.com/
      dev/null
    • Somebody would probably complain to the EU

      And then the EU would fine MS again.
      Michael Alan Goff
    • Integrity Levels and Mandatory Access Control in Vista

      @Dietrich T. Schmitz, Your Linux Advocate
      Integrity Levels and Mandatory Access Control have been in Vista since 2007.
      directory
    • Integrity Levels is a core security feature introduced in Windows Vista

      @Dietrich T. Schmitz, Your Linux Advocate
      Mandatory Integrity Control (MIC) or Integrity Levels is a core security feature, introduced in Windows Vista and Windows Server 2008
      directory
  • RE: Adobe Reader X sandbox leaves 'residual risk'

    You can use CHML.EXE to make your data unreadable to sandboxed programs on Windows Vista and Windows 7. By default, sandboxed programs cannot write to files, but can read. CHML.EXE is available from: http://www.minasi.com/apps/

    For example:
    chml.exe c:\finances -i:m -nx -nr -nw
    Will make c:\finances unreadable, unwritable, and unexecutable to IE and Reader X.

    RegIL.EXE (same URL) can do the same for the registry, but is only recommended for advanced users.

    This and other tips on securing/hardening Windows Vista and Windows 7 can be found at my security guide at http://bulletproof-windows.blogspot.com
    jamesrayg
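The write-only isolation described in the article (a sandboxed renderer that Windows stops from writing to the user's files and registry while still letting it read them) and the chml invocation in the comment above both come down to the same mechanism: the Windows mandatory-label check. The Python model below is an added example, not code from the article, from Adobe, or from the chml tool. It assumes the sandboxed renderer runs at Low integrity, as the comment's advice implies, assumes a mapping of chml's -i, -nw, -nr and -nx switches onto Windows' integrity level and No-Write-Up/No-Read-Up/No-Execute-Up policy flags, and ignores the discretionary ACL, which Windows evaluates separately.

```python
"""Model of the Windows mandatory-label (integrity level) check.

Added illustration, not Windows, Adobe or chml code: it reproduces the rule
that a subject whose integrity level is below an object's label is denied
exactly the operations named in the label's policy. The discretionary ACL,
which Windows evaluates separately, is ignored here.
"""
from dataclasses import dataclass

# Integrity levels in ascending order of trust (System omitted for brevity).
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Policy flags, named as Windows does: No-Write-Up, No-Read-Up, No-Execute-Up.
NW, NR, NX = "NW", "NR", "NX"

# Which label flag blocks which operation from a lower-integrity subject.
OP_TO_FLAG = {"read": NR, "write": NW, "execute": NX}


@dataclass(frozen=True)
class MandatoryLabel:
    level: str
    # Windows' default policy: only writes from a lower level are blocked.
    policy: frozenset = frozenset({NW})


def mic_allows(subject_level: str, label: MandatoryLabel, op: str) -> bool:
    """True if the mandatory-label check lets `subject_level` perform `op`."""
    if op not in OP_TO_FLAG:
        raise ValueError(f"unknown operation: {op!r}")
    # A subject at or above the object's level always passes the label check.
    if LEVELS[subject_level] >= LEVELS[label.level]:
        return True
    # Below the object's level: denied only if the policy names this operation.
    return OP_TO_FLAG[op] not in label.policy


def label_from_flags(flags):
    """Build a label from chml-style switches.

    Assumed meaning (this is not chml's own parser): -i:l|m|h sets the level,
    -nw/-nr/-nx each add a policy flag; with no policy flags the Windows
    default (NW only) applies.
    """
    level, policy = None, set()
    for flag in flags:
        if flag.startswith("-i:"):
            level = {"l": "Low", "m": "Medium", "h": "High"}[flag[3:].lower()]
        elif flag in ("-nw", "-nr", "-nx"):
            policy.add(flag[1:].upper())
        else:
            raise ValueError(f"unknown switch: {flag!r}")
    if level is None:
        raise ValueError("an -i:<level> switch is required")
    return MandatoryLabel(level, frozenset(policy) or frozenset({NW}))


def sandbox_outcome(label: MandatoryLabel) -> dict:
    """What a Low-integrity process (the sandboxed renderer) may do to `label`."""
    return {op: mic_allows("Low", label, op) for op in OP_TO_FLAG}


# Constructed scenario: a user's directory carrying the implicit Medium label
# that ordinary files have, versus the same directory after the comment's
# "chml.exe c:\finances -i:m -nx -nr -nw".
DEFAULT_LABEL = MandatoryLabel("Medium")
HARDENED_LABEL = label_from_flags(["-i:m", "-nx", "-nr", "-nw"])

if __name__ == "__main__":
    for name, label in (("default", DEFAULT_LABEL), ("hardened", HARDENED_LABEL)):
        print(name, sandbox_outcome(label))
```

Run as a script, it shows that under the default label a Low-integrity process can read and execute but not write, and that once No-Read-Up and No-Execute-Up are added it can do none of the three, while a Medium-integrity process (the user's own programs) is unaffected, which is why the stricter label does not get in the user's way. Only objects that actually carry the stricter label benefit, so the residual read exposure the article describes remains for everything left at the default.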
  • just about completely specious, isn't it?

    Ryan, what are you actually trying to do with this blog?

    - your scare article here is based on a scare article from a 'protection' vendor. Shilling after shilling?

    - the base article says Adobe Reader X has a sandbox that works just as they say it does. It addresses where the problems have been coming from -- and crucially protects against any writing to your computer.

    - the 'complaint' is that somehow Adobe's software doesn't harden up the rest of the computer. Hardly what it would be expected to do. Most of the items mentioned should be taken care of by any professional protection suite. You do run one of those, right?

    - the chart in the article shows how specious the article itself is, by inspection. Note that the 'dangers remaining' for Adobe are exactly the same 'dangers remaining' for _any_ software that connects to the internet. Like browsers, email programs, chat, tweeters...do I need to go on?

    - You never published announcement of Adobe Reader X, no doubt one of the greatest steps forward in malware prevention this year.

    - you didn't even publish the crucial Adobe Acrobat and Reader 9.x upgrades a week ago, after hyping the recent attacks.

    I would just shake my head and use more dependable sources, but I also like people and what they understand to do to grow in this world, Ryan. How are you on that?

    Narr vi
    Narr vi
    • RE: Adobe Reader X sandbox leaves 'residual risk'

      @Narr vi Agreed, the whole blog post is kinda bizarre, and is akin to making a blog post saying that Fort Knox is still susceptible to nuclear attack. This sandbox will be a major blow against malware writers once most people have upgraded. With Office, IE (plus plug-ins), Reader X, all sandboxed and using DEP/ASLR/etc., the only major hole left is Java, which I doubt will ever be fixed, the whole Java concept is an abomination and I wish people would just dump it already, but I digress.
      jamesrayg
  • RE: Adobe Reader X sandbox leaves 'residual risk'

    It's Adobe, that's what it does.
    james347
  • RE: Adobe Reader X sandbox leaves 'residual risk'

    Use Foxit Reader or Nitro PDF or any one of the other PDF readers. They're not only safer but infinitely faster.
    mark16_15@...
  • RE: Adobe Reader X sandbox leaves 'residual risk'

    Adobe: Bringing vulnerabilities to your computer since the 20th century.
    mark16_15@...
  • Digital Security is Impossible to Totally Rely on

    The real/best security you can get is self awareness in your brain. If a user is self aware of his/her own computer security, i.e. they don't only rely on the computer to secure itself, then he/she has nothing to worry about threats on the internet.

    On the other hand, no matter how much security one has on their computer, if they are not self aware of their computer's security status, they are for sure one way or another likely to get their computer infected.

    It all depends, and will always depend (until we build skynet, lol), on who is using the software.
    MrElectrifyer