Adobe Reader X is here. Adobe announced earlier this year that it was working on a more secure version of its ubiquitous PDF reading software, Adobe Reader. The new version includes Protected Mode, a sandboxing security control designed to prevent malware exploits against the application.
An Adobe Secure Software Engineering Team (ASSET) blog post proclaims, "Over the last few months, the Adobe Reader engineering team together with the Adobe Secure Software Engineering Team, partners
in the software development community such as the Microsoft Office security team and the Chrome team at Google, as well as
customers, third-party consultancies in the security community, and other external stakeholders were hard at work to help
ensure the sandbox implementation was as robust as possible.
The sandboxing concept is not unique to Adobe. As Adobe points out above, Microsoft, Google, and others have already built
sandboxing security controls into products. The software sandbox is like a temporary holding area where processes are allowed
to run, but can't impact the core functionality of Adobe Reader or the rest of the PC. Malicious processes can then be sifted
out, and legitimate processes can be allowed to run unhindered.
To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.
Adobe Reader X is here. Adobe announced earlier this year that it was working on a more secure version of its ubiquitous PDF reading software, Adobe Reader. The new version includes Protected Mode, a sandboxing security control designed to prevent malware exploits against the application.
An Adobe Secure Software Engineering Team (ASSET) blog post proclaims, "Over the last few months, the Adobe Reader engineering team together with the Adobe Secure Software Engineering Team, partners
in the software development community such as the Microsoft Office security team and the Chrome team at Google, as well as
customers, third-party consultancies in the security community, and other external stakeholders were hard at work to help
ensure the sandbox implementation was as robust as possible.
The sandboxing concept is not unique to Adobe. As Adobe points out above, Microsoft, Google, and others have already built
sandboxing security controls into products. The software sandbox is like a temporary holding area where processes are allowed
to run, but can't impact the core functionality of Adobe Reader or the rest of the PC. Malicious processes can then be sifted
out, and legitimate processes can be allowed to run unhindered.
Adobe engineer Kyle Randolph describes the challenging balancing act of developing a functional sandbox. "A perfect sandbox is akin to the perfectly secure computer--the "...one buried in concrete,
with the power turned off and the network cable cut." A sandbox is distinguished by the restrictions it places on a piece
of running code. Software, on the other hand, is evaluated based on its usefulness. Balancing these competing goods - preventing
bad software from doing bad things, while allowing good software to be useful--is the impossible challenge the sandbox engineer
faces."
Sandboxing is not a perfect solution, though. It is another security control, providing another layer of protection, and preventing
many attacks--but don't assume Adobe Reader is now invulnerable. Adobe explains, "Adobe Reader Protected Mode represents an
exciting new advancement in mitigating the impact of attempted attacks. While sandboxing is not a security silver bullet,
it provides a strong additional level of defense against attacks. Even if exploitable security vulnerabilities are found by
an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files or installing malware on potential
victims' computers."
Adobe Reader Protected Mode is built on the foundation of the Windows security model and the protection it provides. An attacker
that finds an exploitable weakness in the Windows operating system may be able to use that flaw to develop an attack that uses PDF files and Adobe Reader as an attack vector.
Don't get me wrong. Adobe Reader X should be a significant improvement over previous versions of Adobe Reader when it comes
to security. I commend Adobe for taking steps and investing resources to develop a more secure version of the popular product.
By all means, download Adobe Reader X and start using it today. Just don't let that be an excuse for letting your guard down.
