Adobe Details Reader Protected Mode Sandbox

Adobe officials have said that the next version of Reader, one of the more popular and oft-targeted applications on the Internet right now, will have a sandboxing feature, and now the company is providing a detailed description of the new Protected Mode addition.

Adobe’s Brad Arkin, the director of product security and privacy, said back in July that the company would be including the sandbox in the next Reader release, but the details on how the system will work have been sparse. On Tuesday the company began releasing some interesting bits about the way that Protected Mode will work and what it will and won’t do. Like all sandboxes, Reader Protected Mode is designed to prevent a vulnerability in the application from allowing an attacker to jump to the operating system or other applications.

Adobe’s Kyle Randolph said in a blog post explaining Protected Mode that the feature is meant to lessen the effects of bugs in the application:

The Adobe Reader sandbox leverages the operating system’s security controls to constrain process execution to the principle of least privilege. Thus, processes that could be subject to an attacker’s control run with limited capabilities and must perform actions such as accessing files through a separate, trusted process. This design has three primary effects:

  • All PDF processing such as PDF and image parsing, JavaScript execution, font rendering, and 3D rendering happens in the sandbox.
  • Processes that need to perform some action outside the sandbox boundary must do so through a trusted proxy called a “broker process.”
  • The sandbox creates a new distinction of two security principals: the user principal, which is the context in which the user’s logon session runs, and the PDF principal, which is the isolated process that parses and renders the PDF. This distinction is established by a trust boundary at the process level between the sandbox process and the rest of the user’s logon session and the operating system.

The goal of this design aspect is to process all potentially malicious data in the restricted context of the PDF principal and not in the context of the fully privileged user principal.
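The broker design described above can be illustrated in miniature. The following is an added example written for this article, not Adobe’s code: a simulated “PDF principal” that has no file access of its own and must ask a “user principal” broker over a pipe, while the broker applies a read-only, single-directory policy before touching the filesystem. The policy, the request format and the sample files are all constructed for the example; the point is that the worker’s only route to the outside world is the broker’s deliberately small interface.

```python
"""Broker-mediated file access, in the style of a sandboxed renderer.

Added illustration (not Adobe's code). The worker (PDF principal) never opens
files itself; it sends requests to the broker (user principal), which enforces
a constructed policy: read-only, one allow-listed directory, no traversal.
"""
import os
import tempfile
from multiprocessing import Pipe, Process


class Broker:
    """Trusted side of the boundary: the only code that touches the OS."""

    def __init__(self, allowed_dir):
        self.allowed_dir = os.path.realpath(allowed_dir)

    def handle(self, request):
        op = request.get("op")
        if op == "read":
            target = os.path.join(self.allowed_dir, request.get("name", ""))
            path = os.path.realpath(target)
            # Containment check on the *resolved* path, so "../" and symlinks
            # cannot escape the allow-listed directory.
            if os.path.commonpath([path, self.allowed_dir]) != self.allowed_dir:
                return {"ok": False, "error": "path outside sandbox policy"}
            try:
                with open(path, "rb") as fh:
                    return {"ok": True, "data": fh.read(64 * 1024)}
            except OSError as exc:
                return {"ok": False, "error": exc.strerror}
        # Writes, process launches and the like have no handler at all: the
        # broker interface is the attack surface, so it is kept minimal.
        return {"ok": False, "error": f"operation {op!r} not permitted"}

    def serve(self, conn):
        """Answer requests on a pipe until the worker hangs up."""
        while True:
            try:
                req = conn.recv()
            except EOFError:
                break
            conn.send(self.handle(req))


def render_pdf(name, send):
    """Untrusted side: `send` is the worker's only channel to the world.

    Stand-in for parsing: check the header and count objects. Any bug here
    only gains an attacker what `send` will agree to do."""
    reply = send({"op": "read", "name": name})
    if not reply["ok"]:
        return {"status": "denied", "reason": reply["error"]}
    data = reply["data"]
    if not data.startswith(b"%PDF-"):
        return {"status": "rejected", "reason": "not a PDF"}
    return {"status": "rendered", "objects": data.count(b" obj")}


def _worker_entry(conn, result_conn, name):
    # Runs in the child process: request/response over `conn`, result back
    # on a separate pipe so the broker loop never confuses the two.
    def send(req):
        conn.send(req)
        return conn.recv()
    result_conn.send(render_pdf(name, send))
    conn.close()


def run_with_process_boundary(allowed_dir, name):
    """Run the worker in a real child process with the broker in the parent."""
    broker_end, worker_end = Pipe()
    result_recv, result_send = Pipe(duplex=False)
    proc = Process(target=_worker_entry, args=(worker_end, result_send, name))
    proc.start()
    worker_end.close()    # drop parent copies so EOF reaches the broker loop
    result_send.close()
    Broker(allowed_dir).serve(broker_end)
    proc.join()
    return result_recv.recv()


def make_sample_dir():
    """Constructed sample inputs: one tiny PDF and one non-PDF file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "good.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n2 0 obj\n<<>>\nendobj\n")
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"hello")
    return d


if __name__ == "__main__":
    d = make_sample_dir()
    for name in ("good.pdf", "notes.txt", "../../../../etc/passwd"):
        print(name, "->", run_with_process_boundary(d, name))
```

Running the block directly shows the three outcomes across a real process boundary: the sample PDF renders, the text file is rejected by the worker’s own check, and the traversal request is refused by the broker before any file is opened. The worker and broker are deliberately connected only by a pipe; in a production sandbox the worker would additionally be started with reduced OS privileges (the “operating system’s security controls” the quoted post refers to) so that the broker really is its only way out.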

In announcing the inclusion of Protected Mode in July, Arkin said that the sandbox eventually should help defeat many of the exploits that attackers have been using to target Reader as part of a larger attack.

“This will help us protect against most of the attacks we’re seeing today. The attacker will end up in a sandbox and will need a second attack to escape to do [dangerous things],” Arkin said.
