Adobe Systems Inc. has released Reader X, a version of its PDF viewing software that has a new architecture designed to make it more difficult for attackers to exploit vulnerabilities and gain access to a victim's machine.
If an attacker found a vulnerability that today might allow him or her to take over a computer, in the future he or she would be stuck in the sandbox.
Brad Arkin, senior director of product security and privacy, Adobe Systems Inc.
Adobe announced in July that its engineers were working on a version of Reader that was protected using a "sandboxed" mode on Windows. The technology, which is used by Google in its Chrome Web browser only enables processes to run within the confined environment of the application. It blocks actions that could be malicious, such as modifying system information.
Adobe has been struggling to keep up with the pace of zero-day vulnerabilities being targeted by attackers in its popular Reader and Acrobat PDF viewing software. Brad Arkin, senior director of product security and privacy at Adobe, said the new sandboxing technology won't stop all attacks, but it does provide an additional layer of defense.
In an interview with SearchSecurity.com in July (see video below), Arkin said the first release of Adobe Reader X would be write-only, running Reader in a low-rights process. "If an attacker found a vulnerability that today might allow him or her to take over a computer, in the future he or she would be stuck in the sandbox," Arkin said.
Arkin said the sandboxing technology is based on Microsoft's Practical Windows Sandboxing technique. If Adobe Reader attempts to write to the user's temporary folder or launch an attachment inside a PDF file using an external application, the requests are funneled through a "broker process" which allows or prevents potentially dangerous functionality, Arkin said.
"Even if exploitable security vulnerabilities are found by an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files or installing malware on potential victims' computers," Arkin wrote in the Adobe Secure Software Engineering Team blog.
Adobe also released a version ofReader X via the Android Market for devices running Google's Android OS.