Adobe's Updated Reader: Thwarting or Tempting Hackers?

Here's a distinction no software company craves: For two quarters running, Adobe's popular Acrobat and Reader software have been the favorite target of hackers around the globe. According to Symantec's quarterly threat assessment, attacks related to PDF usage accounted for 36 percent of malicious activity in the most recent quarter and 57 percent in the preceding three months.

Indeed, yet another attack widespread attack struck just last week, targeting Flash Player, Reader, and Acrobat on Windows, Mac, Linux, and Solaris. The vulnerability, Adobe reports, can cause affected systems to crash and allows attackers to take control of them.

Fortunately, though, help is on the way. By the middle of November, Adobe expects to launch version 10 of Acrobat Reader, built upon a technology known as "sandboxing." Simply put, the program will run inside a kind of digital shell that keeps it from interacting with the rest of the computer--unless it has explicit permission from a feature called the broker. I'll explain how this works in a bit.

There's a rather nasty twist to the latest attack. According to Adobe, it appears to target the latest version of Reader, version 9, while ignoring older versions. That's something of a slap in the face to conscientious users who follow the advice of Adobe and other software vendors to keep up with the latest version of their programs.

PDF Safety Tips

The good thing about Adobe's PDF format is that nearly everybody uses it--and if you just need to read those documents, it's free. Sadly, the program's very popularity is what attracts the bad guys. Hackers, say the security experts, look for a "target-rich environment," and with tens of millions of users, Acrobat and Reader fit the bill.

I've never heard a compelling argument that Adobe's product's are inherently insecure, or simply poorly designed, but from a consumer's point of view, it really doesn't matter. Having a chunk of malware dropped on your computer is always bad news.

So what can you do to stay secure? I wish I had advice that went beyond the conventional wisdom, but I don't. I contacted security experts at Adobe and Symantec, and they both said pretty much the same thing. Marc Fossi, Manager, Research and Development, Symantec Security Response said this:

1. Consumers should make sure to keep their software up-to-date with all the most recent versions and security patches at all times. An easy way to do this is to ensure that applications are configured to retrieve updates automatically whenever there is a live Internet connection.

2. Using a full security software suite that includes antivirus and intrusion prevention capabilities can also protect against these types of threats.

Sure, Symantec is in the business of selling security software, so naturally they'll tell you to use their product. But in this case, put aside your skepticism and do what the man says. Newer security programs really do filter out lots of malware. And while it may seem utterly obvious, I'll repeat this old chestnut: Don't open attachments from people you don't know.

Remember I said that the latest PDF attack was aimed at newer versions of the software. If you're running version 9 of Reader, you'll be prompted to download a security patch within the next few weeks. Do it.

Adobe's New Sandbox Technology

Adobe Reader X (version 10) will run in "protected mode" which means that most operations will take place within the sandbox. Poisoned code within the PDF would still run, but because it is running within the sandbox, it can't get out to make trouble.

When Reader is running in protected mode, it relies on a "broker" which decides what functions it can carry out, such as launching an attachment. It's not likely to be a perfect defense, but Adobe has been testing the technology for some time, and is confident that it will provide a significant security enhancement.

In a recent interview with our colleagues at Computerworld, an Adobe researcher said that the Version X will probably attract a new wave of hackers eager to see if they can defeat the new technology. "Everyone will want bragging rights to be the first to come up with a working exploit of the sandbox," said Brad Arkin, Adobe's director of security and privacy.

But Arkin was confident that Reader X will withstand the inevitable assaults.

After last week's attack, I asked Arkin if it would be possible to patch older versions of Reader with the sandbox technology. Unfortunately, it isn't. "The development of a sandbox, in particular for a product as complex as Adobe Reader, is significant new functionality that impacts the entire code base and can only be introduced as part of a major new version. It is simply not possible to apply the sandbox developed for one version of a product as a patch for a previous version," he said in an email exchange.

There you have it. My experience is that consumers who follow the common-sense recommendations I've recounted rarely are hit with malware. But it does happen. In the case of Reader, you should move to Version X as soon as it's out.

San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at bill.snyder@sbcglobal.net.

Follow Bill Snyder on Twitter @BSnyderSF. Follow everything from CIO.com on Twitter @CIOonline.

Subscribe to the Security Watch Newsletter

Comments