Why a “Sandbox” Makes Adobe Reader More Secure

Adobe released a major security update for Adobe Reader and Acrobat yesterday–a week ahead of the quarterly release scheduled for next Tuesday. At the same time, Adobe provided a glimpse at how “sandboxing” in the upcoming Adobe Reader Protected Mode will help prevent exploits even when vulnerabilities exist.

The out-of-band update from Adobe fixes a whopping 23 vulnerabilities in Acrobat and Reader. Most of the vulnerabilities are critical, and at least one has been actively exploited in targeted PDF attacks for a month or more.

Adobe has recognized that the cross-platform, ubiquitous nature of its products has made it a primary target for exploits and malware, and it has taken steps to improve coding practices and develop inherently more secure software. However, it is unreasonable to expect that Adobe–or any other developer–can create impenetrably secure software, so other defenses are needed to shield off attacks.

Enter “sandboxing”. A post from Kyle Randolph on the Adobe Secure Software Engineering Team (ASSET) blog defines the concept. “A sandbox is a security mechanism used to run an application in a confined execution environment in which certain functions (such as installing or deleting files, or modifying system information) are prohibited. In Adobe Reader, “sandboxing” (also known as “Protected Mode”) adds an additional layer of defense by containing malicious code inside PDF files within the Adobe Reader sandbox and preventing elevated privilege execution on the user’s system.”

The ASSET blog post also explains some of the limitations of the sandboxing approach. “The sandbox’s reliance on the operating system means that it could potentially be subject to its flaws. Like the Google Chrome sandbox, the Adobe Reader Protected Mode sandbox leverages the Windows security model and the operating system security it provides. This intrinsic dependency means the sandbox cannot protect against weakness or bugs in the operating system itself.”

Adobe also notes that Adobe Reader Protected Mode is a work in progress and that there are some scenarios the initial implementation of sandboxing will not address. For example, the first release of Adobe Reader Protected Mode will not prevent exploits that read and write to the Clipboard, access the file system or registry, or traverse the network.

As these limitations illustrate, sandboxing is also not an invulnerable security measure. Malware developers are generally a clever bunch, and if there is a way to circumvent the sandbox and exploit a vulnerability in Adobe Reader they’ll find it. But, by providing additional barriers and layers of security, attacking Adobe Reader will be that much harder and minimize the potential for compromise.

One quick side note. Adobe points out that this week’s patches for Reader and Acrobat take the place of the quarterly update scheduled for October 12, 2010. Apparently, Adobe doesn’t quite grasp the concept of “quarterly” though, or simple math. The next regularly scheduled update from Adobe should be in January, since that is three months from now, but Adobe states that it is scheduled for February 8, 2011.