Adobe Systems plans to release a major security upgrade by year’s end to its Reader product, which has been under siege from attackers.
Reader 10 will have a sandbox feature that will seal off the application from attacks intended to tamper with, for example, a computer’s registry or file system, said Brad Arkin, Adobe’s director for product security and privacy, during an interview on Tuesday at the RSA security conference in London.
Reader 10 will mark a major upgrade to the application, capping off more than 18 months of development. Like many other Windows applications, Reader has been increasingly probed in order to infect computers with malware. Adobe has had much trouble with attackers finding vulnerabilities in its products. Often, those flaws are exploited by manipulating PDF (Portable Document Format) documents.
The sandbox will be on by default. If an exploit — which is a mechanism developed by an attacker in order to deliver malicious software to a computer — attacks the application, it won’t be able to get out of the sandbox, Arkin said.
The sandbox method has been used by both Microsoft and Google in their applications, and Adobe worked with both of those companies in developing the system for Reader.
“The amount of attack surface is very, very small,” Arkin said.
The sandbox, however, also has to allow regular functions such as saving a file. In that scenario, the sandbox can talk to the file system, but that communication goes through a broker. The broker uses a set of very restrictive policies to see if the particular action is allowed.
Essentially, Adobe has created a two-stage attack requirement, where an attacker would also have to bypass the policy restrictions. Arkin said Reader 10 represents a dramatic increase in defense such that none of the attacks against Reader known up until now will work in the same way against the application.
But “bad guys and researchers won’t give up because this is an exciting challenge,” Arkin said. “The reward for finding out a flaw is quite high. We think there is going to be lots of attention here.”
Although Adobe has subjected it to rigorous testing “it is still possible that someone may be able to find something,” he said.
Send news tips and comments to jeremy_kirk@idg.com