Adobe: Hacker 'spotlight' will shine on Reader X's sandbox
Adobe’s chief security executive said that the bull’s-eye will be on the back of Reader X when the new version ships next month.
Adobe Reader X, slated for release in the next 30 days, will feature Protected Mode, a “sandbox” technology that isolates processes, preventing or at least hindering malware from escaping an application to wreak havoc on the computer.
Security researchers and experts have long called for Adobe to add sandboxing to Reader because of its many vulnerabilities and resulting popularity as a route to PC infection. They’re getting what they asked for in November.
But Brad Arkin, Adobe’s director of security and privacy, recognized that Protected Mode won’t stop attacks against the popular PDF viewer. In fact, it will probably encourage researchers to redouble their efforts, at least initially.
“We’re going to have the spotlight of the security researcher community on us when Reader X launches,” Arkin said. “Everyone will want bragging rights to be the first to come up with a working exploit of the sandbox.”
But Arkin was confident that Reader X would withstand the inevitable assaults.
“We have a lot of confidence that we’ve leveraged the positive aspects of the best technologies,” he said, referring to the work on sandboxing by both Google and Microsoft that Adobe used to construct its defense.
In Reader X, all PDF rendering chores will take place within the sandbox, which severely limits the application’s privileges to cut it off from the rest of the system. Any malicious code packed into a rogue PDF would still run, but it should not be able to escape the isolation chamber.
A separate “broker” decides which functions Reader can conduct outside the sandbox, such as writing to disk or launching an attachment or executable file from within the software.
The key to Protected Mode, Arkin acknowledged, is the broker. Hack the broker and attackers will still be able to infect machines using rigged PDFs.
“The broker is 13,000 lines of code, brand new modern code that’s been exhaustively tested and gone through Secure Product Lifecycle,” said Arkin, talking about Adobe’s development strategy that, like Microsoft’s better-known Software Development Lifecycle (SDL), mandates that programmers go through security-specific steps as a way to reduce possible vulnerabilities.
“That code has had more security attention than any other like-sized code in the history of the company,” Arkin said. “We’ve had multiple sets of eyeballs on it to make sure we didn’t have group-think going on here.”
Adobe tested the broker specifically and the sandbox in general, both inside the company and with a limited number of enterprise customers who use Reader. The company also hired outside researchers, who tried to break out of the sandbox, with results that Arkin declined to specify.
“The sandbox was not perfect the first day we had it working,” he acknowledged. “We found things during the testing and adapted [the sandbox].”
Adobe also flung exploits that had worked on earlier editions of Reader against testing versions of Reader X that had been tweaked to include older vulnerabilities. “In 100 percent of the cases, the sandbox stopped the exploit from infecting the PC,” said Arkin.
But while Arkin sounded confident that the sandbox in Reader X would withstand attack, realistically the technology is simply another hurdle in front of hackers.
“We think that a successful exploit of Reader X will have to be a multi-staged attack,” said Arkin. “The first stage would be against the PDF rendering [in the sandbox], with the second stage necessary to leverage [a vulnerability] in the sandbox. That makes it harder for attackers, and exploit reliability will also be diminished because of the complexity.”
One noted vulnerability and exploit researcher agreed that the complexity inherent in breaking out of a sandbox might be enough to keep most attacks at arm’s length.
“I think it accomplishes its goal, which is to make researchers look for something easier to attack,” said Charlie Miller, a researcher with Baltimore-based Independent Security Evaluators, in an e-mail reply to questions about sandboxing. “I don’t really see the point in looking for a Reader bug and a sandbox bug, when I could just find some other easier way to break into a system.”
Adobe plans to urge Reader 8 users to upgrade to Reader X shortly after the latter’s launch, but will hold off notifying users of the newer Reader 9. “We want to roll over the older segment of the Reader user base first,” Arkin said. “I would like to do both [Reader 8 and Reader 9 update notifications] within the first 12 months of X’s release.”