Adobe builds a sandbox in upcoming Reader X

Steve Adegbite Adobe

Steve Adegbite, senior security strategist at Adobe

With the upcoming launch of Adobe Reader X (due out in the next few weeks), the software company is taking a different approach to security.

Reader X will introduce Protected Mode, a type of “sandboxing” that creates a layer between the data and potential malicious request that seeks vet requests that are appropriate from those that are to be considered unsafe and disallowed. It’s been used in a number of Microsoft products and in Google’s Chrome browser, but Reader X marks the technology’s debut in Adobe technology.

Steve Adegbite, senior security strategist at Adobe, said the new technology would present a significant hurdle to those looking to inject malware into PDF files. Here’s how.

By stripping away most of the rights of the software itself to talk to the operating system and putting it through a much smaller broker process that is built with security in mind from the ground up, the company says it creates an environment where attacks are quarantined and sought out well before they get a chance to interface with the host operating system.

“When you’ve got 49 million lines of code, as we do in Reader, it’s a never-ending marathon to secure your products,” Adegbite said. “The broker process is all new, only 13,000 lines of code and has a lot more policy in place to protect what it can and cannot do with the operating system.”

Protected Mode is not a perfect form of defense – it only works in protecting users from attacks that seek to write to the local file system, although Adegbite said such attacks currently make up more than 75 per cent of all current attacks. Malware that seeks to look for data on the host system and sends it back to the attackers will not be blocked by the current Protected Mode, although Adegbite said the company has plans to add such functionality in time for version 10.1.

The sandboxing technology also works only at current on Windows-based systems, largely because it uses much of Microsoft’s Windows security mechanisms that other platforms either don’t support or don’t document. It’s also less of a factor because 85 per cent of PDF-based attacks are Windows-specific, giving Adobe lots of room to “focus on where the bleeding is.”

“If other platforms ever pick up significantly, we’ll add the same kind of protection for them as well, but today we just don’t see it,” Adegbite said.

Like many software companies, Adobe (and by proxy its partners) often have to deal with “good enough” computing challenges – the idea that users will stick with current versions of software that works for them and from which they’re not feeling security pain. But Adegbite suggested that with the imminent launch of Reader X and the rest of the family, channel partners can play a key role in getting around that mentality.

“If you can’t move clients to Reader X immediately, make sure they’ve got the latest and greatest version they have access to,” he advised partners. “The longer they’re on older platforms, the more at risk they are.  Help them stay as up to date as possible and create an easy channel for them to get those security updates.”

Adegbite said he’s hopeful that with rising awareness of security and a little partner push, the addition of sandboxing will provide the “catalyst” to drive great early-days adoption of Reader X.

The move towards Protected Mode is part of a wider focus on security internally at Adobe. The company in recent years has been placed in the most oft-attacked offerings along with Microsoft, and just like its Redmond-based partner and sometimes-competitor, the company is responding with changes to its culture around security.

Adegbite, who himself joined Adobe earlier this year after working on Microsoft’s Trustworthy Computing initiative, said security has become much more engrained in the culture, and that rather than thinking of “what new features to provide end users,” the focus is on “what new features to safely provide end users.” The company’s internal “black belt” training on security has also helped, he reported, leading to developers attaining and competitively comparing their relative levels of security proficiency. That cultural change, in turn, is helping Adobe’s security team spend more time on dealing with challenges than dealing with evangelism to its own people.

“We don’t have to work as hard on security education because it’s getting out there,” he said.

Although it doesn’t share its security code, Adegbite said Adobe is very interested in helping partners and other software developers with their own security stance. “We think it’s the way to write software, and anyone who wants to implement sandboxing is welcome to come work with us and learn from what we’ve learned,” he said.