Adobe Reader X with sandboxing now available

Filed Under: Malware, Vulnerability

Acrobat Reader X logoThe much awaited Adobe Reader X was made available today at http://get.adobe.com/reader for OS X and Windows platforms.

Paul Ducklin wrote about the release of Adobe Acrobat X a few days ago and shared his confusion over the way Adobe has managed the release of Reader/Acrobat and his concern at the very large size of the current codebase. The Mac version weighs in at just under 70 megabytes (415MB on disk), while the Windows version is 35 megabytes (105MB on disk).

Reader X download page for OS X

While more lines of code certainly leaves more room for error, Reader X does include Adobe's latest efforts to thwart attackers through the use of a write-blocking sandbox. This means that when you open a PDF file that may try to exploit a vulnerability in Reader X it will be unable to write any files to your hard disk which will help prevent malware from installing itself on your computer.

Although Reader X is available for OS X, the sandbox technology is only implemented on the Windows platform. This doesn't mean Mac users shouldn't consider updating to the latest release, however they will not benefit from the enhanced safety provided by the sandbox.

Sandboxing has had a spotty track record. Oracle Java is the most well known implementation of a sandboxed application environment and has been plagued by security flaws. Microsoft Office 2010 and Google Chrome on the other hand share a heritage with Adobe's implementation and have demonstrated improved security over their non-sandboxed counterparts.

Bottom line? If you are an Adobe Reader user or administrator I recommend rolling out Reader X as a precautionary measure. The next attack against Reader may be right around the corner and it presents your best defense against malicious PDF files.

, , ,

You might like

3 Responses to Adobe Reader X with sandboxing now available

  1. Richard · 1344 days ago

    The Adobe DLM is getting extremely annoying. A download manager might have made sense ten years ago, but with wide-spread broadband access, it doesn't make sense any more. Why should we be forced to download and install a specialised download manager simply to download and install the software we actually want?

    Thankfully they haven't extended this horrendous bit of software to Google Chrome yet, so it is possible to bypass the DLM and simply download the software directly:
    http://get.adobe.com/reader/completion/?installer...

    Other post-installation tasks:

    * Check the Adobe Reader security settings, which will all have been reset to the insecure defaults;

    * Remove the "Adobe Reader Speed Launcher" auto-run entry (unless you only ever use your PC to read PDFs);

  2. ConcernedCitizen · 1342 days ago

    Yep, remove speed launcher from startup.

    Only need/want a PDF reader.
    So after install- uninstall the DLM & AIR.

    The sandboxing only protects from exploits of Reader X itself?
    or there's enough common code with older versions, and they won't catch?
    ...so need to upgrade

  3. Bob · 1342 days ago

    You can always get it from http://ftp.adobe.com to avoid the download manager mess.

    ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.0.0/en_US/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.