Adobe has announced the long-awaited sandboxed versions of their ubiquitous Adobe Reader and Adobe Acrobat applications, now branded as X. Brad Arkin, Adobe's Senior Director of Product Security and Privacy, first spoke with Sophos about Adobe's plans to better secure Reader in a podcast back in August.
Adobe Reader X will be available sometime in November and will implement a virtual sandbox to help isolate it from the operating system. This technique will allow controls to be put in place to prevent Reader X from making unwanted modifications to files, modifying the registry and executing unwanted content.
Sandboxes are by no means foolproof, as we've seen from the large number of vulnerabilities found in Oracle's Java Runtime Environment. In fact, Brian Krebs has pointed out that Java is more successfully exploited to compromise PCs through web exploits than Adobe Reader. In a recent interview with ITPRO magazine, Arkin acknowledged that "Protected Mode," as the sandboxing technology is being branded, is not a silver bullet.
SophosLabs' Paul Baccas recently referenced "The Flying Wallendas" in his Virus Bulletin paper to make the point that always operating with a safety net may encourage laziness. He was concerned that Adobe continue to make progress in securing the product's core and not get too comfortable with the idea that the sandbox will stop future exploits.
Based on Brad Arkin's comments, it appears Adobe is taking Paul's concerns seriously and is just using Protected Mode as an additional safety measure. When Adobe releases Reader X, we will be sure to blog about it. I recommend deploying it on your network to enhance the security of viewing PDF files.
Creative Commons image courtesy of redjar's Flickr photostream.