Adobe Putting PDF Reader In a Sandbox
Captain Eloquence writes "The next major version of Adobe's PDF Reader will feature new sandboxing technology aimed at curbing a surge in malicious hacker attacks. The initial sandbox implementation will isolate all 'write' calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. Adobe security chief Brad Arkin believes this will mitigate the risk of exploits seeking to install malware on the user's computer or otherwise change the computer's file system or registry. In a future dot-release, the company plans to extend the sandbox to include read-only activities to protect against attackers seeking to read sensitive information from the user's computer."
I have only Sumatra PDF on my Windows 7 machine. I don't have a copy of Adobe's viewer on the machine at all.
Sumatra PDF is dumb, but reasonably secure. It can't do cut and paste, it doesn't do forms, and it doesn't have Javascript.
Sounds suspiciously Apple-like. iPhone apps do this very thing.
That piece of bloatware should be put on a harsh diet before that.
Sometimes, life itself is sarcasm...
It appears Adobe finally realized that a document reader shouldn't have access to my entire system.
If this adds another 10mb to the download, then forget it, I'll be sticking to Foxit PDF and/or Sumatra PDF.
Why does a PDF viewer need to give the document the ability to write at all?
Would ripping some of the crazy features out of the PDF spec solve this more completely and reasonably?
What do we use PDFs for which involves writes?
Should it be an operating system feature to force all user applications to run in a sandbox by default?
Honestly, give up on Adobe Reader. There are other options. FoxIt has about the same feature set, and CAN do all the dangerous boneheaded stuff like embedded javascript and external execution, but by default it's off, and the vast majority of people never need that stuff.
On the skinny end there's Sumatra (too skinny for me, no browser plugin). At the other end is Nitro PDF, which has a TON of features even in the free version.
Honestly, just take Adobe reader right off your machine. Do it now.
Why not sandbox it entirely? If the JS engine in Acrobat can run arbitrary commands I don't want it reading files from my local filesystem either. I suppose it wouldn't directly be able to transmit those files if it's not able to write to a network socket, but that doesn't mean it should be allowed to read random things either.
Adobe obviously wants to keep a very tight grip on the PDF ecosystem, why not limit Reader and only allow it to perform scripting actions on signed and verified PDFs? This benefits Adobe since the only tool that can create and submit PDFs for signing and verifying would probably be from Adobe.
Comment removed based on user account deletion
Adobe -- UR DOIN IT RONG! (Insert picture of adorable cat here)
A sandbox doesn't matter if said sandbox has as many flaws as the original reader...
TIDserve gets right past virtualization. It uses a privilege escalation in IE to find the virtual OS' drivers and then it follows the driver chain down to atapi.sys (which it can exploit).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
My cat's sandbox is the right place for Adobe's products.
Too heavy, too slow, too buggy, too dangerous, etc.
-- Rastignac was here.
IANAMCSE but.....(I am not an MCSE :) )
Is there just no possible way to develop software that is NOT exploitable?
Tweet, tweet, all id10t's out of the gene pool, open swim is over.
One can always hope that with half of Windows 7 installations being 64 bit, malicious software readily bypassing the protection will force Microsoft to finally implement a sufficient API for sandboxing.
A sandbox doesn't matter if said sandbox has as many flaws as the original reader...
That's good that you have an alternative that works for you on your home computer, but you're never going to get my whole department to trade some of those features for security, even the ones who -could- install it themselves. Them using an insecure PDF viewer is problematic for me because I have to use the same network. Thus it's a good thing.
It seems that Microsoft already went through this 15 years ago with Word macros. It's kind of scary that these companies that are producing software for looking at / creating documents would enable this sort of functionality in their file formats. I realize that there are a handful of applications where it's beneficial to have a document be able to write to the filesystem, but for 99.99% of documents, what business do they have reading or writing anything?
It would be like if you bought a book, sat it down on your desk, and when you pick it up later, you find that the book was doodling on your desk the whole time.
Sure there are free pdf readers that work on Linux and 64 bit, but I find that none of them are as flexible with regards to printing options as Acrobat is.
And the last time I installed multi-libraries on my system supporting both 32 and 64 bit, primarily just so I could use Acrobat, I started having some stability issues that I would just as soon not repeat.
File under 'M' for 'Manic ranting'
Well, in Windows 7 you can use the Windows XP virtual mode, and with its integration into the Start menu it's pretty transparent that it's running under a VM.
Will there also be a sandbox to prevent another shite Adobe product causing my browser to flash?
My web domain.
This.
My customers send a lot of blueprints as PDF files. I tried the alternatives because I think Acrobat is bloated, but the competitors had issues with printing. One printed everything as raster images and another one couldn't print anything at correct scale.
Just sayin'...
Edith Keeler Must Die
Why yes, because when I think of what it would take to quickly open and view PDFs, I immediately conclude that the only solution is a program big enough and complex enough to require a sandbox, to make sure that it can't be exploited.
For years, Adobe has been creating extremely bloated software. And it has been years, not coincidentally, since I've wanted to install any of their stuff.
Why did PDF have to have all this crap added to it? The answer is, it didn't; Adobe just wanted to keep extending their reach, for as long as they could convince people to keep installing "free" readers that just happen to contain your kitchen sink. Enough.
"Microsoft killed my company, I hold a personal grudge. I don't use Microsoft products and neither should you."-JWZ
Who sandboxes the sandboxers?
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
(I'm not an MCSE either but I have written program snippets). My vague hand-wavy thinking is that it is a difficult problem with a time, money, skill and resources tradeoff. You could:
The above also assumes that you don't get done in by software you (the author of the program) didn't write (e.g. the operating system code for drawing a letter has a hole in it and this allows an attacker to then break your program).
Basically, non-exploitable software is a difficult problem, and because writing perfect programs is so hard, damage mitigation with sandboxing is probably the way we will go for now (unless you are writing something life critical etc). The resources to do the sandboxing are higher than without but we are at the stage where it is worth the cost.
The initial sandbox implementation will isolate all 'write' calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003...
I was always perplexed at how a text document can somehow make calls to an operating system. It seems to me that PDF is a programming interface that supports text, and not a document format.
Sandboxing Adobe PDF? How about just burying this bloated, slow, insecure garbage in the sand so it never shows again. Then in 200 years it's discovered in an archaeological dig, and people marvel at how badly written software was ever unleashed to market.
Take Nobody's Word For It.
I will try Sumatra, thanks for the tip.
Currently, on a Windows box, I'm using Evince, from the Gnome project.
To plug Evince into Firefox, I'm using something called "libertexto" http://www.libertexto.org/
I got tired of the Adobe bullshit. The crashes, freezes, etc. Version 9 broke the camel's back. The stupid thing wants to install a Firefox "download manager" extension first, which then downloads and installs the reader. This is completely moronic compared to a normal Installshield-style installer which users are accustomed to on that platform. Like any wheel re-invention, this downloader/installer has issues. If you abort an installation midway through, it becomes confused; it thinks that it had completed. Moreover, you cannot pick the installation directory. If your C: drive is low on space, tough luck.
With this new development, it's become obvious that Adobe are jumping on the bandwagon of sandboxing bugs and hoping for the best, instead of fixing them.
So, goodbye and good riddance.
Sandbox A will be put inside Sandbox B, and Sandbox B will be put inside Sandbox A. Problem solved!
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
the obvious solution is of course to run Adobe Reader in a dedicated VM ..
duh !
Sandboxing your document reader so that corrupted documents stop installing malware to the host machine?
You. are. doing it wrong.
This is like giving people guns, then throwing them in jail. Why give them guns to begin with?
1.) About fucking time, morons
2.) Okay, i feel a bit safer
3.) Who cares? I've not used Acrobat in several years.
Sumatra, PDF X-change or Foxit works as well or better.
Pain is merely failure leaving the body
a little unusual, fuzzy targeting, but still COPY/PASTE
Nobody puts Acrobat in a sandbox, nobody!
coding is life
Instead of sandboxing the software, couldn't they fix the software so it's not vulnerable to so many attack vectors?
and then sandbox it...
I've got better things to do tonight than die.
It’s yet another piece of danger from the company that for many releases circumvented your operating system security settings by using its own embedded TCP/IP stack. Now they are going one step further, the sandbox; this time they will attempt to circumvent read, circumvent independent tagging, examination, and wrapping of files through their proprietary Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003 implementation. I don’t like the product; it is able to execute with root privilege on many implementations unless constrained at installation, and now you have to monitor the complete range of Adobe products to have any chance of saying no; every installation of an Adobe product seems to correct your settings, back to the Adobe preferred default.
I never cut and paste a pdf. Sumatra PDF can however do copy/paste very well. Ctrl + left drag, ctrl+c.
And I am baffled - it's a PDF viewer! "Read/Write operations?" Its purpose is to render PDF documents, and maybe print them. No need to touch anything else on the computer. Save some preferences, but that's done by the program, separated out from any PDF-interpretation - certainly not made available from "scripting" inside the document. Abandoned Acrobat Reader a long time ago too.
Well if Sumatra doesn't do it for you I give my customers Foxit which has safe mode built in which halts executable code in PDFs by default, which is of course how they hit you with malware in the first place. Why Adobe decided executable code was just gravy for a document format, I'll never know. But that link will install any of the programs on their page with no toolbars, including Sumatra or Foxit, all automated. Great for setting up a PC for the first time. After version 6 Adobe became just too bloated for me to recommend to customers, but I've not gotten any complaints with Foxit.
ACs don't waste your time replying, your posts are never seen by me.
With boxes as with platitudes, it's what's inside that counts.
Some time ago I ran a PDF software research, annoyed by Adobe Reader 7. BTW, all this is for Windows platform (I have an XP copy).
I purposefully didn't upgrade for a long time (years), wrongfully assuming that Reader 8 (and 9) are even slower. What I learned (and verified myself) is that Adobe Reader 7.x is slowest of them all, so...
PDF software has multiple requirements/features (not everyone needs all of them):
- display PDFs as standalone application
- display PDFs online in the browser
- load quickly
- allow editing and forms
- install a thumbnail generator (when explorer is in thumbnail view, it can display first page of the PDF document)
- install a PDF IFilter (will get back to it) *
- display tooltip when hovering mouse over document icon
- add a property sheet (right click->Properties) with some document infos
IFilter: is a piece of code which parses a document (PDFs in this case) and extracts pieces of information which might be interesting for indexing (file name, author, some keywords specified during editing, etc.). The filter is used by: desktop search technology (specifically WDS - Windows Desktop Search) and by SharePoint servers.
So, during my research I quickly found this article, which taught me about alternatives: http://www.downloadsquad.com/2007/12/28/pdf-xchange-another-light-weight-adobe-reader-alternative/
Basically, some alternatives are:
- Adobe Reader Speedup - a small program which allows you to enable or disable Adobe plugins. It comes with presets if you don't feel like manually tinkering with plugins. It works with all Adobe versions I tested (7.x, 8.x, 9.x) - I guess it just makes some registry changes.
- Adobe Reader Lite - this is an unofficial installer which re-bundles only the most commonly used pieces of Reader. Each time Adobe releases a new version of software, someone (an external volunteer) has to redo the work with the new DLLs. It is therefore versioned (Adobe Reader Lite 9.x.y, etc.)
- Foxit, which many people know about.
- PDF-XChange, an excellent solution with great editing and form capabilities. It is more powerful (feature rich) than Foxit, just a bit slower at startup but still obviously faster than Adobe.
- Sumatra, which is rather dumb (bugs in rendering, no editing options at all) but fastest of all I'm writing about. Actually, I never tried Sumatra, I was happy with PDF-XChange.
Therefore there are 3 contenders:
1. Adobe
Slowest of them, displays documents standalone and in browser, allows powerful editing. Creates explorer thumbnails and tooltip. Does NOT add a new sheet when looking at file properties. Comes with an IFilter.
2. Foxit Reader
Fastest of them, displays documents standalone and in browser, allows editing (but not very powerful). Does NOT create explorer thumbnails and tooltip. Does NOT add a new sheet when looking at file properties. Does NOT come with an IFilter.
3. PDF-XChange
Fast but slower than FoxIt, displays documents standalone and in browser, allows free editing (powerful). Creates explorer thumbnails and tooltip. Adds a new sheet when looking at file properties. Comes with an IFilter.
So, there you have it.
I installed FoxIt and PDF-XChange on my system - FoxIt is the default viewer, but I get the IFilter and stuff for XChange, and I sometimes open with the other one. On my GF's laptop I installed Adobe Reader Lite (for some reason she insists on using Adobe, albeit she only reads PDF files now and then, never edits).
BTW: FoxIt takes advantage of the fact that people don't know that Adobe Reader comes with a free PDF IFilter and sells (for 100's of $) their own FoxIt PDF IFilter. This being said, some guys tested for IFilters on a huge collection of PDFs, and FoxIt's was fastest (and has a 64-bit version IIRC). Again, SharePoint servers do need such an IFilter installed.
HTH.
The sieve-like structure of the Adobe Sandbox (tm) assures that the sand is self-cleaning! And for a nominal fee, Adobe is delighted to offer genuine replacement Adobe Sand (tm) with 100% Photoshop compatibility!
MS are leery of doing anything that will level accusations of monopoly at them again - they have been in trouble for bundling apps before now and if they put in a PDF viewer this is the card that Adobe will play against them.
This is why Notepad is still the same awful useless piece of rubbish that can't even open files with Unix line endings properly. (note - not sure if the Vista/7 version does this but the most-used business version, XP, does not). The text editor industry is so large that they would be accused of destroying it single-handedly if they updated it.
I just don't get Adobe... at what time would my PDF reader need to edit the registry, and what good reason would I need web access with JavaScript...? Seriously... if I need web info from another app, you can call IE from that app with command line arguments, why use a faulty app to open a web page with... IE is not secure, why would you think Adobe Reader would be?
I have used Foxit, but even that has holes apparently... I think I will stick to CHM books for now, if I can avoid PDF altogether.
You stated that "the vast majority of users have Adobe Reader installed to view PDF files, and they will not know why or how they should change to something else". That may be true, but that explains why we have so many security problems in the first place.
The more people that say, "Product X has too many security problems, I will switch to product Y", the faster the maker of product X will wake up and eliminate security vulnerabilities. Or disappear, leaving room for whoever makes product Y. Making a secure program is not rocket science; the principles have been known since the mid-1970s, and there is lots of freely-available information on how to do it (e.g., see my Secure Programming material). But developers will only do that if there is a reason to do so.
If most users accept whatever product they have, as if it appeared by magic from the heavens, then unsurprisingly, the maker of that product will not improve the product.
People should be rising up and saying, "Your product keeps having security problems, ones your competitors don't have. So I'm switching to a competitor". If enough people do that, security problems will be a rare event. So, let's get people to say "I'm not going to take it any more!!" Then, Adam Smith's invisible hand will cause products to either get better in a hurry, or disappear into their rightly-deserved rubbish bin.
- David A. Wheeler (see my Secure Programming HOWTO)
Honestly, am I the only person who doesn't have an immense hatred for Acrobat Reader?
Yea, it's a big install, and uses a sizeable chunk of RAM...but does any of that matter anymore?
I have a 9 MB PDF file...600 pages of Oracle documentation. Adobe Reader opened it from a cold start in less than 2 seconds, and I was able to scroll the entire document quickly, and find the information I needed. No other free PDF viewer I've tried can do this, with the same responsiveness and ease of scrolling, zooming, or selecting text...all without the annoyance of ads. It's using about 30 MB of RAM to do this. Big fucking deal....Firefox is using 150MB, Chrome 60 MB, Outlook 80 MB...hell IE 8 is using almost 30 MB with only one tab open.
For any computer newer than 4 years old, the 'bloat' in Reader is negligible. It truly hasn't sucked from a performance standpoint since version 8. And in my mind, it beats the hell out of dealing with the various quirks in other PDF viewers...especially when you have to fill out a PDF form.
I for one welcome the attempt at beefing up security, and hope that other highly targeted apps take a cue from this and implement sandboxing for themselves.
Foxit has a history of exploits. You really need a reader with no Javascript or execute support at all.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Acrobat halts executable code as well - with its trust manager. These exploits are bugs, and Foxit was actually vulnerable to the most recent PDF bug that Acrobat was - Adobe just took two weeks longer to fix it (but then they had 25+ more languages they had to test the patch on).
Real operating systems have real jails.