Adobe Putting PDF Reader In a Sandbox
Captain Eloquence writes "The next major version of Adobe's PDF Reader will feature new sandboxing technology aimed at curbing a surge in malicious hacker attacks. The initial sandbox implementation will isolate all 'write' calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. Adobe security chief Brad Arkin believes this will mitigate the risk of exploits seeking to install malware on the user's computer or otherwise change the computer's file system or registry. In a future dot-release, the company plans to extend the sandbox to include read-only activities to protect against attackers seeking to read sensitive information from the user's computer."
I have only Sumatra PDF on my Windows 7 machine. I don't have a copy of Adobe's viewer on the machine at all.
Sumatra PDF is dumb, but reasonably secure. It can't do cut and paste, it doesn't do forms, and it doesn't have Javascript.
That piece of bloatware should be put on a harsh diet before that.
Sometimes, life itself is sarcasm...
It appears Adobe finally realized that a document reader shouldn't have access to my entire system.
Why does a PDF viewer need to give the document the ability to write at all?
Would ripping some of the crazy features out of the PDF spec solve this more completely and reasonably?
What do we use PDFs for which involves writes?
Should it be an operating system feature to force all user applications to run in a sandbox by default?
Honestly, give up on Adobe Reader. There are other options. Foxit has about the same feature set, and CAN do all the dangerous boneheaded stuff like embedded javascript and external execution, but by default it's off, and the vast majority of people never need that stuff.
On the skinny end there's Sumatra (too skinny for me, no browser plugin). At the other end is Nitro PDF, which has a TON of features even in the free version.
Honestly, just take Adobe reader right off your machine. Do it now.
Why not sandbox it entirely? If the JS engine in Acrobat can run arbitrary commands I don't want it reading files from my local filesystem either. I suppose it wouldn't directly be able to transmit those files if it's not able to write to a network socket, but that doesn't mean it should be allowed to read random things either.
Adobe obviously wants to keep a very tight grip on the PDF ecosystem, so why not limit Reader and only allow it to perform scripting actions on signed and verified PDFs? This benefits Adobe since the only tool that can create and submit PDFs for signing and verifying would probably be from Adobe.
A sandbox doesn't matter if said sandbox has as many flaws as the original reader...
TIDserve gets right past virtualization. It uses a privilege escalation in IE to find the virtual OS' drivers and then it follows the driver chain down to atapi.sys (which it can exploit).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
My cat's sandbox is the right place for Adobe's products.
Too heavy, too slow, too buggy, too dangerous, etc.
-- Rastignac was here.
IANAMCSE but.....(I am not an MCSE :) )
Is there just no possible way to develop software that is NOT exploitable?
Tweet, tweet, all id10t's out of the gene pool, open swim is over.
One can always hope that with half of Windows 7 installations being 64 bit, malicious software readily bypassing the protection will force Microsoft to finally implement a sufficient API for sandboxing.
That's good that you have an alternative that works for you on your home computer, but you're never going to get my whole department to trade some of those features for security, even the ones who -could- install it themselves. Them using an insecure PDF viewer is problematic for me because I have to use the same network. Thus it's a good thing.
Sounds suspiciously Apple-like. iPhone apps do this very thing.
No shit Sherlock: sandboxing, emulation, memory and hardware virtualization, CPU ring modes are all Apple inventions from 1970s and Windows 7 you're browsing from right now has its code base from Apple Lisa of that era.
It seems that Microsoft already went through this 15 years ago with Word macros. It's kind of scary that these companies that are producing software for looking at / creating documents would enable this sort of functionality in their file formats. I realize that there are a handful of applications where it's beneficial to have a document be able to write to the filesystem, but for 99.99% of documents, what business do they have reading or writing anything?
It would be like if you bought a book, sat it down on your desk, and when you pick it up later, you find that the book was doodling on your desk the whole time.
Sure there are free pdf readers that work on Linux and 64 bit, but I find that none of them are as flexible with regards to printing options as Acrobat is.
And the last time I installed multi-libraries on my system supporting both 32 and 64 bit, primarily just so I could use Acrobat, I started having some stability issues that I would just as soon not repeat.
File under 'M' for 'Manic ranting'
Will there also be a sandbox to prevent another shite Adobe product causing my browser to flash?
My web domain.
True, but not as transparent as I'd like it. I'm in, once they get GPU virtualization performance up to the level of the CPU one... or just move all SIMD logic into the CPU and standardize the instruction set.
Just sayin'...
Edith Keeler Must Die
Why yes, because when I think of what it would take to quickly open and view PDFs, I immediately conclude that the only solution is a program big enough and complex enough to require a sandbox, to make sure that it can't be exploited.
For years, Adobe has been creating extremely bloated software. And it has been years, not coincidentally, since I've wanted to install any of their stuff.
Why did PDF have to have all this crap added to it? The answer is, it didn't; Adobe just wanted to keep extending their reach, for as long as they could convince people to keep installing "free" readers that just happen to contain your kitchen sink. Enough.
"Microsoft killed my company, I hold a personal grudge. I don't use Microsoft products and neither should you."-JWZ
Do most third party applications on PCs put themselves in a sandbox? Is this Adobe adopting the way of the majority or are sandboxed applications rare in a PC environment?
I was under the impression that using a sandbox wasn't standard and the first thing that came to mind was the sandbox limitations Apple is famous for imposing on every third party developer for iDevices.
Who sandboxes the sandboxers?
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
(I'm not an MCSE either but I have written program snippets). My vague hand-wavy thinking is that it is a difficult problem with a time, money, skill and resources tradeoff. You could:
The above also assumes that you don't get done in by software you (the author of the program) didn't write (e.g. the operating system code for drawing a letter has a hole in it and this allows an attacker to then break your program).
Basically non exploitable software is a difficult problem and because writing perfect programs is so hard, damage mitigation with sandboxing is probably the way we will go for now (unless you are writing something life critical etc). The resources to do the sandboxing are higher than without but we are at the stage where it is worth the cost.
And Apple stole every aspect from the XEROX PARC development. The guy credited with creating the GUI and mouse worked for Xerox, not Apple. Xerox let them steal it, no question, but don't give credit where it's not due; PARC is responsible for far more than what you are crediting to Apple. The only thing Apple did was make these software interfaces cost effective by using commodity hardware instead of PARC's tendency to use specialty hardware.
No, don't worry. Because of how bloated Acrobat Reader already is, Adobe was able to fit a re-skinned copy of VirtualBox, containing a minimal Linux image running Evince, in a package smaller than the prior download.
This is how they managed to get a "sandboxed" PDF reader out in less than the usual absolutely glacial Adobe development timeframe...
The initial sandbox implementation will isolate all 'write' calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003...
I was always perplexed at how a text document can somehow make calls to an operating system. It seems to me that PDF is a programming interface that supports text, and not a document format.
Sandboxing Adobe PDF? How about just burying this bloated, slow, insecure garbage in the sand so it never shows again. Then in 200 years it's discovered in an archaeological dig, and people marvel at how badly written software was ever unleashed to market.
Take Nobody's Word For It.
And PARC got their ideas from Douglas Engelbart's Mother of All Demos. The 1960s were a groovy time.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
Sandbox A will be put inside Sandbox B, and Sandbox B will be put inside Sandbox A. Problem solved!
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Java and .NET have sandboxes.
This is like giving people guns, then throwing them in jail. Why give them guns to begin with?
The Mother of All Demos was cool but it did not have a WIMP interface (Windows, Icons, Mouse, Pointer). It had a mouse and a pointer. From what I remember from the demo they were used to edit text (well, more like hypertext to be accurate). Apple's interface is more similar to Xerox's. You could even say it was less advanced, since the Xerox systems had an object-oriented programming language (Smalltalk). Apple only got that with MacOS X and Objective-C. Oh so many decades afterwards. I blame it on the hardware.
Memory and hardware virtualization and CPU ring modes were inventions of the 60's, before Apple existed. Multics used them 10 years before Apple was incorporated.
This.
My customers send a lot of blueprints as PDF files. I tried the alternatives because I think Acrobat is bloated, but the competitors had issues with printing. One printed everything as raster images and another one couldn't print anything at the correct scale.
Have you tried asking your customers to send you their technical drawings in vector graphic formats? PDF can include vector graphics, but it is a horrendously complicated format that can include anything and everything, and usually does. EPS is a much more predictable interchange format that has quite a lot of software support.
Which PDF competitors did you try?
1.) About fucking time, morons
2.) Okay, I feel a bit safer
3.) Who cares? I've not used Acrobat in several years.
Sumatra, PDF X-change or Foxit works as well or better.
Pain is merely failure leaving the body
Instead of sandboxing the software, couldn't they fix the software so it's not vulnerable to so many attack vectors?
and then sandbox it...
I've got better things to do tonight than die.
"Yeah, hi. Can you please change your workflow and the way you've been doing things for years that has worked with no problems just because I can't be bothered installing a free program to open your PDF files? Thanks!"
PARC is responsible for far more than what you are crediting to Apple
IIRC Xerox PARC created/invented the GUI, the mouse, and ethernet.
"Yeah hi, if you are creating your blueprints in a CAD program, it would save me time and effort if you sent me the blueprint in a vector format that I can import effortlessly into my workflow, and I can pass those savings on to you."
It's yet another piece of danger from the company that for many releases circumvented your operating system security settings by using its own embedded TCP/IP stack. Now they are going one step further, the sandbox; this time they will attempt to circumvent read, circumvent independent tagging, examination, and wrapping of files through their proprietary Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003 implementation. I don't like the product, it is able to execute with root privilege on many implementations unless constrained at installation, and now you have to monitor the complete range of Adobe products to have any chance of saying no; every installation of an Adobe product seems to correct your settings, back to the Adobe preferred default.
And I am baffled - it's a PDF viewer! "Read/Write operations?" Its purpose is to render PDF documents, and maybe print them. No need to touch anything else on the computer. Save some preferences, but that's done by the program, separated out from any PDF interpretation - certainly not made available from "scripting" inside the document. Abandoned Acrobat Reader a long time ago too.
Well if Sumatra doesn't do it for you I give my customers Foxit which has safe mode built in which halts executable code in PDFs by default, which is of course how they hit you with malware in the first place. Why Adobe decided executable code was just gravy for a document format, I'll never know. But that link will install any of the programs on their page with no toolbars, including Sumatra or Foxit, all automated. Great for setting up a PC for the first time. After version 6 Adobe became just too bloated for me to recommend to customers, but I've not gotten any complaints with Foxit.
ACs don't waste your time replying, your posts are never seen by me.
The most immediate comparison here is probably Internet Explorer, which has been sandboxed by default since Vista. The comparison is relevant since IE and Adobe Reader are both native binary applications in a desktop system which are sandboxed as an afterthought using the security system of the OS.
With boxes as with platitudes, it's what's inside that counts.
Not entirely true; XEROX PARC being the source of all Apple ideas is a bit of an urban myth. See Jef Raskin's story here http://www.digibarn.com/friends/jef-raskin/writings/holes.html
The sieve-like structure of the Adobe Sandbox (tm) assures that the sand is self-cleaning! And for a nominal fee, Adobe is delighted to offer genuine replacement Adobe Sand (tm) with 100% Photoshop compatibility!
MS are leery of doing anything that will level accusations of monopoly at them again - they have been in trouble for bundling apps before now and if they put in a PDF viewer this is the card that Adobe will play against them.
This is why Notepad is still the same awful useless piece of rubbish that can't even open files with Unix line endings properly. (note - not sure if the Vista/7 version does this but the most-used business version, XP, does not). The text editor industry is so large that they would be accused of destroying it single-handedly if they updated it.
Not if a "vector format" is a proprietary CAD format that can only be edited in a CAD program that costs tens of thousands of dollars to license. CAD viewing-only programs are notoriously bad at printing and usually only available for Windows, so on any other OS you also have to deal with emulation or virtual machines just to see the drawing.
PDF is actually great for EPS pseudo-encapsulation -- any "print to PDF" program that uses Ghostscript as its engine, does a reasonably good job at converting vector formats.
Contrary to the popular belief, there indeed is no God.
I just don't get Adobe...at what time would my PDF reader need to edit the registry, and what good reason would I need web access with javascript...? Seriously....if I need web info from another app, you can call IE from that app with command line arguments, why use a faulty app to open a web page with...IE is not secure, why would you think Adobe Reader would be?
I have used Foxit, but even that has holes apparently....I think I will stick to chm books for now, if I can avoid pdf altogether.
.pdf is actually currently the best format for sharing and printing vector graphic CAD drawings, and it's an open format that anyone can implement. Viewers and print drivers for it are ubiquitous, the spec is open, all major CAD programs can output to it (though some might need an add-in or plotter driver)
.pdf is more reliable than using the actual CAD file, as even if you put up the $thousands for AutoCAD, different versions and different add-ons will look different and may not work with each other at all. Also line thickness, colors, plotting attributes, etc. need additional info not typically stored inside the document. Before .pdfs became common, AutoCAD printing was typically done by making .plt files, for which there are no good viewers, and which still require plotting setup files to plot properly. Before .pdfs became common, sharable drawings for viewing were usually .tiff files, which are large, cumbersome, slow, and hard to print to scale.
.DXF drawings are relatively open, but are large, have limited accuracy, and will not usually contain all of the information needed to plot a modern drawing (see the .DXF definition of a 3D Solid, for example)
You stated that "the vast majority of users have Adobe Reader installed to view PDF files, and they will not know why or how they should change to something else". That may be true, but that explains why we have so many security problems in the first place.
The more people that say, "Product X has too many security problems, I will switch to product Y", the faster the maker of product X will wake up and eliminate security vulnerabilities. Or disappear, leaving room for whoever makes product Y. Making a secure program is not rocket science; the principles have been known since the mid-1970s, and there is lots of freely-available information on how to do it (e.g., see my Secure Programming material). But developers will only do that if there is a reason to do so.
If most users accept whatever product they have, as if it appeared by magic from the heavens, then unsurprisingly, the maker of that product will not improve the product.
People should be rising up and saying, "Your product keeps having security problems, ones your competitors don't have. So I'm switching to a competitor". If enough people do that, security problems will be a rare event. So, let's get people to say "I'm not going to take it any more!!" Then, Adam Smith's invisible hand will cause products to either get better in a hurry, or disappear into their rightly-deserved rubbish bin.
- David A. Wheeler (see my Secure Programming HOWTO)
Honestly, am I the only person who doesn't have an immense hatred for Acrobat Reader?
Yea, it's a big install, and uses a sizeable chunk of RAM...but does any of that matter anymore?
I have a 9 MB PDF file...600 pages of Oracle documentation. Adobe Reader opened it from a cold start in less than 2 seconds, and I was able to scroll the entire document quickly, and find the information I needed. No other free PDF viewer I've tried can do this, with the same responsiveness and ease of scrolling, zooming, or selecting text...all without the annoyance of ads. It's using about 30 MB of RAM to do this. Big fucking deal....Firefox is using 150MB, Chrome 60 MB, Outlook 80 MB...hell IE 8 is using almost 30 MB with only one tab open.
For any computer newer than 4 years old, the 'bloat' in Reader is negligible. It truly hasn't sucked from a performance standpoint since version 8. And in my mind, it beats the hell out of dealing with the various quirks in other PDF viewers...especially when you have to fill out a PDF form.
I for one welcome the attempt at beefing up security, and hope that other highly targeted apps take a cue from this and implement sandboxing for themselves.
Foxit has a history of exploits. You really need a reader with no Javascript or execute support at all.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Acrobat halts executable code as well - with its trust manager. These exploits are bugs, and Foxit was actually vulnerable to the most recent PDF bug that Acrobat was - Adobe just took two weeks longer to fix it (but then they had 25+ more languages they had to test the patch on).
Real operating systems have real jails.