Slashdot Mirror


Adobe Launches Sandboxed Reader X

CWmike writes "Adobe on Wednesday released Reader X, the next version of its popular software that includes a 'sandbox' designed to protect users from PDF attacks. Protected Mode is Adobe's response to experts' demands that the company beef up the security of Reader, which is aggressively targeted by attackers. Calling the sandbox a 'new advancement' in protective measures, Brad Arkin, Adobe's director of security and privacy, admitted it will not stymie every attack. But he argued it will help. 'Even if exploitable security vulnerabilities are found by an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files or installing malware on potential victims' computers,' Arkin said in a post to a company blog late on Thursday."

201 comments

  1. Great Idea: Will it work? by toygeek · · Score: 1

    I love the idea of it being sandboxed. I downloaded and installed Reader X yesterday, but I haven't had a virus in a long time so we'll see how it goes. However I've got a customer who gets the virus of the week almost on schedule... I'll have him try it out.

    1. Re:Great Idea: Will it work? by Pieroxy · · Score: 4, Insightful

      This is pathetic. This program is a "Reader", just that! How hard can it be to fix all of those buffer overflows? Is the source code so horrendously broken that only a sandbox can fix it? What's next? Sandboxing vi ? ls? /dev/null?

    2. Re:Great Idea: Will it work? by humphrm · · Score: 5, Insightful

      Yep, true dat. I remember when Adobe Reader first came out, it was the cat's ass - lightweight, did its job, nothing else. In fact at one time PDFs were used to avoid those infamous MS-Word viruses that spread in the '90s. Now it's suffering from the same feature creep that affects every other (commercial) software vendor - add features or else you don't think you're "adding value". And those new features carry with them all manner of attack vectors and vulnerabilities.

      Which is why I don't think vi will suffer the same fate. I'm not an avid follower of its development, I just use it, but it seems to me that they're keeping it pretty much the way it was intended to be.

      --
      -- "In order to have power, I must be taken seriously." -Mojo Jojo
    3. Re:Great Idea: Will it work? by gad_zuki! · · Score: 1

      Did you check his Java? Java is the most exploited app right now. If he doesn't need it you should just uninstall it. If he needs it for a local app then disable the browser plugin and just make sure he keeps up with the updates. By default it sets to check monthly for updates. You should change that to weekly or daily.

    4. Re:Great Idea: Will it work? by CarpetShark · · Score: 2, Funny

      I downloaded and installed Reader X yesterday, but I haven't had a virus in a long time

      Well, you do now ;)

    5. Re:Great Idea: Will it work? by zakeria · · Score: 3, Insightful

      It's not that the Reader has buffer overflows, underflows etc.; it's the fact that the Reader has so many built-in functions, such as embedded Flash movies, and these have their own flaws. I think Adobe should trim or design a lightweight Reader that has fewer of these features, making it more secure!

    6. Re:Great Idea: Will it work? by Anonymous Coward · · Score: 0

      Obviously Reader isn't just exploited by buffer overflows.

    7. Re:Great Idea: Will it work? by gtall · · Score: 1

      It isn't just the buffer overflows and it isn't just a reader. It now has active content, which means it is essentially a vehicle for mobile code... even if the mobile code is somewhat restricted.

    8. Re:Great Idea: Will it work? by hedwards · · Score: 1

      You can just use Sandboxie; it'll do that for pretty much any program you wish.

    9. Re:Great Idea: Will it work? by micheas · · Score: 1

      Yep, true dat. I remember when Adobe Reader first came out, it was the cat's ass - lightweight, did its job, nothing else. In fact at one time PDFs were used to avoid those infamous MS-Word viruses that spread in the '90s. Now it's suffering from the same feature creep that affects every other (commercial) software vendor - add features or else you don't think you're "adding value". And those new features carry with them all manner of attack vectors and vulnerabilities.

      Which is why I don't think vi will suffer the same fate. I'm not an avid follower of its development, I just use it, but it seems to me that they're keeping it pretty much the way it was intended to be.

      Although vim keeps adding new features, and nvi has had a security vulnerability as recently as 2008.

    10. Re:Great Idea: Will it work? by blueg3 · · Score: 3, Insightful

      Ever since von Neumann came up with this crazy idea of program and data being the same, guaranteeing that something that just manipulates data doesn't also execute code has been nontrivial.

    11. Re:Great Idea: Will it work? by TheRaven64 · · Score: 2, Interesting

      Sandboxing vi ?

      Is vi a link to vim on your machine? If so, it might be worth sandboxing; there has been at least one security hole in vim in the last year or so that has caused a buffer overflow that is exploitable by maliciously crafted text files.

      --
      I am TheRaven on Soylent News
    12. Re:Great Idea: Will it work? by Anonymous Coward · · Score: 0

      Doing this would be an admission that Reader is insecure. Adobe would never go this route.

    13. Re:Great Idea: Will it work? by TheLink · · Score: 1

      There's also the "unhygienic" habit of pushing data onto a stack that is also used to tell the CPU what address to run from when it does a "return".

    14. Re:Great Idea: Will it work? by Pieroxy · · Score: 3, Insightful

      Doing this would be an admission that Reader is insecure. Adobe would never go this route.

      And sandboxing the damn thing isn't an admission of crappiness?

    15. Re:Great Idea: Will it work? by Anonymous Coward · · Score: 0, Flamebait

      You've got to be kidding, adobe has NEVER made a well-designed product that I've seen.

      They had an old text processor for Unix--that may have been one of their better products ever, but it had an upside-down menu system that drove me crazy because the menus were all designed to "Tear off" so the most often used functionality was at the bottom of each menu.

      ATM--adobe type manager--one of the first apps that would widely destabilize windows (this was around the time of windows 3). It was horrific and unnecessary, but some apps required it for some god-awful reason.

      Adobe Reader plugin--One of the only two apps that has always, throughout its lifecycle, destabilized a browser. Even now if you click on a link for a big, slow PDF, the reader plugin will more likely than not hang your browser. This is the only app that I've had crash ALL of Chrome, not just its window. (The other major piece of FAIL in the browser plugin arena is Flash--I was a little perturbed when Flash started to annoy me more than Adobe because it was defocussing my hatred, luckily Adobe solved that by buying Flash)

      They also have a crappy overly large, overly expensive and inflexible web development environment.

      Nothing but hate, all the way down.

    16. Re:Great Idea: Will it work? by Anonymous Coward · · Score: 0

      OpenSSH has to run in a kind of sandbox. Anything written in C/C++ and more complicated than that should be sandboxed too. Java (applets) and JavaScript applications are always executed in a kind of sandbox anyway.

    17. Re:Great Idea: Will it work? by Anonymous Coward · · Score: 0

      Ever since von Neumann came up with this crazy idea of program and data being the same, guaranteeing that something that just manipulates data doesn't also execute code has been nontrivial.

      Except that most run-times don't actually do that. Only Lisp and Smalltalk completely buy into that concept. Everyone else has data (stored in variables) and code.

      JavaScript is also basically a Lisp-variant if one desires a more popular example.

    18. Re:Great Idea: Will it work? by Myopic · · Score: 1

      Seriously. Especially after 17 years of development.

    19. Re:Great Idea: Will it work? by LVSlushdat · · Score: 1

      Whenever I have to run Acrobat reader on Windows, I use Sandboxie to sandbox it. If I understand what Adobe is doing, this would be the same thing...

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    20. Re:Great Idea: Will it work? by blueg3 · · Score: 1

      Right, that's an aspect of the highly general nature of our von Neumann machines. Not only is code a kind of data, but our program flow control is mixed up with our other data and is barely constrained (that is, you're not limited to, say, returning to where you came from or jumping to the beginning of a function).

    21. Re:Great Idea: Will it work? by Kvasio · · Score: 1

      That's how everyone should be running all Adobe apps in recent years.

    22. Re:Great Idea: Will it work? by Skuld-Chan · · Score: 1

      A lot of the vulnerabilities that affect "Reader" also affect (or have affected) web "Browsers".

    23. Re:Great Idea: Will it work? by thePowerOfGrayskull · · Score: 1

      Also have him disable automatically opening PDFs in his browser. This is how a lot of PDF exploits can easily find a way into a system - because it opens in the browser, a hidden iframe can allow malicious content in. Update the browser settings to ALWAYS save them to disk.

    24. Re:Great Idea: Will it work? by Blue+Stone · · Score: 3, Funny

      The sandbox idea is great.

      Adobe couldn't fix all the security flaws in their program, so they wrote another program to put their program in.

      Fortunately the new program has no security flaws.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    25. Re:Great Idea: Will it work? by nine-times · · Score: 1

      Fixing the crappiness would be an admission that their feature creep has created an improperly designed and bloated mess. Sandboxing the whole thing just admits that there are security problems.

    26. Re:Great Idea: Will it work? by Anonymous Coward · · Score: 0

      Just write it in a typesafe language.

    27. Re:Great Idea: Will it work? by Arthur+Grumbine · · Score: 1

      Yo dawg - we heard you liked vulnerable reader programs...

      --
      Now that I think about it, I'm pretty sure everything I just said is completely wrong.
    28. Re:Great Idea: Will it work? by shutdown+-p+now · · Score: 1

      Except that most run-times don't actually do that. Only Lisp and Smalltalk completely buy into that concept. Everyone else has data (stored in variables) and code.

      It doesn't matter what the high-level separation is, if you can declare a pointer to what is ostensibly data, and, by performing arithmetic on it and writing through it, modify the code. This applies to any language with unrestricted pointer arithmetic running on von Neumann architecture, including - most notably - C, C++ and Objective-C.

    29. Re:Great Idea: Will it work? by tyrione · · Score: 1

      Yep, true dat. I remember when Adobe Reader first came out, it was the cat's ass - lightweight, did its job, nothing else. In fact at one time PDFs were used to avoid those infamous MS-Word viruses that spread in the '90s. Now it's suffering from the same feature creep that affects every other (commercial) software vendor - add features or else you don't think you're "adding value". And those new features carry with them all manner of attack vectors and vulnerabilities.

      Which is why I don't think vi will suffer the same fate. I'm not an avid follower of its development, I just use it, but it seems to me that they're keeping it pretty much the way it was intended to be.

      You lost me with the FOSS dig at Commercial software, as if KDE or GNOME aren't riddled with useless feature creep that continues to bloat it. Hell, the entire Plasma concept bloats the hell out of KDE and is why I disable as much of it as possible.

    30. Re:Great Idea: Will it work? by tyrione · · Score: 1

      Did you check his Java? Java is the most exploited app right now. If he doesn't need it you should just uninstall it. If he needs it for a local app then disable the browser plugin and just make sure he keeps up with the updates. By default it sets to check monthly for updates. You should change that to weekly or daily.

      Java is not an app.

    31. Re:Great Idea: Will it work? by Robert+Zenz · · Score: 1

      These were exactly my thoughts. They've created a monster they can't control anymore... very similar to what MS did with ActiveX.

    32. Re:Great Idea: Will it work? by Robert+Zenz · · Score: 1

      It still is, you're right. But you can sell it to the customer as a new security feature.

    33. Re:Great Idea: Will it work? by Jeremi · · Score: 1

      How hard can it be to fix all of those buffer overflows?

      Fixing the known buffer overflows? Easy.

      Verifying that no further security problems exist? Not so easy.

      Guaranteeing that no additional security problems will be accidentally added in future versions? Difficult.

      What's next? Sandboxing vi ? ls? /dev/null?

      Well, why not? If you've got the resources to spare, why would you want to risk trusting code that might contain as-yet-undiscovered bugs or back doors?

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    34. Re:Great Idea: Will it work? by Jeremi · · Score: 1

      Ever since von Neumann came up with this crazy idea of program and data being the same, guaranteeing that something that just manipulates data doesn't also execute code has been nontrivial.

      Didn't Intel add an "execute bit" to its MMU at some point to deal with this problem? IIRC, the idea was that an attacker might be able to download executable code into a process's memory space, but the CPU would throw a hardware exception if it was directed to execute that code, because the code would be in a memory area marked as non-executable. The program's actual executable code, OTOH, would be in pages marked executable, but also read-only.

      With that in place, the attacker would have to trick the program's original code into saving the downloaded code to disk, then running it as a separate application. Not necessarily impossible... but more difficult, no?

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    35. Re:Great Idea: Will it work? by Jeremi · · Score: 1

      Adobe couldn't fix all the security flaws in their program, so they wrote another program to put their program in. Fortunately the new program has no security flaws.

      ... or if it does, they can deal with them by running it in a sandbox...

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    36. Re:Great Idea: Will it work? by IRWolfie- · · Score: 1

      FOSS software IS commercial software (a lot of the time).

    37. Re:Great Idea: Will it work? by AmiMoJo · · Score: 1

      All CPUs made in the last 4-5 years support Data Execution Prevention. Buffer overflows are not that common any more in part because of it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    38. Re:Great Idea: Will it work? by blueg3 · · Score: 1

      They did, but it's a stopgap measure to prevent certain kinds of common attacks. A section of memory that's heavily used for data also happens to contain critical pieces of information used for control flow -- the stack. By bashing pointers on the stack, it turns out to be possible to execute arbitrary code even on an NX-protected stack (that is, the bits in the stack cannot be directly executed). (That's return-oriented programming. Big topic recently in security.) This sort of falls out naturally from the von Neumann architecture of intermixing code (and program control flow) and data. There are other fine ways of doing this too -- interpreted languages, for example, turn non-executable data into Turing-complete programs. An NX bit won't save you there, either.

    39. Re:Great Idea: Will it work? by blueg3 · · Score: 1

      Interpreted languages. Return pointers on the stack (see: return-oriented programming). Intermixing code and control flow with data as modern machines do makes separating them for security reasons difficult.

    40. Re:Great Idea: Will it work? by AmiMoJo · · Score: 1

      I don't see what interpreted languages have to do with this type of exploit. They are essentially the same as any other data being processed and DEP will prevent buffer overflows in the interpreter.

      The stack is marked as data so DEP wins again. The stack is one of the most common targets for buffer overflows and was also one of the first things to benefit from DEP.

      No modern programs mix code and data. Executables are made up of chunks, with code and data separated. The OS loads them and sets up DEP automatically based on their content. You can't mix code and data in the same module, they have to be either executable and read only or not executable (data) and read/write. You could try to put some data hard coded into your program code but if the variable is not static it will be allocated in data memory at run-time and filled in anyway. Static data can of course not be changed as DEP does not support self modifying code.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    41. Re:Great Idea: Will it work? by blueg3 · · Score: 1

      The code to be interpreted is data. So an attack capable of injecting non-executable data can inject to-be-interpreted code. An interpreter is a Turing-complete system controlled by non-executable data.

      In addition, one problem with interpreters is that they often compile and execute code, all in memory, meaning that they execute code (the compiled code) stored in memory pages that are both writable and executable. (You can read more about this in papers where people implement systems that actively enforce the W^X restriction.)

      The stack is of course data. So the trivial stack overflow, where executable code is placed on the stack, is defeated by NX. But any modern program has an enormous pool of functions accessible to it through libraries (like the C standard library). The systems don't enforce only jumping to the beginning of a function, you can jump to a place near the end. The address to jump to when you return from a function is conveniently stored on the stack. There's nothing enforcing that that's really the place in code you came from. So you have a ton of code to work with that does some work and then executes a return, and you conveniently are able to specify any address you want as the place to "return" to. It turns out you can make a Turing-complete system by putting only "nonexecutable" data on the stack because of this, so setting NX on the stack gets you nothing (except making it more inconvenient for hackers).
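
The W^X restriction mentioned in the comment above (no page both writable and executable) can be checked from the defender's side by reading a process's memory map. This is an added example, not part of the original thread: a small C auditor for Linux `/proc/<pid>/maps` text that flags W+X mappings and an executable stack; the sample map, the `/usr/bin/reader` path and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One parsed line of Linux /proc/<pid>/maps. */
struct mapping {
    unsigned long long start, end;
    char perms[5];   /* "rwxp" style flags */
    char path[256];  /* empty for anonymous memory */
};

/* Result of auditing a whole map. */
struct audit {
    int wx_count;            /* mappings that violate W^X */
    int stack_executable;    /* 1 if the [stack] mapping has x set */
    struct mapping first_wx; /* first offending mapping, if any */
};

/* Constructed sample map for a hypothetical /usr/bin/reader process:
 * code (r-x), data (rw-), an anonymous rwx region such as a JIT buffer,
 * and a non-executable stack. */
static const char SAMPLE_MAPS[] =
    "00400000-0040b000 r-xp 00000000 08:01 131090 /usr/bin/reader\n"
    "0060a000-0060c000 rw-p 0000a000 08:01 131090 /usr/bin/reader\n"
    "7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0 \n"
    "7ffd5e2c1000-7ffd5e2e2000 rw-p 00000000 00:00 0 [stack]\n";

/* Parse one maps line. Returns 1 on success, 0 if the line is malformed. */
int parse_maps_line(const char *line, struct mapping *m)
{
    unsigned long long offset, inode;
    unsigned int dev_major, dev_minor;
    int consumed = 0;

    memset(m, 0, sizeof *m);
    if (sscanf(line, "%llx-%llx %4s %llx %x:%x %llu %n",
               &m->start, &m->end, m->perms, &offset,
               &dev_major, &dev_minor, &inode, &consumed) < 7)
        return 0;
    if (strlen(m->perms) != 4 || m->end <= m->start)
        return 0;
    if (consumed > 0) {
        /* Whatever follows the inode is the path or a tag such as [stack]. */
        strncpy(m->path, line + consumed, sizeof m->path - 1);
        m->path[strcspn(m->path, "\n")] = '\0';
    }
    return 1;
}

/* A mapping violates W^X when it is writable and executable at once. */
int is_wx(const struct mapping *m)
{
    return m->perms[1] == 'w' && m->perms[2] == 'x';
}

/* Walk a maps text buffer line by line and fill in the audit result. */
void audit_maps(const char *text, struct audit *a)
{
    memset(a, 0, sizeof *a);
    while (*text) {
        char line[512];
        struct mapping m;
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;

        memcpy(line, text, n);
        line[n] = '\0';
        if (parse_maps_line(line, &m)) {
            if (is_wx(&m)) {
                if (a->wx_count == 0)
                    a->first_wx = m;
                a->wx_count++;
            }
            if (strcmp(m.path, "[stack]") == 0 && m.perms[2] == 'x')
                a->stack_executable = 1;
        }
        text += len;
        if (*text == '\n')
            text++;
    }
}

int main(void)
{
    static char buf[1 << 16];
    struct audit a;
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;

    if (f)
        fclose(f);
    buf[n] = '\0';
    /* Fall back to the constructed sample where /proc is unavailable. */
    audit_maps(n ? buf : SAMPLE_MAPS, &a);
    printf("W+X mappings: %d, executable stack: %s\n",
           a.wx_count, a.stack_executable ? "yes" : "no");
    if (a.wx_count)
        printf("first: %llx-%llx %s %s\n", a.first_wx.start,
               a.first_wx.end, a.first_wx.perms, a.first_wx.path);
    return a.wx_count != 0;
}
```

A clean result only shows that injected data cannot be executed directly; it says nothing about the return-address reuse described in the same comment, which needs no executable data at all.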

    42. Re:Great Idea: Will it work? by AmiMoJo · · Score: 1

      You are assuming that there is only one stack. Anyone who uses the same stack for both data and return pointers/saved registers is nuts.

      Your point about compilation of interpreted code has some validity but Reader doesn't do that. Also why would such an interpreter use the same stack for program flow control and data?

      Okay, that still allows for providing data that makes the code handling it somehow corrupt its flow control stack, but since you can't directly influence the addresses being jumped to it becomes extremely hard to do anything other than denial of service. Not impossible, granted, but not practical either. You can't inject code either unless you somehow manage to cause the program to create a file, name it .exe and then execute it. You can't overwrite code in memory thanks to the MMU.

      Reader has poor security because it is badly written. When Adobe first introduced Javascript and embeddable media it was at a time when most commercial desktop developers didn't really think about security. Windows, the most popular OS, didn't even ship with a firewall enabled by default until XP SP2. Reader got those features back when Windows 98 was the latest thing.

      As such they have an ancient code base and a need to maintain legacy features. Browsers have similar problems with Javascript and it is only by major browsers dropping support for the unfixable stuff that we have got to a point where it is almost safe. Even now it still needs sandboxing - Chrome, IE, Webkit and Firefox all do. Adobe should do that, or better still start from scratch.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    43. Re:Great Idea: Will it work? by blueg3 · · Score: 1

      Last I checked, C puts return pointers, function parameters, and automatic variables on a single stack.

      Reader doesn't have to compile interpreted code. It's sufficient to have support for interpreted code. Which in Reader is JavaScript.

      Never mind that PDF is based on PostScript, which is a Turing-complete programming language.

    44. Re:Great Idea: Will it work? by metrix007 · · Score: 1

      I have never heard the phrase "cats ass" used in such a manner before. Kudos.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
  2. Not sure I like this idea by Anonymous Coward · · Score: 2, Funny

    This is a terrible idea. The neighborhood cats are constantly shitting in my sandbox.

    1. Re:Not sure I like this idea by mcgrew · · Score: 5, Funny

      The sandbox is to prevent the cats from shitting in your laundry basket.

    2. Re:Not sure I like this idea by datapharmer · · Score: 1

      whew. glad I'm not the only one with that problem.

      --
      Get a web developer
    3. Re:Not sure I like this idea by MozeeToby · · Score: 1

      Wow, an analogy that is not only comically entertaining, but also shockingly accurate. I tip my hat to you good sir. *tips imaginary hat*

  3. Does this one work with Chrome? by BadAnalogyGuy · · Score: 2, Interesting

    Acrobat Reader does this stupid thing where it opens the Reader application to show me an error message then shuts that down and opens the document in the browser. During this, any other Acrobat Reader instances opened will be automatically closed and it's a 50/50 shot whether the current document actually shows up properly in the browser.

    1. Re:Does this one work with Chrome? by revlayle · · Score: 2, Interesting

      Might be moot, ver 8 (which is in beta) series of Chrome has a built-in PDF reader - not sure how complete or how secure it is however. That being said, Adobe Reader runs in ver 7 (current stable version) series just fine.

    2. Re:Does this one work with Chrome? by Anonymous Coward · · Score: 0

      Google's two big reasons for making a new PDF plugin were (1) seamless HTML experience, and (2) security. It's sandboxed just like the main browser process is.

      Also, you should be able to enable Chrome's PDF plugin in v7 by going to about:plugins (it was disabled by default).

  4. The OS should provide the option to sandbox too by the_humeister · · Score: 5, Insightful

    Any program I run should have the option of being sandboxed by the OS if I so choose.

    1. Re:The OS should provide the option to sandbox too by Pieroxy · · Score: 1

      Any program I run should have the option of being sandboxed by the OS if I so choose.

      I guess you mean that every OS should propose that option. I mean, every modern OS, not this unix clone that is based on technologies from the 70s right?

    2. Re:The OS should provide the option to sandbox too by humphrm · · Score: 2, Informative

      There are security / firewall products out there for Windows that do just that, sandbox applications. I won't shill any, but there are free (as in beer) products too.

      I only mention Windows because it's trivially easy to sandbox apps in just about any other OS.

      --
      -- "In order to have power, I must be taken seriously." -Mojo Jojo
    3. Re:The OS should provide the option to sandbox too by Anonymous Coward · · Score: 1, Insightful

      Any program I run should have the option of being sandboxed by the OS if I so choose.

      This.

      It shocks me that this is *still* not a common OS security feature. Some do it by default, but it should at least be an option all the time.

    4. Re:The OS should provide the option to sandbox too by Spad · · Score: 1

      Vista/Win 7 does allow programs to be executed with Low Integrity Level so that they are essentially sandboxed. However, apps have to be written to take advantage of this functionality, otherwise there's a good chance they'll break if run with a Low Integrity Level. Some specific PDF Reader-related info here

    5. Re:The OS should provide the option to sandbox too by LordLimecat · · Score: 1

      Wait, are you talking about Linux, Windows, or Mac? Pretty sure they're all "unix clones" in some sense of the word, and pretty sure they're all based on SOME technologies from the 70s...

    6. Re:The OS should provide the option to sandbox too by ciderbrew · · Score: 1

      Can you sand box games and their DRM? If I could uninstall the DRM at will and not have it poison and hide around the system then maybe I could live with it a bit more.

    7. Re:The OS should provide the option to sandbox too by icebraining · · Score: 1

      AppArmor ("Application Armor") is a security module for the Linux kernel, released under the GNU General Public License. From 2005 through September 2007, AppArmor was maintained by Novell. AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It was included as of the 2.6.36 version of the mainline Linux kernel.

      In addition to manually specifying profiles, AppArmor includes a learning mode, in which violations of the profile are logged, but not prevented. This log can then be turned into a profile, based on the program's typical behavior.

    8. Re:The OS should provide the option to sandbox too by Pieroxy · · Score: 1

      But only one of them is a unix clone.

    9. Re:The OS should provide the option to sandbox too by mcgrew · · Score: 0, Troll

      Mac and Linux are Unix clones. Why do you think all the viruses are for Windows? "Based on '70s technologies" means it's a mature technology that has kept up with the times. It's a GOOD thing.

      If they were to rewrite Windows and base it on this mature tech, Windows would be a lot more stable and secure.

    10. Re:The OS should provide the option to sandbox too by humphrm · · Score: 1

      I've never tried games, although I have a steam account so I could try. Most of my games are from GOG. ;-) I always sandbox Adobe Reader and it works pretty well.

      --
      -- "In order to have power, I must be taken seriously." -Mojo Jojo
    11. Re:The OS should provide the option to sandbox too by rrossman2 · · Score: 1

      Ah yes... I have yet to get hit with a virus or worm on my Minix box!

    12. Re:The OS should provide the option to sandbox too by TangoCharlie · · Score: 1

      I thought that WindowsNT was heavily influenced by the VMS architecture?!

      --
      return 0; }
    13. Re:The OS should provide the option to sandbox too by TheSpoom · · Score: 1

      If they were to rewrite Windows and base it on this mature tech, Windows would be a lot more stable and secure.

      They did this. It was, for a while. It was called Windows NT.

      Might be time for another rewrite, honestly. *shrugs and continues running Linux*

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    14. Re:The OS should provide the option to sandbox too by hedwards · · Score: 1

      That's not the same thing. You should be able to run the programs both at low integrity level and in a sandbox. The point of the sandbox is to keep the program segregated from the rest of the programs in case somebody manages to find an exploit to elevate privileges. They'd have root, but they'd have root in the sandbox and would have to then break out of the sandbox to do much.

    15. Re:The OS should provide the option to sandbox too by hairyfeet · · Score: 2, Insightful

      I ahhhh hate to break the news to ya McGrew, but actually repairing Windows PCs for a living I can tell you the vast majority of Windows infections post XP SP2 is PEBKAC related. I have sat there dumbfounded after telling a user that a password protected zip file was an infection and watched them happily do EXACTLY what the email told them to and infect their machine, I have dealt with grown men that would run ANY .exe if it had the word "porn" in the title, and watched grown women click on ANY link sent to them via FB.

      I can tell you without a shadow of a doubt that if you replaced all the Windows machines with Linux tomorrow, by next week those users' inboxes would be full of "free_porn_codec.sh" or "Happy_puppy_screensaver.sh" with instructions that they WOULD follow to run them. So unless you are willing to take ALL rights away from home users and give them a Steve Jobs style walled garden, OS design wouldn't do squat.

      As for TFA, how does this compare to the Foxit "protected mode" where it shuts down all the executable code and just gives you the PDF? And for those that want to sandbox ANY app I would suggest Comodo Internet Security or Comodo AV (same link) which are both free and both by default sandbox ALL apps, and can be easily set to run any app sandboxed full time if you like. It does help with the PEBKAC users if for no other reason than they can't figure out how to turn the sandbox off.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    16. Re:The OS should provide the option to sandbox too by Nimey · · Score: 1

      Sandboxie is the first one I can think of. Free as in beer, but it'll delay launch for a few seconds once so many days have passed unless you buy the registered version.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    17. Re:The OS should provide the option to sandbox too by mevets · · Score: 3, Interesting

      Windows New Technology => WNT

      (V+1)(M+1)(S+1) == WNT

      Cutler didn't even pretend it was new.

    18. Re:The OS should provide the option to sandbox too by vistapwns · · Score: 1

      All the viruses are for Windows, for the same reason all the games are for Windows, not cause they won't run on unix but because Windows is 90% of the market. Some games get rewritten for linux, because developers are saps and feel sorry for linux users, virus writers have no such pity, so it looks like a windows specific problem, when it is not. World famous hackers like Charlie Miller, who is a mac user btw, has said that 3 year old Vista is more secure than brand new Snow Leopard. So please put your cup of kool-aid down and verify what your unix friends tell you, because most of it is propaganda with the aim of saying anything at all to increase unix's pathetic market share.

      --
      "...I think the Microsoft hatred is a disease." - Linus Torvalds
    19. Re:The OS should provide the option to sandbox too by mevets · · Score: 1

      Mac is UNIX
      Linux is unix-ish
      Windows is vms-ish

      They are all based on old technologies.

      VMS was heavily based on shared memory; thus was Windows, and that shared kernel data has been the vector of so much hurt.

    20. Re:The OS should provide the option to sandbox too by mcgrew · · Score: 1

      can tell you the vast majority of Windows infections post XP SP2 is PEBKAC related

      I would imagine that it was pretty much the same as before XP as well. Trojans are a lot easier to write than viruses, and easier to implement on any OS.

      That said, had your customers been running Linux, they would have a hard time infecting their machines with malware. Installing an app from your distro's repository is as easy as installing a Windows program, but installing some random piece of code off the internet isn't. Your virus-infected customers surely would have an incredibly hard time getting that trojan installed, if they could do it at all, even with instructions -- and the instructions for installing a non-repository app differ at least slightly from distro to distro.

      I haven't used FoxIt, I don't remember the name of the document reader that comes with kubuntu, but it's neither Adobe nor Foxit.

    21. Re:The OS should provide the option to sandbox too by Rockoon · · Score: 2, Insightful

      Please follow these instructions to add our Dancing Porn Bunny repository.

      Open System -> Administrator -> Software Sources

      Press ADD to add a new repository.

      Enter this APT line for our repository:

      deb http://ftp.dancingporn.ru etch main

      Press Add Source and then click Close.

      Now press Reload

      Now go and check out our dancing porn bunnies!!!! Tell your friends!!

      ..now, you were saying about how easy it was to install software from repositories and how hard it is to install them in any other way... do you now understand that that doesn't mean shit? If you make anything easy, it's also easy to exploit.

      --
      "His name was James Damore."
    22. Re:The OS should provide the option to sandbox too by LordLimecat · · Score: 2, Informative

      I ahhhh hate to break the news to ya McGrew, but actually repairing Windows PCs for a living I can tell you the vast majority of Windows infections post XP SP2 is PEBKAC related.

      Hate to break it to YOU, but also doing IT work for a living-- dealing with top to bottom (helpdesk up to routers / firewalls), I can tell you that's a techie cop-out. The VAST (and I mean VAST) majority of infections come from out of date browsers and plugins with gaping vulnerabilities. I ask each and every infected customer to relate what they were doing prior to infection, and verify their claims with browser history and temp file. I see 2, maybe 3 per year that were honest-to-goodness "downloaded and ran cheeseburger.exe" exploits; all the rest went thru Acrobat or Flash or Java (1.5 FTW) or Quicktime or thru an out of date browser.

      Switch your common offenders to Google Chrome, turn off all non-native plugins, enable the Chrome PDF and Flash native plugins, and THEN see how many infections you get (as chrome forcefully auto-updates all 3). I think you will be surprised.

    23. Re:The OS should provide the option to sandbox too by LordLimecat · · Score: 1

      not cause they won't run on unix

      Actually, I'm fairly certain win32 viruses WON'T run on unix ;)

    24. Re:The OS should provide the option to sandbox too by Anonymous Coward · · Score: 0

      Although there are certainly plenty of "click_for_bewbs.exe" type attacks that succeed, you are right that application level (and plug in level) exploits are the most common today. They re-enable the classic "IE 6" style drive by download, so they are an easier, more sure way of getting your code to run. Block those (by your stated method of Chrome,etc. - which is a very good suggestion BTW), and those older, less sure "click here" attacks will resume with more vigor. Cut the head off of the beast and it just grows more...

    25. Re:The OS should provide the option to sandbox too by Anonymous Coward · · Score: 0

      plan 9 ?

    26. Re:The OS should provide the option to sandbox too by mcgrew · · Score: 1

      Some would certainly be caught by that, but they get a warning if they do.

      Like I said, any system can be compromised, particularly if the user is foolhardy, but the Linux way is still safer.

      And, in Linux it isn't "administrator". Hell, most distros if you log in as root and run a GUI, the GUI is bright red as a warning. At least, KDE used to do that five years ago, I haven't had to log in as root under kubuntu.

    27. Re:The OS should provide the option to sandbox too by Sleepy · · Score: 1, Interesting

      I can tell you without a shadow of a doubt that if you replaced all the Windows machines with Linux tomorrow by next week those users inboxes would be full of "free_porn_codec.sh" or "Happy_puppy_screensaver.sh" with instructions that they WOULD follow to run them.

      This is FUD.

      You either do not know (or understand) what the "onion/layered approach" is regarding security.

      An onion model assumes that vulnerabilities WILL happen, and therefore permissions are restrictive by default. If there is real world exploit on multiple levels, it is the OS fault.

      Permissive systems assume that no exploits will occur, or rather that all KNOWN exploits are now defended against (ok, job done, let's go home guys...). If there is real world exploit on multiple levels, it is the USER'S fault.

      Guess which model has stood the test of time?

      I get really annoyed when mouse jockeys try to say that Linux would be just as insecure as Windows IF ONLY MORE PEOPLE WERE USING IT. Your argument is based either on ignorance of UNIX, security, or out of defensiveness for your livelihood: you do profit from people's misfortunes using Windows. It is not your fault they run Windows and you enable that to continue - they choose this. So you shouldn't feel any need to emotionally defend Windows with an attack on Unix.

      PS - if you actually TRIED sending "Happy_puppy_screensaver.sh" to a newbie who runs Linux, it would fail for more reasons than you could ever know.

      It would be impossible for the Linux user to run emailed scripts by clicking in the email. Even if you had the user save the file, it would still not run. Even if you talked the user through how to enable the file's execute bit via chmod +x, it STILL would NOT infect the OS with malware. If you talk the user into running "su" to gain root permissions, only then are we talking real damage. THAT is what an onion layer is like.

      Here's another example:
      On UNIX, there is 1 permission to read a file, and a different permission to allow execution. These permissions go on users, files, directories, filesystems, and even partitions.

      Windows thought it would be a great "convenience" to just assume if you have permission to read something, it must be OK to run it also...

      The DOS/Windows way of "read permission + file extension == execute" was widely laughed at before Windows even existed. In fact when Microsoft wanted a secure GUI system, they actually did security the UNIX way (OS/2).

    28. Re:The OS should provide the option to sandbox too by Rockoon · · Score: 1

      Some would certainly be caught by that, but they get a warning if they do

      You act as if they don't get warnings in vista/7 ...

      And, in Linux it isn't "administrator". Hell, most distros if you log in as root and run a GUI, the GUI is bright red as a warning

      I actually typed that out from the ubuntu wiki, where I mistyped 'administration' .. ie, this is a guide for GUI-enabling of 3rd party repositories for ubuntu, from the ubuntu docs itself.

      Administration is a MENU ITEM.

      --
      "His name was James Damore."
    29. Re:The OS should provide the option to sandbox too by cbhacking · · Score: 1

      I like having one shortcut that forces an app to run at Low IL, and one for normal level. Use the Low for most things, use Normal when you have to do something like write to the filesystem (honestly, how often do you write a file from a PDF reader? I don't even print them, usually).

      --
      There's no place I could be, since I've found Serenity...
    30. Re:The OS should provide the option to sandbox too by Anonymous Coward · · Score: 0

      You don't need to log in as root to install software. You log in as your regular user and, sudo (Getting a nice happy GUI password box, slightly harder to ignore than all those Vista confirmation boxes everyone hates).

    31. Re:The OS should provide the option to sandbox too by Confusador · · Score: 1

      Look, I'm typing this on Linux, it has any number of advantages not least of which is that it's harder to run arbitrary code as root. None of that stands in the way of this problem, though. All I need to do is send you happy_puppies.deb or happy_puppies.rpm, you double click, put in your password, and it happily installs. Just like Opera or Chrome or anything else that you actually should be installing. If it's well designed, it even adds a repository so it can keep itself up to date unobtrusively.

      The fact is that a computer can never be protected from its owner without turning it into something else (e.g. Tivo, Iphone, etc)

    32. Re:The OS should provide the option to sandbox too by shutdown+-p+now · · Score: 1

      On UNIX, there is 1 permission to read a file, and a different permission to allow execution.

      FYI, it's also true on Windows NT and above as well. Well, it's a tad different - there are two permissions, one being "Read & Execute", another being just "Read". So you cannot let someone run the program without also being able to read the executable (which makes sense), but you can let them read the file but deny the ability to run it. The extension thingy is on top of that.

      It's just that permissions default to "Run & Execute" for newly created files, and you have to explicitly change that.

    33. Re:The OS should provide the option to sandbox too by Robert+Zenz · · Score: 1

      You're missing the possibility that "Happy_puppy_screensaver.sh" will most likely not work on every distribution and system out there, just because it is a shell script, doesn't mean that it's working everywhere.

    34. Re:The OS should provide the option to sandbox too by Robert+Zenz · · Score: 1

      Actually, you can still run them with Wine. The last time they tested it, I think only 1 out of 10 viruses worked...talking about crappy compatibility. ;)

    35. Re:The OS should provide the option to sandbox too by hairyfeet · · Score: 1

      Can you be more insulting? Tell you what sparky, you tell me how your "onion layered security" will stop this scenario? Allow me to answer for you /cue Samuel Jackson voice/ It won't do a God damned thing about it.

      Whether you accept it or not as long as the user has root rights they CAN fuck the machine, full stop. That is why we don't allow users in corporations to be admins. But just as the user I watched helpfully followed the instructions to open the password protected zip file, so too can any malware writer simply place helpful instructions that they WILL follow. Or are you one of those that thinks CLI makes you smart? Oh and you might want to check out this link on how to write Linux malware in just five easy steps! Enjoy!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    36. Re:The OS should provide the option to sandbox too by Anonymous Coward · · Score: 0

      (H+1)(A+1)(L+1) = IBM

    37. Re:The OS should provide the option to sandbox too by AmiMoJo · · Score: 1

      Windows has a layered security model just like Linux. That is why the screen goes dark and you get an allow/deny window and a request for the admin password when you try to install stuff or change system settings.

      The only problem is that manufacturers still ship with the default user set as an administrator (i.e. root) to bypass the password requirement and users blindly click "allow" because they don't understand why they need to confirm when they just want to set the clock or install a screensaver.

      Linux is no better. If say Ubuntu was more popular viruses would just come packaged for the package manager (apt?) and the same users would click "allow" and enter their password. In fact a lot of malware is bundled with free shit like screensavers and smilie packs and Linux doesn't stop you installing them or typing the root password when requested. There is no reason to assume computer manufacturers wouldn't disable the root password and just have a prompt like windows anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    38. Re:The OS should provide the option to sandbox too by Anonymous Coward · · Score: 0

      Even DOS had some VMS influence like the colon for drive/device names (A:, CON:, etc.), forward slash for command switches, some command names like DIR, some file extensions (TXT, EXE, COM), using the $ as an escape character (instead of backslash), and there's probably more. Of course, CP/M that DOS was based on had most of these too, but they came originally from VMS and other DEC OS's.

    39. Re:The OS should provide the option to sandbox too by Anonymous Coward · · Score: 0

      Yeah and 9/11 was staged.

    40. Re:The OS should provide the option to sandbox too by Anonymous Coward · · Score: 0

      You're arguing with an idiot. Don't bother.

    41. Re:The OS should provide the option to sandbox too by metrix007 · · Score: 1

      Idiot. If Linux was to take the place of Windows, most people would not install via a repository, as most of what they install would be proprietary. They would have EXACTLY the same problems.

      It is TRIVIAL to install a virus on Linux, there just isn't enough marketshare to make it worthwhile.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    42. Re:The OS should provide the option to sandbox too by mcgrew · · Score: 1

      most people would not install via a repository, as most of what they install would be proprietary

      They use proprietary software because they don't know about free software. And as I already said, installing from a repository is as simple as a Windows install, while installing from the wild is a bit trickier, past what most computer users are capable of.

    43. Re:The OS should provide the option to sandbox too by Anonymous Coward · · Score: 0

      No, they use proprietary software because the free alternatives are fucking bad most of the time.

  5. Performance by jawtheshark · · Score: 1

    Adobe Reader is already a performance slouch. This probably won't help a bit. Too bad my tax declaration only works with their version. Well, as far as I could see at least.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  6. Reader aggressively targeted by attackers? by Anonymous Coward · · Score: 0

    "Protected Mode is Adobe's response to experts' demands that the company beef up the security of Reader, which is aggressively targeted by attackers"

    Shouldn't that be beef up the security of Reader on Windows, which is aggressively targeted by attackers ..

  7. .pdf safety rules by digitaldc · · Score: 1

    The ONLY way I can feel safe is to run Adobe Reader Protected Mode in Windows Safe Mode. Then, and only then, I will be safe.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:.pdf safety rules by hedwards · · Score: 1

      Adobe reader is kind of a challenge. With Java that's easy. If I really want to be safe, I go down to the local Starbucks with a thermometer and measure the temperature before I move it. I have yet to get burned by hot coffee when doing it like that.

    2. Re:.pdf safety rules by Confusador · · Score: 1

      I've given up on assuming I will ever be safe. Each time I have to view a pdf, I open a virtual machine and download and install the latest version from Adobe's website. When I'm done with the document, I assume it's infected and roll back to a 'safe' state, where nothing from Adobe is installed.

  8. They've used up all my trust already. by Anonymous Coward · · Score: 1

    Come on, Adobe. This feature was programmed by Marketing Dept, I'd guess.

  9. Adobe Reader, now even slower! by RingDev · · Score: 2, Informative

    I mean really, Adobe Reader has become one of the worst PDF readers available. It's slow. It hangs the browser. It's constantly getting attacked. And it's a total pain to keep it updated.

    Just get Foxit and be done with it. It's light weight, doesn't hang browsers while opening large PDFs, has a SIGNIFICANTLY better search interface, and so far hasn't been subject to any major attacks/flaws.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    1. Re:Adobe Reader, now even slower! by Spad · · Score: 4, Informative

      and so far hasn't been subject to any major attacks/flaws.

      Sadly not true; it was vulnerable to the /launch "vulnerability/feature" as well as a couple of others. Even Sumatra has had one.

    2. Re:Adobe Reader, now even slower! by JonySuede · · Score: 1

      if you use foxit, install the gdi+ module. It changes the rendering so it's snappy and fast.

      --
      Jehovah be praised, Oracle was not selected
    3. Re:Adobe Reader, now even slower! by LordLimecat · · Score: 1

      It does have a major flaw-- its insistence on installing that awful toolbar unless you choose "custom mode"-- regardless of whether or not you uncheck the "please install toolbar" box. STILL not fixed after what, 3 versions? Starting to think they have some kind of motivation for forcing this thing on people.

    4. Re:Adobe Reader, now even slower! by Menacer · · Score: 4, Insightful

      Just get Foxit and be done with it. It's light weight, doesn't hang browsers while opening large PDFs, has a SIGNIFICANTLY better search interface, and so far hasn't been subject to any major attacks/flaws.

      You're incorrect that Foxit reader has not been subject to attacks or flaws. This article from last year, for instance, describes in-the-wild attacks of Foxit. A Google search for "foxit reader buffer overflow" brings up a number of known (though patched by now) exploits.

      Foxit reader, like any other piece of software, is bound to have errors. Use it because you like the interface, or use it because it's less likely to be exploited due to its relative unpopularity. Don't delude yourself into thinking it's completely secure. That's the same fallacious argument that some OSX and Linux users make when saying that their operating systems are immune from viruses or worms. They may be more secure when compared to Windows, but there's nothing in their underlying architecture that prevents them from being exploited with enough effort.

    5. Re:Adobe Reader, now even slower! by EvilMonkeySlayer · · Score: 3, Informative

      Foxit is fine for home assuming you remember to correctly untick all the adware options. But in a work environment (I work at a printers) on average I'd say Foxit incorrectly renders PDFs about 5% of the time, leading to support calls whereas Adobe Reader's incorrect rendering is pretty non-existent. (I actually tried switching work over to Foxit a while ago, nothing but support hassle from incorrectly rendered PDFs)

      I'm not defending Adobe here because I think their reader is a bloated pos, but if you're going to recommend a third party PDF viewer then Sumatra is the best, it's light weight, loads damn near instantly and doesn't include a JS engine side stepping a lot of security issues.

      Also, on the major attacks/flaws thing. Actually Foxit has had some seriously bad security issues, you need only google for "foxit reader security holes" or look on exploit-db to see them.

    6. Re:Adobe Reader, now even slower! by revlayle · · Score: 1

      This is why I abandoned it. Also, it seemed it was just getting sloppy with some of their last releases.

    7. Re:Adobe Reader, now even slower! by Anonymous Coward · · Score: 1

      Agreed - Foxit Reader installation sucks because of this. I regret every time I forget to use custom mode to avoid that stupid Ask toolbar being installed even when I have unchecked the option. If they can't get this right then what else may there be wrong with the app?

    8. Re:Adobe Reader, now even slower! by b0bby · · Score: 1

      But in a work environment (I work at a printers) on average I'd say Foxit incorrectly renders PDFs about 5% of the time, leading to support calls whereas Adobe Reader's incorrect rendering is pretty non-existent. (I actually tried switching work over to Foxit a while ago, nothing but support hassle from incorrectly rendered PDFs)

      Yeah, I hate Acrobat & Reader too, but my trials with Foxit in the work environment were even worse. Maybe it's better now, but a couple of years ago it didn't cut it.

    9. Re:Adobe Reader, now even slower! by Lumbre · · Score: 1

      I probably use custom install, though it probably works on quick install too:

      Instead of blindly accepting the license agreement, click the next/accept button. The checkbox says something like "I accept the above agreement and would like to install the Ask Toolbar". Notice the "and". You do not need to check any of these checkboxes to continue installation.

      Out of all the computers I've built, I've only had the Ask toolbar installed once, and that might've been when they truly forced you to install it, or I might've checked that box like everyone else.

    10. Re:Adobe Reader, now even slower! by gander666 · · Score: 1

      Sadly, I have Acrobat Pro, and it is just about as bad too. I suspect I will not spend the $$$ to upgrade to Acrobat X this go around. It used to be great, then bloat, and collaboration ware seemed to appear, and its actual value has plummeted.

      I guess I shouldn't be surprised.

      --
      Suppose you were an idiot and suppose you were a member of Congress ... but I repeat myself. - Mark T
    11. Re:Adobe Reader, now even slower! by Nimey · · Score: 1

      On the gripping hand, Foxit is lighter, meaning fewer lines of code, which means in theory that it's easier to maintain and there should be overall fewer bugs.

      Not going to make it unbreakable, but overall tighter.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    12. Re:Adobe Reader, now even slower! by hairyfeet · · Score: 3, Informative

      There is actually an EASY way to get around this, as well as for apps like CCleaner that try to add crap. Just go to Ninite and check what you want installed. They have over 90 of the most common apps and you can even suggest more to add at the bottom of the page. They have made it a total unattended install with NO TOOLBARS on ANY app they have there, be it Foxit, CCleaner, Java, etc. It also makes setting up a new PC with all the basics as simple as "check box, run installer, done" so enjoy!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    13. Re:Adobe Reader, now even slower! by dorinmouss · · Score: 1

      agree, adobe reader is really very slow :( thanks for Foxit, surely will try it

    14. Re:Adobe Reader, now even slower! by yuhong · · Score: 2, Informative

      Or use it because it is patched faster.

    15. Re:Adobe Reader, now even slower! by suv4x4 · · Score: 1

      Adobe Reader, now even slower!

      Really? How did you find out. Did you install it?

      I did. Here is what I found:

      It seems significantly snappier than Reader 9, except for the very first startup after install, where it copies some first use files and pops up a license agreement.

      It starts instantly every time, but it has added "Adobe Reader SpeedLauncher" to my autorun items. I didn't notice slower Windows boot or noticeable RAM loss due to it, however.

      The UI has been simplified, it looks decent, and the after-install base is 111MB, from 140MB for ver.9. The latter may be due to accumulated updates over time, but it shows the new version is definitely not larger.

      If you want to recommend FoxIt, you're welcome to, I use it myself on some machines, it's a decent PDF viewer.

      But don't spread your ill-informed "I mean really" FUD about Adobe Reader as a means of achieving it.

    16. Re:Adobe Reader, now even slower! by Anonymous Coward · · Score: 0

      I'd recommend PDF-Xchange Viewer. http://www.tracker-software.com/product/pdf-xchange-viewer
      Not only is it free, lightweight and fast, it allows you to draw, add text etc on an existing PDF also. I'd recommend you try it out. Also remember to turn off javascript support also in order to avoid potential security risks. I have been using it for two years without any problems.

      Disclaimer: I have no affiliation with tracker software and I have even no idea what kind of other products they offer.

    17. Re:Adobe Reader, now even slower! by jtdennis · · Score: 1

      Ninite is awesome. Makes rebuilding a Windows system from scratch a lot easier than it used to be.

      --
      -- "Freedom is the right of all sentient beings" -Optimus Prime
    18. Re:Adobe Reader, now even slower! by Gorphrim · · Score: 1

      Are you a Sumatra shill? You replied twice to this thread with virtually the same comment...once was probably enough.

      --

      Queens of the Stone Age - they rule
    19. Re:Adobe Reader, now even slower! by tuppe666 · · Score: 1

      You're incorrect that Foxit reader has not been subject to attacks or flaws. This article from last year, for instance, describes in-the-wild attacks of Foxit. A Google search for "foxit reader buffer overflow" brings up a number of known (though patched by now) exploits.

      Foxit reader, like any other piece of software, is bound to have errors. Use it because you like the interface, or use it because it's less likely to be exploited due to its relative unpopularity. Don't delude yourself into thinking it's completely secure. That's the same fallacious argument that some OSX and Linux users make when saying that their operating systems are immune from viruses or worms. They may be more secure when compared to Windows, but there's nothing in their underlying architecture that prevents them from being exploited with enough effort.

      I always find it bizarre when I see posts like this one. I think it is disingenuous to imply that Linux and OSX have similar malware problems to Windows when it has an order of magnitude more; 10,000's of times more. When someone says immune, it's just quicker to write than say "Holy Fuck Windows shit loads of Nasties and Linux Meh!"

    20. Re:Adobe Reader, now even slower! by Anonymous Coward · · Score: 0

      I like foxit, but I just recently tried PDF-XChange 4.0 Pro for editing, and boy is it ever fast to load and use. At 80 bucks it is a deal, and it's x64, which I believe foxit is not.

    21. Re:Adobe Reader, now even slower! by Sleepy · · Score: 1

      I was with you through this part:

      Foxit reader, like any other piece of software, is bound to have errors. Use it because you like the interface, or use it because it's less likely to be exploited due to its relative unpopularity. Don't delude yourself into thinking it's completely secure.

      That's the same fallacious argument that some OSX and Linux users make when saying that their operating systems are immune from viruses or worms.

      OK, now you have made a strawman argument. You can make ANY false argument with "some" and "may", and you shift the burden of truth.
      Your argument is false.

      UNIX design actually assumes that nearly -everything- is insecure, and so all possible vectors of attack will have some constraints to limit the damage. It is a proactive design to dictate that you will NOT get more permissions than needed, because there WILL be exploits. If you exploit the browser or PDF reader, that code still can not touch the OS. Now you would need BOTH an application exploit AND a kernel exploit executed in serial for the app to compromise the system.

      This onion model of security was worked out DECADES ago on multi-user UNIX system, where you had serious work and pranksters all sharing the same hardware. By the time we got *BSD (OS X) and Linux... it was a model that engineers didn't need to think about much. (And it's not perfect, although AppArmor is a great step forward vs. permission bits). Except for a Windows PC at work, I have not needed to deal with a virus scanner in 15 years.

      Windows just needs to be better than the last version. Security in Windows still is not proactive - each version responds to specific attacks maybe, but it still is not real security. Just plug in a USB cheap picture frame and watch it disable your anti-virus....

    22. Re:Adobe Reader, now even slower! by Sleepy · · Score: 1

      Damn, I forgot to close the quote tag just before my reply, starting with "OK,".

    23. Re:Adobe Reader, now even slower! by cbhacking · · Score: 1

      It may be patched faster (not sure about that, but maybe) but it's also a lot less hardened. A fairly trivial amount of dumb fuzz testing (take some complex PDF files that use different parts of the spec, randomly corrupt some bytes to random values, try to open it) will reveal a whole slew of security vulnerabilities. It's sort of the Apple of the security world - much easier to find vulnerabilities (yes, easier than Adobe Reader) but not enough market share to make it worthwhile in the economically-driven world of modern malware.

      I do actually use it at home, but I'm under no illusion that it's a secure program (for the record, I'm a security tester by profession).

      --
      There's no place I could be, since I've found Serenity...
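The dumb fuzz loop described in the comment above (take a valid file, corrupt a few random bytes, try to open it), as an added example that is not part of the original comment or any PDF reader's code. A constructed toy record format stands in for PDF, and `parse_naive`, `parse_hardened`, `mutate` and `fuzz` are hypothetical names; the point is the difference between a parser that rejects bad input cleanly and one that fails in unplanned ways.

```python
"""Dumb mutation fuzzing of a toy parser (constructed example)."""
import random
import struct

MAGIC = b"TOY1"


class ParseError(Exception):
    """Clean, expected rejection of malformed input."""


def record(rtype, payload):
    """Encode one record: 1-byte type, 2-byte big-endian length, payload."""
    return bytes([rtype]) + struct.pack(">H", len(payload)) + payload


# Constructed seed file: one text record, one u32 record, one end record.
SEED = (MAGIC + record(1, b"hello sandbox")
        + record(2, struct.pack(">I", 2010)) + record(0, b""))


def parse_naive(data):
    """Trusts every length and type field, like an unhardened reader."""
    if data[:4] != MAGIC:
        raise ParseError("bad magic")
    pos, out = 4, []
    while True:
        rtype = data[pos]                                    # IndexError when truncated
        (length,) = struct.unpack_from(">H", data, pos + 1)  # struct.error when truncated
        payload = data[pos + 3:pos + 3 + length]             # silently short on overrun
        pos += 3 + length
        if rtype == 0:
            return out
        if rtype == 1:
            out.append(payload.decode("ascii"))              # UnicodeDecodeError
        elif rtype == 2:
            out.append(struct.unpack(">I", payload)[0])      # struct.error if not 4 bytes
        else:
            raise ParseError("unknown record type")


def parse_hardened(data):
    """Same format, but every field is validated before it is used."""
    if data[:4] != MAGIC:
        raise ParseError("bad magic")
    pos, out = 4, []
    while True:
        if pos + 3 > len(data):
            raise ParseError("truncated record header")
        rtype = data[pos]
        length = int.from_bytes(data[pos + 1:pos + 3], "big")
        payload = data[pos + 3:pos + 3 + length]
        if len(payload) != length:
            raise ParseError("record length runs past end of file")
        pos += 3 + length
        if rtype == 0:
            return out
        if rtype == 1:
            if not payload.isascii():
                raise ParseError("non-ASCII text record")
            out.append(payload.decode("ascii"))
        elif rtype == 2:
            if length != 4:
                raise ParseError("u32 record must be 4 bytes")
            out.append(int.from_bytes(payload, "big"))
        else:
            raise ParseError("unknown record type")


def mutate(seed, rng, max_flips=4):
    """Overwrite 1..max_flips randomly chosen bytes with random values."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(parser, seed, iterations=2000, rng_seed=1234):
    """Run the parser on mutated seeds; anything but ParseError is a finding."""
    rng = random.Random(rng_seed)          # fixed seed so runs are reproducible
    stats = {"ok": 0, "rejected": 0, "crash": 0}
    crashes = {}                           # exception name -> first triggering input
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
            stats["ok"] += 1
        except ParseError:
            stats["rejected"] += 1
        except Exception as exc:           # unplanned failure: the parser has a bug
            stats["crash"] += 1
            crashes.setdefault(type(exc).__name__, sample)
    return stats, crashes


if __name__ == "__main__":
    for parser in (parse_naive, parse_hardened):
        stats, crashes = fuzz(parser, SEED)
        print(parser.__name__, stats, sorted(crashes))
```

In Python the unplanned failures surface as exceptions; in a reader written in a memory-unsafe language the same unchecked length fields are where out-of-bounds reads and writes come from.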
    24. Re:Adobe Reader, now even slower! by Anonymous Coward · · Score: 1, Insightful

      for apps like CCleaner that try to add crap

      My irony detector just exploded!

    25. Re:Adobe Reader, now even slower! by Anonymous Coward · · Score: 0

      That sounds almost as easy to setup as Linux. I'm glad Windows's usability is improving.

    26. Re:Adobe Reader, now even slower! by farble1670 · · Score: 1

      Just get Foxit and be done with it

      i thought that too until i discovered that i couldn't print from it (the free version). and they even thought to prevent me from copying / pasting the text into another editor and printing from there. brilliant!

    27. Re:Adobe Reader, now even slower! by Robert+Zenz · · Score: 1

      Bwahaha...I wanted to say the same. :)

  10. Air taggs along. by NinePenny · · Score: 1

    Great! Now, where can I get the non Air installing version? All I want is Reader, not extra stuff that is vulnerable as well.

    1. Re:Air taggs along. by ShakingSpirit · · Score: 5, Informative

      Though it's not linked anywhere, cut-down installs of Adobe Reader can always be obtained from http://get.adobe.com/uk/reader/enterprise/

    2. Re:Air taggs along. by Voxxel · · Score: 1

      From Adobe's FTP site. All neatly organized by platform and version.

      ftp://ftp.adobe.com/pub/adobe/reader/

      --

      If a million monkeys randomly pounded on keyboards, they would all log into AOL.
    3. Re:Air taggs along. by rrossman2 · · Score: 2, Interesting

      yes, and the 3rd directory down in this link sums it up pretty well

      ftp://ftp.adobe.com/pub/adobe/acrobat/

      Index of /pub/adobe/acrobat/
      Name Size Date Modified
      [parent directory]
      all/ 8/26/08 1:00:00 AM
      js/ 1/25/07 12:00:00 AM
      junk1/ 2/12/04 12:00:00 AM
      mac/ 3/10/09 1:00:00 AM
      misc/ 5/31/01 1:00:00 AM
      unix/ 1/20/00 12:00:00 AM
      win/ 8/6/08 1:00:00 AM

    4. Re:Air taggs along. by boa13 · · Score: 1

      This looks pretty much like the version you can download straight from the Adobe FTP server (yeah, they still have one):

      ftp://ftp.adobe.com/pub/adobe/reader/win/

    5. Re:Air taggs along. by slysithesuperspy · · Score: 1

      You can just move all the plugins out of the plugin folder and it loads instantly (might as well keep the search things in there though!)

    6. Re:Air taggs along. by nuckfuts · · Score: 1
  11. er, wat? by Entropius · · Score: 3, Informative

    Evince works just fine here!

  12. Widely used != Popular by Anonymous Coward · · Score: 1, Insightful

    It's been asked time and time again. How can it be so slow? Even the installer is exceptionally slow. Throw it out and use a normal installer already.

  13. FTP Links by Anonymous Coward · · Score: 4, Informative

    ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.0.0/

    A few language options available, and EXE or MSI format.

  14. soon by w00tz · · Score: 3, Funny

    soon to come: Virtualized Adobe Reader which runs in its own kernel space, with GUI, multiuser and multitasking support!

    1. Re:soon by SLot · · Score: 4, Funny

      Adobe emacs?

    2. Re:soon by noidentity · · Score: 1

      I just want to know when Linux is going to offer similar power for its cat utility. I hate having to view ASCII text files without the protection of a sandbox. The slowdown would also make them easier to read as they scroll by. Come on Linux, catch up with the competition!

  15. For Windows & *NIX variants? You can... by Anonymous Coward · · Score: 1, Informative

    For Windows, you can use a FREE program called "SandBoxie" (and it's NOT just for web browsers, it can sandbox any Ring3/RPL3/UserMode app) http://www.sandboxie.com/index.php?DownloadSandboxie , and on *NIX's you can use chroot (of course) & create a chroot jail.

    APK

  16. sudo -u lamer /usr/local/Adobe/bin/acroread by bl8n8r · · Score: 1

    Run acrobat as another user using sudo. This will contain future exploits to "lamer's" home directory instead of relying on Adobe to protect you. I fully expect Adobe's sandbox implementation to be as dismal as their security track record.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
    1. Re:sudo -u lamer /usr/local/Adobe/bin/acroread by icebraining · · Score: 1

      Why run it at all? There are some nice PDF readers for Unix(-like) systems.

    2. Re:sudo -u lamer /usr/local/Adobe/bin/acroread by Herve5 · · Score: 1

      Will this allow you to copy-paste bits from the acro doct to your session?

      --
      Herve S.
    3. Re:sudo -u lamer /usr/local/Adobe/bin/acroread by Abcd1234 · · Score: 1

      Eh, then all you need is a local privilege exploit and you're hosed. And there's no shortage of those on Linux, that's for sure.

    4. Re:sudo -u lamer /usr/local/Adobe/bin/acroread by 0123456 · · Score: 1

      Eh, then all you need is a local privilege exploit and you're hosed. And there's no shortage of those on Linux, that's for sure.

      No, you need:

      1. A hole in the PDF reader that can be exploited.
      2. Simultaneously, a local privilege exploit.
      3. An actual exploitable file which can exploit that on your particular brand of Linux.
      4. Not to be running an AppArmor or SELinux configuration which prevents Adobe software from doing anything bad.

      #1 is common, #2 is rare and usually my machines have installed patches for me before I even hear about the exploit, #3 is unlikely and #4 should block many exploits before they happen (some exploits have been able to disable AppArmor and SELinux).

    5. Re:sudo -u lamer /usr/local/Adobe/bin/acroread by Abcd1234 · · Score: 1

      #1 is common, #2 is rare

      Bullshit. Seriously, I have nothing else to say. That's just flat out *wrong*. Hell, a quick google search for "ubuntu local privilege exploit" gave me this gem for 10.04 from late September: http://www.exploit-db.com/exploits/15074/

      And that was the *first hit*.

    6. Re:sudo -u lamer /usr/local/Adobe/bin/acroread by Anonymous Coward · · Score: 0

      If the reader is running as "lamer", how is it going to read my files? How will it print?

      dom

  17. Alternatives by EvilMonkeySlayer · · Score: 2, Interesting

    Whilst an improvement I'll take a good bet it's still a memory and processor hog. I'd advise people to use Foxit but honestly these days it isn't much better and includes adware.

    I personally use Sumatra at home; at work (I work at a print company so we receive lots of PDFs) we use Adobe Reader but I've made sure to disable JS by default in it. It's amazing just how many attacks disabling JS stops. The really impressive thing is that of the massive amount of PDFs work receives we very rarely have one that requires JS. The unfortunate reality of PDFs though is that Adobe's Reader is the best renderer; whilst say with Sumatra or Foxit you may get 5% rendered incorrectly, that's a lot of needless support calls and hassle.

    1. Re:Alternatives by Gorphrim · · Score: 1, Informative

      Ok now I'm being a Foxit shill lol. But when you say Foxit "honestly...isn't much better" than Adobe Reader, well that is just way wrong IMHO. The bloat of Reader is incomparable.

      --

      Queens of the Stone Age - they rule
    2. Re:Alternatives by Anonymous Coward · · Score: 0

      Evince is also available for windows. It seems to work better than Sumatra in my limited usage so far. http://live.gnome.org/Evince/Downloads

  18. Plugins.... by IronWilliamCash · · Score: 2, Interesting

    Wow way to screw over plugin users. Instead of fixing the bugs in their software they just block out a whole lot of stuff.... I work for a software company that uses a plugin to connect to the reader and have real time bookmark following between the reader and our software. With this new "enhancement" our link to the reader is completely broken. We either have to tell our clients to disable the protected mode and go back to the same broken reader or our clients can stop using our features... Thanks, Adobe

    1. Re:Plugins.... by thewils · · Score: 1

      Without a specific agreement between your company and Adobe you can't really complain too much if they switch things around on you. Not really Adobe's fault that they break your plugin.

      --
      Once I was a four stone apology. Now I am two separate gorillas.
    2. Re:Plugins.... by cbhacking · · Score: 1

      You realize you're one of the very small portion of users who actually use those features that everybody else on Slashdot is constantly yelling about Adobe bloating up their reader with, right?

      Fix your plugin so that it works in a Low Integrity sandbox - there are MSDN articles on how to do this - or don't, but don't act so self-righteous about it. For the vast majority of Adobe's consumer base, this is a huge step forward.

      --
      There's no place I could be, since I've found Serenity...
  19. THe trouble with sandboxes... by goombah99 · · Score: 2, Interesting

    Any program I run should have the option of being sandboxed by the OS if I so choose.

    I totally agree. The OS should provide hooks to applications to spawn sandboxes. I know that Apple already has this in OSX since I use it in Xgrid to sandbox jobs. They have not documented the configuration yet but it's easy enough to guess. It works well. It would be cool if they could take it a step further to the thread level so you could share memory but imprison the resources a thread can use.

    I have found the tricky part of this is that many things you think you can turn off are not so easy. For example, many applications need to access preference files so they need read write to the preferences directory. Your code may not be actually writing to that directory but calling a persistence library function for dictionaries and it may require you to allow access to the whole directory not just a file.

    In other cases your app may call other things that expect certain access. For example, when you run the command "ls -l" in a shell, it accesses /etc/passwd in order to put names to the process UIDs. When you ask for the time or date, various localization files in /etc are consulted. When you call open/save dialogs some of these appear to try to inventory the mounted drives in /Volumes (which you can see because the drives spin up).

    It's hard to anticipate these things because libraries and APIs that you use have legacy expectations of their privileges. In order for the code to grant that access to the API, the code itself has to have it too. The only work-around for that is to go back to the evil days of Set UID root scripts (like the command "ps" still has).

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:THe trouble with sandboxes... by datapharmer · · Score: 3, Insightful

      It seems that the answer to that problem would be to a) allow read write on a file-by-file basis based on a signed "declaration" by the program that specifies what files the program needs, or b) fool the program by pulling copies of the originals into the sandbox so it thinks it is writing to them and runs happily while not interfering with the rest of the OS (isn't that the entire point of a sandbox?)

      --
      Get a web developer
    2. Re:THe trouble with sandboxes... by Anonymous Coward · · Score: 0

      God damned security guys.

      The answer is not to download this malware shit in the first place.

      It's not that hard.

  20. You can't fight security with legislation by Anonymous Coward · · Score: 0

    A simpler solution is to keep your executables and data separate and don't allow write access to the executables - simples ;)

  21. flaws by tacktick · · Score: 1

    I agree with you that Foxit is faster and easy to use however it has had vulnerabilities. http://www.foxitsoftware.com/pdf/reader/security_bulletins.php

  22. Why not just.... by Lumpy · · Score: 1

    Debloat it?

    Honestly, I use an alternative pdf reader that will not play Mpeg4, launch my CAD program, etc. and it works perfectly.

    Adobe; cut out all the useless crap and make the thing once again RENDER A PDF FILE AND ONLY A PDF FILE.

    I will not use Acrobat Reader, it's slow, bloated and because of the really stupid design of allowing it to launch an external app to render encoded data, it's a major security risk.

    --
    Do not look at laser with remaining good eye.
  23. Sandbox secure by Anonymous Coward · · Score: 1

    Sandbox isn't instant security. A sandbox is just another layer on the already existing layers of security. We see how much that has helped.

  24. Adbode pdf browser plugin by ZERO1ZERO · · Score: 2, Funny
    Doesn't anybody else find this to be one of the most annoying design decisions ever made?

    I absolutely hate it when the PDF loads into the browser rather than the PDF software. All your menus mess up, you can't fully use the PDF software, you can't fully use your browser, the PDF software hogs your browser up.

    I blame Internet Explorer.

    1. Re:Adbode pdf browser plugin by Anonymous Coward · · Score: 2, Informative

      What does it have to do with Internet Explorer? It was Mozilla that came up with the browser plug-in concept and introduced NPAPI with Netscape 2.0 specifically to allow this. That same plug-in API is still used in Firefox, Safari, Chrome and Opera. That predates the integration of ActiveX (or NPAPI) in Internet Explorer.

    2. Re:Adbode pdf browser plugin by Ripsaw · · Score: 2, Informative

      It's trivial to set Adobe Reader to open outside the browser. Just clear the "Display PDF in browser" check box on the "Internet" panel of the preferences.

    3. Re:Adbode pdf browser plugin by RealGrouchy · · Score: 1

      I'm the reverse. I like how it can open in the browser on Windows, but I'm frustrated it doesn't do the same on OS X (which requires us to keep a Windows box around to print waybills for shipping). This helps differentiate between PDFs I opened from the internet versus those I opened locally. I can also keep those in the former category grouped in related html/pdf tabs in my browser.

      In Windows, if you want to open the PDF in a separate window, just right-click the file and click "download". I'm pretty sure you get asked what you want to do with it (open/save), at least in Mozilla there is.

      - RG>

      --
      Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
    4. Re:Adbode pdf browser plugin by Anonymous Coward · · Score: 0

      Hello five years ago.

      Just go to Edit | Preferences and uncheck "Display PDF in browser". Problem solved.

      Next?

  25. PDF and Reader "lite" by Anonymous Coward · · Score: 0

    I wish Adobe would spec out a "light" version of the PDF format and create a reader that conforms to it. Reader has gotten so big because of features that a lot of people don't really care about anyway.

  26. Foxit and forget it by wzinc · · Score: 1

    PDFs don't have to take 15 seconds to load:

    http://www.foxitsoftware.com/pdf/reader/addons.php

  27. Is "a little better" really better? by Anonymous Coward · · Score: 0
    Brad Arkin, Adobe's director of security and privacy, admitted it will not stymie every attack. But he argued it will help.

    Restating this in more practical terms: locking some of your doors will not stymie every thief. But it will help!

    Sorry, I'm just not buying it.

  28. Fortunately, the slow download of Adobe Reader by thewils · · Score: 4, Interesting

    Gives you ample time to uninstall the McAfee Security Scan Plus that gets installed without your permission.

    --
    Once I was a four stone apology. Now I am two separate gorillas.
    1. Re:Fortunately, the slow download of Adobe Reader by jack2000 · · Score: 4, Insightful

      What is up with Adobe and bullshit installs? Really, it pisses me off. getPluswhatever downloader that installs as a plugin JUST to download an exe? Wait, what? The browser can install things perfectly. Firefox even comes with an automated system that requires no input from the user while updating/installing plugins.
      But noooo, Adobe has to be all annoying about it. Just install the thing I told you to, don't fuck with me.
      And what is up with things wanting to install toolbars all over the place? What is this, the browser wars again?
      At least there are silent installers with no-frills one-click interfaces, otherwise reinstalling apps while maintaining PCs would be a huge pain.

  29. default handler by yakumo.unr · · Score: 1

    Not only does the make 'select default PDF handler' option bizarrely trigger an msi installer to run which is frankly a mind boggling way to get it to work if you ask me...

    It doesn't actually work! It's not replacing the (default) registry string Foxit and other PDF readers set!

    Other than that pain, it's the first version of Adobe Reader I've decided to use since viable alternatives were available, as with any luck this new sandboxing should actually be worthwhile.

  30. evince by craftycoder · · Score: 1

    I just wish evince was faster so I didn't have to keep both of them on my computer. I use evince except when I have to look at really big pdfs, then I have to use Reader.

  31. OS Limited Rights by ProfessionalCookie · · Score: 1
    I think it makes sense to have the OS centrally manage application rights. All of them.
    • Execution
    • Granular Network Access
    • FS Read/Write (like limit to directory or file)
    • Mutability/Updates
    • Hardware/Driver Access
    • Execute other programs
    • etc etc etc...

    It just seems like kind of a no-brainer. Why does my browser need anything more than read/write on the cache folder and write for Downloads? Why shouldn't Acrobat not be able to execute other programs by default (handled by the OS). Why does a game need access to anything but its saved games folder? I understand that most of our problems are from users but it seems like a sane set of default policies could make things a lot easier to manage :)

    1. Re:OS Limited Rights by Myopic · · Score: 1

      Why does my browser need anything more than read/write on the cache folder and write for Downloads?

      For uploads, I imagine. Also, for loading html files on the local filesystem.

      I only spent three seconds thinking about it, there may be other reasons.

    2. Re:OS Limited Rights by Tetsujin · · Score: 1

      I think it makes sense to have the OS centrally manage application rights. All of them.

      • Execution
      • Granular Network Access
      • FS Read/Write (like limit to directory or file)
      • Mutability/Updates
      • Hardware/Driver Access
      • Execute other programs
      • etc etc etc...

      It just seems like kind of a no-brainer. Why does my browser need anything more than read/write on the cache folder and write for Downloads?

      Well, the ability to apply restrictions with that level of granularity to individual programs when run hasn't traditionally existed in most OSes. Adding it isn't a trivial task, and since the implementation pretty much* has to be part of the kernel, the importance of finely-grained security features has to be weighed against the performance impact of inserting security checks into the various syscalls. I believe all major platforms are headed in this direction, however, giving the OS more selective control over individual processes' capabilities.

      One other problem with web browsers is that their role has never been truly defined or bounded. Even the sandboxing rules of Java Applets eventually gained exceptions (in the case of applets accompanied by security credentials, and after the user elects to allow the applet to run). People are using web interfaces for things that have traditionally been done with desktop apps.

      (* Actually, there are some partial solutions to filtering a process's actions via userspace: ptrace() for instance, is probably the most complete solution in wide use. However, ptrace() isn't secure enough to rely upon it as a security feature (if you allow processes to call fork(), there's a race condition between the new process doing things and the ptrace process's attempt to ptrace the new process)... There are also various implementations of process jails - I don't think anything really useful has been embraced in the kernel yet.)

      --
      Bow-ties are cool.
    3. Re:OS Limited Rights by ProfessionalCookie · · Score: 1

      Yeah. Well however it's done it should put the user in control of the program. Right now as soon as you choose to run a program you abdicate all your user rights. That's insane.

    4. Re:OS Limited Rights by ProfessionalCookie · · Score: 1

      Touché. Still I think it makes more sense for the user to have more granular control over what a program is allowed to do.

  32. NeXT figured it out ~18 years ago by SteeldrivingJon · · Score: 3, Interesting

    Back in the day, it was realized that Display Postscript could be exploited. This was demonstrated in an amusing way with encapsulated postscript files which, when NeXTSTEP's Mail program tried to render them in-line in a message, executed code that would cause your screen to "melt", or would grab all the windows on your screen and spin them around until you clicked the mouse.

    Unfortunately, Postscript could also operate on files...

    So NeXT added a default "secure DPS context" in which Postscript would execute with the problematic instructions disabled.

    --
    September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
  33. Just installed it on my Mac... by proxy318 · · Score: 2, Informative

    "Installing this program will take up 415.8 MB of space". Seriously? WTF Adobe, this reads PDFs AND DOESN'T DO ANYTHING ELSE, are you trying to make it as bloated as possible?

    --
    Saying your "phone ran out of batteries" is like saying your "car ran out of gas tanks".
    1. Re:Just installed it on my Mac... by Anonymous Coward · · Score: 0

      Why?

      Except for some possible obscure edge cases, Preview does a better job of displaying PDFs than does Adobe Reader, with far fewer / far less dangerous vulnerabilities. And when there have been vulnerabilities in Preview, Apple has patched them far faster than Adobe has ever patched Reader.

    2. Re:Just installed it on my Mac... by Anonymous Coward · · Score: 0

      this reads PDFs AND DOESN'T DO ANYTHING ELSE

      You're naive if you believe that it doesn't do anything else.

    3. Re:Just installed it on my Mac... by RocketRabbit · · Score: 1

      It has a built in version of Flash, it sets all kinds of cookies on your system, it has video codecs, encryption software, and includes a whole lot of optional shit that I can't even name because it's too hilarious.

      Adobe jumped the fucking shark.

  34. Foxit was impacted by /Launch exploit by rsborg · · Score: 1

    Foxit has its own share of vulnerabilities, and was impacted worse than Adobe Reader by the launch exploit.

    The problem isn't just the readers (all of which have various vulnerabilities), but the PDF spec itself which allows for shit like JavaScript embedding and external program execution.

    The PDF spec needs to be revised to split off potentially malicious functionality into a separate format that has a different name so basic reader functions can be kept (i.e., layout, fonts, attachments, outlining) while the advanced files can be sandboxed or ignored by various readers.

    --
    Make sure everyone's vote counts: Verified Voting
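
The comment above names embedded JavaScript and external program launch as the risky parts of the PDF spec. As an added example (not part of the thread and not code from any reader mentioned in it), this Python code triages a file for the dictionary keys that request those behaviours, including names hidden with `#xx` escapes or inside Flate-compressed streams. The keys flagged beyond /JavaScript, /JS and /Launch, and the sample bytes, are assumptions constructed for illustration.

```python
import re
import zlib
from collections import Counter

# /JavaScript, /JS and /Launch are the features the comment names. /OpenAction
# and /AA are the keys that fire an action without a click (assumed additions).
RISKY = {"/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA"}

# A PDF name is "/" followed by bytes that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def risky_names(data: bytes):
    """Return (Counter of risky names, set of risky names that were escaped)."""
    hits, escaped = Counter(), set()
    for raw in NAME_RE.findall(data):
        name = decode_name(raw)
        if name in RISKY:
            hits[name] += 1
            if b"#" in raw:
                escaped.add(name)
    return hits, escaped


def triage(data: bytes) -> dict:
    # Scan the bytes outside stream bodies first, then every stream body:
    # inflated when it is Flate data, as stored when it is not.
    bodies = [STREAM_RE.sub(b" ", data)]
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a clipped trailer or trailing junk
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            bodies.append(m.group(1))
    hits, escaped = Counter(), set()
    for body in bodies:
        h, e = risky_names(body)
        hits.update(h)
        escaped |= e
    return {"hits": dict(hits), "escaped": sorted(escaped), "active": bool(hits)}


# Constructed fragment (not a complete PDF): an auto-run trigger, a
# hex-escaped /Launch key with no target, and a compressed action dictionary.
_INNER = b"<< /S /JavaScript /JS (constructed placeholder) >>"
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Action /S /L#61unch >> endobj\n"
    b"3 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_INNER)
    + b"\nendstream endobj\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a reason to open the file with JavaScript disabled or inside a sandbox, not proof of malice. Encrypted files and filters other than Flate hide names from this scan.
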
  35. Desktop Icon by dingen · · Score: 5, Funny

    Does the Windows installer still place a shortcut to the application on your desktop? Amazingly useful for people who would like to open the reader without any document in it, so you can stare at a grey window, right there on your desktop!

    --
    Pretty good is actually pretty bad.
  36. Why go Adobe/Foxit/Sumatra by tuppe666 · · Score: 1

    ...When you can go Evince. Which has had a Windows version for some time. The only thing it lacks is an update button.

  37. Google Chrome 8 Beta by Anonymous Coward · · Score: 0

    With Chrome 8 Beta supporting PDFs natively I've been able to remove Acrobat Reader totally. Chrome + doPDF print driver + Kindle has made PDFs useful for me again.

  38. Given their past history.. by Anonymous Coward · · Score: 0

    .. it's probably more of a catbox than a sandbox.

  39. The story behind Reader X by Tetsujin · · Score: 1

    Unknown to Speed, Reader X is actually Rex Reader, his estranged older brother in disguise!

    --
    Bow-ties are cool.
    1. Re:The story behind Reader X by Anonymous Coward · · Score: 0

      Unknown to Slow Reader, Reader X is actually Rex Reader, his estranged older brother in disguise!

      FTFY?

  40. Sandboxed only on Vista or later by WD · · Score: 1

    Windows XP users are left out in the cold. Between the lack of sandboxing like low-rights IE or Reader X, or other mitigations like ASLR, Windows XP is turning out to be a dangerous platform to use.

    1. Re:Sandboxed only on Vista or later by Anonymous Coward · · Score: 0

      Not according to this blog:

      http://blogs.adobe.com/asset/2010/07/introducing-adobe-reader-protected-mode.html

      The initial release of Adobe Reader Protected Mode will be the first phase in the implementation of the sandboxing technology. This first release will sandbox all “write” calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. This will mitigate the risk of exploits seeking to install malware on the user’s computer or otherwise change the computer’s file system or registry. In future releases of Adobe Reader, we plan to extend the sandbox to include read-only activities to protect against attackers seeking to read sensitive information on the user’s computer.

  41. Adobe Development is flawed by Anonymous Coward · · Score: 0

    Adobe has had since 1992-ish to create a solid development process for Acrobat. Adobe Executives have failed. Product management has failed, QA and developers have all failed. Unless all those teams were replaced for this new "version" - I DON'T TRUST THEM.

  42. Sumatra PDF by Anonymous Coward · · Score: 0

    Sumatra PDF:

    http://blog.kowalczyk.info/software/sumatrapdf/free-pdf-reader.html

    10 times as fast. None of the bullshit.

  43. How to disable 'extra' features by Anonymous Coward · · Score: 0

    It's easy to disable most of the extra crap in Reader, move the contents of the plug-ins folder to the optional folder. Path is C:\Program Files\Adobe\Reader 9.0\Reader\

  44. the real solution: XPS by Anonymous Coward · · Score: 0

    The problem is the PDF file format. It now includes things, in the file format, like Javascript and optional calls to external programs of the PDF file's choice.

    The PDF file format is fundamentally unsecure.

    Moreover, internally the PDF file is a binary mess.

    XML Paper Specification (XPS) gives all of the advantages of PDF, except without the Javascript or the calls to external programs. The file is a ZIP package of XML files, which of course can be edited by any text editor.

    XPS files are inherently more searchable, more indexable, and more editable.

    XPS is an open standard, registered with ECMA.

    Whenever I can, I am using XPS now.