With the release of the 10.1 update, Acrobat X for Windows provides a sandbox called Protected View. Protected View is another defense-in-depth feature that is tightly integrated with the existing Enhanced Security feature. Protected View in Acrobat leverages the successful sandbox implementation already in place for Adobe Reader while providing a user experience that should be familiar to Microsoft Office 2010 users.
If you are already familiar with what Protected View is, jump to “What Developers Need to Know.”
Acrobat’s Protected View sandbox is similar to Reader’s Protected Mode sandbox and provides equal protection. Just like Reader, Acrobat strictly confines the execution environment of untrusted PDF files and the processes they invoke. Based on user preferences when Protected View is enabled, Acrobat assumes either all PDF files or just PDF files loading from untrusted locations are potentially malicious and confines processing to a restricted sandbox.
Designing Protected Mode in Adobe Reader was pretty simple: we needed to put Reader in a sandbox and allow only controlled access to the local machine. When we designed Protected View in Acrobat, we had a lot more to think about because there’s a lot more to Acrobat. We didn’t want to break the tasks and workflows that our customers rely on Acrobat to help them with. The following is a list of our design principles for Protected View.
- PDF files viewed in a browser using Acrobat with Protected View on are more functional than PDF files in Reader’s sandbox: For Protected View in a browser, the UI provides access to all of the features provided by Reader as well as the features that are available for any rights enabled document when viewed in Reader.
- As secure as Reader running in Protected Mode: Acrobat leverages the same technology and implementation as Reader and is just as secure.
- Transitioning out of Protected View should be simple: In Protected View, exiting the read-only mode is as simple as choosing “Enable All Features”.
- Disabled features should not be hidden: If a feature is not enabled in the sandbox, the UI still displays the disabled feature in the menu as a grayed out item.
- Trust can be assigned to documents so that they bypass Protected View restrictions: Because of its integration with Enhanced Security, users can specify files, folders, and hosts as privileged locations that are not subject to Protected View trust restrictions. PDF files originating from a privileged location will not open in Protected View.
Protected View is disabled by default to ensure compatibility with existing workflows, but it should be enabled all the time for casual users who interact with PDF files in unsecured environments. Protected View can be enabled for all PDF files or just for those that come from potentially unsafe locations. Web browsers and email programs typically mark documents such as downloaded internet files and attachments, including PDF files, with a “potentially unsafe” flag. When you open such a document, Acrobat displays a warning bar at the top of the viewing window. Enabling Protected View for files from potentially unsafe locations is the recommended setting. In this state, many of Acrobat’s features that allow you to interact with and change the document or its state are disabled, and the associated menu items are grayed out in order to limit your interaction. If “All files” is selected, even PDF files that you just created will open in Protected View.
Acrobat’s behavior with Protected View enabled is slightly more complex than Reader’s. Protected View was designed for two types of scenarios: viewing PDF files with the standalone application and viewing PDF files in a browser. This distinction preserves usability and provides the right level of functionality in each mode.
Protected View in Standalone Acrobat
In the standalone application, behavior is simple and parallels the Protected View provided by Microsoft Office 2010. The view is essentially read-only, and the disabled features prevent any embedded or hidden malicious content from tampering with your system. Once you’ve decided to trust the document, choosing “Enable All Features” exits Protected View, re-enables all commands, depending on the document permissions, and provides permanent trust for the PDF file by adding it to Enhanced Security’s list of privileged locations. The document is now open in a full, unsandboxed Acrobat process.
Protected View in a Browser
When a PDF is opened in a browser, Protected View provides a streamlined experience that doesn’t utilize a warning bar. Instead, browser-based PDF files provide an Adobe Reader-like experience for documents that have been “rights enabled.” That is, all of Reader’s features are available in addition to features that become enabled when a document author uses Acrobat to extend features to Reader users. These features include signing existing form fields, adding new signature fields, saving form data, and other tasks that modify the document if the document permissions allow these.
In this respect, a PDF file in the browser’s Protected View is more capable than a PDF file in the standalone Protected View. On the other hand, the browser-based capabilities are always limited while the standalone application enables users to achieve full functionality with a single click of a button.
Note: Because Windows Explorer leverages the Acrobat browser plug-in to create thumbnails for PDF files, Windows Explorer Preview displays PDF files using Protected View even if the file is already trusted.
What Developers Need to Know
Note: The following applies to Acrobat with Protected View enabled for “Files from potentially unsafe locations.” Protected View turned on for “All files” is only recommended where trust cannot be established for any files or domains.
Protected View is always on for untrusted documents viewed in the browser, and no Yellow Message Bar is available, so users cannot exit Protected View. However, plug-ins that load in Adobe Reader X and function in Protected Mode will also function in Acrobat’s Protected View in the browser.
Because the browser-based Protected View leverages the same technology as Adobe Reader X, plug-in developers who want their plug-in to function in Protected View will need to modify their installer code to add their Reader plug-in to the same folder as the Acrobat X plug-ins, even if Adobe Reader is not installed on that system.
Documents opened in the browser from trusted domains function in Acrobat X’s normal mode and have full access to all Acrobat X features. Your plug-ins should function normally.
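The opening decision described above (preference, “potentially unsafe” flag, privileged locations, standalone versus browser) as a small policy model. This is an added example, not Adobe’s code; it assumes the browser/email flag is the NTFS Zone.Identifier alternate data stream (ZoneId 3 = Internet, 4 = Restricted sites), and the privileged-location list and sample stream contents are constructed.

```python
"""Model of when an Acrobat X PDF opens in Protected View, per the policy above.
Assumption: the 'potentially unsafe' flag is the NTFS Zone.Identifier stream."""
from enum import Enum

class Pref(Enum):
    OFF = "off"              # Protected View disabled (the default)
    UNSAFE_ONLY = "unsafe"   # files from potentially unsafe locations (recommended)
    ALL = "all"              # every PDF, even ones you just created

UNSAFE_ZONES = {3, 4}  # Internet and Restricted sites zones (assumption)

def parse_zone_id(stream_text):
    """Return ZoneId from Zone.Identifier stream text, or None if absent/malformed."""
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None

def is_potentially_unsafe(stream_text):
    zone = parse_zone_id(stream_text)
    return zone is not None and zone in UNSAFE_ZONES

def opens_in_protected_view(path, stream_text, pref, privileged_locations, in_browser=False):
    """privileged_locations: Enhanced Security file/folder/host prefixes (constructed).
    Returns (sandboxed, can_exit_with_enable_all_features)."""
    norm = path.lower().replace("/", "\\")
    trusted = any(norm.startswith(loc.lower().replace("/", "\\")) for loc in privileged_locations)
    if pref is Pref.OFF or trusted:
        return (False, False)          # normal, unsandboxed Acrobat process
    if in_browser:
        return (True, False)           # always sandboxed, no Yellow Message Bar to exit
    if pref is Pref.ALL or is_potentially_unsafe(stream_text):
        return (True, True)            # standalone: "Enable All Features" exits
    return (False, False)

# Constructed sample stream contents, as a browser would write them.
MARKED = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/r.pdf\r\n"
INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"
```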
To ensure the least disruption to existing workflows that require third-party plug-ins while maintaining the more secure environment that Protected View provides, I highly recommend that developers educate their customers on the proper use of Privileged Locations rather than running Acrobat X with Protected View off.
Direct end users of your plug-ins to “Specify privileged locations for trusted content” in the online version of the Acrobat X help files.
Direct IT Managers or anyone responsible for deploying your plug-in broadly to the Enterprise Administration documentation to learn how to set Privileged Locations prior to deployment and manage the Acrobat X registry settings post deployment. The Customization Wizard, shown below, can make setting up Privileged Locations quick and easy.
For more information about this and other Application Security features, see the Application Security Library and watch Brad Arkin, Sr. Director of Product Security and Privacy, discuss Adobe’s strategy in the security space.