With the release of the 10.1 update, Acrobat X for Windows provides a sandbox called Protected View. Protected View is another defense-in-depth feature that is tightly integrated with the existing Enhanced Security feature. Protected View in Acrobat leverages the successful sandbox implementation already in place for Adobe Reader while providing a user experience that should be familiar to Microsoft Office 2010 users.
Acrobat’s Protected View sandbox is similar to Reader’s Protected Mode sandbox and provides equal protection. Just like Reader, Acrobat strictly confines the execution environment of untrusted PDF files and the processes they invoke. Based on user preferences when Protected View is enabled, Acrobat assumes either all PDF files or just PDF files loading from untrusted locations are potentially malicious and confines processing to a restricted sandbox.
Designing Protected Mode in Adobe Reader was pretty simple: we needed to put Reader in a sandbox and allow only controlled access to the local machine. When we designed Protected View in Acrobat, we had a lot more to think about because there’s a lot more to Acrobat. We didn’t want to break the tasks and workflows that our customers rely on Acrobat to help them with. The following is a list of our design principles for Protected View.
- PDF files viewed in a browser using Acrobat with Protected View on are more functional than PDF files in Reader’s sandbox: For Protected View in a browser, the UI provides access to all of the features provided by Reader as well as the features that are available for any rights enabled document when viewed in Reader.
- As secure as Reader running in Protected Mode: Acrobat leverages the same technology and implementation as Reader and is just as secure.
- Transitioning out of Protected View should be simple: In Protected View, exiting the read-only mode is as simple as choosing “Enable All Features”.
- Disabled features should not be hidden: If a feature is not enabled in the sandbox, the UI still displays the disabled feature in the menu as a grayed out item.
- Trust can be assigned to documents so that they bypass Protected View restrictions: Because of its integration with Enhanced Security, users can specify files, folders, and hosts as privileged locations that are not subject to Protected View trust restrictions. PDF files originating from a privileged location will not open in Protected View.
Protected View is disabled by default to ensure compatibility with existing workflows, but it should be enabled all the time for casual users who interact with PDF files in unsecured environments. Protected View can be enabled for all PDF files or just for those that come from potentially unsafe locations; the latter is the recommended setting. Web browsers and email programs typically mark documents such as downloaded internet files and attachments, including PDF files, with a “potentially unsafe” flag. When you open such a document, Acrobat displays a warning bar at the top of the viewing window. In this state, many of Acrobat’s features that allow you to interact with and change the document or its state are disabled, and the associated menu items are grayed out in order to limit your interaction. If “All files” is selected, even PDF files that you just created will open in Protected View.
Acrobat’s behavior with Protected View enabled is slightly more complex than Reader’s. Protected View was designed for two types of scenarios: viewing PDF files with the standalone application and viewing PDF files in a browser. This distinction preserves usability and provides the right level of functionality in each mode.
Protected View in Standalone Acrobat
In the standalone application, behavior is simple and parallels the Protected View provided by Microsoft Office 2010. The view is essentially read-only, and the disabled features prevent any embedded or hidden malicious content from tampering with your system. Once you’ve decided to trust the document, choosing “Enable All Features” exits Protected View, re-enables all commands, depending on the document permissions, and provides permanent trust for the PDF file by adding it to Enhanced Security’s list of privileged locations. The document is now open in a full, unsandboxed Acrobat process.
Protected View in a Browser
When a PDF is opened in a browser, Protected View provides a streamlined experience that doesn’t utilize a warning bar. Instead, browser-based PDF files provide an Adobe Reader-like experience for documents that have been “rights enabled.” That is, all of Reader’s features are available in addition to features that become enabled when a document author uses Acrobat to extend features to Reader users. These features include signing existing form fields, adding new signature fields, saving form data, and other tasks that modify the document if the document permissions allow these.
In this respect, a PDF file in the browser’s Protected View is more capable than a PDF file in the standalone Protected View. On the other hand, the browser-based capabilities are always limited while the standalone application enables users to achieve full functionality with a single click of a button.
Note: Because Windows Explorer leverages the Acrobat browser plug-in to create thumbnails for PDF files, Windows Explorer Preview displays PDF files using Protected View even if the file is already trusted.
Registry configuration enables pre- and post-deployment configuration via the Customization Wizard, scripts, GPO, and other IT-centric methodologies. It also provides more granular control than the user interface alone. Protected View can be enabled or disabled via the registry for the following:
- Unsafe file locations only
- Protected View for all files
- Temporary files in the Temporary Internet Files directory
- Outlook email attachments
To configure Protected View, add the following keys to…
bProtectedViewForUnsafe – Specifies whether Protected View is invoked for files originating from an untrusted location.
bProtectedViewForAll – Specifies whether Protected View is invoked for all files.
bDisableTemporaryFile – Specifies whether Protected View is turned off for temporary files located within “Temporary Internet Files” directories.
bEnableAlwaysOutlookAttachment – Specifies whether Protected View is turned off for all Microsoft Outlook attachments.
Note: Earlier versions of Outlook (Office 2003 and 2007) do not append origin information to files they download to their temp directory. As a result, there is no way of knowing whether the file came from a trusted source. Such files do not automatically open in Protected View.
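The following is an added model, not Adobe's code, of how the rules described above combine: the registry preferences listed in this section, the privileged-location bypass, the standalone/browser/Explorer-preview behaviours, and the "Enable All Features" trust transition. It assumes a DWORD encoding of 1 = true for the registry values and that the temporary-file exemption applies in either Protected View mode; the host names and the `PdfSource` fields are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Host(Enum):
    STANDALONE = "standalone"        # Acrobat.exe
    BROWSER = "browser"              # Acrobat browser plug-in
    EXPLORER_PREVIEW = "explorer"    # Explorer preview renders through the plug-in


@dataclass
class Prefs:
    # Registry value names from the page; DWORD 1 = true is an assumed encoding.
    bProtectedViewForUnsafe: int = 0
    bProtectedViewForAll: int = 0
    bDisableTemporaryFile: int = 0


@dataclass
class PdfSource:
    path: str
    unsafe_flag: bool = False            # "potentially unsafe" mark from a browser or mail client
    in_temp_internet_files: bool = False


def is_privileged(path, privileged_locations):
    """Enhanced Security privileged locations: an exact file or a folder prefix."""
    p = path.lower()
    return any(p == loc.lower() or p.startswith(loc.lower().rstrip("\\") + "\\")
               for loc in privileged_locations)


def open_mode(prefs, src, host, privileged_locations=()):
    """'full', 'pv_standalone' (read-only + warning bar) or 'pv_browser' (Reader-like, no bar)."""
    if not (prefs.bProtectedViewForAll or prefs.bProtectedViewForUnsafe):
        return "full"                                   # Protected View off (the default)
    if host is Host.EXPLORER_PREVIEW:
        return "pv_browser"                             # preview sandboxes even trusted files
    if is_privileged(src.path, privileged_locations):
        return "full"                                   # privileged locations bypass Protected View
    if prefs.bDisableTemporaryFile and src.in_temp_internet_files:
        return "full"                                   # assumed to apply in either PV mode
    sandbox = bool(prefs.bProtectedViewForAll) or (bool(prefs.bProtectedViewForUnsafe) and src.unsafe_flag)
    if not sandbox:
        return "full"                                   # e.g. an old-Outlook attachment with no origin mark
    return "pv_browser" if host is Host.BROWSER else "pv_standalone"


def enable_all_features(src, privileged_locations):
    """'Enable All Features' grants permanent trust by adding the file as a privileged location."""
    return tuple(privileged_locations) + (src.path,)
```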
For more information about this and other Application Security features, see the Application Security Library and watch Brad Arkin, Sr. Director of Product Security and Privacy, discuss Adobe’s strategy in the security space.