Introducing Adobe Reader Protected Mode

In May 2009, I announced the major Adobe Reader and Acrobat security initiative that was already underway. The three main areas of focus of that initiative were code hardening, incident response process improvements, and a shift to a regular security update schedule. From our rapid incident response in urgent situations to the new Adobe Reader Updater, our investments in these areas are helping to keep our users safe.

As part of our commitment to product security, we are always investigating new technologies and approaches. Today, I’m very excited to share an example of a new mitigation technology and to start the public conversation around the next major step Adobe is taking to help protect users from attacks in a rapidly evolving threat landscape: Adobe Reader Protected Mode.

Scheduled for inclusion in the next major version release of Adobe Reader, Protected Mode is a sandboxing technology based on Microsoft’s Practical Windows Sandboxing technique. It is similar to the Google Chrome sandbox and Microsoft Office 2010 Protected Viewing Mode. Adobe has been working closely with David LeBlanc, Dan Jump and other members of the Microsoft Office security team, Nicolas Sylvain and the Chrome team at Google, as well as third-party consultancies and other external stakeholders to leverage their sandboxing knowledge and experience. We greatly appreciate the input and support from all of our partners and friends in the community who helped with this effort.

With Adobe Reader Protected Mode enabled (it will be by default), all operations required by Adobe Reader to display the PDF file to the user are run in a very restricted manner inside a confined environment, the “sandbox.” Should Adobe Reader need to perform an action that is not permitted in the sandboxed environment, such as writing to the user’s temporary folder or launching an attachment inside a PDF file using an external application (e.g. Microsoft Word), those requests are funneled through a “broker process,” which has a strict set of policies for what is allowed and disallowed to prevent access to dangerous functionality.

The initial release of Adobe Reader Protected Mode will be the first phase in the implementation of the sandboxing technology. This first release will sandbox all “write” calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. This will mitigate the risk of exploits seeking to install malware on the user’s computer or otherwise change the computer’s file system or registry. In future releases of Adobe Reader, we plan to extend the sandbox to include read-only activities to protect against attackers seeking to read sensitive information on the user’s computer.

Adobe Reader Protected Mode represents an exciting new advancement in attack mitigation. Even if an exploitable security vulnerability is found by an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files, changing registry keys or installing malware on potential victims’ computers.

This post is just the beginning of our public conversation around Adobe Reader Protected Mode. We look forward to continuing the conversation — in person at upcoming security conferences or via this blog. Watch for more details as work progresses.