Inside Adobe Acrobat Protected View

Kyle Randolph here, along with the security team for the Adobe Acrobat family of products. This post will discuss the technical details of the new Protected View added in the Acrobat 10.1 release announced today. Even more technical details are available in the Application Security Library.Protected View builds on Adobe Reader Protected Mode discussed previously in a series of technical posts on the ASSET blog. With Protect View, Acrobat users will benefit from the protection provided by a sandbox when they open untrusted PDF files.

Design Principles

The high-level security design principles for Protected View include the following:

  • As secure as Adobe Reader Protected Mode: Acrobat leverages the same sandbox technology and implementation as Adobe Reader.
  • PDFs in a browser offer Adobe Reader Protected Mode functionality and protection, along with “rights-enabled” features: Protected View in a browser offers a similar experience to Adobe Reader Protected Mode, plus the features that are available in Adobe Reader for rights-enabled documented are always available for Acrobat Protected View users.
  • Trust can be assigned to documents so that they bypass Protected View restrictions: Because of its integration with Enhanced Security, users can specify files, folders and hosts as privileged locations that are not subject to Protected View trust restrictions. PDFs originating from a privileged location will not open in Protected View.

Standalone Application

In the standalone application, behavior is simple and parallels the Protected View provided by Office 2010. During a file download and/or save, Web browsers and e-mail programs typically mark downloaded files and attachments with a “potentially unsafe” flag. When you open such a document, Acrobat displays a warning bar at the top of the viewing window. In this state, many of the Acrobat features that interact with and change the document are disabled, and the associated menu items are greyed out in order to limit user interaction.

The view is essentially read-only, and the disabled features prevent any embedded or tag-along malicious content from tampering with your system. Once you’ve decided to trust the document, choosing Enable All Features exits Protected View, enables all menu items, and provides permanent trust for the file by adding to Enhanced Security’s list of privileged locations. The document is now open in a full, unsandboxed Acrobat process.

Browser

When a PDF file is opened in a browser, Acrobat Protected View provides a streamlined experience that doesn’t utilize a warning bar. Instead, browser-based PDF files provide an Adobe Reader-like experience for documents that have been “rights-enabled.” That is, all of the Adobe Reader features are available in addition to features that become enabled when a document author uses Acrobat to extend features to Adobe Reader users. These features include signing existing form fields, adding new signature fields, saving form data, etc.

Table 1 Protected View: Standalone versus Browser Functionality

Feature Standalone Browser
Drag-drop PDF files to the reading or navigation pane No Yes
Printing No Yes
Advanced Printing No No
Saving No Yes
Pan and Zoom No No
Loupe Tool No No
Reading Mode No Yes
Full Screen Mode No Yes

 

Integration with Enhanced Security

Acrobat Protected View is integrated with Enhanced Security both in the user interface as well as at the registry level. When a user chooses “Enable All Features,” the current file is added to the user’s list of privileged locations, thereby granting a level of trust which allows it to bypass the Enhanced Security restrictions. Those restrictions include such things as cross-domain access, data injection, silent printing, etc. For this reason, you should only enable all features for documents you absolutely trust.

The application stores information about privileged location trust in the registry. Once a file is trusted, a unique identifier is added to each of the cabs under the cTrustedFolders registry key. Conversely, if a file is trusted at the registry level manually or via some other feature like the Options button on the Yellow Message Bar, that file becomes exempt from Protected View from that point on.

It’s all a matter of what you trust: Protected View, Protected Mode, and Enhanced Security provide restrictions to safely open documents that you do not trust; however, you can also bypass those restrictions for files, folders and hosts you that deem trustworthy. You control the level of security you need.

Conclusion

The Acrobat Protected View sandboxing solution is a great way for protecting users from malware PDF attacks. In the protected view the user will have very limited access to the Acrobat functionality as such, but it’s just enough to make an informed decision as to whether he/she wants to trust the document or not. And its design allows the user to read the contents of a PDF file received from untrusted sources without having to worry about a system compromise due to malware infection. The yellow bar indicator at the top allows transition into the normal editing mode of Acrobat once the document has been explicitly trusted by the user. Sandboxing adds another layer of defense to the overall Acrobat product security. It’s not a silver bullet, but it can go a long way in protecting our customers and users from most of the commonly known attacks out there.

-Kyle Randolph, Ben Rogers, Suchit Mishra