Q&A: Sandbox for Adobe Reader

Didier Stevens is an IT security consultant well-known for his research into malicious PDF files. Since Adobe announced a sandbox for Adobe Reader, it was a perfect opportunity to hear his opinion on the subject.

What are the pros and cons of Adobe’s sandboxing approach?
I believe it is good enough to block most malicious PDF files found in the wild for the moment. I’ve my doubts about some lesser-known PoCs, but that needs to be tested once Adobe releases its software.

A major con is that for the moment, it’s a write-sandbox. Only “write” operation are sandboxed, to prevent system alteration by malware. However, unrestricted reading is allowed in this first phase. Therefore it is possible to write info-stealing shellcode and let that happily run in the sandbox and exfiltrate all your secrets.

Is this the “magic bullet” that’s going to solve most Adobe Reader security woes?
No, and Adobe acknowledges this. Phishing attacks is one example they gave that won’t be mitigated by the sandbox.

Is it possible for the Protected Mode to introduce new issues for end users?
It could. The Broker Process has to be very reliable. If I can mislead the Broker Process, it will give we access.

Think of the bug in the blacklisting function for the /Launch action. Extension .EXE is blacklisted, but using extension .EXE” allows me to bypass this process. If there are similar bugs in the Broker Process, researchers will soon find them. Also, the Broker Process also has to fail gracefully. If it goes down (for example due to an attack), the mechanism has to fail closed: deny all access.