We continue our technical tour of Adobe Reader Protected Mode with a closer look at the sandbox process. (Check out part one of this series, if you missed it.) In today’s blog post we will look at all of the different ingredients the Windows operating system provides for a sandbox and see how those ingredients are used in the sandbox process to restrict access.
Process Level Granularity
For a sandboxed process, adhering to the principle of least privilege means that in many cases, the process can’t do much besides talk to the broker process. On Windows, code cannot perform any input/output (I/O) to disk, keyboard, or screen without making a system call. Most system calls cause Windows to perform some sort of security check. The Adobe Reader sandbox process runs in an environment where these security checks fail for restricted actions.
The point at which a security check fails acts like a security fence, containing the sandboxed code. For Adobe Reader, that means limiting the code’s functionality by imposing a well-defined set of restrictions provided by the Windows security model. These include:
...