Oct 18, 2010 10:05 GMT

Adobe announced that the next major version of its PDF products, which includes the much-awaited sandboxed Adobe Reader, will be released next month.

Dubbed Acrobat X, the new product family will include Adobe Reader X, Acrobat X Suite, Acrobat X Pro, and Acrobat X Standard.

From a security perspective, the release will be very important because of the new sandboxing technology enabled by default in the products.

Adobe Reader can be found on most of the world's computers, and because of this ubiquity, the program is one of the preferred targets of criminals, who exploit it to infect users with malware.

And Adobe Reader was never in short supply of critical arbitrary code execution vulnerabilities, bringing the company a lot of criticism from the security community for failing to secure its code.

In May 2009, Adobe announced a code hardening effort, which involved reviewing old portions of code dating from before the Secure Product Lifecycle (SPLC) was introduced.

Fast-forward one year and nothing's changed. The zero-days are still there and the security updates continue to cover an impressive number of critical flaws.

It's clear that an entirely different and more aggressive approach was needed, and the new "Protected Mode" in Adobe Reader and Acrobat X is just that.

The idea behind the technology is for PDF content to be parsed in a secure container, which interacts with the operating system through a tightly controlled brokering process.

In this way, maliciously crafted PDF documents will not be able to install malware, because their rogue code will be executed inside a very restricted environment.

Adobe's Protected Mode is based on the highly successful Chrome sandbox, which is one of the reasons why Google's browser has not seen significant attacks so far.

Bottom line, the vulnerabilities will still be there, but attackers will have a much harder time exploiting them to infect systems. It's not impossible, but it's significantly harder.

Unfortunately, the availability of this technology will not change the state of things immediately. Some time will have to pass before enough people upgrade to Adobe Reader X for it to make a difference in the threat landscape.