Adobe has revealed that it will strengthen the security controls in the Adobe Reader application by adding sandboxing in the next release. With malicious attacks targeting Adobe products more frequently, it is definitely a move in the right direction, but there are also more secure PDF reader alternatives you can start using today.
Adobe plans to add a Protected Mode--borrowing the name from the security feature in Microsoft Internet Explorer. The Protected Mode will provide a sandboxing capability, confining processes such as JavaScript and image parsing in separate areas to prevent malicious--or even legitimate--software from modifying core files, accessing other running processes, or installing or deleting files.
The sandboxing feature will not be available until the next major release of Adobe Reader, which Adobe expects to be release by the end of 2010. Adobe specified that the sandboxing security control will not be included in the Mac version of Adobe Reader, as the vast majority of threats exploiting Adobe products are aimed at Windows systems.
According to Andrew Brandt, threat research analyst at Webroot, "The old advice remains true: Turn off Javascript in Acrobat unless you actually have a PDF file that needs it, and unhook the embedded Acrobat plugin from your browser. There are still tons of exploit kits in the wild targeting old Adobe products, and those exploits will still work so long as there are old versions of Adobe Reader floating 'round. It'll be a while before the majority of users upgrade, and in the meantime, all those old exploits are still effective."
Users don't have to wait for the Adobe Protected Mode, though. Alternative PDF reader applications like FoxIt Reader and Nuance PDF Reader have similar security controls and then some, and these products are available now.
Brandt also recommends that users take a look at FoxIt Reader. He explains that FoxIt "released their 4.0 product a few weeks back and it has a whole slew of new security features, including sandboxing, which I was really impressed with. I've also found that it reduces the problem of a vulnerable software monoculture."
"Foxit is also far less bloated than Adobe, offers more features in its free product than does Adobe, and doesn't require the use of an annoying download manager to do its updates." Brandt concluded.
Nuance PDF Reader is also available for free. It allows you to fill in and save PDF forms, and annotate PDFs. It can also convert PDF files to other formats like Microsoft Word, Excel, or RTF, and it takes up about a quarter of the hard drive real estate as Adobe Reader. Most importantly, though, it contains security measures vital to protecting your system from malicious PDF files.
I commend Adobe for recognizing the persistent and growing threat that Adobe Reader represents for many organizations, and taking proactive steps to develop a more secure release. In the meantime, though, I recommend that IT admins and business professionals take a look at alternatives to work with PDFs more securely now rather than waiting until the end of the year.
You can follow Tony on his Facebook page, or contact him by email at tony_bradley@pcworld.com. He also tweets as @Tony_BradleyPCW.