Adobe (finally) adds security sandbox to Reader

At long last, Adobe Systems has added a new security protection to Windows versions of its ubiquitous document reader that's designed to lock down one of the world's most exploited applications. The so-called sandbox isolates Reader from sensitive Windows operations, such as the changing of operating system registry settings …

COMMENTS

This topic is closed for new posts.
  1. Michael Johnson 1
    FAIL

    Um... It's already out

    From Adobe's website: (http://kb2.adobe.com/cps/837/cpsid_83708.html)

    Acrobat and Reader X products

    Latest release: Acrobat Pro and Standard X for English, French, German, and Japanese, November 15 2010, Reader X November 18.

    Date | Ver. | Type | Focus
    Nov 2010 | 10.0 | Major | A major release with new and improved features. Reader and support for other languages have a phased rollout. Acrobat EFGJ: Nov 15, Reader EFGJ: Nov 18, Acrobat and Reader for all other languages: Mid December.

    All I had to do is click on the help menu and then select Check for updates...

  2. Kanhef

    Enabled by default

    which is good, but should it even be an option? I can't immediately think of any situation where you'd need to turn it off, so why not have it permanently enabled? I doubt it will be too long before someone finds an exploit that lets them turn off the sandbox.

  3. Anonymous Coward

    About frickin' time... sheesh.

    What took 'em so long? Well, kudos for finally doin' it, anyway.

  4. Aaron Em

    $5 says root exploit in the wild within a week

    This *is* Adobe Reader we're talking about, after all.

  5. Llanfair
    Grenade

    How big?

    But how much extra size will Adobe X be compared to 9? How much extra junk is included?

  6. Christian Berger

    Won't this break most PDF applications?

    I mean if a PDF file cannot change registry settings it'll have to be rewritten to use the new method of doing so. This will cause lots of old unsupported PDF applications to break.

    1. Mark 65
      FAIL

      PDF applications?

      Man, that just sounds sooooo wrong.

    2. Chad H.
      WTF?

      U

      Call me dumb, but why does a document need to change my registry?

  7. Da Weezil
    FAIL

    Sumo Software.

    So.... even more bloat??? No thanks I'll stick with Foxit! Smaller and seems less prone to the issues that plague Adobe - Like Microsoft - they need to accept that this tired old pile of code needs a ground up re-write to remove the bloat and improve security

  8. Gert Selkobi

    chroot

    That's all.

  9. Steen Hive
    FAIL

    Monumental? Complex?

    "Adding the technology to an existing piece of software is a monumental task,"

    No doubt, but deleting 95% of the source tree and leaving a proper, simple, secure PDF viewer could be done in a day by the tea-lady.

  10. Andy Livingstone

    Strange?

    No responses so far at the time of writing?

    Weekend? Or no-one left using Adobe products?

    All they have to do now is sort the others and keep them all secure for a while.

    Any bets?

  11. This post has been deleted by its author

  12. Anonymous Coward
    Grenade

    Firefox IS Already Sandboxed. Also Is Evince. Also Is Apache

    Because Linux does have a generic solution called AppArmor. Apply it to whatever software you choose.

    http://en.wikipedia.org/wiki/AppArmor

    Oh, you want to run on Windows? My condolences.

    1. Ken Hagan Gold badge

      Sandboxing on Windows

      Windows also has a generic solution, through the "Protect my PC" check-box in the RunAs dialog. It certainly breaks apps that expect to be able to write to the user's own profile (file system and registry) but I've never seen a precise description.

      Of course, the problem is that your average user *wants* some random PDF to be able to "do whatever it needs to do" to their system. There's no protection against that.

    2. Al Jones

      Evince - pity it doesn't work

      I tried to make Evince the default .PDF handler here. It worked nicely until people tried to print the PDF files created by our document scanner. It turns out that Evince won't reliably print images in documents.

      Just why they want to make a paper copy of a document that we had scanned so that we could get rid of the paper copy (or at least put it in cold storage) is a conversation for another day. Today's conversation is about that "crappy open source software that IT are trying to force us to use".

  13. John Tserkezis
    Thumb Down

    Too little too late.

    I've always been pro-Adobe reader, even if it was bloated.

    But since 9.x, it's beyond a joke. Even by my jokey standards.

    And I haven't even started on Adobe DLM. What the hell were they thinking?

    Google it, not one freaking bloody good word about it.

    Thanks Adobe, for making my choice that much easier by stopping me from getting it in the first place.

    And no, I don't use FoxIt. Tried it, vomited, and kept looking.

    1. Anonymous Coward
      Heart

      Sumatra pdf

      @John Tserkezis

      You may want to try Sumatra PDF. Fast and simple, does one thing only: displays pdfs.

  14. Jay Clericus
    Happy

    foxit works

    find foxit is better, less likely to cause me hassles :)

  15. Kurgan
    FAIL

    Yes, sure, sandbox the bloatware!

    That's really a nice idea. First, create a reader that works. Then, add bloat. Then, more bloat. Then, download manager, toolbars, spyware, and so on. Then, a little more bloat.

    In the end, add even more bloat to keep the bugs inside.

    TOTAL FAILURE!

    I use Linux, so I don't care. But when I have to use Windows, I use something else to read PDF files.

  16. Ken Hagan Gold badge
    WTF?

    Re: Too little too late

    "And no, I don't use FoxIt. Tried it, vomited, and kept looking."

    In my experience, FoxIT displays the text and diagrams of any PDF you feed it and I can't think of anything else I'd *want* an application to do with a PDF.

    What is it that you want your PDF viewer to do, the absence of which is sufficiently nauseating that you throw up? I'm genuinely curious.

  17. s. pam Silver badge
    FAIL

    Oh happy fucking day

    yet another pile of cr4p from Adobe I get to update all the computers in the house with.

    Adobe, prepare for a boot in your bum -- you're about to leave my building -- you're no better than MSFT and equally virus ridden.

    1. Anonymous Coward
      Stop

      @s.pam

      My feeling is that MS is actually much better than Adobe, despite the fact that MS is vastly inferior to Linux.

      Just have a look at the Adobe Flash Manager, which lets you choose update checking intervals. The shortest time interval is SEVEN days. MS and Linux can push a patch in a matter of hours, Adobe needs at least a week.

      Certainly enough time for the bad guys to distribute a Flash virus via Doubleclick et al.

  18. Dan 55 Silver badge
    Thumb Down

    Sandboxing, worse icons, and flogging online services

    Well one out of three isn't bad...

  19. Al Jones

    Reader X - 33% extra free!

    AdbeRdr940_en_US.exe [Sep 23 12:42] 27634824

    AdbeRdr1000_en_US.exe [Nov 11 00:43] 36791704
