Advice Request Adobe Acrobat Reader DC - remaining attack vectors after hardening

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
With

- JavaScript- not enabled
- Protected Mode at Startup enabled
- Protected view for All files
- Run in AppContainer enabled
- No automatic trusting of any docs
- Unless explicitly permitted pdf files cannot send information to the internet
- Uncheck allow opening non pdf with external applications

What attack vectors remain for Adobe Acrobat Reader DC.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
With

- JavaScript- not enabled
- Protected Mode at Startup enabled
- Protected view for All files
- Run in AppContainer enabled
- No automatic trusting of any docs
- Unless explicitly permitted pdf files cannot send information to the internet
- Uncheck allow opening non pdf with external applications

What attack vectors remain for Adobe Acrobat Reader DC.
PDF documents can have the embedded attachments. I am not sure if the external applications which open those attachments (if allowed), will run fully in AppContainer. If not, then those applications can be exploited by the weaponized PDF attachments.
There are some other possibilities:
  1. Phishing tricks, which can instruct the user to open the document outside the AppContainer or allow the Internet connection.
  2. AppContainer exploits.
  3. Some Windows Exploits.
The AppContainer feature is still experimental, so it can have some vulnerabilities. Generally, Adobe Acrobat Reader is a very popular, complex and universal application, so it will always be exploited by the malc0ders. Any other PDF viewer (especially in AppContainer) is much safer.
 
5

509322

PDF documents can have the embedded attachments. I am not sure if the external applications which open those attachments (if allowed), will run fully in AppContainer. If not, then those applications can be exploited by the weaponized PDF attachments.
There are some other possibilities:
  1. Phishing tricks, which can instruct the user to open the document outside the AppContainer or allow the Internet connection.
  2. AppContainer exploits.
  3. Some Windows Exploits.
The AppContainer feature is still experimental, so it can have some vulnerabilities. Generally, Adobe Acrobat Reader is a very popular, complex and universal application, so it will always be exploited by the malc0ders. Any other PDF viewer (especially in AppContainer) is much safer.

A lot of people falsely assume AppContainer is a sandbox to contain. It isn't. It is a boundary to prevent injection.
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
I’ve blocked opening anything non pdf with external applications - I don’t know if they would run in AppContainer or not, this is a good point, but with the above config it can’t happen.

Exploits in AppContainer or windows are the remaining attack vector then, this is true for all applications - as an extra layer of mitigation for this hitman Pro or Windows exploit guard or another AV suite anti exploit can be used - but I’d say this setup deweaponises pdf docs that target adobe reader
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
A lot of people falsely assume AppContainer is a sandbox to contain. It isn't. It is a boundary to prevent injection.
Yes, that can be a potential danger in Adobe Acrobat Reader DC. Yet, the PDF readers from the Microsoft Store (tested by me), do not allow the active content and attachments embedded in PDF files. That differs the popular PDF Reader from Microsoft Store as compared to any desktop PDF Reader.
The same is true for Word Mobile, Excel Mobile, and PowerPoint Mobile from Microsoft Store.
If the user gets the document with the attachment, then he/she can be infected when clicking on the attachment icon, when the document is opened in Libre Office, SoftMaker Office, WPS Office, etc. But, not when opening it in Word Mobile, etc.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
...
Exploits in AppContainer or windows are the remaining attack vector then, this is true for all applications...
That is much more true for Adobe Acrobat Reader, because it is much more popular (especially in organizations). Exploits for Adobe Acrobat Reader, can hardly work for other PDF Readers.
Anyway, what is the point of using such restricted Adobe Acrobat Reader, if it will probably work very similarly to the popular PDF Reader from Microsoft Store?
 
  • Like
Reactions: Jack and notabot

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Yes, that can be a potential danger in Adobe Acrobat Reader DC. Yet, the PDF readers from the Microsoft Store (tested by me), do not allow the active content and attachments embedded in PDF files. That differs the popular PDF Reader from Microsoft Store from any desktop PDF Reader.
The same is true for Word Mobile, Excel Mobile, and PowerPoint Mobile from Microsoft Store.
If the user gets the document with the attachment, then he/she can be infected when clicking on the attachment icon, when the document is opened in Libre Office, SoftMaker Office, WPS Office, etc. But, not when opening it in Word Mobile, etc.

But Acrobat has a config to block opening attachments

My only issue with Adobe’s in store pdf reader is that it looks like they’re not maintaining it - which readers did you try from the store ?

Regarding what can be done with Acrobat Reader running with AppContainer, adobe has this:

Sandbox Protections — Acrobat Application Security Guide

Btw - That’s a good point regarding in-store office, I plan to make a separate thread on this over the next couple of days. Let’s contain this to PDF and I’ll make a similar one for Office.
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
That is much more true for Adobe Acrobat Reader, because it is much more popular (especially in organizations). Exploits for Adobe Acrobat Reader, can hardly work for other PDF Readers.

The same argument could be made for using a less popular browser but it’s security but obscurity - I always tend to use a top 1-3 software in terms of user base, it’s morw targeted that’s why hardening them may be a good idea but even if you don’t agree with the premise the original question is a valid one because, by definition, most people use the top 1-3 pieces of software in terms of user base
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Also regarding non Adobe Readee apps in the store: I could not find a setting to block JavaScript/Active content - it doesn’t support JavaScript in the first place ( better for what I’d use it for) or it does but JavaScript can’t be blocked
 
5

509322

The most effective and smartest method to avoid application exploits is not to use the application in the first place.

IT Security 101. You keep calling it security by obscurity. It isn't. It is called attack surface reducation... a first principle in IT security.

Adobe can add all the protection mechanisms its engineers can dream-up, and it is still going to be targeted and exploited. They have a huge team on it, and still it gets routinely smashed.
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
The most effective and smartest method to avoid application exploits is not to use the application in the first place.

IT Security 101. You keep calling it security by obscurity. It isn't. It is called attack surface reducation... a first principle in IT security.

Adobe can add all the protection mechanisms its engineers can dream-up, and it is still going to be targeted and exploited. They have a huge team on it, and still it gets routinely smashed.

Sure but this is a topic on hardening Adobe Reader
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
But Acrobat has a config to block opening attachments

My only issue with Adobe’s in store pdf reader is that it looks like they’re not maintaining it - which readers did you try from the store ?

Regarding what can be done with Acrobat Reader running with AppContainer, adobe has this:

Sandbox Protections — Acrobat Application Security Guide

Btw - That’s a good point regarding in-store office, I plan to make a separate thread on this over the next couple of days. Let’s contain this to PDF and I’ll make a similar one for Office.
I tested Adobe Reader Touch and Foxit MobilePDF.
As I said before, what is the point of using something complex but extremely restricted, when you get finally, very similar thing to that from Microsoft Store?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
  • Like
Reactions: upnorth

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
I tested Adobe Reader Touch and Foxit MobilePDF.
As I said before, what is the point of using something complex but extremely restricted, when you get finally, very similar thing to that from Microsoft Store?

If Adobe Touch were maintained I’d go with Touch but it is unmaintained - Foxit looks interesting but free version has ads and why pay for functionality Adobe gives for Free
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
Sure but this is a topic in hardening Adobe Reader
True.
Lockdown tries to signalize, that hardening Adobe Acrobat Reader DC (with much effort) can be finally less secure, than using another (already restricted) application with the same functionality.
When you have to use Adobe Acrobat Reader DC for some tasks, then it is better to use by default another application for a daily work, and use Adobe Acrobat Reader DC only for the safe documents (but not as a default viewer).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
If Adobe Touch were maintained I’d go with Touch but it is unmaintained - Foxit looks interesting but free version has ads and why pay for functionality Adobe gives for Free
I do not see the adds, do you?
 
  • Like
Reactions: notabot

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
True.
Lockdown tries to signalize, that hardening Adobe Acrobat Reader DC (with much effort) can be finally less secure, than using another (already restricted) application with the same functionality.
When you have to use Adobe Acrobat Reader DC for some tasks, then it is better to use by default another application for a daily work, and use Adobe Acrobat Reader DC only for the safe documents (but not as a default viewer).

I don’t agree with his argument for various reasons ( patch frequency for popular software , I find more scrutiny a good thing etc ) but this is a discussion for a different thread , I’m happy to participate in a topic like that but it can’t be that the answer to Harding xyz is don’t use it, use abc instead because it’s less of target due to less use and this is a pattern that’s consistent
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
One thing I found interesting is

Sandbox Protections — Acrobat Application Security Guide

I’ll write a policy when I get some free time as this is perhaps too much but I’d like to only allow reads from mystored PDFs folder and writes only to Downloads - this can be done by other means too but it’s interesting to see it as an in-application feature
 
Last edited:
  • Like
Reactions: Andy Ful
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top