Advice Request Adobe Acrobat Reader DC - remaining attack vectors after hardening

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.
N

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
With

- JavaScript- not enabled
- Protected Mode at Startup enabled
- Protected view for All files
- Run in AppContainer enabled
- No automatic trusting of any docs
- Unless explicitly permitted pdf files cannot send information to the internet
- Uncheck allow opening non pdf with external applications

What attack vectors remain for Adobe Acrobat Reader DC.
 
  • Like
Reactions: upnorth and Handsome Recluse
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
notabot said:
With

- JavaScript- not enabled
- Protected Mode at Startup enabled
- Protected view for All files
- Run in AppContainer enabled
- No automatic trusting of any docs
- Unless explicitly permitted pdf files cannot send information to the internet
- Uncheck allow opening non pdf with external applications

What attack vectors remain for Adobe Acrobat Reader DC.
Click to expand...
PDF documents can have the embedded attachments. I am not sure if the external applications which open those attachments (if allowed), will run fully in AppContainer. If not, then those applications can be exploited by the weaponized PDF attachments.
There are some other possibilities:
  1. Phishing tricks, which can instruct the user to open the document outside the AppContainer or allow the Internet connection.
  2. AppContainer exploits.
  3. Some Windows Exploits.
The AppContainer feature is still experimental, so it can have some vulnerabilities. Generally, Adobe Acrobat Reader is a very popular, complex and universal application, so it will always be exploited by the malc0ders. Any other PDF viewer (especially in AppContainer) is much safer.
 
  • Like
Reactions: upnorth, notabot and Handsome Recluse
5

509322

Andy Ful said:
PDF documents can have the embedded attachments. I am not sure if the external applications which open those attachments (if allowed), will run fully in AppContainer. If not, then those applications can be exploited by the weaponized PDF attachments.
There are some other possibilities:
  1. Phishing tricks, which can instruct the user to open the document outside the AppContainer or allow the Internet connection.
  2. AppContainer exploits.
  3. Some Windows Exploits.
The AppContainer feature is still experimental, so it can have some vulnerabilities. Generally, Adobe Acrobat Reader is a very popular, complex and universal application, so it will always be exploited by the malc0ders. Any other PDF viewer (especially in AppContainer) is much safer.
Click to expand...

A lot of people falsely assume AppContainer is a sandbox to contain. It isn't. It is a boundary to prevent injection.
 
  • Like
Reactions: boutthatlife, mlnevese, Andy Ful and 3 others
N

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
I’ve blocked opening anything non pdf with external applications - I don’t know if they would run in AppContainer or not, this is a good point, but with the above config it can’t happen.

Exploits in AppContainer or windows are the remaining attack vector then, this is true for all applications - as an extra layer of mitigation for this hitman Pro or Windows exploit guard or another AV suite anti exploit can be used - but I’d say this setup deweaponises pdf docs that target adobe reader
 
  • Like
Reactions: upnorth and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
Lockdown said:
A lot of people falsely assume AppContainer is a sandbox to contain. It isn't. It is a boundary to prevent injection.
Click to expand...
Yes, that can be a potential danger in Adobe Acrobat Reader DC. Yet, the PDF readers from the Microsoft Store (tested by me), do not allow the active content and attachments embedded in PDF files. That differs the popular PDF Reader from Microsoft Store as compared to any desktop PDF Reader.
The same is true for Word Mobile, Excel Mobile, and PowerPoint Mobile from Microsoft Store.
If the user gets the document with the attachment, then he/she can be infected when clicking on the attachment icon, when the document is opened in Libre Office, SoftMaker Office, WPS Office, etc. But, not when opening it in Word Mobile, etc.
 
Last edited:
  • Like
Reactions: boutthatlife, upnorth, Jack and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
notabot said:
...
Exploits in AppContainer or windows are the remaining attack vector then, this is true for all applications...
Click to expand...
That is much more true for Adobe Acrobat Reader, because it is much more popular (especially in organizations). Exploits for Adobe Acrobat Reader, can hardly work for other PDF Readers.
Anyway, what is the point of using such restricted Adobe Acrobat Reader, if it will probably work very similarly to the popular PDF Reader from Microsoft Store?
 
  • Like
Reactions: Jack and notabot
N

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Andy Ful said:
Yes, that can be a potential danger in Adobe Acrobat Reader DC. Yet, the PDF readers from the Microsoft Store (tested by me), do not allow the active content and attachments embedded in PDF files. That differs the popular PDF Reader from Microsoft Store from any desktop PDF Reader.
The same is true for Word Mobile, Excel Mobile, and PowerPoint Mobile from Microsoft Store.
If the user gets the document with the attachment, then he/she can be infected when clicking on the attachment icon, when the document is opened in Libre Office, SoftMaker Office, WPS Office, etc. But, not when opening it in Word Mobile, etc.
Click to expand...

But Acrobat has a config to block opening attachments

My only issue with Adobe’s in store pdf reader is that it looks like they’re not maintaining it - which readers did you try from the store ?

Regarding what can be done with Acrobat Reader running with AppContainer, adobe has this:

Sandbox Protections — Acrobat Application Security Guide

Btw - That’s a good point regarding in-store office, I plan to make a separate thread on this over the next couple of days. Let’s contain this to PDF and I’ll make a similar one for Office.
 
N

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Andy Ful said:
That is much more true for Adobe Acrobat Reader, because it is much more popular (especially in organizations). Exploits for Adobe Acrobat Reader, can hardly work for other PDF Readers.
Click to expand...

The same argument could be made for using a less popular browser but it’s security but obscurity - I always tend to use a top 1-3 software in terms of user base, it’s morw targeted that’s why hardening them may be a good idea but even if you don’t agree with the premise the original question is a valid one because, by definition, most people use the top 1-3 pieces of software in terms of user base
 
N

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Also regarding non Adobe Readee apps in the store: I could not find a setting to block JavaScript/Active content - it doesn’t support JavaScript in the first place ( better for what I’d use it for) or it does but JavaScript can’t be blocked
 
5

509322

The most effective and smartest method to avoid application exploits is not to use the application in the first place.

IT Security 101. You keep calling it security by obscurity. It isn't. It is called attack surface reducation... a first principle in IT security.

Adobe can add all the protection mechanisms its engineers can dream-up, and it is still going to be targeted and exploited. They have a huge team on it, and still it gets routinely smashed.
 
  • Like
Reactions: Eddie Morra and Handsome Recluse
N

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Lockdown said:
The most effective and smartest method to avoid application exploits is not to use the application in the first place.

IT Security 101. You keep calling it security by obscurity. It isn't. It is called attack surface reducation... a first principle in IT security.

Adobe can add all the protection mechanisms its engineers can dream-up, and it is still going to be targeted and exploited. They have a huge team on it, and still it gets routinely smashed.
Click to expand...

Sure but this is a topic on hardening Adobe Reader
 
Last edited:
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
notabot said:
But Acrobat has a config to block opening attachments

My only issue with Adobe’s in store pdf reader is that it looks like they’re not maintaining it - which readers did you try from the store ?

Regarding what can be done with Acrobat Reader running with AppContainer, adobe has this:

Sandbox Protections — Acrobat Application Security Guide

Btw - That’s a good point regarding in-store office, I plan to make a separate thread on this over the next couple of days. Let’s contain this to PDF and I’ll make a similar one for Office.
Click to expand...
I tested Adobe Reader Touch and Foxit MobilePDF.
As I said before, what is the point of using something complex but extremely restricted, when you get finally, very similar thing to that from Microsoft Store?
 
  • Like
Reactions: upnorth and Handsome Recluse
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
  • Like
Reactions: upnorth
N

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Andy Ful said:
I tested Adobe Reader Touch and Foxit MobilePDF.
As I said before, what is the point of using something complex but extremely restricted, when you get finally, very similar thing to that from Microsoft Store?
Click to expand...

If Adobe Touch were maintained I’d go with Touch but it is unmaintained - Foxit looks interesting but free version has ads and why pay for functionality Adobe gives for Free
 
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
notabot said:
Sure but this is a topic in hardening Adobe Reader
Click to expand...
True.
Lockdown tries to signalize, that hardening Adobe Acrobat Reader DC (with much effort) can be finally less secure, than using another (already restricted) application with the same functionality.
When you have to use Adobe Acrobat Reader DC for some tasks, then it is better to use by default another application for a daily work, and use Adobe Acrobat Reader DC only for the safe documents (but not as a default viewer).
 
  • Like
Reactions: Handsome Recluse and notabot
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
notabot said:
If Adobe Touch were maintained I’d go with Touch but it is unmaintained - Foxit looks interesting but free version has ads and why pay for functionality Adobe gives for Free
Click to expand...
I do not see the adds, do you?
 
  • Like
Reactions: notabot
N

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Andy Ful said:
True.
Lockdown tries to signalize, that hardening Adobe Acrobat Reader DC (with much effort) can be finally less secure, than using another (already restricted) application with the same functionality.
When you have to use Adobe Acrobat Reader DC for some tasks, then it is better to use by default another application for a daily work, and use Adobe Acrobat Reader DC only for the safe documents (but not as a default viewer).
Click to expand...

I don’t agree with his argument for various reasons ( patch frequency for popular software , I find more scrutiny a good thing etc ) but this is a discussion for a different thread , I’m happy to participate in a topic like that but it can’t be that the answer to Harding xyz is don’t use it, use abc instead because it’s less of target due to less use and this is a pattern that’s consistent
 
  • Like
Reactions: upnorth and Andy Ful
N

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
One thing I found interesting is

Sandbox Protections — Acrobat Application Security Guide

I’ll write a policy when I get some free time as this is perhaps too much but I’d like to only allow reads from mystored PDFs folder and writes only to Downloads - this can be done by other means too but it’s interesting to see it as an in-application feature
 
Last edited:
  • Like
Reactions: Andy Ful
Status
Not open for further replies.

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
21,597
Hard_Configurator Tools
South Park
South Park
M4RT1NE2
    • Like
Advice Request A real alternative to Adobe Acrobat Pro DC
Replies
7
Views
1,153
Other software
MuzzMelbourne
MuzzMelbourne
Andy Ful
    • Like
    • +Reputation
    • Thanks
Safe PDF viewers.
Replies
30
Views
6,016
Office, email and business apps
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top