Adobe: no known malware has escaped Adobe Reader X sandbox

http://nakedsecurity.sophos.com/201...nd-reader-security-interview-with-brad-arkin/

 

I wonder how long it took them to throw ALL the Known millions of nasties at it, since day one right up to when they tested ?

I can't see them doing ALL that So what do we Actually believe ?

Kudos for making it better, took them looooooooong enough though

 

It's been this way for a while now. I believe they have a legitimately secure sandbox. It's definitely good enough for dealing with legacy malware.

 

Now if they can do this with the rest of their products I would be very pleased. As would everyone, I assume.

 

Chrome can do it with Flash so I don't know why other browsers can't or why Adobe can't make it secure by default.

 

Well, for one thing, no other browser has the kind of sandbox Chrome does. For another, I'm not sure how Adobe could sandbox their plugin or Active-X control themselves and have it work. Other security enhancements are very welcome, but I think the sandbox idea, for Flash at least, can't be done.

 

But Chrome does run it as a sandboxed process.

 

*Sigh* I continually forget that Flash itself is simply a player, and Flash files are nothing more than a format. So, you're probably right, they might possibly be able to have the player sandbox files. If so, that could be a tremendous security boost. Thinking about that, if it is actually correct, one wonders why they haven't done that yet.

 

I honestly don't know. I guess because it would be incompatible with other browsers? Or it would take some tweaking?

Google does it though... and NPAPI is already in every browser.

 

Does Google simply force Flash to run in Chrome's sandbox, or does Google have it's own lab-tweaked Flash? If it's simply Flash inside another sandbox, like you and I would do with Sandboxie (albeit on a much more technical level perhaps), then we can still question if Adobe can sandbox files themselves, and, if so, why they haven't. If Google has it's own Flash "fork", I guess you'd call it, then it makes a bit more sense and gives Chrome a heck of a leg up.

 

I believe Google modifies it but I may just be confused.

Not sure.

 

Google is your friend.

 

All I know is this:
http://www.google.com/support/forum...38&fid=0ceb35c556df52380004aa2c07a8fb0f&hl=en

Which naturally leads me to believe that they tweak it.

 

Not really, flash in IE runs within protected mode since IE7, so you can't say that Chrome's version is the only "customized" version. Obviously protected mode has been improved since then though.

Also, Adobe had help from Microsoft and their expertise with protected mode when designing v10.

 

Has protected mode improved? I thought that it was just running at LowIL. I'm not saying Google is the only one to tweak it, just that they have seemingly changed something.

 

Yes it has improved in IE8 and IE9, along with many other factors relating to security, like ActiveX, etc. In IE10 it goes further by using the new sandboxing functions of Win8 (for the Metro version), beta/RC/release will reveal more about the desktop version ofcourse. It's quite possible possible we see a situation with Win8 that every app (such as reader) starts opting in to using the new sandboxing functions. Perhaps even plugins such as flash? Who knows.