Adobe: no known malware has escaped Adobe Reader X sandbox

Discussion in 'other security issues & news' started by MrBrian, Oct 6, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I wonder how long it took them to throw ALL the Known millions of nasties at it, since day one right up to when they tested ?

    I can't see them doing ALL that :p So what do we Actually believe ?

    Kudos for making it better, took them looooooooong enough though :D
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It's been this way for a while now. I believe they have a legitimately secure sandbox. It's definitely good enough for dealing with legacy malware.
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Now if they can do this with the rest of their products I would be very pleased. As would everyone, I assume.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Chrome can do it with Flash so I don't know why other browsers can't or why Adobe can't make it secure by default.
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well, for one thing, no other browser has the kind of sandbox Chrome does. For another, I'm not sure how Adobe could sandbox their plugin or Active-X control themselves and have it work. Other security enhancements are very welcome, but I think the sandbox idea, for Flash at least, can't be done.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    But Chrome does run it as a sandboxed process.
     
  8. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    *Sigh* I continually forget that Flash itself is simply a player, and Flash files are nothing more than a format. So, you're probably right, they might possibly be able to have the player sandbox files. If so, that could be a tremendous security boost. Thinking about that, if it is actually correct, one wonders why they haven't done that yet.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I honestly don't know. I guess because it would be incompatible with other browsers? Or it would take some tweaking?

    Google does it though... and NPAPI is already in every browser.
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Does Google simply force Flash to run in Chrome's sandbox, or does Google have it's own lab-tweaked Flash? If it's simply Flash inside another sandbox, like you and I would do with Sandboxie (albeit on a much more technical level perhaps), then we can still question if Adobe can sandbox files themselves, and, if so, why they haven't. If Google has it's own Flash "fork", I guess you'd call it, then it makes a bit more sense and gives Chrome a heck of a leg up.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I believe Google modifies it but I may just be confused.

    Not sure.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Google is your friend. :)
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    All I know is this:
    http://www.google.com/support/forum...38&fid=0ceb35c556df52380004aa2c07a8fb0f&hl=en

    Which naturally leads me to believe that they tweak it.
     
  14. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Not really, flash in IE runs within protected mode since IE7, so you can't say that Chrome's version is the only "customized" version. Obviously protected mode has been improved since then though.

    Also, Adobe had help from Microsoft and their expertise with protected mode when designing v10.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Has protected mode improved? I thought that it was just running at LowIL. I'm not saying Google is the only one to tweak it, just that they have seemingly changed something.
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Yes it has improved in IE8 and IE9, along with many other factors relating to security, like ActiveX, etc. In IE10 it goes further by using the new sandboxing functions of Win8 (for the Metro version), beta/RC/release will reveal more about the desktop version ofcourse. It's quite possible possible we see a situation with Win8 that every app (such as reader) starts opting in to using the new sandboxing functions. Perhaps even plugins such as flash? Who knows.
     
    Last edited: Oct 7, 2011
Loading...
Thread Status:
Not open for further replies.