Protected Mode (PM) was introduced with Reader 10.0 on Windows. It transparently protects users against attacks by sandboxing application processes. Protected Mode is one of the most powerful features in Reader’s security arsenal. Note that many dot releases have NOT included a Reader update for Windows because the application is not subject to many vulnerabilities when Protected Mode is enabled.
In Reader 11.0, Protected View is only supported when Protected Mode is enabled. There can be no HKCU or HKLM Protected Mode registry preference set to 0 (off) when Protected View is enabled.
What is a “sandbox” and Protected Mode?
For application developers, sandboxing is a technique for creating a confined execution environment for running untrusted programs. In the context of Adobe Reader, the “untrusted program” is any PDF and the processes it invokes. When Reader sandboxing is enabled, Reader assumes all PDFs are potentially malicious and confines any processing they invoke to the sandbox.
Sandboxes are typically used when data (such as documents or executable code) arrives from an untrusted source. A sandbox limits, or reduces, the level of access its applications have. For example, creating and executing files and modifying system information such as certain registry settings and other control panel functions may be prohibited.
If a process P runs a child process Q in a sandbox, then Q’s privileges would typically be restricted to a subset of P’s. For example, if P is running on a system, then P may be able to look at all processes on the system. Q, however, will only be able to look at processes that are in the same sandbox as Q. Barring any vulnerabilities in the sandbox mechanism itself, the scope of potential damage caused by a misbehaving Q is reduced.
The Reader sandbox leverages the operating system’s security controls, and processes execute under a “principle of least privileges.” Thus, processes that could be subject to an attacker’s control run with limited capabilities and must perform actions such as reading and writing through a separate, trusted process. This design has two primary effects:
Sandboxing is relatively new for most enterprise applications because it is difficult to implement in mature software (e.g. millions of lines of code) that is already deployed across an almost limitless number of environments. A few recently shipped products that demonstrate the sandboxing proof of concept include Microsoft Office 2007 MOICE, Google Chrome’s rendering engine, and Office 2010 Protected View. The challenge is to enable sandboxing while keeping user workflows functional and without turning off features on which users depend. The ultimate goal is to proactively provide a high level of protection rather than just fixing bugs and vulnerabilities as they appear.
Due to the fundamental differences in OS and product implementations, sandbox designs must be tailored to each environment. The current release includes support for the following:
| Version | Change |
| --- | --- |
| 10.0 | Protected Mode introduced in Reader. |
| 10.x-11.0 | Many changes and improvements were made for dot releases, as described at http://helpx.adobe.com/acrobat/kb/protected-mode-troubleshooting-reader.html |
| 11.0 | See Read policy changes for 11.0. |
While different users will have different security needs, casual users who interact with PDFs in insecure environments should enable Protected Mode all the time.
There are a limited number of cases where you might want to disable Protected Mode:
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Privileged] "bProtectedMode"=(0 = off; 1 = on)
Protected Mode preference
The application uses an internal key. The actual key does not exist by default and so does not appear until the key is manually created.
None. PM is designed to protect users transparently and without impacting other features.
While Protected Mode can be disabled for PDFs viewed with the product, Adobe continues to protect you when third-party software invokes a Reader process; that is, Protected Mode sandboxing cannot be disabled for shell extensions. For example, when you use Windows Explorer to preview a PDF in the Preview Pane, it starts a Reader process to display the preview. In such cases, Task Manager shows that two AcroRd32.exe processes spawn and that the operation is occurring with Protected Mode enabled.
Logging is available for users who need to troubleshoot problems where a workflow or plugin does not work when Protected Mode is enabled. The log may provide guidance as to whether a custom policy file should be used to re-enable broken workflows or plugins.
In addition to enabling logging via the UI (above), you can turn on logging and configure a log file location via the registry.
To enable logging, specify a log file location:
Policy logging for a policy violation:
```
[08:12/13:46:16] real_path: \BaseNamedObjects\ZonesCacheCounterMutex
[08:12/13:46:16] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[08:12/13:46:16] NtCreateMutant: STATUS_ACCESS_DENIED
[08:12/13:46:16] real_path: \BaseNamedObjects\ZonesLockedCacheCounterMutex
[08:12/13:46:16] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[08:12/13:46:16] NtCreateKey: STATUS_ACCESS_DENIED
[08:12/13:46:16] real path: \REGISTRY\USER\S-1-5-21-762979615-2031575299-929701000-51250\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[08:12/13:46:16] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[08:12/13:46:16] NtCreateKey: STATUS_ACCESS_DENIED
[08:12/13:46:16] real path: \REGISTRY\USER\S-1-5-21-762979615-2031575299-929701000-51250\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[08:12/13:46:16] Consider modifying policy using this policy rule: REG_ALLOW_ANY
```
Protected Mode can be locked as enabled or disabled as follows:
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown.
Right click and choose New > DWORD Value.
Right click on the key and choose Modify.
Set the value as follows:
- 0: Disables the feature.
- 1: Enables the feature.
There are two ways to verify if the application is running in Protected Mode:
Protected Mode prevents a number of actions which IT can bypass by creating a white list of allowed actions. The component that reads these policies is called a “broker.” The broker performs actions based on those policies, and when an admin provides a properly configured policy file, the broker can bypass the application’s default restrictions.
The broker first reads and applies all custom policies prior to applying the default policies. Since custom policies take precedence, they are useful for fixing broken workflows, supporting third party plug-ins, and cases where unsupported machine configurations cause the Protected Mode to impair required functionality.
Configurable policies have two requirements:
To allow the application to read and use a policy file, registry configuration is required. To enable policy files:
Once you’ve enabled policies as described in Enabling custom policies, you can write and deploy a policy file. A policy file is a set of policy-rules. There can be one per line, empty lines, or full-line comments that begin with a semi-colon. Each policy rule (one on each line) has the format:
POLICY_RULE_TYPE = pattern string
Pattern strings denote file names, registry locations, exe paths, etc. These strings support the following:
*: Matches zero or more characters. Only one in series allowed. For example:
- FILES_ALLOW_ANY = c:\temp\*
- REG_ALLOW_ANY = HKEY_CURRENT_USER\Software\(SomeProgram)*
- SECTION_ALLOW_ANY = *imejp*
?: Matches a single character. One or more in series are allowed.
Environment variables: For example, %SystemRoot% could be used in:
PROCESS_ALL_EXEC = %SystemRoot%\system32\calc.exe
Adobe-provided policy rules include those shown below.
| Policy rule | Effect |
| --- | --- |
| FILES_ALLOW_ANY | Allows open or create for any kind of access that the file system supports. |
| FILES_ALLOW_DIR_ANY | Allows open or create with directory semantics only. |
| REG_ALLOW_ANY | Allows read and write access to a registry key. |
| PROCESS_ALL_EXEC | Allows the creation of a process and returns full access on the returned handles. |
| NAMEDPIPES_ALLOW_ANY | Allows creation of a named pipe. |
| EVENTS_ALLOW_ANY | Allows the creation of an event with full access. |
| MUTANT_ALLOW_ANY | Allows creation of a mutant with full access (MUTANT_ALL_ACCESS). |
| SECTION_ALLOW_ANY | Allows creation/opening of a section with full access. |
| FILES_ALLOW_READONLY (11.0 and later) | Allows read access to a specific path. |
Policy configuration file
```
; Files Section
FILES_ALLOW_ANY = c:\temp\*
FILES_ALLOW_ANY=%APPDATA%\Citrix\*
; Processes
PROCESS_ALL_EXEC = %SystemRoot%\system32\calc.exe
; Registry
REG_ALLOW_ANY = HKEY_CURRENT_USER\Software\(SomeProgram)
; Mutants
MUTANT_ALLOW_ANY = *imejp*
; Sections
SECTION_ALLOW_ANY = *imejp*
```
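The policy-file format above and the broker's policy-violation log from the logging section lend themselves to a small triage tool. The following is an added example in Python, not Adobe's code: it parses a policy file using the rule types from the table, groups the broker log into denied-access records, and reports which records a candidate policy would still leave denied, so an admin can add the narrowest rule that fixes a workflow instead of a broad wildcard. The sample policy and log lines are constructed from the page's own excerpts; the environment-variable values and the assumption that `*` also spans backslashes are mine.

```python
import re
# Rule types the page lists for the Protected Mode broker policy file.
RULE_TYPES = {"FILES_ALLOW_ANY", "FILES_ALLOW_DIR_ANY", "FILES_ALLOW_READONLY",
              "REG_ALLOW_ANY", "PROCESS_ALL_EXEC", "NAMEDPIPES_ALLOW_ANY",
              "EVENTS_ALLOW_ANY", "MUTANT_ALLOW_ANY", "SECTION_ALLOW_ANY"}
# The broker logs registry paths in NT form; hive names map onto these prefixes.
HIVES = {"HKEY_LOCAL_MACHINE": r"\REGISTRY\MACHINE", "HKEY_CURRENT_USER": r"\REGISTRY\USER\{sid}"}
LOG_LINE = re.compile(r"^\[[^\]]+\]\s*(Nt\w+|real[_ ]path|Consider modifying policy using this policy rule):\s*(.*)$")
# Constructed sample input: rules from the page's policy file and two records from its log excerpt.
SAMPLE_POLICY = r"""; Files Section
FILES_ALLOW_ANY = c:\temp\*
REG_ALLOW_ANY = HKEY_CURRENT_USER\Software\(SomeProgram)
MUTANT_ALLOW_ANY = *imejp*"""
SAMPLE_LOG = r"""[08:12/13:46:16] NtCreateMutant: STATUS_ACCESS_DENIED
[08:12/13:46:16] real_path: \BaseNamedObjects\ZonesCacheCounterMutex
[08:12/13:46:16] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[08:12/13:46:16] NtCreateKey: STATUS_ACCESS_DENIED
[08:12/13:46:16] real path: \REGISTRY\USER\S-1-5-21-762979615-2031575299-929701000-51250\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[08:12/13:46:16] Consider modifying policy using this policy rule: REG_ALLOW_ANY"""
ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming", "SYSTEMROOT": r"C:\Windows"}  # constructed values
SID = "S-1-5-21-762979615-2031575299-929701000-51250"  # the user SID that appears in the page's log

def parse_policy(text):
    """Parse 'RULE_TYPE = pattern' lines; ';' starts a comment and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        rtype, sep, pattern = (s.strip() for s in line.partition("="))
        if not sep or rtype not in RULE_TYPES or "**" in pattern:  # only one '*' in series is allowed
            raise ValueError(f"line {lineno}: unknown rule type, missing '=' or '**' in {line!r}")
        rules.append((rtype, pattern))
    return rules

def pattern_matches(pattern, path, env, sid):
    """Case-insensitive match of a policy pattern against a logged NT path ('*' spans backslashes)."""
    pattern = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), pattern)
    for hive, prefix in HIVES.items():  # HKEY_* names -> the NT paths the log reports
        if pattern.upper().startswith(hive):
            pattern = prefix.format(sid=sid) + pattern[len(hive):]
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return path is not None and re.fullmatch(regex, path, re.IGNORECASE) is not None

def parse_violation_log(text):
    """Group log lines into (denied_call, nt_path, suggested_rule) records."""
    records, call, path = [], None, None
    for m in filter(None, map(LOG_LINE.match, map(str.strip, text.splitlines()))):
        key, value = m.group(1), m.group(2).strip()
        if key.startswith("Nt") and "ACCESS_DENIED" in value:
            call = key
        elif key.startswith("real"):
            path = value
        else:  # the 'Consider modifying policy' line closes one record
            records.append((call, path, value))
            call, path = None, None
    return records

def unresolved(policy_text, log_text, env=ENV, sid=SID):
    """Logged violations that the given policy would still not permit."""
    rules = parse_policy(policy_text)
    return [rec for rec in parse_violation_log(log_text)
            if not any(rt == rec[2] and pattern_matches(pat, rec[1], env, sid) for rt, pat in rules)]

if __name__ == "__main__":
    print(unresolved(SAMPLE_POLICY, SAMPLE_LOG))
```

With the page's sample policy, both logged denials remain unresolved; appending a MUTANT_ALLOW_ANY rule that names the exact mutant path clears the first without opening anything else.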
While Protected Mode in Reader 10.x prevented arbitrary writes to file locations in the user’s profile area such as My Documents, Pictures, Downloads folder, %AppData%, etc., it did not prevent the reading of files. In 11.0, Reader’s Protected Mode does prevent the sandbox from reading arbitrary files in these locations. This enhancement makes it harder for malicious PDFs to steal users’ confidential information.
In Reader 11 Protected Mode, the sandboxed AcroRd32.exe process only has read access to those files and folders under the %USERPROFILE% for the following:
While %USERPROFILE% is protected, the actual implementation is not based on folder names but rather on the ACL (access control list) of the folders. Any folder or file that grants the Everyone or BUILTIN\Users group read access is not protected with read-restrictions. Other folders, such as the per-user profile folder, that don’t grant such access are protected. Note that many user-account protected network shares don’t grant access to Everyone, so those would also be protected.
There is no UI to turn read-restrictions on or off: this feature is an enhancement to the existing Protected Mode feature and is always enabled as part of it.
Like Protected Mode generally, the new behavior should be transparent to users except for new confirmation dialogs that may now appear under certain scenarios. A few confirmation dialogs are necessary for workflows that required Reader in Protected Mode to read arbitrary files. These files include files that were neither explicitly opened by the user nor required by Reader to store its preferences and so weren’t white-listed for access. In such cases, the broker is forced to check with the user before granting the Protected Mode sandbox read access to those files. As the feature evolves in the course of A11 development, it is expected that users will rarely encounter situations where they will see these dialogs.
A confirmation dialog is shown for the following cases:
Note that these are restricted to access to the user’s disk or network share, not an HTTP(S) URL. So these dialogs almost never appear in the browser. For example, in a browser situation, an FDF or PDF in cases 3 or 4 above will be on an HTTP(S) server, and so will not be impacted. Also, most “interdoc PDF links” on the web will be to PDFs on the web, not on the user’s machine or network share.
Finally, it is impossible to securely support the index search and Reader’s desktop search features via Edit > Advanced Search > Show more options with read-restrictions enabled. So if the user tries to use any of the following features, a warning is shown: “The operation you are trying to perform potentially requires read access to your drives. Do you want to allow this operation?”.
If the user allows the operation, read-restrictions are temporarily disabled while that Reader process is running. In this case, Protected Mode is ON, but it will temporarily grant the sandbox read access to all of the user’s files. Once the user restarts the Reader process, Protected Mode read-restrictions will again be in place. The idea is that rather than having the user turn Protected Mode completely off to use these index-search or desktop-search features, it is better to turn off just read-restrictions temporarily.
The dialog appears in the following scenarios:
The new read policy includes the new FILES_ALLOW_READONLY rule that works just like the FILES_ALLOW_ANY rule, but grants read-only access to a specific path. Admins can use the FILES_ALLOW_READONLY rule of the config policy to grant read-only access to certain areas of the user’s disk.
For complete details, see http://helpx.adobe.com/acrobat/kb/protected-mode-troubleshooting-reader.html.
Limitations with Protected Mode enabled include the following:
When a screen reader like JAWS or Window-Eyes is already running when Reader is started for the first time on XP systems, a warning is shown instructing the user to turn Protected Mode off manually. On Vista and Windows 7, screen readers do work normally.
When Protected Mode cannot launch due to an unsupported configuration, Reader displays a dialog alerting the user of the incompatibility and provides the user with the option to disable Protected Mode.
“Adobe Reader cannot open in Protected Mode due to a problem with your system configuration. Would you like to open Adobe Reader with Protected Mode disabled?”
Unsupported configurations for Reader running in Protected Mode change across releases as the product evolves. For example, Protected Mode supports Citrix and Windows Terminal Services deployments with 10.1.
Protected Mode: Unsupported configuration dialog
Does Adobe have plans for Protected Mode in Acrobat?
Yes. With the release of 10.1, Acrobat’s Protected View is a sandbox mode similar to the Protected View feature in Microsoft Office 2010.
Is there a reason why Acrobat X is not sandboxed vs. Reader X?
In order to reduce our attack surface, and most effectively thwart malicious activity, we always follow the common security strategy of protecting the greatest number of end-users as expediently as possible.
Is Reader X on Mac OSX less vulnerable?
While Protected Mode is not available for Macintosh, Adobe has not seen any targeted attacks against Unix and Mac Reader so far.
Is Adobe Reader X sandboxed on Unix and Mac?
While sandboxing technologies do exist on the Unix and Mac platforms, we have not seen targeted attacks against Unix and Mac Reader so far and therefore it’s not a priority at this point in time.
What configurations are not supported?
For a current list of issues, see http://helpx.adobe.com/acrobat/kb/protected-mode-troubleshooting-reader.html.
Does the fact that Protected Mode invokes two Reader processes affect updating and patching?
No. The patching mechanism will remain the same as before. Broker and sandboxed processes do not get patched separately.
Is the Reader Sandbox similar to the low integrity Protected Mode of Internet Explorer?
No. Despite the similar names, the sandbox implemented for Reader’s Protected Mode is more effective at mitigating threats in desktop Windows applications than merely running a process at low integrity. While our sandbox does run at low integrity, it is a much more constrained computing environment.
Is Remote Desktop Services supported?
Yes. Remote Desktop Services (formerly known as Terminal Services) is supported.
What is the difference between Microsoft’s Application Virtualization Sandbox technology and Reader X’s Protected Mode?
Sandboxing leverages the operating system’s security model to sandbox an application. Virtualization uses another software program to segregate the application from the host operating system. With virtualization, end users have to deal with the overhead of managing and patching the OS and the application separately, and there is also the performance impact of rendering the application in a virtualized environment. For more information please refer to our technical blog posts.
What is the difference between Protected Mode in Microsoft IE browser and Reader X Protected Mode?
The sandbox we have implemented is more effective at mitigating threats in applications on desktop windows than just running a process at low integrity. While our sandbox runs at a low integrity, it is a much more constrained computing environment. For more information please refer to our technical blog posts.
What effect does Protected Mode have on a PDF viewed in Citrix?
Citrix is not supported. When Protected Mode cannot launch due to an unsupported configuration, Reader displays a dialog alerting the user of the incompatibility and provides the user with the option to disable Protected Mode.
What is the percentage increase in memory footprint because of Protected Mode?
Will Protected Mode have any effect on viewing LC Reader-Extended PDFs?
It should work fine out of the box.
Is there any special status for certified documents so that one can disable Protected Mode only with certified documents?
Can the security policies for the broker be configured through Customization Wizard or downloaded from a server?
No. Custom policies should be tailored to meet your business requirements and deployed by an administrator.
Are there any unforeseen major issues with the rich PDF types containing content e.g. interactive multimedia, geo, and 3D with Reader X?
Not many. The feature is designed to be transparent.
Do plug-ins have read and write permissions to things like config files that may be stored on the user’s system?
Plug-ins will not be able to write log files to non-whitelisted locations. They can continue to write logs to the Temp directory (as returned by GetTempPath() Windows API or equivalent Acrobat API). Another white-listed location is Adobe Reader’s own appdata area.
Does the Protected Mode impair a PDF’s ability to access trusted web sites?
Can I still save Acrobat forms on my own computer?
Yes. There is no change in behavior.
Is Protected Mode the reason why Reader X runs with two AcroRd32.exe processes?
Yes. One of the processes is the sandboxed process and the other one is the broker.
If multiple PDFs are open (either standalone or within the browser), is the number of spawned processes the same?
Yes. There will only be two processes. However, if PDFs are open in both the browser and standalone application, one process pair will be used for each.
Can my plug-in create and update a preference file in the ‘C:\Documents and Settings\loggedinuser\Application Data\Adobe\Acrobat\10.0\Preferences’ folder?
Yes, Reader X allows writing to these types of locations.
Will plug-ins that access web services via an URL work?
Yes, it should work.
Will Protected Mode affect the functioning of URLs in a PDF?
Will the broker allow an embedded Flash Player 10.1 instance to access hardware features such as GPU acceleration and a system.capabilities object?
Will the broker in Reader X be initially set up with default locations approved for writing? Will plug-in developers be able to add “safe” locations to the broker’s list?
Plugins could leverage the broker white-list config file to extend the file/registry locations writable by the sandbox.
Do shell extensions work in Reader X?
Shell extensions run inside a sandbox when Reader is the default owner of PDFs. The shell extensions we support include Thumbnails, Properties and Preview, and they all operate as they did in 9.x, except that they now run sandboxed.
The iFilter shell extension has a limitation with Microsoft Desktop Search and is not installed with Reader X.
Does Reader X need to go through the broker if we are saving a Reader-extended document?
Yes.
Are the policies in the broker process configurable by the users?
Custom policies can be set up by the administrator or by plug-in installers.
Is PM a pure whitelisting mechanism to allow/deny access to the OS, or is it a mix of blacklisting and whitelisting policies working together in the broker?
If Reader X needs to make OS calls through the broker, is there additional overhead (such as more threads) which has a performance impact?
Performance of Reader X is comparable to Reader 9. There are no additional threads.
What is the user experience like for screen readers invoked via viewing a PDF in the browser?
Most accessibility features work. In some cases they do not work on XP. For a list of known issues, see http://kb2.adobe.com/cps/860/cpsid_86063.html.
Why do we see 2 Reader processes in the Task Manager with the same name?
The Reader X application now has 2 processes: one for the target (sandbox) and one for the broker.
What if I inadvertently kill one of the processes?
Killing either process brings down the entire Reader X application.
When custom policies fail for certain workflows, what are the options other than disabling Protected Mode?
One option is to add custom policies to bypass protected mode restrictions.
Can plug-in developers write their own broker?
No, we do not currently provide the option for developers to write their own brokers, but we may do so for future releases.
Do the Broker and the Sandbox processes share both the WindowStation and the Desktop?