Unclear what security is provided by Adobe Reader’s “Enable Protected Mode at startup” function

Report · May 04, 2018

Adobe employees, please read: The only people who can possibly answer this question are Adobe programmers in charge of Adobe Reader’s security functions. Adobe programmers, If you could answer this question it would be much appreciated.

Protected Mode function is unclear from reading Adobe Acrobat Reader Learn & Support

Protected Mode function: Adobe Reader DC > Edit > Preferences... > Security (Enhanced) > Sandbox Protections

Very approximately 95% or more of PDF documents downloadable from the Internet are simple text documents.

It is unclear what security is provided by Adobe Reader's Enable Protected Mode at startup function. This function is available in Reader DC. Not sure about previous versions.

Example: For simple text documents such as found here (http://gahp.net/wp-content/uploads/2017/09/sample.pdf), if the document contains malicious code, will the Protected Mode function alone stop the malicious code, or must the Protected View function also be enabled?

This is an important thing to know. Because if you download a PDF document from an Internet source (e.g., from a PDF document exchange website) of which you are unsure as to whether you can trust or not the author of the PDF document, you can only use the document in Protected View mode — unless you want to put your PC at risk. And that renders unusable any third-party add-on tools that use JavaScript.

Thank you very much,

Daniel Guibord

Report · May 04, 2018

You may find this Help file helpful:

Protected View feature for PDFs (Windows), Adobe Reader

Because PostScript is a programming language and PDF is derived from it, it can be misused. I think here's the take-away:

"provide an added layer of security. In protected mode, malicious PDF documents can’t launch arbitrary executable files or write to system directories or the Windows Registry."

Report · May 04, 2018

Steve,

I’m not sure if I can trust Adobe’s information on this: "provide an added layer of security. In protected mode, malicious PDF documents can’t launch arbitrary executable files or write to system directories or the Windows Registry." Because, if you put the same question in a different way, you’ll see the ambiguity; here it is:

For a simple PDF document comprised of text only such as http://gahp.net/wp-content/uploads/2017/09/sample.pdf, and which document would have malicious code embedded into it, what malicious functions can Protected View stop, that Protected Mode alone cannot stop?

Report · May 04, 2018

A malicious document would of course LOOK ENTIRELY INNOCENT. These are to protect against future undiscovered threats, not current malicious files. It’s about making it harder for the bad guys in future. Sandbox is standard programming practice these days, look it up in Wikipedia. No need to hear from Adobe programmers, who you also say you don’t trust.

Report · May 04, 2018

I never said that I do not trust Adobe programmers.

It is precisely because I trust Adobe programmers that I said, at the very beginning of my post: "Adobe employees, please read: The only people who can possibly answer this question are Adobe programmers in charge of Adobe Reader’s security functions. Adobe programmers, If you could answer this question it would be much appreciated."

You did not answer my question, nor can you answer it, because the only people who can answer it are Adobe programmers: For a simple PDF document comprised of text only such as http://gahp.net/wp-content/uploads/2017/09/sample.pdf, and which document would have malicious code embedded into it, what malicious functions can Protected View stop, that Protected Mode alone cannot stop?

Report · May 04, 2018

What is special about a "simple PDF document composed only of text"? Do you think a malicious document will have special graphics or a warning sign? Malicious stuff would be hidden inside a PDF, using a kind of attack not yet imagined (because if it was imagined it would be prevented). Nobody can answer your question because the malicious functions are theoretical.

Report · May 04, 2018

What's special about a "simple document composed only of text" is that it contains no field to fill out or buttons that the reader can click on, and other interactive features that can be part of PDF documents.

Hence, if such simple documents containing malicious code can be completely neutralized with only the Protected Mode function — regardless of malicious code —, then for such simple documents the Protected View function is not necessary. Then, it is possible to use third-party add-on tools with these type of simple documents.

Otherwise, Protected View must be used to stop malicious code that may, as an example, read files on the user's PC and send these files over the internet to criminals (e.g., pirates located in foreign countries).

So, not knowing the capabilities of Protected Mode in stopping malicious code for simple documents, third-party add-on tools cannot be used with some simple documents downloaded from the Internet, unless the user is willing to put his PC at risk. (Text removed by moderator).

Report · May 05, 2018

PDF files are not like text documents. It makes absolutely no difference if a PDF contains "only text". In the background it can have a bunch of other things that are hidden from view, unlike with a plain-text file. Attacks that come from PDF files don't rely on interactive objects like form fields, but on flaws in the application and/or the file structure to sneak in code that does things that it should not be doing. It might abuse things like a Flash component, or JavaScript code, but those can exist even if there's only text on the screen.

Anyway, no Adobe programmer is going to reply to your question. First of all, because they don't hang around on these forums, and also because they're not going to say to those who try and cause harm what will and won't work...

Report · May 05, 2018

Ok, I’m reasonably certain you know what you’re talking about, and hence agree with you.

Nonetheless, I sure would like to know which malicious functions Protected View can stop, that Protected Mode alone cannot stop.

Who can answer this question? Only Adobe software development engineers, because only they know which malicious functions Protected View can stop, that Protected Mode alone cannot stop.

If users of Adobe Reader DC have to use Protected View, then users of third-party add-on tools — e.g., such as yours — are going to have to spend an enormous amount of time manually doing what third-party add-on tools can do. For people who are entrepreneurs, time is money, a lot of money.

What’s needed is Adobe to fix its Reader software such that, say as an example in Protected Mode, it will not execute any code other than display the text and images of PDF files and execute JavaScript code in Privileged Locations defined by the user (e.g., Adobe Reader DC > Edit > Preferences... > Security (Enhanced) > Privileged locations).

This is how I have Adobe Reader DC set up now. It can use third-party add-on tools, but what guarantee do I have that some malicious code in PDF files will not be executed? None whatsoever.

Report · May 05, 2018

Your classification of “simple dicuments“ as less threatening is flawed for the reasons I have said. I will not repeat myself. I recommend you employ maximum security if it works for you.

I don’t think you appreciate either that we are dealing with possible futures. There are no known weaknesses that any document can use.

Report · May 05, 2018

If only protecting software was possible by just choosing not to do stuff. A history of hackers shows us that hackers are, if nothing else, ingenious. For example back in 2004 we have this report on a JPEG-based attack: JPEG exploit could beat antivirus software - CNET . Now, JPEG files are pictures, and JPEG viewers are written only to view pictures. But the attack would allow bad people to overwrite part of the JPEG viewer with their own software, which could do other, bad, things.

Report · May 05, 2018

With the following settings, the add-on tools work, and I’m reasonably certain that no JavaScript can be executed, other than that of add-on tools and APIs. Reference: Acrobat XI Help | JavaScripts in PDFs as a securityrisk

See also: Application Security Overview — Acrobat Application Security Guide

1- Adobe Reader DC > Edit > Preferences... > JavaScript > Enable Acrobat JavaScript (unchecked)

That disables all JavaScript, except the one that Adobe Reader DC can access in Privileged Locations as per the last line below.

2- Adobe Reader DC > Edit > Preferences... > Security (Enhanced) > Enable Protected Mode at startup (checked)

3- Adobe Reader DC > Edit > Preferences... > Security (Enhanced) > Protected View (Off)

4- Adobe Reader DC > Edit > Preferences... > Security (Enhanced) > Enable Enhanced Security (checked)

5- Adobe Reader DC > Edit > Preferences... > Security (Enhanced) > Privileged locations > Automatically trust documents with valid certification (unchecked)

6- Adobe Reader DC > Edit > Preferences... > Security (Enhanced) > Privileged locations > Automatically trust sites from my Win OS security zones (unchecked)

7- Adobe Reader DC > Edit > Preferences... > Security (Enhanced) > Privileged locations > Folder paths: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts

Report · May 07, 2018

Now that I have your attention

THIS POST IS FOR THE FORUM MODERATOR

RE: my post on May 4, 2018 4:18 PM.

Please delete the last sentence "In my case here. I'm looking at, ... 20 years" up to the end of the line. It is causing me problems.

Thank you for your understanding,

Dan Guibord

Unclear what security is provided by Adobe Reader’s “Enable Protected Mode at startup” function

1 Correct answer