Invincea's Document Protection, for safely opening, reading and printing PDFs, like its Web Protection, wraps the core program in a virtual machine to keep threats from touching the system.As if worrying about unsafe web sites and virus laden email wasn't bad enough, PDF documents still aren't safe, either.
According to Anup Ghosh, founder and chief scientist) of Invincea, Symantec's Internet Security Threat Report identified the PDF as the number one infection vector in 2009 of all Internet exploits, with Microsoft Internet Explorer placing second, third, and fourth, Adobe Flash in fifth place, and numbers 6 through 10 going to MSIE plugins.
And Kaspersky Lab's Information Security Threats in the First Quarter of 2010 Report echoes these findings: "Exploiting Adobe applications accounted for almost half of all reported security threats."
"Infected PDf files are a greater carrier of threats than web sites, making the programs used to read PDF files as potentially dangerous as web browsers," said Ghosh.
That's the bad news, joining the steady stream of bad news about insecurities and vulnerabilities in what seems like almost every type of file and every application used to work on them.
The good news: there is a steady stream of securing solutions.
In April 2010, for example, Invincea (previously known as Secure Command) introduced its Invincea Browser Protection, which uses a form of virtualization to insulate and isolate the user's computer from threats executing within the browser. Currently, according to a chat I had with Ghosh mid-November, Browser Protection runs on Windows, and supports Internet Explorer 6, 7 and 8, and will soon support FireFox.
More recently -- mid-November -- Invincea intro'd its Invincea Document Protection, using its virtualization technology here with Adobe Reader.
Given the ongoing onslaught of PDF vulnerabilities, this is the kind of tool we, sadly, need to be looking at, and using.
Adobe has been working on more secure versions of its Reader (as well they should!), using, according to Ghosh, Microsoft Practical Sandboxing, which is what Microsoft uses for Protect Mode in MSIE 8, as does Google for Chrome."
Practical Sandboxing in these browsers, according to Ghosh, "takes the browser's rendering engine, puts it in a separate process, and assigns a lower privilege to that process, and Adobe does the same for its rendering engine in its PDF reader." The rendering engine handles tasks like running JavaScript and Flash. "This means it can't write to certain system libraries," said Ghosh.
This is somewhat similar, Ghosh agrees, to running applications on Windows as a user rather than Administrator.
However, this sandboxing isn't sufficient, Gosh notes. "This still leaves all the other Adobe elements."
As I understand it, some of the PDF danger is from JavaScript, which free PDF readers like Foxit Reader can let you turn off/block.
However, as Ghosh points out -- and as anybody using a browser add-on like the NoScript extension to FireFox, there's a lot of places where you do want/need to let JavaScript run. According to Ghosh, there are a number of applications for Adobe today that require JavaScript, like browsers, ditto Flash content. Perhaps not so much with PDFs as web pages, but still, "Just say no," isn't always granular enough.
Also, the problem is not just with JavaScript.
"There are various ways to attack Adobe Reader besides JavaScript, including buffer overflow and Flash attacks," according to Ghosh. "Adobe works with system libraries, so Adobe attacks can use vulnerabilities in them."
So Invincea's putting a wrapper around Reader makes sense.
"Whenever you open a PDF, we do it in a fully virtualized secure environment using Adobe Reader," said Ghosh. By using Invincea Document Protection, "You're protecting against things escaping to the operating system, to the hard drive, to the working environment, or other places," said Ghosh.
According to Invincea, when a user opens, reads or prints a PDF file, "If any malicious application behavior is initiated -- execution of a suspicious script, a corrupt file, or a potentially damaging program-Invincea Document Protection automatically detects the threat in real time, terminates it, captures forensic data, disposes of the tainted environment, and quickly restores to a known good state -- providing the same exceptional protection as Invincea Browser Protection."
Selecting a secure PDF reader doesn't strike me as tricky as securing a web browser, where features vary among the browsers, and where many users have a carefully cultivated and configured ecosystem of add-ons and plug-ins. On the other hand, there is a range of features and usability even within PDF readers.
There's no shortage of other sandboxing/virtualization solutions out there, from Zone Alarm's ForceField for use with FireFox and Internet Explorer (included in Zone Alarm's full security suite, also available separately).
Other approaches include running a hypervisor like VMware, Xen or Microsoft Hyper-V, and running a separate virtual machine, OS instance and all, with the browser in that; possibly some an application virtualization tool like Altiris SVS (which "shims" the Windows Registry). Or a separate computer and a KVM switch...
FYI, I've been using ForceField for several years, since its original beta. Whether it -- and, to be fair -- whether any of the security software I'm running -- has protected me from anything, I don't know.
"FireFox is also a sandboxing technology," according to Ghosh. "Our approach is different. We don't run the Adobe Reader natively on the system, we run it on a separate [virtual] machine."
"There's a Federal and defense sector that understands the threat," says Ghosh, in terms of initial, ahem, target markets for Document Protection. Other likely sectors include financial services and health care... but ultimately, any Windows user is likely to encounter PDFs.
Somewhat like Dell KACE's free Secure Browser (see my July 19, 2010 blog post), Invincea is bundling a copy of the browser and its security wrapper.
Some important things to understand about Invincea's security products:
One: You can't use Document Protection as a browser plug-in, per se. According to Ghosh, if you open PDFs within Browser Protection, it will providing the security.
Two: End users can't add their own plug-ins. According to Scott Cosby, vice president of products and operations at Invincea, "Today, our product does allow IT to add plug-ins into their implementation of our browser, and they can customize that to their exact specs. Our customers have indicated that in the future they need more flexibility to allow certain users to add plug-ins directly and we will support that use case."
And, said Ghosh, "We ship [Browser Protection] with every plugin you need to render content on the web."
Both products work with Windows XP, Vista, and Windows 7.
Current pricing for Invincea Document Protection is $15/seat/year, and Invincea Browser Protection, $60/seat/year. (Volume discounting applies.)
PDF-wise, my two questions: How much of the PDF threat is NOT JavaScript-related? And does Document Protection let you copy (for pasting) text or other content from a PDF you're reading?
