Don't put yourself at risk by virtualizing Adobe Reader X

Adobe released a new security advisory for Reader and Acrobat 9 and X this week to address details of an upcoming fix to these versions for a 0 day vulnerability. Exploits for this vulnerability exist for Reader and Acrobat 9 and are currently active:

A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.

Since the release of Reader and Acrobat X, there have been no malware that has been effective against the Protected Mode (sandbox) feature of version X. From Adobe’s blog post on this issue:

I’d like to take this moment to encourage any remaining users still running Adobe Reader or Acrobat 9.x (or worse, older unsupported versions) to PLEASE upgrade to Adobe Reader or Acrobat X. We put a tremendous amount of work into securing Adobe Reader and Acrobat X, and, to date, there has not been a single piece of malware identified that is effective against a version X install. Help us help you by running the latest version of the software!

If you have any version of Adobe Reader other than X deployed, you should seriously consider migrating to the new version as a matter of priority. That’s not “lets consider doing this in the next month” - you should stop reading this post and get started deploying Reader X now.

Furthermore if are deploying or have deployed Reader X, I can’t recommend virtualizing it with application virtualization. The reason for this is that Protected Mode is not compatible and is not supported with application virtualization. It doesn’t work with Citrix App Streaming, Microsoft App-V or VMware ThinApp (it may be possible with the current version of ThinApp, but I haven’t confirmed).

[Update: thanks to prompting from Dan Gough, I’ve confirmed that Protected Mode in Reader X (10.1.1), works under App-V (Hotfix 4)]

[Update 2: Protected Mode in Reader X is confirmed to work under ThinApp 4.6.2 and 4.7. You’ll have to update your virtual applications and re-enable Protected Mode with the latest releases]

In short - leaving Protected Mode enabled will protect your users and devices and because Protected Mode has been incompatible with the isolation that application virtualisation introduces, I recommend that you do not deploy Reader X with application virtualization solutions unless you are using the very latest versions.

But.. what about those scenarios when a virtualized application needs to call a locally installed Reader X? Until the app virt vendors fully support Protected Mode, the best you can do is ensure that Protected Mode is only disabled when Reader runs within the virtualization environment (using a tool like PolicyPak) and is not completely disabled. Until then, the best we can do is cross our fingers and hope it doesn’t happen to us.