[There's a reason that Yoda is the unofficial mascot of SBS. Size indeed matters not.] Choosing a different PDF writer - THE OFFICIAL BLOG OF THE SBS DIVA
Mon, Jan 18 2010 22:34 bradley

Choosing a different PDF writer

In the mailbox tonight I got this question...

"In the part of the presentation where you are talking about PDF passwords I noticed that you only talk about Adobe products. Would you not even consider using anything but Adobe products for pdf's ? If a third party PDF program had AES encryption would it be equally as safe as doing the encryption through a genuine Adobe product or is there something special about Adobe's products ?"

The reason?  Because I have a patch tool for it.  And I have a process to keep it up to date and knowledge of how to hack it up by turning off javascript to make it more secure.  The alternative to deploying something that I don't have a patch tool for is administrator rights.  That's not the right answer.  Thus sometimes the answer is that you stay with a product that has a bad rap for security just because you have a structure in place, it is making changes to it's software.

And yes, that also means I stick with IE as a browser because Firefox doesn't have the same level of sandbox protection.  And that same tool that I rely on to patch doesn't patch Chrome which has a better sandbox.

So sometimes you stick with the date who brought you to the dance and don't switch just because the tempo changes.

Do I make the same suggestions for home users?  Honestly I don't for one main reason -- Adobe acrobat 9 (the full product) is expensive and more often than not most folks get it via OEM when they bought the machine and never update it to a newer version. Thus for home users I don't have the same recommendation.  If you need a PDF writer and can't afford Adobe 9, do investigate an alternative. 

But as others have said, it's time to kill off completely IE6.

Filed under:

# re: Choosing a different PDF writer

Tuesday, January 19, 2010 12:07 PM by Dean

"The reason?  Because I have a patch tool for it"

OK I get that

"And I have a process to keep it up to date and knowledge of how to hack it up by turning off javascript to make it more secure"

Maybe the third party software doesn't use Javascript so that may not be an issue. Any third party program can be learned so that you can make it as secure as possible.

"The alternative to deploying something that I don't have a patch tool for is administrator rights"

OK I get that too but maybe we need to start pushing the patch tool vendors to start supporting other vendors of software that have very high quality stuff like maybe, oh, this one

http://www.docu-track.com/

so that we are not just stuck patching the crap because that's all we are able to patch.

"And yes, that also means I stick with IE as a browser because Firefox doesn't have the same level of sandbox protection"

IE DOES NOT have a sandbox. Let me repeat that. IE DOES NOT have a sandbox. NOT version 7 or version 8. Protected mode IS NOT a sandbox mode. It uses integrity levels but integrity levels are no more of a sandbox than NTFS file permissions are. If you want to browse in a sandbox you need something like this

http://www.mokafive.com/

# re: Choosing a different PDF writer

Tuesday, January 19, 2010 12:24 PM by bradley

IE7 introduced protected mode IE.  IE7 also runs extensions and plug ins inside this lower privileged process than the rest of the web browser.

Why do you say IE doesn't have a sandbox?

Chrome's sandbox is tighter but IE's sandbox is more encompassing placing flash extensions inside the sandbox.

# re: Choosing a different PDF writer

Tuesday, January 19, 2010 1:39 PM by Dean

"IE7 introduced protected mode IE.  IE7 also runs extensions and plug ins inside this lower privileged process than the rest of the web browser."

Again Protected Mode is not a sandbox. I thought is was also at first. Privileges are not sandboxing. In order to sandbox you need to virtualize. That is the ONLY way to sandbox.

"Why do you say IE doesn't have a sandbox?"

Because a real sandbox is a completely isolated environment running on the machine. Anything done within that environment stays in that environment. It's just like What Happens in Vegas Stays in Vegas.

If you are in a sandbox and you get infected with something that infection will never get in to the actual machine.

I'm going to do something I loathe and quote Wikipedia, cringe.

"In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users.

The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization."

en.wikipedia.org/.../Sandbox_(computer_security)

Protected Mode under IE just adds another layer of privileges on top of NTFS permissions. It's called Integrity Levels. It's another layer that the bad guys would have to break through to do bad stuff. It does not prevent them from doing it, it just makes it harder. It's like the difference between a cheap safe and a high quality safe. It takes longer to break through the high quality safe. When you run a browser in a virtual machine like under Hyper V it doesn't matter if the bad guys break through because they are not breaking into the real world. They are breaking into the sandbox. This of course implies that you are only browsing in the virtual machine and not running your entire real machine under the virtual machine.

See

msdn.microsoft.com/.../bb250462(VS.85).aspx

# re: Choosing a different PDF writer

Thursday, February 11, 2010 4:07 PM by Asa

Thanks Dean, that was a great and accessible breakdown of the sandbox concept - even without the Wikipedia quote!  :)