Adobe Reader Protected mode is a new security sandbox feature in Adobe Reader 10. For Reader plugin maintainers it’s can be a huge nightmare, I just wanted to share some of my findings with you in the hopes it saves someone a few hours of head scratching.
What’s allowed by default
The sandbox disables almost everything by default. The two major exceptions are that reading/writing to %TEMP% is allowed and reading from the registry is allowed. If this is all your plugin needs you are lucky :)
Fortunately it’s possible to customize the very restrictive default policies.
The Inside Protected Mode series indicates that there seems to be some sort of API to customize the sandbox rules (AddRule() examples), however it seems yet to be released or it doesn’t even exist (which kind of makes sense from a security point of view).
Fortunately there’s another way: ProtectedModeWhiteList.txt.
ProtectedModeWhitelist.txt must be in the same directory as AcroRd32.exe (HKLMSoftwareAdobeAcrobat Reader10.0InstallPath).
It must also be enabled by creating the following registry key bUseWhitelistConfigFile (type: DWORD, value: 0x1) under HKLMSOFTWAREPoliciesAdobeAcrobatReader10.0FeatureLockDown.
After enabling the usage of whitelist config we can define our own custom policies that allow the plugin to read/write to any location on the filesystem or any location in the registry.
Adding registry exceptions
REG_ALLOW_ANY = HKEY_CURRENT_USERSoftwareMyPlugin
Adding filesystem exceptions
FILES_ALLOW_ANY = %APPDATA%MyPlugindata.txt
There are actually a few more things that can be allowed using this file, see Adobe Application Security for more details.
Debugging Protected Mode
If you are having a problem with Reader X that doesn’t exist in Reader 9 or Reader 8 then Protected Mode is a very likely cause.
The first thing you should do is to try disable Protected Mode and see if the problem continues to exist. To do that uncheck Edit -> Preferences -> General -> Enable Protected Mode at startup.
When you have determined that the problem is really caused by Protected Mode the next thing you should do is enable Protected Mode Log file. To that check Edit -> Preferences -> General -> Create Protected Mode log file.
With this file enabled you can see most things being denied by Protected Mode and hopefully it will also recommend a rule to add to ProtectedModeWhitelist.txt.
Also there are a few things that I’ve found impossible to do with Protected Mode enabled.
First it seems to be impossible to use the Windows Help system. It seems that the call to HtmlHelp() wants to launch an external process and it gets denied silently by Protected Mode. Another thing that seems impossible is reading proxy settings stored by Internet Explorer.
I have tried creating ProtectedModeWhitelist.txt rules that allow almost anything (events, process exec, files, registry etc.) and have no ACCESS_DENIED lines in there – but it still doesn’t help. When disabling Protected Mode everything works fine so those things somehow get blocked silently.
The general rule seems to be: don’t try to talk to other processes :)
Last thing I would like to mention is that when creating ProtectedModeWhitelist.txt files (probably by your plugin installer) – be nice and leaving the existing rules there, don’t overwrite anything.
Hope this was useful to someone and don’t be shy to leave comments if you discover something more about Protected Mode :)