I get a lot of great questions regarding Adobe Acrobat and Reader security. Recently, a few have been asked more frequently than others. So, I thought I’d share those with you.
Q: What is the Adobe Acrobat and Reader update schedule?
About three years ago, we moved to a quarterly update schedule for Adobe Reader and Acrobat. It was part of a major initiative to strengthen the security of our products. At the time, three-month update cycles seemed like the right cadence given the threat environment and the pace we were adding new mitigation capabilities into the products. Fast-forward three years, and technologies like Protected Mode in Adobe Reader and Protected View in Acrobat (sandboxes) have provided effective layers of defense, reducing the need for the ongoing quarterly cadence.
So, recently we announced a closer alignment with the Microsoft Patch Tuesday model. Instead of delivering updates on a quarterly schedule, we will provide Adobe Acrobat and Reader updates on the second Tuesday of any given month as needed throughout the year to best address customer requirements and keep all of our users safe. We will also continue to publish a prenotification on the Adobe Product Security Incident Response Team blog three business days before we release a security update, and we will continue to be flexible and respond “out-of-cycle” to urgent needs, such as a zero-day attack.
Q: How is Flash content being handled in Adobe Acrobat and Reader?
Starting with Adobe Reader and Acrobat 9.5.1, we have classified Flash content into two categories, “known” and “unknown.” Known Flash content has been authored by Adobe and ships with the product. For instance, Portfolio Navigators and user interface elements are classified as known Flash content. Unknown Flash content has been authored outside of Adobe and does not ship with the product. For example, Custom Portfolio Navigators and Flash content embedded into PDFs are considered unknown. With this classification scheme, we are able to selectively render Flash content with different Flash Players. In 9.5.1 and later, we render known Flash content with an internal component embedded inside of Adobe Reader and Acrobat, and let the system Flash Player (NPAPI version) render the unknown content.
Since an attack would leverage unknown, as opposed to known, Flash content, this means that Adobe Reader/Acrobat 9.x users will no longer have to update Adobe Reader/Acrobat each time we update the Flash Player. This is particularly beneficial to customers in managed environments, because fewer updates mean a lower cost of ownership while maintaining a vigilant security posture. Keeping in mind that there is no silver bullet when it comes to security, we do follow a defense-in-depth security strategy. Therefore, even though we run all Flash content inside the sandbox in Adobe Reader and Acrobat X, where we’ve had great success thwarting attacks, we’ll still implement this new handling of Flash content in those products in the future. We’ll let you know when that happens.
Q: Can you explain the new security ratings?
In the past, security ratings were based on the worst-case scenario of a vulnerability without taking into account the presence or likelihood of an exploit. For a bit of background, a vulnerability is a code defect that can potentially be leveraged by an exploit to attack a system. Imagine the exact same code defect in two products. One product has a known exploit, while the other product has extra layers of defense that thwart the exploit from working. If you only consider the vulnerability, the security rating would look the same. But if you consider the presence (or lack) of a functioning exploit as part of the security rating, you’ll get a different answer and a better understanding of the threat, which in turn provides better guidance on how quickly you should deploy the update.
This has happened with the introduction of new security mitigation technologies, like Adobe Reader Protected Mode (sandbox protections), which has made vulnerabilities much more difficult to exploit. Therefore, we’ve taken the degree of difficulty for exploit creation and included it in our new update priority ratings. We feel that this is the best way to clearly communicate real-world risk associated with the vulnerabilities addressed in any given security update.
Steve Gottwals, Group Product Manager, Adobe Acrobat Solutions Security