For more details please review the official security bulletin.

Universally-accepted file types – including PDF, unfortunately – are one of many ways these hackers gain entry to systems by embedding malicious code into the files. So choosing a PDF software application that fully uses modern mitigation techniques to reduce risk is obviously important. To help you understand the risks and evaluate a vendor’s approach to security, we have recently updated and published the white paper PDF Application Security – How to minimize your risk. It’s available for free from Adobe’s web site.

The white paper contains results of independent third-­party testing on the entire Acrobat family of products, specifically related to security. Adobe Reader X and Adobe Acrobat X produced excellent results in security testing by implementing what security experts call a “defense-in-depth” approach within the software and as offered by the operating system. Adobe Reader XI and Adobe Acrobat XI have improved security and sandboxing even further, and Adobe continues to invest in security. This investment has helped reduce the need for out-­of-­cycle security updates. Note in the diagram below, Adobe Acrobat X only had two out-­of-­cycle security updates, while Adobe Acrobat 9 had seven. Deploying a software patch is a timely and expensive process, so we want to help IT professionals minimize those costs by reducing the number of out-of-cycle patches for the Adobe Acrobat family of products.

If you are considering PDF software based on the licensing cost, please be careful. The days of making software choices based on the quoted price alone – without thorough consideration of security – are long gone. You should be asking vendors about operating system mitigations built into their PDF software, processes in place for addressing security threats, and even how involved the vendor is with the broader security community. To get more details about all the ways the Adobe Acrobat family helps organizations do more with PDF, while also providing advanced security, lower costs, and easier software management, download and read the free white paper, PDF Application Security – How to minimize your risk.

Adobe plans to make available updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux during the week of February 18, 2013. Adobe will continue to provide updates on these issues via the Security Advisory section of the Adobe website as well as the Adobe PSIRT blog. Please refer to these resources for any details.

The implications of this are enormous. Leaked sensitive information damages your competitive advantage and erodes your customers’ and partners’ trust in you. And that, of course, hits the bottom line. IT departments can choose a user-friendly, document-level security solution to protect the company’s documents, inside and outside the firewall. For their part, users need the ability to secure documents with a solution that can easily integrate into the existing IT environment. That way, everybody’s happy.

Adobe Acrobat customers deal with document-level security risks all day long. We all remember the embarrassing high profile cases in which law firms or government agencies thought they’d deleted sensitive content only to find it on the front page of the NYTimes. However, using Acrobat, Andrew Moir, a partner at international law firm Herbert Smith, says “we know that information we need to keep confidential, stays confidential.”

Adobe Acrobat lets you remove sensitive data from documents before sharing them with others. The PDF redaction tools permanently delete confidential information, while sanitization tools remove hidden information with one click. Acrobat’s Guided actions also help ensure that all team members prepare documents for distribution correctly and consistently.

You can further mitigate the risk of sensitive information being leaked by controlling access to documents. “We need to control who accesses documents and give people the assurance that the materials they receive have not been altered,” says Margaret M. DiBianca, Associate, Young Conaway Stargatt & Taylor

Young Conaway uses Acrobat to password-protect those documents with Acrobat’s 256-bit AES encryption technology to control access. The firm also sets file permissions to prevent editing, printing, or copying content. “With Acrobat, we can put controls on PDF files to limit access to information and restrict copying of data from files,” DiBianca adds. Acrobat also works with Adobe LiveCycle® Rights Management ES2 for extended rights management protection.

It’s also important to understand the role eSignatures play in security. Without an assurance that someone’s signature is the real deal, business could come to a screeching halt. That was one reason Adobe acquired EchoSign last year. With Adobe EchoSign eSignature and Web contracting services, you can send and receive digitally signed documents securely and quickly. EchoSign has been designed from the ground up for state-of-the-art ASP security. Electronic signatures are also protected by the federal ESIGN Act, which ensures that customers who sign contracts electronically are as protected as they would be had they opted for pen-on-paper agreements. You could argue the protections are even greater with digital contracts, since eSignature solutions can offer additional authentications from email, IP addresses, passwords, social network credentials and other safeguards that surpass anything possible with physical copies or fax transmissions.

What’s happening now is that Web contracting, which includes the automation of the entire contract process — from creation, collaboration, and execution to archiving and management — is quickly replacing the painful paper-based processes of the past with the advantages of working on the Web.

The main drivers of Web contracting and eSignatures are customers, partners, and internal users. Customers are increasingly comfortable conducting business via the Web and mobile devices, and they are demanding that companies move more of their customer-facing processes online. That, of course, adds a new dimension to security considerations.

So whether your security needs are redaction, rights management, access or secure e-signatures, Acrobat can provide a solution. There’s more information at the Acrobat IT Resource Center for insights into how to Acrobat can make your documents — and your IT operation — more secure.

Mark Grilli, senior director of Acrobat Solutions product marketing

Q: What is the Adobe Acrobat and Reader update schedule?

About three years ago, we moved to a quarterly update schedule for Adobe Reader and Acrobat. It was part of a major initiative to strengthen the security of our products. At the time, three-month update cycles seemed like the right cadence given the threat environment and the pace we were adding new mitigation capabilities into the products. Fast-forward three years, and technologies like Protected Mode in Adobe Reader and Protected View in Acrobat (sandboxes) have provided effective layers of defense, reducing the need for the ongoing quarterly cadence.

So, recently we announced a closer alignment with the Microsoft Patch Tuesday model. Instead of delivering updates on a quarterly schedule, we will provide Adobe Acrobat and Reader updates on the second Tuesday of any given month as needed throughout the year to best address customer requirements and keep all of our users safe. We will also continue to publish a prenotification on the Adobe Product Security Incident Response Team blog three business days before we release a security update, and we will continue to be flexible and respond “out-of-cycle” to urgent needs, such as a zero-day attack.

Q: How is Flash content being handled in Adobe Acrobat and Reader?

Starting with Adobe Reader and Acrobat 9.5.1, we have classified Flash content into two categories, “known” and “unknown.” Known Flash content has been authored by Adobe and ships with the product. For instance, Portfolio Navigators and user interface elements are classified as known Flash content. Unknown Flash content has been authored outside of Adobe and does not ship with the product. For example, Custom Portfolio Navigators and Flash content embedded into PDFs are considered unknown. With this classification scheme, we are able to selectively render Flash content with different Flash Players. In 9.5.1 and later, we render known Flash content with an internal component embedded inside of Adobe Reader and Acrobat, and let the system Flash Player (NPAPI version) render the unknown content.

Since an attack would leverage unknown, as opposed to known, Flash content, this means that Adobe Reader/Acrobat 9.x users will no longer have to update Adobe Reader/Acrobat each time we update the Flash Player. This is particularly beneficial to customers in managed environments, because fewer updates means a lower cost of ownership, while maintaining a vigilant security posture. Keeping in mind that there is no silver bullet when it comes to security, we do follow a defense-in-depth security strategy. Therefore, even though we run all Flash content inside the sandbox in Adobe Reader and Acrobat X, where we’ve had great success thwarting attacks, we’ll still implement this new handling of Flash content into those products in the future. We’ll let you know when that happens.

Q: Can you explain the new security ratings?

In the past, security ratings were based on the worst-case scenario of a vulnerability without taking into account the presence or likelihood of an exploit. For a bit of background, a vulnerability is a code defect that can potentially be leveraged by an exploit to attack a system. Imagine the exact same code defect in two products. One product has a known exploit, while the other product has extra layers of defense that thwart the exploit from working. If you only consider the vulnerability, the security rating would look the same. But, if you consider the presence (or lack) of a functioning exploit as part of the security rating, you’ll get a different answer, and a better understanding of the threat, which in turn, provides better guidance on how quickly you should deploy the update.

This has happened with the introduction of new security mitigation technologies, like Adobe Reader Protected Mode (sandbox protections), which has made vulnerabilities much more difficult to exploit. Therefore, we’ve taken the degree of difficulty for exploit creation and included it in our new update priority ratings. We feel that this is the best way to clearly communicate real-world risk associated with the vulnerabilities addressed in any given security update.

Steve Gottwals, Group Product Manager, Adobe Acrobat Solutions Security

In this co-presentation session titled “The Benefits of Digital Workflows: ROI and Beyond,” Bombardier manager of Web, social media, and eServices, Ken Knitter, and Adobe solutions consultant, Dave Weinberg, will discuss how Adobe technologies, in particular Adobe Acrobat X Pro, helped Bombardier increase process efficiencies, security and overall ROI.

Ken has been with Bombardier for more than 10 years and is responsible for day-to-day management of Bombardier’s customer portals while leading the creation of a common Web experience for customers. With his help, Bombardier has been able to protect confidential aircraft information, while allowing access to authorized customers and making sure they have updated information instantly when it becomes available.

You can learn more about Ken and Bombardier’s story here.

Still hungry for more? Don’t miss next week’s Tech Talk on Acrobat X and Protected View – learn how the sandbox works and how it can protect you from internet attacks, June 28, 10 a.m. PST. Learn more here.