Adobe Reader Blog
Stay up-to-date on Adobe Reader…

Archive for April, 2010

April 8, 2010

Upcoming Adobe Reader and Acrobat 9.3.2 and 8.2.2 to be Delivered by New Updater

On Tuesday, April 13, 2010, we are planning to release Adobe Reader and Acrobat 9.3.2 and 8.2.2 as part of our regularly scheduled quarterly updates.

As mentioned in a previous blog post titled “Adobe Reader and Acrobat Updates Include New Security Improvements,” we have been testing a new updater technology with select beta customers since our October 13, 2009 quarterly update. The purpose of the new updater is to keep end-users up-to-date in a much more streamlined and automated way.

During our quarterly update on January 12, 2010, and then again for an out-of-cycle update on February 16, 2010, we exercised the new updater with our beta testers. This allowed us to test a variety of network configurations encountered on the Internet in order to ensure a robust update experience. That beta process has been a successful one, and we’ve incorporated several positive changes to the end-user experience and system operation. Now, we’re ready for the next phase of deployment.

On Tuesday, April 13, 2010, as part of our quarterly update, we will activate the new updater for all users needing Adobe Reader and Acrobat 9.3.2 and 8.2.2 for Windows and Macintosh. As of yesterday, April 7, 2010, we have been activating our new updater for those users who are not yet up-to-date with our latest versions. During this phase of the process, we are utilizing users’ current update setting found in the Adobe Reader and Acrobat Preferences, under the “Updater” panel, as shown in the screen captures below.

Updater Preferences for Windows

[Screen capture: pref_win.jpg]

Updater Preferences for Macintosh

[Screen capture: pref_mac.jpg]

The new updater has been optimized for each platform and, as you will notice, on Windows it offers an option called “Automatically install updates.” With this option, the new updater installs new updates without user intervention, favoring a time when the system is not busy to avoid disturbing the user.

Honoring the user’s choice is important to Adobe. This includes the user’s update preferences. Adobe has no plans to activate the automatic update option by default without prior user consent. That said, the security of our users is a key priority for Adobe. The majority of attacks we are seeing are exploiting software installations that are not up-to-date with the latest security fixes. We therefore believe that the automatic update option is the best choice for most end-users. We are currently evaluating options for the best long-term solution for users, which could involve presenting the user with an opt-in screen for the automatic update option as part of the next phase in the roll-out. As always, we will continue to communicate important details with you at the appropriate time.

Steve Gottwals, Group Product Manager, Adobe Reader

9:34 AM

April 6, 2010

PDF “/Launch” Social Engineering Attack

Recently, Didier Stevens, a well-known security researcher, demonstrated a social engineering attack that relies on the “/Launch” functionality described in section 12.6.4.5 of the PDF specification (ISO PDF 32000-1:2008). This is a good example of powerful functionality relied upon by some users that also carries potential risks when used incorrectly by others. The warning message provided in Adobe Reader and Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source. Furthermore, the default option within the dialog is to not execute.

Adobe takes the security of our products and technologies very seriously; we are therefore always listening to and evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks. We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates.

As we investigate this, users can use the following method to further mitigate this risk. For consumers, open the Preferences panel and click on “Trust Manager” in the left pane. Clear the check box “Allow opening of non-PDF file attachments with external applications” as shown below.

[Screen capture: trust_mgr_pref.jpg]

For administrators who wish to accomplish this with a registry setting on Windows, add the following DWORD value to:
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

Name: bAllowOpenFile
Type: REG_DWORD
Data: 0

Furthermore, an administrator can grey out the preference to keep end-users from turning this capability on, by adding the following DWORD value to:
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

Name: bSecureOpenFile
Type: REG_DWORD
Data: 1

Note: These samples assume you are adding registry settings for Adobe Reader 9. For Adobe Acrobat, you would replace “Acrobat Reader” with “Adobe Acrobat”, and for a different version, you would substitute its value for “9.0”.
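
The two registry settings above can be applied and audited in one step. The following PowerShell is an added example, not code from Adobe or from the original post; the function name `Set-ReaderLaunchPolicy` and its parameters are hypothetical, while the key path and value names are the ones given above.

```powershell
# Added example: applies the two DWORD values from the post and reads them back.
# Function and parameter names are this example's own (hypothetical).
function Set-ReaderLaunchPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # "Acrobat Reader" for Adobe Reader, "Adobe Acrobat" for Acrobat (per the note above)
        [ValidateSet('Acrobat Reader', 'Adobe Acrobat')]
        [string]$Product = 'Acrobat Reader',

        # Version segment of the key, e.g. "9.0"
        [ValidatePattern('^\d+\.\d+$')]
        [string]$Version = '9.0'
    )

    $key = "HKCU:\Software\Adobe\$Product\$Version\Originals"

    # Desired state from the post: attachment launching off, preference greyed out.
    $desired = [ordered]@{ bAllowOpenFile = 0; bSecureOpenFile = 1 }

    # Create the key only when it is missing, so existing values are left alone.
    if (-not (Test-Path -LiteralPath $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    foreach ($name in $desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set REG_DWORD to $($desired[$name])")) {
            $p = @{ LiteralPath = $key; Name = $name; PropertyType = 'DWord'
                    Value = $desired[$name]; Force = $true }
            New-ItemProperty @p | Out-Null
        }
    }

    # Read the values back and report compliance; a missing value is non-compliant.
    foreach ($name in $desired.Keys) {
        $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.$name } else { $null }
        [pscustomobject]@{
            Key = $key; Name = $name; Expected = $desired[$name]
            Actual = $actual; Compliant = ($actual -eq $desired[$name])
        }
    }
}

Set-ReaderLaunchPolicy -WhatIf                      # preview changes, report current state
Set-ReaderLaunchPolicy                              # apply for Adobe Reader 9.0
Set-ReaderLaunchPolicy -Product 'Adobe Acrobat'     # apply for Adobe Acrobat 9.0
```

Because the key sits under HKEY_CURRENT_USER, the function has to run in each user's own session for the setting to cover that user.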

Steve Gottwals, Group Product Manager, Adobe Reader

5:07 PM