Adobe Reader Blog
Stay up-to-date on Adobe Reader…

Archive for July, 2012

July 23, 2012

“International Technology Upgrade Week:” A Global Initiative to Encourage Consumers to Ensure Their Software is (and Stays) Up-to-Date

Earlier today, Skype—joined by Norton by Symantec and TomTom—kicked off “International Technology Upgrade Week,” a global initiative to encourage consumers to regularly download and install software updates. We’d like to chime in and express our support for this important initiative. Keeping software up-to-date is probably the single most important piece of advice we can give to users—consumers and businesses alike.

In preparation for International Technology Upgrade Week, Skype commissioned a survey of American, British and German consumers, which revealed the following findings:

  • 40 percent of adults don’t always update software on their computers when initially prompted to do so.
  • Approximately one quarter of those surveyed said they don’t clearly understand what software updates do, and an equal percentage don’t understand the benefits of updating.
  • While 75 percent of adults receive update notifications from their software, more than half admitted that they needed to see a prompt between two and five times before downloading and installing the update.

These findings are not surprising. Why is it that most of us don’t think twice about getting our cars serviced regularly, giving our bikes the occasional tune-up or being vigilant about keeping our homes in top shape, yet we are hesitant when it comes to keeping our computers and software programs up-to-date? Why are software updates so painful for us? Are we still having flashbacks to the ‘90s and early 2000s, when software updates would rather frequently “mess up” our computers?

Like it or not, the reality is that software updates are still perceived as a major pain point for a large percentage of consumers*. (*Of course, I completely recognize that business users in managed environments face their own, unique challenges when it comes to software updates. However, I’d like to focus this particular blog post on the average consumer for a change.) I just returned from my 25-year high school reunion (yes, really…). While we were reminiscing about all the things that have changed in the 25 years since we graduated, technology in particular, software updates pretty much immediately became a discussion point—with everything from “I turn my computer on once a week: to do updates” to “I hate getting update notifications every time I turn on my laptop” represented. Not a single call with my family goes by without us talking about software updates: “It’s asking me to update xyz. Should I click ok?” (“Yes!”) Or “why don’t I get update notifications for Adobe Reader? How do I know I’ve been updated?” (“Because I set Adobe Reader up to update you automatically” and “If you missed the little icon telling you that you were updated, click ‘Help’ and ‘Check for Updates.’”) Even Rainn Wilson (aka Dwight Schrute from The Office) asked during the opening of the Adobe MAX 2011 Sneak Peeks “How do I stop the thing that says I need to get my updates? It keeps popping up on my screen. I don’t need updates.” (“Yes, you do!”)

We hear you—loud and clear. The good news is that times have changed. Especially for consumers, software updates have become much easier and much more reliable than they once were. Software vendors continuously look for ways to make the update process less cumbersome. For consumers, most software programs offer automatic update notifications. Some software programs—including Adobe Reader and Acrobat¹—make it even easier for consumers by providing an automatic update option. If you are using Adobe Reader or Acrobat on Windows, you can literally “set it and forget it.” Once your update preferences are set to update your software automatically, Adobe Reader and Acrobat will automatically check for new updates, download and install available updates—you won’t have to think about it again. If only getting our cars serviced were so easy…

Still, in case you are wondering…

Why do I need those updates?

From a security perspective alone, staying up-to-date on the latest security patches is critical. The vast majority of attacks (up to 99.8 percent according to a recent study²) are exploiting software installations that are not current with the latest security updates. So staying up-to-date on your software is the best thing you can do to protect yourself (and your information) from the bad guys.

Do I need all those updates because your software is less secure and therefore targeted more often than other products out there?

While one might be tempted to draw this conclusion, reality is quite different. The bad guys go where most of the users are—for the same reasons why a bank robber goes where most of the money is. The more popular and widely used a software product is with users, the more likely that product will become a target for the bad guys. The threat landscape is constantly changing. Security mechanisms are constantly adapting. Staying up-to-date on your software will provide you with the latest protections against the bad guys.

Why are you sending me update notifications every few days? Why are you issuing so many updates?

Chances are, your update preferences are currently set to notify you when new updates are available. If you choose not to install the update, Adobe Reader and Acrobat will notify you again three days later. Getting the update notifications again three days after the initial notification (and three days after that, and so on) does not mean a new update is available every three days. It generally means that you have not yet agreed to install an update that was made available when you were initially notified. Once you agree to install the update, the notifications will disappear until the next update becomes available—typically a few months later. Even better, to avoid the update notifications altogether, Windows users can choose to receive Adobe Reader and Acrobat updates automatically—no user interaction required.

How do I make sure I have automatic updates selected?

From the Adobe Reader or Acrobat product menu, go to Edit > Preferences > Updater, and ensure “Automatically install updates” is selected.

How do I know that an update has actually been installed when I have automatic updates selected?

You will receive a notification letting you know that an Adobe Reader or Acrobat update was installed successfully. If you missed it, you can also perform update checks manually by choosing Help > Check for Updates. If no new updates are available, you are all set!

But doesn’t installing updates automatically slow down my system if I am trying to get other work done quickly at the same time?

Nope. The Adobe Reader and/or Acrobat update will run in the background without noticeably impacting your work.

So what are you waiting for?! Join Skype, Norton by Symantec, TomTom and Adobe during this International Technology Upgrade Week, and take the time to make sure your software is—and stays—up-to-date. Choose automatic updates, if your software offers this option; or if it doesn’t, install updates when you first receive the update notification. Your computer—and information—will thank you!

Wiebke Lips
Twitter: @WiebkeLips

P.S.: Don’t miss the following blog posts around International Technology Upgrade Week from participating companies:

¹ Adobe Reader and Acrobat 9.3.2 and 8.2.2 or later
² CSIS Study, September 2011, http://www.csis.dk/en/csis/news/3321

 

3:07 PM Permalink
July 20, 2012

Three Common Adobe Reader and Acrobat Security Questions

I get a lot of great questions regarding Adobe Reader and Acrobat security. Recently, a few have been asked more frequently than others. So, I thought I’d share those with you.

Q: What is the Adobe Reader and Acrobat update schedule?

About three years ago, we moved to a quarterly update schedule for Adobe Reader and Acrobat. It was part of a major initiative to strengthen the security of our products. At the time, three-month update cycles seemed like the right cadence given the threat environment and the pace we were adding new mitigation capabilities into the products. Fast-forward three years, and technologies like Protected Mode in Adobe Reader and Protected View in Acrobat (sandboxes) have provided effective layers of defense, reducing the need for the ongoing quarterly cadence.

So, recently we announced a closer alignment with the Microsoft Patch Tuesday model. Instead of delivering updates on a quarterly schedule, we will provide Adobe Reader and Acrobat updates on the second Tuesday of any given month as needed throughout the year to best address customer requirements and keep all of our users safe. We will also continue to publish a prenotification on the Adobe Product Security Incident Response Team blog three business days before we release a security update, and we will continue to be flexible and respond “out-of-cycle” to urgent needs, such as a zero-day attack.

Q: How is Flash content being handled in Adobe Reader and Acrobat?

Starting with Adobe Reader and Acrobat 9.5.1, we have classified Flash content into two categories, “known” and “unknown.” Known Flash content has been authored by Adobe and ships with the product. For instance, Portfolio Navigators and user interface elements are classified as known Flash content. Unknown Flash content has been authored outside of Adobe and does not ship with the product. For example, Custom Portfolio Navigators and Flash content embedded into PDFs are considered unknown. With this classification scheme, we are able to selectively render Flash content with different Flash Players. In 9.5.1 and later, we render known Flash content with an internal component embedded inside of Adobe Reader and Acrobat, and let the system Flash Player (NPAPI version) render the unknown content.

Since an attack would leverage unknown, as opposed to known, Flash content, this means that Adobe Reader/Acrobat 9.x users will no longer have to update Adobe Reader/Acrobat each time we update the Flash Player. This is particularly beneficial to customers in managed environments, because fewer updates means a lower cost of ownership, while maintaining a vigilant security posture. Keeping in mind that there is no silver bullet when it comes to security, we do follow a defense-in-depth security strategy. Therefore, even though we run all Flash content inside the sandbox in Adobe Reader and Acrobat X, where we’ve had great success thwarting attacks, we’ll still implement this new handling of Flash content into those products in the future. We’ll let you know when that happens.

Q: Can you explain the new security ratings?

In the past, security ratings were based on the worst-case scenario of a vulnerability without taking into account the presence or likelihood of an exploit. For a bit of background, a vulnerability is a code defect that can potentially be leveraged by an exploit to attack a system. Imagine the exact same code defect in two products. One product has a known exploit, while the other product has extra layers of defense that prevent the exploit from working. If you only consider the vulnerability, the security rating would look the same. But, if you consider the presence (or lack) of a functioning exploit as part of the security rating, you’ll get a different answer, and a better understanding of the threat, which in turn, provides better guidance on how quickly you should deploy the update.

This has happened with the introduction of new security mitigation technologies, like Adobe Reader Protected Mode (sandbox protections), which has made vulnerabilities much more difficult to exploit. Therefore, we’ve taken the degree of difficulty for exploit creation and included it in our new update priority ratings. We feel that this is the best way to clearly communicate real-world risk associated with the vulnerabilities addressed in any given security update.

Steve Gottwals
Group Product Manager
Adobe Acrobat Solutions Security

7:38 PM Permalink