Adobe Reader Blog

July 20, 2012

Three Common Adobe Reader and Acrobat Security Questions

I get a lot of great questions regarding Adobe Reader and Acrobat security. Recently, a few have been asked more frequently than others. So, I thought I’d share those with you.

Q: What is the Adobe Reader and Acrobat update schedule?

About three years ago, we moved to a quarterly update schedule for Adobe Reader and Acrobat. It was part of a major initiative to strengthen the security of our products. At the time, three-month update cycles seemed like the right cadence given the threat environment and the pace at which we were adding new mitigation capabilities into the products. Fast-forward three years, and technologies like Protected Mode in Adobe Reader and Protected View in Acrobat (sandboxes) have provided effective layers of defense, reducing the need for the ongoing quarterly cadence.

So, recently we announced a closer alignment with the Microsoft Patch Tuesday model. Instead of delivering updates on a quarterly schedule, we will provide Adobe Reader and Acrobat updates on the second Tuesday of any given month as needed throughout the year to best address customer requirements and keep all of our users safe. We will also continue to publish a prenotification on the Adobe Product Security Incident Response Team blog three business days before we release a security update, and we will continue to be flexible and respond “out-of-cycle” to urgent needs, such as a zero-day attack.

Q: How is Flash content being handled in Adobe Reader and Acrobat?

Starting with Adobe Reader and Acrobat 9.5.1, we have classified Flash content into two categories, “known” and “unknown.” Known Flash content has been authored by Adobe and ships with the product. For instance, Portfolio Navigators and user interface elements are classified as known Flash content. Unknown Flash content has been authored outside of Adobe and does not ship with the product. For example, Custom Portfolio Navigators and Flash content embedded into PDFs are considered unknown. With this classification scheme, we are able to selectively render Flash content with different Flash Players. In 9.5.1 and later, we render known Flash content with an internal component embedded inside of Adobe Reader and Acrobat, and let the system Flash Player (NPAPI version) render the unknown content.

Because an attack would leverage unknown, rather than known, Flash content, Adobe Reader/Acrobat 9.x users will no longer have to update Adobe Reader/Acrobat each time we update the Flash Player. This is particularly beneficial to customers in managed environments, because fewer updates mean a lower cost of ownership while maintaining a vigilant security posture. Keeping in mind that there is no silver bullet when it comes to security, we do follow a defense-in-depth security strategy. Therefore, even though we run all Flash content inside the sandbox in Adobe Reader and Acrobat X, where we’ve had great success thwarting attacks, we’ll still implement this new handling of Flash content in those products in the future. We’ll let you know when that happens.

Q: Can you explain the new security ratings?

In the past, security ratings were based on the worst-case scenario of a vulnerability without taking into account the presence or likelihood of an exploit. For a bit of background, a vulnerability is a code defect that can potentially be leveraged by an exploit to attack a system. Imagine the exact same code defect in two products. One product has a known exploit, while the other product has extra layers of defense that prevent the exploit from working. If you only consider the vulnerability, the security rating would look the same for both. But if you consider the presence (or lack) of a functioning exploit as part of the security rating, you’ll get a different answer and a better understanding of the threat, which, in turn, provides better guidance on how quickly you should deploy the update.

This change has come with the introduction of new security mitigation technologies, like Adobe Reader Protected Mode (sandbox protections), which have made vulnerabilities much more difficult to exploit. Therefore, we’ve taken the degree of difficulty of exploit creation and included it in our new update priority ratings. We feel that this is the best way to clearly communicate the real-world risk associated with the vulnerabilities addressed in any given security update.

Steve Gottwals
Group Product Manager
Adobe Acrobat Solutions Security


COMMENTS

  • By Mary Sue Singletary - 6:33 PM on March 3, 2013  

    I am trying to reload Adobe Acrobat 10.1.5… had to unload the 10.1.6 version due to a parsing error message in the software Encore, which needs a lower version. When I try to load, I get a message that I need the correct upgrade patch for Adobe 10.1.5… in order to load it… what do I do?

    • By joiemikitson - 10:16 PM on March 4, 2013  

      Thanks for the question, Mary Sue. Others might be wondering the same thing. Can you ask that question again in our Adobe Reader Forum at http://helpx.adobe.com/acrobat/kb/reader-forums-resources.html? We should be able to help you there and offer more resources to help you troubleshoot.

  • By ILIYA DAN ILIYA - 10:24 AM on March 22, 2013  

    Your product is good, but I have the player 11.5.502.146. Kindly send it to me.

    • By joiemikitson - 5:11 PM on March 22, 2013  

      You can download the latest update for Flash Player here: http://get2.adobe.com/flashplayer/. Let us know if you have any other issues!

  • By Rachel - 10:34 AM on May 12, 2013  

    Hi, I am facing a problem opening PDF files after upgrading to Adobe Reader 10.1.5! How can I solve it? I had no problem with the previous version. Should I uninstall this?
    Hope to solve the problem soon. Thanks!
    Regards.