Adobe Reader and Acrobat 9.3.3 and 8.2.3

Today, we announced the availability of Adobe Reader and Acrobat 9.3.3 and 8.2.3. In addition to addressing CVE-2010-1297, referenced in Security Advisory APSA10-01, this accelerated quarterly Adobe Reader and Acrobat update resolves a number of responsibly disclosed vulnerabilities. For more information regarding the security details in these releases, please see Security Bulletin APSB10-15.

Schedule Change
As mentioned in the Adobe Secure Software Engineering Team (ASSET) blog post titled Background on APSA10-01 Patch Schedule, today’s security update for Adobe Reader and Acrobat represents an accelerated release of the quarterly security update originally scheduled for July 13, 2010. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on July 13, 2010. The next quarterly update is scheduled for October 12, 2010.

Adobe Download Center Changes are Coming
In the past, we delivered Adobe Reader updates as full installers or patches (for instance, 9.x = full installer, 9.x.y = patch). The Adobe Reader Download Center at http://get.adobe.com/reader always offers the most recent full installer of Adobe Reader, which is currently Adobe Reader 9.3. After installation, the Adobe Reader Updater will automatically check and offer the latest patches to keep end-users up-to-date (as of today, the latest patch is Adobe Reader 9.3.3).

We have been working on a new method of always offering the latest version, whether a full installer or a patch, of our most popular language/platform pairs on the Adobe Download Center. This change will make its debut as scheduled on July 13, 2010 (by offering Adobe Reader 9.3.3 for installation) and will become a standard operating procedure going forward. In addition, as always, the Adobe Reader Updater will continue to automatically check for new updates, or users can force an update to happen by selecting Help > Check for Updates from the Adobe Reader menu.

Update on the New Updater
For our previous quarterly release on Tuesday, April 13, 2010, we activated the new Adobe Reader and Acrobat Updater for our user base. We have been very pleased with the results. When we compared the new updater against the older technology, we found that our users were much more likely to update using the new Adobe Reader Updater. Our data showed that the user population adopted the last update roughly three times faster than previous updates. This is an extremely important metric, since it greatly reduces the window of exposure available to attackers.

PDF “/Launch” Functionality Social Engineering Attack Update
In a previous blog post titled PDF /Launch Social Engineering Attack, I mentioned that Didier Stevens had demonstrated a social engineering attack, which relied on the “/launch” functionality as described in the PDF specification (ISO PDF 32000-1:2008) under section 12.6.4.5. Today’s update includes changes to resolve the misuse of this command. We added functionality to block any attempts to launch an executable or other harmful objects by default. We also altered the way the existing warning dialog works to thwart the known social engineering attacks.
If your organization relies on this capability, we recommend that the functionality be re-enabled.

We are Listening
Adobe Reader is relied upon by individuals, businesses and governments worldwide, and the security of our users continues to be a key priority for us. As part of our commitment, we continually listen to the feedback from our users and the community at large. That feedback is paramount, as we continue to develop new capabilities that strengthen the security of our products. So, please keep the feedback coming!

Steve Gottwals, Group Product Manager, Adobe Reader

Adobe Reader for Android and Your Feedback

It’s been two weeks since Adobe Reader for Android went live on the Android Market. To date, we’ve seen over 250,000 downloads and received a lot of great feedback from our end-users. We’re also getting some great questions regarding our thoughts concerning PDF and mobile environments. I thought I’d answer a few of those questions here.

Mobile Devices and Varying Screen Sizes
The expanding array of mobile devices is driving demand for new and better applications that enable customers to read and use PDF in the mobile environment. Adobe Reader for Android is our first version of Adobe Reader targeting the new wave of smartphone devices. In this first release, we focused on two major areas that we think differentiate Adobe Reader from other choices.

Performance
Mobile devices offer incredible opportunities, but they can also create interesting challenges as a result of limited resources and smaller screen sizes. We spent a lot of time making sure that the interaction with PDF documents was not only natural and easy, but also accurate with good performance. For instance, we tested Adobe Reader for Android against a wide variety of PDF documents and found that, on average, we successfully displayed the first page roughly twice as fast as other viewers. But, we also found that on some documents, the responsiveness of the application can lag a bit. Therefore, we are looking carefully at new ways of improving this.

Supporting the PDF Specification
The PDF specification is quite broad and includes many capabilities that address a wide range of document use cases. A key value proposition of any Adobe Reader is that it handles the fullest possible range of PDF for any given category of device or application. Given the limitations of the mobile environment, we can’t yet claim support for the full ISO 32000 specification, but we believe we support the broadest range of the spec for the most common use cases. We ran Adobe Reader for Android through our PDF test suite, which contains real-world PDF documents like annual reports, presentations, contracts, invoices and press releases. We found that other viewers did not support several common PDF features such as:

  • Transparencies: objects on a page, such as images or text that are transparent or ‘show through’, which is an extremely common way to create drop shadows for 3D effects seen in brochures and presentations
  • Smooth Shading: used to accurately describe gradient fills, which are common in PowerPoint presentation backgrounds, including many of the templates that ship with the product
  • Masked Images: images that have portions made transparent, which is common for GIF images within web pages, and subsequently the PDFs created from those web pages
  • JBIG2 and JPEG2000: Compression algorithms commonly used to optimize file size for scanned documents

Adobe Reader for Android, on the other hand, rendered them successfully.

What’s Next?
Are we done? Absolutely not. In general, we believe Adobe Reader for Android offers a great PDF experience on smartphones, but our work is only beginning. PDF is an incredibly powerful standard, which allows for capabilities like dynamic media, interactive forms and digital signatures. Bringing those advanced technologies to mobile platforms will most certainly require new innovative designs, platform advancements and cloud services. One thing is for certain, your feedback is key. We’ve been very pleased with all the great thoughts so far. So, please keep it up. And, stay tuned, there’s a lot more coming!

Steve Gottwals, Group Product Manager, Adobe Reader

Introducing Adobe Reader for Android

On the heels of some cool Adobe news last week at Google I/O (The Engineering Behind Flash Player 10.1, Available Now: Developer Prerelease of AIR for Android and Flash Player 10.1 on Google TV), I am very pleased to announce that Adobe Reader for Android is available today in the Android Market. Whether you’re browsing the web, or reading an e-mail, you can now use Adobe Reader to access PDF files on your Android device – for free, of course. We hope you enjoy the new app, and we look forward to your feedback as you check it out. Interested in new features? Let us know; we’re already thinking of some ourselves. Anxious to see the product on other platforms? Stay tuned.

Features
Adobe Reader for Android offers multi-touch gestures, like pinch-and-zoom, as well as double-tap-zoom, flick-scrolling and panning. We’ve also added a “reflow” mode, which will take text-heavy documents with wide margins, and automatically wrap the content for easy viewing on smaller screens.

Demo
For a look at the app in action, check out the video below.

Product FAQ
Adobe Reader for Android

System Requirements

  • Android v 2.1 and above
  • 550 MHz processor
  • 256 MB of RAM
  • 4.3 MB of available disk space
  • Currently Supported Devices: Motorola Droid, Motorola Milestone & Google Nexus One (While we have not yet tested against other Android devices, we expect they may also run the application just fine.)


Steve Gottwals, Group Product Manager, Adobe Reader

Upcoming Adobe Reader and Acrobat 9.3.2 and 8.2.2 to be Delivered by New Updater

On Tuesday, April 13, 2010, we are planning to release Adobe Reader and Acrobat 9.3.2 and 8.2.2 as part of our regularly scheduled quarterly updates.

As mentioned in a previous blog post titled Adobe Reader and Acrobat Updates Include New Security Improvements, we have been testing a new updater technology with select beta customers since our October 13, 2009 quarterly update. The purpose of the new updater is to keep end-users up-to-date in a much more streamlined and automated way.

During our quarterly update on January 12, 2010, and then again for an out-of-cycle update on February 16, 2010, we exercised the new updater with our beta testers. This allowed us to test a variety of network configurations encountered on the Internet in order to ensure a robust update experience. That beta process has been a successful one, and we’ve incorporated several positive changes to the end-user experience and system operation. Now, we’re ready for the next phase of deployment.
On Tuesday, April 13, 2010, as part of our quarterly update, we will activate the new updater for all users needing Adobe Reader and Acrobat 9.3.2 and 8.2.2 for Windows and Macintosh. As of yesterday, April 7, 2010, we have been activating our new updater for those users who are not yet up-to-date with our latest versions. During this phase of the process, we are utilizing users’ current update setting found in the Adobe Reader and Acrobat Preferences, under the “Updater” panel, as shown in the screen captures below.

Updater Preferences for Windows


Updater Preferences for Macintosh


The new updater has been optimized for each platform, and as you will notice, on Windows offers an option called “Automatically install updates.” With this option, to avoid disturbing the user, the new updater favors a time when the system is not busy to install new updates without user intervention.

Honoring the user’s choice is important to Adobe. This includes the user’s update preferences. Adobe has no plans to activate the automatic update option by default without prior user consent. That said, the security of our users is a key priority for Adobe. The majority of attacks we are seeing are exploiting software installations that are not up-to-date with the latest security fixes. We therefore believe that the automatic update option is the best choice for most end-users. We are currently evaluating options for the best long-term solution for users, which could involve presenting the user with an opt-in screen for the automatic update option as part of the next phase in the roll-out. As always, we will continue to communicate important details with you at the appropriate time.

Steve Gottwals, Group Product Manager, Adobe Reader

PDF “/Launch” Social Engineering Attack

Recently, Didier Stevens, a well-known security researcher, demonstrated a social engineering attack, which relies on the “/launch” functionality as described in the PDF specification (ISO PDF 32000-1:2008) under section 12.6.4.5. This is a good example of powerful functionality relied upon by some users that also carries potential risks when used incorrectly by others. The warning message provided in Adobe Reader and Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source. Furthermore, the default option within the dialog is to not execute.

Adobe takes the security of our products and technologies very seriously; we are therefore always listening to and evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks. We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates.
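For triage, here is an added PowerShell example (not part of the original post and not Adobe tooling) that scans PDF files for a plain-text /Launch action, the mechanism behind the attack described above. The function name, output fields and the sample directory are assumptions of this example.

```powershell
# Added example, not Adobe's code: find PDF files that carry a /Launch action.
# It inspects raw bytes only, so actions inside compressed object streams are
# missed; treat a hit as a reason to inspect further and a miss as inconclusive.
# Function name and output fields are this example's own.

function Find-PdfLaunchAction {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path
    )

    # PDF syntax is byte-oriented; decode as ISO-8859-1 so each byte maps to one char.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)

    # A Launch action dictionary contains /S /Launch (ISO 32000-1, 12.6.4.5) and
    # normally an /F (file specification) entry; /P carries optional parameters.
    $launchRe = [regex]'/S\s*/Launch'
    $fileRe   = [regex]'/F\s*\(([^)]*)\)'
    $paramRe  = [regex]'/P\s*\(([^)]*)\)'

    foreach ($p in $Path) {
        $full  = (Resolve-Path -Path $p).ProviderPath
        $text  = $latin1.GetString([System.IO.File]::ReadAllBytes($full))
        $hits  = $launchRe.Matches($text)

        foreach ($hit in $hits) {
            # Examine a short window after the match for the file and parameter strings.
            $len    = [Math]::Min(512, $text.Length - $hit.Index)
            $window = $text.Substring($hit.Index, $len)

            $target = ''
            $m = $fileRe.Match($window)
            if ($m.Success) { $target = $m.Groups[1].Value }

            $params = ''
            $m = $paramRe.Match($window)
            if ($m.Success) { $params = $m.Groups[1].Value }

            [PSCustomObject]@{
                File       = $full
                Offset     = $hit.Index
                Target     = $target
                Parameters = $params
            }
        }

        # Object streams can hide action dictionaries from a raw-byte scan.
        if ($hits.Count -eq 0 -and $text -match '/ObjStm') {
            Write-Verbose "$full : no plain-text /Launch, but object streams are present; decompress before trusting this result."
        }
    }
}

# Usage (constructed sample directory): list every PDF with a plain-text /Launch action.
Get-ChildItem -Path 'C:\samples' -Filter '*.pdf' -Recurse |
    ForEach-Object { Find-PdfLaunchAction -Path $_.FullName -Verbose }
```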

As we investigate this, users can use the following method to further mitigate against this risk. For consumers, open up the Preferences panel and click on “Trust Manager” in the left pane. Clear the check box “Allow opening of non-PDF file attachments with external applications” as shown below.


For administrators who wish to accomplish this with a registry setting on Windows, add the following DWORD value to:
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

Name: bAllowOpenFile
Type: REG_DWORD
Data: 0

Furthermore, an administrator can grey out the preference to keep end-users from turning this capability on, by adding the following DWORD value to: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

Name: bSecureOpenFile
Type: REG_DWORD
Data: 1

Note: These samples assume you are adding registry settings to Adobe Reader 9. For Adobe Acrobat, replace “Acrobat Reader” with “Adobe Acrobat”, and for a different version, substitute its value for “9.0”.
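The registry procedure above, as an added PowerShell example (not Adobe's own tooling): it applies the two values for a chosen product and version and reads them back for verification. The function names and parameters are this example's own; the key path, value names and data are those given in the post.

```powershell
# Added example, not Adobe's code: apply and verify the /Launch mitigation
# registry values from the post. Keys live under HKEY_CURRENT_USER, so run
# this in the session of the user being configured. Function names and
# parameters are this example's own; key path and value names are the post's.

function Set-AdobeLaunchMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # "Acrobat Reader" for Adobe Reader, "Adobe Acrobat" for Acrobat (per the post's note)
        [ValidateSet('Acrobat Reader', 'Adobe Acrobat')]
        [string]$Product = 'Acrobat Reader',

        # Version segment of the key path, e.g. "9.0"
        [string]$Version = '9.0',

        # Also grey out the preference so end-users cannot turn the capability back on
        [switch]$LockDown
    )

    $key = "HKCU:\Software\Adobe\$Product\$Version\Originals"

    if (-not (Test-Path -Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    # bAllowOpenFile = 0 clears "Allow opening of non-PDF file attachments
    # with external applications" (the Trust Manager preference).
    $settings = @{ bAllowOpenFile = 0 }

    # bSecureOpenFile = 1 greys out that preference for the end-user.
    if ($LockDown) { $settings['bSecureOpenFile'] = 1 }

    foreach ($name in $settings.Keys) {
        $data = $settings[$name]
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set REG_DWORD to $data")) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $data -Force | Out-Null
        }
    }
}

function Test-AdobeLaunchMitigation {
    param(
        [ValidateSet('Acrobat Reader', 'Adobe Acrobat')]
        [string]$Product = 'Acrobat Reader',
        [string]$Version = '9.0'
    )

    $key   = "HKCU:\Software\Adobe\$Product\$Version\Originals"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Report the effective state so an auditor can see it at a glance.
    [PSCustomObject]@{
        Product            = $Product
        Version            = $Version
        KeyExists          = [bool]$props
        AttachmentsBlocked = ($props.bAllowOpenFile -eq 0)
        PreferenceLocked   = ($props.bSecureOpenFile -eq 1)
    }
}

# Usage: block external launching for Reader 9, lock the preference, then verify.
Set-AdobeLaunchMitigation -Product 'Acrobat Reader' -Version '9.0' -LockDown
Test-AdobeLaunchMitigation -Product 'Acrobat Reader' -Version '9.0'
```

Run with `-WhatIf` first to see which keys and values would be written without changing anything.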

Steve Gottwals, Group Product Manager, Adobe Reader

Adobe Reader and Acrobat Version 9.3 and 8.2

Today, we announced the availability of Adobe Reader and Acrobat 9.3 and 8.2. For more information regarding the security details in these releases, please see Security Bulletin APSB10-02.

As mentioned in a previous blog post titled Adobe Reader and Acrobat Updates Include New Security Improvements, we have been shipping a new “beta” updater technology in a passive state since our October 13, 2009 quarterly update. The purpose of the new updater, once activated, is to keep end-users up-to-date in a much more streamlined and automated way. Today, we are testing the new updater with a subset of our end-users, who previously signed up for the beta program. This is the first time we’ve exercised the new updater with “official” updates, which allows us to test a variety of network configurations encountered on the Internet in order to ensure a robust update experience. Over the next few weeks, we will be analyzing the test results and will continue communicating important details with you, including when we expect it to be active for all users, which could be as soon as our next update.

We also talked about the introduction of the Adobe Reader and Acrobat JavaScript Blacklist Framework in that same blog post. The Framework provides customers granular control over the execution of specific JavaScript API calls. The purpose of the new JavaScript Blacklist Framework is to provide protection against attacks that target specific JavaScript API calls. As mentioned in Security Advisory- Adobe Reader and Acrobat, we were able to recommend this risk mitigation strategy during our recent zero-day exposure window. The JavaScript Blacklist Framework worked as planned and we had positive feedback from customers who were able to utilize the mitigation effectively.

As mentioned in Adobe Reader and Acrobat JavaScript Blacklist Framework Mitigation for Security Advisory – APSA09-07, if you deployed the mitigation to a “non-locked down” area, Adobe will automatically reset the Blacklist Framework with the 9.3 and 8.2 updates. But, if you deployed the registry key setting to a “locked down” area, then you will need to reset that value yourself.

Finally, as described in an earlier post, Adobe Reader and Acrobat Version 7 End of Support, support for Adobe Reader and Acrobat 7.x (as well as Adobe Reader UNIX 8.x) has ended, and Adobe strongly recommends updating to newer versions.

Steve Gottwals, Group Product Manager, Adobe Reader

Adobe Reader and Acrobat Version 7 End of Support

As stated in the Adobe Support Lifecycle Policy, Adobe provides five years of product support from the general availability date of Adobe Reader and Adobe Acrobat (Windows and Macintosh – Note: Adobe only supports the most recent major version of Adobe Reader for UNIX Version 9.x). In line with that policy, support for Adobe Reader 7.x and Adobe Acrobat 7.x will end on December 28, 2009.

End of Support
End of Support means that Adobe will no longer provide technical support or distribute runtimes, including product and/or security updates, for all derivatives of a product or product version (e.g. localized versions, minor upgrades, operating systems, dot and double-dot releases, and connector products).

Recommendation to Customers/Users
Adobe strongly recommends that customers update to the latest versions of Adobe Reader at: http://get.adobe.com/reader. By updating installations to the latest versions, customers benefit from the latest functional enhancements and improved security measures.

Special Considerations
Adobe recognizes that some organizations still require Adobe Reader 7 for use in controlled environments. Therefore, Adobe is providing a grace period of three months, until March 31, 2010, during which time Adobe Reader 7 will remain available for those customers from the Adobe Reader Download Center at: http://get.adobe.com/reader.

Additional Resources
For more information on the Adobe Support Lifecycle Policy, visit: http://www.adobe.com/support/products/enterprise/eol. For a complete list of Adobe products and technical support periods covered under the policy, visit: http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html.
An Adobe Product Security Incident Response Team (PSIRT) blog post discussing the end of support for Adobe Reader 7.x and Adobe Acrobat 7.x can be found at: http://blogs.adobe.com/psirt/2009/10/second_quarterly_security_upda.html.

Automated Testing of Adobe Reader using Hewlett Packard Quick Test Professional

In conjunction with the release of Adobe Reader 9.2 and the announcement of Adobe LiveCycle ES2, Adobe Labs is hosting a new automated testing solution for Adobe Reader based on integration with Hewlett Packard Quick Test Professional – Adobe PDF Test Toolkit. We’ve created this technology for our enterprise customers to support automated testing and validation of PDF Forms workflows, including those hosted by LiveCycle ES2 and SAP.

The Reader integration with HP Quick Test Pro is similar to the existing Flex integration with Quick Test Pro (see: http://livedocs.adobe.com/flex/3/testing_with_QTP_flex3.pdf).
Adobe PDF Test Toolkit supports the following:

  • Testing of PDF Forms (Acroforms and XFA forms – including dynamic forms) with Acrobat or Reader running as standalone applications or inside of a browser.
  • Testing of complete form workflows with Acrobat or Reader and LiveCycle ES or SAP Interactive Forms by Adobe.

Based on customer feedback, we focused on PDF Forms workflows. We are excited by this technology and the opportunity to integrate Reader and PDF Forms into enterprise testing workflows. As an Adobe Labs technology, it should be considered an early preview and we’ll be taking all feedback into consideration when planning future versions.

Adobe Reader and Acrobat Updates Include New Security Improvements

Today, we announced the availability of Adobe Reader and Acrobat 9.2, 8.1.7 and 7.1.4. For more information regarding the security details in these releases, please see Security Bulletin APSB09-15.

In order to strengthen protections for customers using our products, we are constantly engaged in security improvement efforts. This includes better security controls within the product itself, as well as methods to rapidly protect end-users against quickly evolving threats by reducing the window of exposure to new vulnerabilities.

As of today, Adobe Reader and Acrobat 9.2 and 8.1.7 are shipping with a new “beta” updater technology, which will initially be in a passive state. We’re delivering it to end-users as part of today’s updates in this state so that we can enable a follow-on, invite-only, external beta program. Even though the new updater ships in a passive state, we have the ability to selectively activate it for end-users invited into the beta program, which will allow us to test a variety of network configurations encountered on the Internet in order to ensure a robust update experience. The purpose of the new updater, once it is active, is to keep end-users up-to-date in a much more streamlined and automated way. As beta testing progresses, we will continue to communicate pertinent details with you about the new updater, including when we expect it will be active for all users. If you are interested in joining the beta program, leave a comment to this blog post stating so.

Also added to the products, as of today’s Adobe Reader and Acrobat 9.2 and 8.1.7 updates, are two new changes in security user interface and control. We are moving more security awareness into the gold bar, which runs across the top of the document in the application chrome. In the past, if JavaScript had been disabled in the product, a dialog box would alert the end-user and provide further options. Now, when JavaScript is disabled, the gold bar will alert the end-user and provide further options. Our research has shown that this is a much friendlier and more effective way to interact with end-users on security matters. For more information, please see: CPS ID 50432.

Lastly, we have introduced the Adobe Reader and Acrobat JavaScript Blacklist Framework. The Framework provides customers granular control over the execution of specific JavaScript API calls. The purpose of the new JavaScript Blacklist Framework is to allow Adobe to protect customers against attacks that target a specific JavaScript API call. In this case, end-users and administrators can add that JavaScript API call to the blacklist, and block it from executing. Organizations can even block specific JavaScript API calls and keep their end-users from overriding that decision. For more information on the JavaScript Blacklist Framework, please see: CPS ID 50431.

Adobe Joins SAFECode

Today, we announced our membership in the Software Assurance Forum for Excellence in Code (SAFECode). SAFECode is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. We joined other software industry leaders EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.

As a SAFECode member, Adobe will collaborate with subject matter experts to identify and share proven best practices for software assurance, promote broader adoption of software assurance best practices into the cyber ecosystem, and work with businesses, governments and critical infrastructure providers to leverage these practices to manage enterprise risks. Adobe will take an active role in current SAFECode projects that address secure development methods, software integrity in the global supply chain, and the measurability of software security.

For more information on SAFECode, see: http://www.safecode.org.