Recently in Security Category

Digital Signature Validation Cheat Sheet


Confused by all those little icons? The Digital Signature Validation Cheat Sheet is a handy single-page document that will help you understand what those icons mean and how you can use them to determine the signer’s identity and the document’s integrity; both are important.

Get the Digital signature validation cheat sheet

Security Guides now posted on Developer Centers


Security for Flash Player compatible content in Acrobat 9

The latest releases of Adobe® Acrobat® and Adobe Reader® 9
introduce new native support for the playback of Flash® Player
compatible content. This new feature uses an embedded Flash Player
runtime and hence is independent of other instances of Adobe Flash
Player installed on the system. This white paper provides an overview
of the security model for Flash Player compatible content playing
inside Acrobat and Adobe Reader® software.
  Get the complete white paper

Acrobat and Reader 9 Security Administration Guide

This document contains information for advanced users (such as system administrators) who are responsible for deploying and supporting the Adobe Acrobat family of products (including Adobe Reader) where these applications are used for digital signatures and document security. This document pertains only to these applications’ security features. It is not an administration guide for other features.
  Get the complete guide

Enhanced Security: Privileged Locations


Security is often at odds with usability. Adobe Flash began addressing this problem several releases ago by implementing and standardizing on a cross-domain security model that has evolved over the years into a robust, secure solution. By providing controls for who may receive data from whom, Adobe Flash can power rich Internet applications that are safe and extremely flexible.

An excellent explanation of the cross-domain security model can be found here

Enhanced Security and the Desktop

As Adobe Acrobat and Reader became more powerful over the years (i.e. support for JavaScript and Web Service interaction), the line between document and application gradually became more blurred, and Adobe began to leverage the Flash security model where appropriate. One such area is in Acrobat and Reader 9, with cross-domain security functionality. Since many users save PDFs to their desktop or open PDFs that are email attachments, we needed to add desktop domains to Acrobat and Reader.

Acrobat and Reader 9 provide a method for a user or a system administrator to increase the privileges of chosen files, folders, and hosts by specifying them as privileged locations. Files in these privileged locations are exempted from certain security policies and therefore, for example, can be exempt from cross-domain security. The locations can be set by the user through the UI (Preferences dialog), or by a system administrator using Adobe Customization Wizard to specify installer settings prior to enterprise-wide deployment.

The three choices for privileged locations are:

Files — A file is defined by a path, so its security settings will be invalid if that file is moved. The difference between privileged PDF files and folders is the number of files. If a user has a large number of files they know they can trust, it may be more practical to put them all in one privileged PDF folder. Conversely, a user may use privileged PDF files if they have many PDFs in a single folder but only want to trust two of them.

Folders — Privileged PDF folders are similar to privileged PDF files except that all files in a specified folder (but not in sub-folders) have the same privileges.

Host — A privileged PDF site is appropriate for PDFs that can be opened in a browser from a Web server. A privileged PDF host can only be specified at the host name level; for example, can be specified, but not The specified host must be complete with no wild cards (unlike for crossdomain.xml files). The user will have the option to only specify that the host connection must be secure, for example, that it must be an https: connection. All PDFs on the specified host will have the same privileged PDF settings.

Using privileged locations, the user can bypass the security restrictions on the following, which would otherwise be in effect:
• Cross-domain data access
• Silent printing
• External streams access
• Document JavaScript sending data to a remote server
• FDF data injection
• FDF script injection
• Data taint: when data is downloaded from multiple hosts and then sent to another host
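The matching rules for the three privileged location types can be modelled in a few lines, which is useful when reviewing which documents a proposed list would exempt from the restrictions above. This is an added example, not Adobe's code or storage format; the class, function names, POSIX-style paths and sample entries are all constructed for illustration.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from urllib.parse import urlsplit


@dataclass
class PrivilegedLocations:
    """Constructed model of the three location types (not Adobe's storage format)."""
    files: set = field(default_factory=set)    # exact, absolute file paths
    folders: set = field(default_factory=set)  # absolute folder paths, non-recursive
    hosts: dict = field(default_factory=dict)  # lowercase host name -> secure-only flag


def is_privileged(location: str, cfg: PrivilegedLocations) -> bool:
    """Return True if a PDF opened from `location` falls under a privileged location."""
    parts = urlsplit(location)
    if parts.scheme in ("http", "https"):
        host = parts.hostname or ""  # urlsplit lowercases the host name
        # Hosts match on the complete host name only: no wildcards, no sub-domains.
        if host not in cfg.hosts:
            return False
        # When the entry is marked secure-only, a plain http: connection does not qualify.
        return parts.scheme == "https" or not cfg.hosts[host]
    path = PurePosixPath(location)
    # A privileged file is defined by its path, so a moved copy no longer matches.
    if str(path) in cfg.files:
        return True
    # A privileged folder covers its direct children but not files in sub-folders.
    return str(path.parent) in cfg.folders


# Constructed sample configuration and document locations (POSIX-style paths assumed).
SAMPLE = PrivilegedLocations(
    files={"/home/alice/inbox/invoice.pdf"},
    folders={"/home/alice/trusted"},
    hosts={"forms.example.com": True, "intranet.example.com": False},
)


def audit(locations, cfg=SAMPLE):
    """Map each location to whether it would be exempt from the listed restrictions."""
    return {loc: is_privileged(loc, cfg) for loc in locations}


if __name__ == "__main__":
    for loc, ok in audit(["/home/alice/trusted/a.pdf", "/home/alice/trusted/sub/a.pdf",
                          "http://forms.example.com/f.pdf"]).items():
        print(f"{'privileged' if ok else 'restricted':10}  {loc}")
```

Running an intended list through a check like this before deployment shows how much each entry exempts: a folder or host entry covers every PDF it matches, while a file entry covers exactly one path.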

Note: This information was extracted from a draft version of the “Enhanced Security in Adobe Acrobat 9 and Adobe Reader 9” White Paper which will be published shortly and includes many more important details than this posting. I’ll supply a link to it when that document becomes final.

Enhanced Security in Acrobat 9 and Reader 9


Sanjoy Ghosh describes the new Enhanced Security model in Acrobat 9

With the addition of interactive form features, multimedia, and scripting, PDFs can now download and send data over the Internet, which can create a potential security risk for both user privacy and document integrity. To address those security issues, Adobe® Acrobat® 9 and Adobe Reader® 9 feature an Enhanced Security mode designed to minimize those risks by providing control over cross-domain data access and how FDF files are handled. Because the Enhanced Security restrictions may affect some legacy PDF workflows, Acrobat 9 also provides ways to increase privileges for documents and servers that can be fully trusted.

The enhanced security in Acrobat 9 leverages an existing model already in use by Adobe Flash. By providing controls for who may receive data from whom, Adobe Flash can power rich Internet applications that are safe and extremely flexible. Many Flash developers, such as YouTube, use this model. If your company uses Flash for web applications, there are probably people in your organization who understand how this security model works and it should require only incremental effort to migrate your PDF-based applications to this method.

Sanjoy Ghosh

What this means to you

The Enhanced Security features are turned off by default in Acrobat 9 and Reader 9. The new Customization Wizard 9 will allow you to deploy Acrobat or Reader with Enhanced Security turned on. To find out how, click on the "Deploying Acrobat and Reader" link in the "Online Events" column to the left. Over the next few weeks we’ll be finalizing the white papers for Acrobat 9 and I’ll be able to share more details on exactly what the Enhanced Security can do for you.