Archive for July, 2009

In a crisis, communication is key

Peleus here. I focus most of my energy working with the Flash Player and AIR teams. The first half of the year had been fairly uneventful for Flash Player with only a small number of responsibly disclosed vulnerabilities reported over the last few months. The break was welcome and allowed us to focus on the more strategic security tasks that we don’t always blog about, but are still important parts of the Adobe Secure Product Lifecycle.
Unfortunately, nothing lasts forever and the last few weeks have been very busy for the Adobe Secure Software Engineering Team. We had to snap back into action on July 10th to handle the first of two different externally reported vulnerabilities that we ended up patching in Flash Player on July 30th.  First, Microsoft notified us of a flaw in their ATL library that had the potential to affect many of Adobe’s products.  The entire ASSET team mobilized to quickly identify which of Adobe’s over 200 products might be vulnerable.  Fortunately for us, the MSVR team at Microsoft was well organized. They were able to share info early on that helped to speed the triage effort inside Adobe.  We were able to identify and fix two vulnerable products (Shockwave and Flash Player) and confirm that many other widely distributed products like Adobe Reader and Connect Pro were NOT vulnerable. We also provided continual feedback into the Microsoft process that they could then, in turn, share with other partners.
Once the triage process for the ATL vulnerability was well under way we received a sample of a new attack in the wild against the Flash Player library within Reader. Although there are reports Adobe had known about this bug for eight months, the reality is that the July 16th report to the Product Security Incident Response Team (PSIRT) was the first time Adobe evaluated the bug as a security issue. The 12/31/08 bug was not caught as a security bug, so our usual Incident Response process was never initiated.
Flash is at the core of many of Adobe’s flagship products and this simultaneous patch effort required coordination between Reader, Flash Player and the AIR development teams.  This is no small task when you consider that we need to distribute reliable patches to over 90% of the Internet and support multiple versions of each product across multiple versions of the Windows, Macintosh and UNIX operating systems. Granted, we have been doing this for some time so we have automation in place to make the technical processes efficient and accurate. However, we still needed the Flash team to coordinate the creation of the patch and provide guidance to the Reader and AIR teams on adopting the solution. One mis-step in coordination could mean that the testing process starts all over again for each of the products resulting in a delay in the patch for our customers.
Since some of these products are among the most widely distributed software on Earth we used every available resource to get software updates out as soon as we could. We managed to execute a plan for updating Shockwave, Flash Player, AIR, Adobe Reader and Acrobat, all before the end of the month.
In addition to the tremendous amount of internal coordination required, PSIRT also managed the external aspects of the Adobe response. This included communicating with CERTs and other partners in the security ecosystem, creating CVEs, issuing bulletins and advisories, and responding to customer and media inquiries. Each notification requires attention to detail so that we provide useful information, but not so much that we put more customers at risk. As with all major incidents, PSIRT is at the center of balancing the needs of Adobe’s customers, security researchers, product teams, partners and Adobe as a whole.
I recently read a ZDNet Zero Day blog by George Stathakopoulos talking about coordination within the security community, and it’s a common theme in my conversations with friends in the security community. Our coordination with Microsoft on the ATL header vulnerability was definitely key to being ready in time for their release date. In addition, coordination within Adobe was critical to shipping four products within the same week, all while balancing the needs of both external and internal stakeholders. We hosted daily security meetings that leveraged Adobe Connect Pro as a 24/7 virtual war room where we could post the latest information, record IM conversations and track issues. We used Buzzword for collaboratively authoring our PSIRT blog posts, Advisories, and Bulletins that are key to communicating our progress with customers and the security ecosystem. Overall, situations like these highlight the need for security professionals to truly be a community. With all the technological solutions and formal processes we have at our disposal for creating secure products, we sometimes forget how important the little things like communication are to security.

Casting a Wider Trust Net: Announcing the Adobe Approved Trust List

Over the years, Adobe has made electronic documents and workflows easier, more efficient, and more secure. With one of the leading implementations of electronic signatures on the market, Adobe products let you go the last mile by eliminating the need to print a document out just to sign it. At the same time, we’ve been busy behind the scenes working on ways to better deliver trust in those electronic and digital signatures so users can rely fully on these new workflows. Today, we’re announcing the launch of our latest trust effort, the Adobe Approved Trust List (AATL), available now.

The AATL allows millions of users around the world to create digital signatures that are trusted whenever the signed document is opened in Acrobat or Reader 9.0 and above. Both Acrobat and Reader periodically download a list of trusted root certificates from an Adobe-hosted server. Any digital signature created with a credential whose certificate chains back to a root on this list is trusted by our products; the trust anchor comes from the downloaded list, never from the document being validated. Trust in the signer’s credential is only one of many questions Adobe products ask when validating a signature (the signature must also verify over the document’s contents, and the certificate must be within its validity period and not revoked), but it is a critical one.

[Screenshot: Beta AATL Test Document.pdf in Adobe Acrobat Pro Extended, signature status before the AATL update]

Document Before AATL

[Screenshot: Beta AATL Test Document.pdf in Adobe Acrobat Pro Extended, signature status after the AATL update]

Document After AATL

Several countries and organizations have already placed their ‘trust’ in the AATL:

  • DigiNotar
    • DigiNotar Qualified CA
  • GBO.Overheid – Netherlands
    • Staat der Nederlanden Root CA – with Certificate Policies defining secure hardware
    • Staat der Nederlanden Root CA – G2 – with Certificate Policies defining secure hardware
  • GlobalSign
    • DocumentSign CA
  • Keynectis
    • ICS CA
  • SwissSign
    • SwissSign Platinum CA — G2
  • TC Trustcenter / ChosenSecurity
    • CA 7:PN
    • CA 8:PN
  • US Federal Common Policy Root
    • Common Policy – 2010 expiry @  Common Hardware, Common High, Medium HW CBP
    • Common Policy – 2027 expiry @  Common Hardware, Common High, Medium HW CBP
  • VeriSign
    • Class 3 Intermediate Non-Federal SSP @ Medium-Hardware

Starting today, valid signatures with credentials from these providers, chaining up to these certificates, and meeting a set of Technical Requirements will be automatically trusted in Acrobat and Reader 9.0 and above, including most US Federal HSPD-12 / PIV cards.

So how do you take advantage of the AATL?  Well, if you’re using Acrobat or Reader 9, you don’t need to do anything!  This feature is turned on by default when you install these products, and the Trust List will automatically be updated every 90 days, though you must open a signed document (like the one here, for example) or open a signature-related menu item to trigger the timer and update.

If you want to verify the AATL is enabled, go to Edit (‘Acrobat’ on Mac)->Preferences->Trust Manager and be sure that the “Load trusted root certificates from an Adobe server…” check box is checked.  (See image below.)  You can then click the “Update Now” button in that same dialog box to download the latest version of the AATL from Adobe.  In any case, be sure to review the User FAQ if you’re having any problems or have any questions about how the AATL works.


The launch of the AATL complements our existing Certified Document Services (CDS) trust program, where new digital IDs that are chained to the Adobe Root certificate embedded in Adobe products are automatically trusted.  CDS is key to document certification efforts at the US Government Printing Office, Avow Systems, the Antwerp Port Authority, and many other customers who use high assurance signatures to protect the integrity and authorship of key electronic documents.  Anybody who opens a PDF document signed or certified by a CDS credential automatically gets a ‘blue ribbon’ experience with trust provided to the signature without any user interaction.  Five certificate authorities currently offer CDS certificates. 

While the high-level benefits of the Adobe Approved Trust List program are similar, the AATL is only available in Acrobat and Reader 9 at this time; it is not backwards compatible. CDS credentials, on the other hand, are backwards compatible from the current generation of Acrobat and Reader all the way back to version 6. CDS providers also offer certificates that meet a similarly high assurance standard and add capabilities such as automatic embedding of robust timestamps and real-time revocation information, which makes long-term validation of digital signatures easier. However, existing certificate communities, such as government national ID card programs, can join the AATL, since a chain to the Adobe Root certificate is not required. Contact Adobe for more information about which program is right for your organization or government.
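To make the chaining rule concrete, here is an added example written for this page (not Adobe code) in Go, using only the standard library. It builds a constructed demo PKI with hypothetical names ("Demo Listed Root CA", "Alice (listed)" and so on), treats a slice of root certificates as the downloaded trust list, and shows three things: a signer whose certificate chains through an intermediate embedded with the signature to a listed root is trusted; a signer under an unlisted root is not trusted until that root is added to the list, which is what a list update does; and a trusted anchor says nothing about whether the signature still matches the document. The same Validate logic describes CDS, where the anchor is the Adobe Root embedded in the product rather than a downloaded list. Revocation, timestamps and the AATL Technical Requirements are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate for cn signed by parent; a nil parent yields a
// self-signed root. Constructed demo hierarchy, not any AATL member's PKI.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// sign produces an ECDSA signature over the SHA-256 digest of content.
func sign(content []byte, key *ecdsa.PrivateKey) []byte {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return sig
}

// Validate asks two of the questions a reader asks of a signature: does sig verify
// over content under the signer's key, and does the signer chain (via intermediates
// embedded with the signature) to a root on the trust list? Revocation, timestamps
// and policy OIDs are out of scope here.
func Validate(content, sig []byte, signer *x509.Certificate, chain, trustList []*x509.Certificate) (sigOK, trusted bool) {
	digest := sha256.Sum256(content)
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	sigOK = ok && ecdsa.VerifyASN1(pub, digest[:], sig)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trustList {
		roots.AddCert(r) // anchors come only from the list, never from the document
	}
	for _, c := range chain {
		inter.AddCert(c)
	}
	_, err := signer.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return sigOK, err == nil
}

type DemoResult struct {
	ListedTrusted    bool // signer chains to a root on the list
	UnlistedTrusted  bool // signer chains only to a root absent from the list
	AfterListUpdate  bool // same signer once its root is added to the list
	TamperedSigValid bool // signature check after the content is altered
}

func RunDemo() DemoResult {
	listedRoot, listedKey := issue("Demo Listed Root CA", true, nil, nil)
	docCA, docCAKey := issue("Demo Document Signing CA", true, listedRoot, listedKey)
	alice, aliceKey := issue("Alice (listed)", false, docCA, docCAKey)
	otherRoot, otherKey := issue("Demo Unlisted Root CA", true, nil, nil)
	bob, bobKey := issue("Bob (unlisted)", false, otherRoot, otherKey)
	trustList := []*x509.Certificate{listedRoot} // stands in for the downloaded list
	content := []byte("Invoice 42: pay 100 EUR")  // constructed sample document
	sigA, sigB := sign(content, aliceKey), sign(content, bobKey)
	var r DemoResult
	_, r.ListedTrusted = Validate(content, sigA, alice, []*x509.Certificate{docCA}, trustList)
	_, r.UnlistedTrusted = Validate(content, sigB, bob, nil, trustList)
	_, r.AfterListUpdate = Validate(content, sigB, bob, nil, append(trustList, otherRoot))
	r.TamperedSigValid, _ = Validate([]byte("Invoice 42: pay 900 EUR"), sigA, alice, []*x509.Certificate{docCA}, trustList)
	return r
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

Run it with `go run`; it prints a DemoResult with ListedTrusted and AfterListUpdate true and UnlistedTrusted and TamperedSigValid false. The detail that matters is in Validate: the roots pool is filled only from trustList, never from certificates shipped inside the document, so a forger cannot bring their own anchor, and a signer that is trusted today only because of the list will stop validating if its root is later removed.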

If you’d like to test the AATL (and you’ve verified that it’s enabled and downloaded per the instructions above and in the FAQ), please browse our sample documents available here.

And the story doesn’t end there!  Several more government and commercial entities are lined up to join the program in the coming months…stay tuned.

Please visit the AATL webpage for more information.