Today McAfee announced the availability of a new joint offering with Adobe called the McAfee Data Protection Suite for Rights Management. This joint solution combines the classification capabilities from McAfee’s Host Data Loss Prevention (DLP) product with persistent protection from LiveCycle Rights Management ES. The joint value proposition allows customers to discover and classify sensitive information on laptops or desktops and automatically and proactively protect it from a single, uniform policy. This will significantly reduce the cost, complexity, and risk associated with sensitive IP and compliance information located on endpoints throughout the enterprise.
This is the result of a global alliance partnership between Adobe and McAfee, previously announced September 28, 2009, aimed at offering more comprehensive security to our Enterprise customers.
Learn more about the new offering available now from McAfee here. Please contact your local McAfee or Adobe sales representative for more in-depth information or to schedule a demo of the solution.
Announced last week, and built using Adobe LiveCycle ES, Adobe Security Partner 4Point’s QuickStart e-invoicing solution is designed to offer customers a faster path to cost reduction and improved customer satisfaction by providing an out-of-the-box approach to implementing secure electronic invoicing and eliminating paper.
4Point’s solution leverages LiveCycle ES to provide a way for customers to quickly stand up an e-invoicing solution with a limited scope that can generate a quick ROI and later serve as a foundation for a broader enterprise-wide capability.
Here are some links to the latest statements by Adobe, McAfee, and iDefense concerning reports of cyberattacks this past week. Additional information will be posted at these links as it becomes available.
Adobe Secure Software Engineering (ASSET)
McAfee Security Insights Blog
Statement by iDefense
One of Germany’s most trusted savings banks, Berliner Sparkasse, recently rolled out a variety of digital workflow improvements intended to facilitate more efficient customer interaction with a combination of LiveCycle ES components and Adobe Security Partner SoftPRO’s electronic signature products.
By now, you’ve surely heard the news about the new European standard for PDF Advanced Electronic Signatures (PAdES) which formalizes how digital signatures in PDF can comply with the European requirements for electronic signatures.
However, there are five parts to the standard, and they all deal with terminology that may not be familiar. Don’t worry, you’re not alone. A new website has been set up to answer frequently asked questions on PAdES.
A running theme on this blog is that ASSET and Adobe care a great deal about keeping our products secure and our customers safe. On Tuesday Adobe announced a corporate network security issue and since then we’ve seen media coverage and headlines indicating that vulnerabilities in Adobe Reader may have been the attack vector in this incident.
Just like we always do in the case of reports of security vulnerabilities in an Adobe product, we have been actively tracking down samples or other information regarding potential vulnerabilities in Adobe products related to this incident. The most definitive public description of the incident that we’ve seen thus far is the McAfee post here.
Similar to the McAfee researchers, we have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident. As far as we are aware there are no publicly known vulnerabilities in the latest versions (9.3 and 8.2) of Adobe Reader and Acrobat that we shipped on January 12, 2010.
This is a complex incident, the investigation is ongoing, and we will continue to work with our partners in the security community and the other firms affected. We will continue to use the Adobe PSIRT blog as the first line of communication to our customer base regarding any product security vulnerabilities. Even though we don’t have any information regarding a zero-day vulnerability in an Adobe product, the sophistication of this incident also serves as a reminder to all of us of the importance of layers of security to provide the best possible defense against those with malicious intent.
Since the vast majority of successful attacks against all software products use known, already-patched vulnerabilities, we strongly encourage all of our users to update to the latest version of Adobe Reader and Acrobat by visiting get.adobe.com/reader or selecting “Check for updates” from the Help menu.
Adobe’s Winter quarterly release of Acrobat and Reader is now available for version 8 and 9 customers…
Kyle Randolph here. I work closely with the Adobe Reader and Acrobat engineering team as we continue to work hard on the security initiative first announced back in May 2009. Today, the team announced new security improvements in Adobe Reader and Acrobat 9.3 and 8.2. This is the third quarterly security update for Adobe Reader and Acrobat and we are starting to roll out to users the configuration options and features that we began designing last summer to mitigate the evolving security threats we were seeing. Let me explain the security geek coolness factor of the improvements in this release as well as the improvements in the October quarterly security update.
New Adobe Reader Updater / Acrobat Updater
We introduced the new updater in the October Adobe Reader and Acrobat 9.2 and 8.1.7 update as beta technology, and today, we are testing the new technology with a real-world security update to users participating in the beta program. (Since we are still conducting the pilot, only users who are participating in the beta program are receiving today’s update via the new updater.) The new updater improves the user experience and helps users stay up to date with the new option of receiving security updates automatically, via background updates, which have been shown to have better patch adoption. Some customers, such as corporate IT administrators, need to know and manage which updates are installed and when. But a lot of customers, particularly consumers and individuals who don’t have the autopilot luxury of a managed desktop environment, just want to have the most secure and up-to-date version, and don’t want to be interrupted when it is time to install an update. By allowing customers to select an update process that automatically runs in the background, we can help protect more users from attacks against known, patched vulnerabilities.
Yellow Message Bar
Now the Yellow Message Bar appears at the top of the document as shown below:
For more info on the Yellow Message Bar, see http://kb2.adobe.com/cps/504/cpsid_50432.html.
Multimedia (Legacy) off by Default
Another effective technique to reduce security risk for our customers is to reduce the attack surface of the product. Legacy multimedia is a set of rarely used features which have a broad attack surface. The Multimedia (Legacy) features are no longer trusted by default. Users that open PDFs that contain legacy multimedia will see a Yellow Message Bar at the top of the document.
We’ve discussed the legal validity of electronic signatures and digital signatures in this blog in the past. While a concurrence of laws worldwide points to general acceptance of electronic signatures as legally binding, there are a number of nuances that need to be taken into account when dealing with the identity and evidentiary elements of those electronic signatures, especially as it relates to how they’ll stand up longer term in court.
An event to be held on March 1, the first day of the RSA 2010 Conference, will be dedicated to these questions.