Archive for March, 2010

Feature Spotlights – Flexible Authentication in LiveCycle ES2

Adobe released updates of all of the LiveCycle components when we released our “ES2” version in November 2009. As a part of this we made some significant strides to expand how you can integrate our product suite into other directory, identity management, and authentication systems.

I’d like to take this opportunity to explain some of what is new, as well as show you several videos that go into each area in more depth.

First, our integration with ActiveDirectory and LDAP directories executes substantially faster, as we have optimized the system to only pick up records that have changed recently. More info:

Second, our integration with Smartcards and PKI certificates for strong authentication is much more flexible, and supports many more types of certificates. More info:

Third, several customers have asked us to query one directory for user information, but integrate with a second instance for high performance authentication. We’ve listened and now support this — more info:

Finally, all of our web- and Flex-based components now support SAML-based federated identity for authentication. Technically, this means that LiveCycle is substantially more flexible in terms of the Single-Sign-On (SSO) and authentication facilities that can be used. In practice this means that it is very easy for you to integrate LiveCycle into your processes for interacting with customers and engaging with citizens without deploying additional identity provisioning or management software. More info:

Feature Spotlights – Simplifying Access Control in Rights Management ES2

Adobe released LiveCycle Rights Management ES2 in November 2009. This will be the first of several postings that detail some of the new functionality within the product and how it can help you be more effective in protecting your intellectual property and restricting access to personally identifiable information.

Today I’ll provide an update on how we’ve simplified how you can define and use access control within your organization as well as across artificial boundaries; with LiveCycle you can confidently ensure that only the right people — regardless of whether they are one of your employees, contractors, partners, customers, or citizens — have access to documents.

Specifically, the latest product offers a new rich web application for defining which users and groups should be able to open documents — or modify, print, copy, etc. You can define and edit policies much more quickly now that you can add multiple users or groups simultaneously.

And with our new “dynamic groups” feature, you can more quickly restrict access to an entire external organization. For example, if you found you were previously listing several users with your partner “”, manually adding,, and, you now have a new option. By adding the LiveCycle dynamic group “*”, you have the flexibility of a wildcard.

The following two video demos show off the new UI as well as the new flexible dynamic groups mechanisms. Check them out!

Improved policy interface:

Dynamic groups:

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at or by contacting Adobe

Follow-Up to Threatpost Live Chat

I sat down for a live chat session moderated by Dennis Fisher from Threatpost on Wednesday, February 24, 2010. I was impressed with the turnout and the number of great questions. Thanks again to everyone who participated. The transcript from the live session is here. I didn’t have time to get to all the questions I wanted to answer, so I’ve posted some of the overflow Q&A here:
Q: Has there been any consideration given to releasing a “light” version of Reader supporting a reduced feature set with a formally specified subset of the PDF ISO spec?
A: Adobe is exploring some ideas, but we are not currently actively working on a “light” version of Adobe Reader. Adobe continues to drive innovation in PDF products and services through active involvement in the ISO 32000 working group and through products like Adobe LiveCycle, Adobe Reader and Acrobat.
Q: Having msi installation packages for Flash and Shockwave is great, why not for Reader? It would make it easier to deploy updated versions.
A: We do offer “msi” installation packages of our full installers. When we deliver patches, those come in “msp” format.
Q: Has Adobe considered having JavaScript turned off in Adobe Reader by default?
A: End-users can disable JavaScript in Adobe Reader. But, just like disabling JavaScript in Web browsers, doing so also disables the functionality of legitimate content, such as PDF forms. We have introduced an approach that gives customers more control and allows them to mitigate risk without giving up critical functionality. Adobe Reader supports the JavaScript Blacklist Framework, a much more granular approach that provides control over specific JavaScript API calls as opposed to simply turning all JavaScript functionality off.
Q: If you are willing to work with partners for distribution of patches, how about Microsoft and WSUS? Do you have a way of pushing updates from a local server within the organization instead of all workstations needing to connect to Adobe, like Microsoft WSUS server?
A: Today, enterprise customers typically disable the update mechanism built into the product and use their own enterprise tools for deploying our updates (which we make available to them from the support download section of our Web site). Microsoft and Adobe are working closely together to help improve the software update experience for our mutual customers. Through this collaboration we hope to make it easier for Microsoft System Center Configuration Manager (SCCM) and Microsoft System Center Essentials (SCE) customers to import Adobe updates through the Microsoft System Center Updates Publisher (SCUP) and manage their distribution to client computers. When we have final details on this process, we will share them with our customers and the media, but for now, we have nothing to announce.
Updated response with more detail – March 17, 2010
Q: What are Adobe’s plans to make people feel more comfortable with their products–it seems to me that there is a perception (whether it’s true or not) that Adobe has not been on the ball with their updates.
A: We hope that through our increased efforts at transparency into our software security efforts we can help people outside Adobe understand our dedication to making our products as safe and secure as possible to use. After retooling our response processes in early 2009 we were able to respond within two weeks for four urgent incidents later in 2009. Our shift to quarterly security updates for Adobe Reader and Acrobat also gives our customers a predictable and regular security patch schedule for mitigating responsibly disclosed incidents.
Q: How often are your internal reviews and the consultants you hire finding new flaws, relative to the ones that we see reported elsewhere?
A: Our internal security processes, including the use of external consultants, are focused on preventing vulnerabilities in the end software that we ship to customers. We’ve found the most effective way for us to do this is by front-loading our efforts on early-phase security reviews and activities such as threat modeling, specification/design reviews, and other activities from our SPLC. The output from these activities is helping us to make sure that every release raises the bar for security.
Q: The Security Bulletin “Security update available for Adobe Download Manager” contains incorrect information on removing a Service in Windows. There is no way that a Service can be deleted from the Services Console in Windows. One must edit the registry’s CurrentControlSet to remove a Service.
A: Thank you for pointing out this error. We have updated the Security Bulletin text, and apologize for any confusion.
Q: Any chance that Adobe will ever make their products updatable by non-admin users on the Windows side? Deploying a new Adobe MSI every week is getting pretty old.
A: Adobe Flash Player requires admin privileges to install at this time due to the current installation location and need to update certain keys in the registry. We have been installing this way for years, but we welcome feedback and votes for this feature request. For Reader, the user has to be Admin for Windows Installer Service to install full installers (MSIs). On Vista and W7 it is possible that Windows Installer Service will allow Patches (MSPs) to be applied without elevation under several conditions. Our new Reader/Acrobat updater will allow users to install without being Admin on Vista or Windows 7 systems.