Archive for May, 2011

Update: FIPS Validation Certificates for Acrobat/Reader X and LiveCycle ES2.5

Version X of Adobe Acrobat and Adobe Reader includes the RSA BSAFE Crypto-C ME encryption module with FIPS 140-2 validation certificate #1092. To enable FIPS mode in Acrobat and Reader X and restrict document encryption and digital signatures to the FIPS-approved algorithms (AES/RSA/SHA) in this library, please refer to Section 6.1.11 of the Acrobat Digital Signature Admin Guide.

Adobe LiveCycle ES2 and ES2.5 include the RSA BSAFE Crypto-J 3.5 encryption module with FIPS 140-2 validation certificate #590. FIPS mode is configured in the product installer.

For information on FIPS compliance in Acrobat and Reader 9, see this post.

Trust, Enhanced: More updates to the Adobe Approved Trust List

Today, Adobe pushed out yet another update to its certificate trust program implemented in Adobe Reader and Acrobat. The AATL program, launched in 2009, makes it easier for users to view and rely on digitally signed PDFs by automatically displaying a green checkmark for those signature credentials that meet higher assurance requirements when opened in Reader and Acrobat 9 and X.

The update today included the Colombian A.C. Raiz Certicamara S. A. root certificate for Acrobat and Reader X.

Software Security is a Team Effort – SANS Webcast Tuesday 24 May

The SANS Institute, in conjunction with Adobe, is hosting a webcast featuring SANS security analyst Dave Shackleford and our own Brad Arkin entitled “Security of Applications: It Takes a Village.” This webcast will discuss the efforts Adobe is undertaking to deal with client software vulnerabilities in this age of advanced, zero-day threats. The webcast will also discuss how our customers can more effectively mitigate the risk posed by these threats and improve their reaction to newly discovered vulnerabilities with version standardization, improved assessment, and better patching and response cycles.

We hope you are able to attend as we continue the discussion on how we all can work together to ensure better real-world outcomes. You can register to attend this webcast here –

Advancing Flash Player Privacy and Security

Today, Adobe has released Flash Player 10.3, which includes several important new privacy and security features for our customers. Let us provide some background and perspective on how these features came about and what they mean for our customers:

Adobe has been leading a significant privacy initiative focusing on managing Flash Player Local Shared Objects (LSOs). We have actively participated in industry discussions on the topic and worked closely with Carnegie Mellon University and the Center for Democracy and Technology (CDT) to follow up on the reported misuse of Flash Player LSOs to “respawn” browser cookies—and to make changes in our technology to help address the associated privacy concerns. It was important for Adobe to understand how our development community was using our technology. The Carnegie Mellon University study showed that respawning browser cookies no longer appeared to be an active practice on the sites that were studied.

While these were promising results, we also wanted to further improve our end-users’ ability to control their settings and data. Flash Player 10.3 includes a number of exciting new features designed to give end-users more (and easier) ways to control their privacy:

  • Adobe coordinated with the open-source browser community to develop the ClearSiteData NPAPI. This new API allows the browsers to communicate a user’s desire to wipe user data stored by installed browser plugins. Now, when end-users go into their browser settings to clear their browser history or clear their cookies, they will be able to clear both their browser data as well as their plugin data. This API was designed so that any plugin can participate, and Flash Player is the first plugin to support the new API. Mozilla Firefox 4 already supports the new API today, and the Google Chrome team currently offers browser support for the feature in their dev channel. We expect to have official support across all open source browsers in the near future.
  • In addition to coordinating with the open-source browsers, Adobe also teamed up with Microsoft to provide equivalent functionality within Internet Explorer. With today’s launch, end-users can start taking advantage of this functionality in Internet Explorer 8 and 9. Microsoft even created a demo page, so that end-users can try out the functionality.
  • Another key focus area was to improve the Flash Player Settings Manager itself by making it easier for end-users to manage their Flash Player settings. In January, Emmy Huang, group product manager for Flash Player, announced our native control panel for Flash Player 10.3. Until now, end-users could manage their Flash Player settings by right-clicking on content written for Flash Player and selecting “Global Settings…” or by visiting the online Flash Player Settings Manager. The online version of the Flash Player Settings Manager was not very intuitive for end-users. With Flash Player 10.3, we have created a new native control panel for Windows, Macintosh and Linux desktops that will allow end-users to manage all of the Flash Player settings, including camera, microphone and Local Shared Objects. The control panel can still be found by right-clicking on content written for Flash Player and selecting “Global Settings.” However, starting with Flash Player 10.3, it can now also be found in the Control Panel or System Settings for your operating system. As an example, on Windows operating systems, the new native control panel in Flash Player 10.3 can be found under Control Panel -> Programs.

In addition to these privacy improvements, Flash Player 10.3 includes a new auto-update notification mechanism for the Mac OS platform. In the past, Mac users often had trouble keeping up with Flash Player updates since the Mac OS and Flash Player ship schedules are not in sync. With this new feature, Flash Player will automatically check each week for new updates and notify the user when new updates are available. This feature matches the auto-update notification capability previously implemented on Microsoft Windows.

Please check out Flash Player 10.3, and try out the new control panel. Also, watch for updates in your open-source browsers, since you will soon be receiving the ability to clear plugin data directly from the browser. We want to thank everyone who worked so hard in assisting us with this effort.

Peleus Uhley, Platform Security Strategist
Lindsey Wegrzyn, Sr. Privacy Product Manager

Updated 5/15/2011: Added reference to Mozilla Firefox 4 already offering support for the new ClearSiteData NPAPI.