Some Notes on Adobe Reader and Acrobat X (10.1)

As part of the regularly scheduled quarterly security updates for Adobe Reader and Acrobat, we released Adobe Reader and Acrobat 10.1 today. The Security Bulletin and Release Notes have all the details, but there are a few points I wanted to call out in particular:

Adobe Acrobat Protected View

The first is Adobe Acrobat Protected View (aka sandboxing). This security enhancement for Adobe Acrobat extends the concept of Adobe Reader Protected Mode (introduced with Adobe Reader X in November 2010) to the Acrobat browser plugin; it also introduces Adobe Acrobat Protected View for document viewing with Acrobat in standalone mode. Kyle Randolph’s post gives more technical context, but a short-hand description is that Adobe Acrobat Protected View offers similar mitigations and user workflows to Microsoft Office 2010 Protected View. Acrobat Protected View provides an additional layer of protection for Acrobat X users and will ultimately result in a safer experience, fewer urgent patches, and lower total cost of ownership in enterprise environments.

Adobe Reader Automatic Update Option for Windows Users

The second relates to the automatic update option in Adobe Reader. In April 2010, we activated a new updater for Adobe Reader and Acrobat designed to keep end-users up-to-date in a much more streamlined and automated way. With the activation of the new updater, Windows users were given the option to download and install updates for Adobe Reader and Acrobat automatically, without user interaction. During the first phase of the roll-out, we utilized the users’ current update settings found in the Preferences because the automatic update option was a significant change to the way most Windows users were accustomed to updating their product installations. With today’s update, we are entering the next phase in the roll-out by turning the automatic update option on by default for all Adobe Reader users on Windows. Because honoring the user’s choice is important to Adobe, the user will be presented with the following screen for the automatic update option the next time the Adobe Reader Updater detects that a new update is available:

The vast majority of attacks we are seeing are exploiting software installations that are not current with the latest security updates. We therefore believe that the automatic update option is the best option for most end-users and strongly encourage users to choose this option.

Support Model Change for Adobe Reader for Linux

The third is a change to our support model for Adobe Reader for Linux. Moving forward, we will ship security updates for Adobe Reader 9.x for Linux twice a year (i.e. every other quarter). The next security update for Adobe Reader 9.x for Linux will ship with the next quarterly security update for Adobe Reader and Acrobat on September 13, 2011. This change has been made to better align our engineering investments with usage patterns and the absence of attack activity — we have never seen or heard of reports of a real-world malware sample that was functional or targeted against Adobe Reader for Linux. Going forward, each security update for Adobe Reader 9.x for Linux will address all known CVEs present in the code for that platform.

Adobe Reader and Acrobat Quarterly Update Cycle

The last point is a quick reflection on two years of regularly scheduled security updates for Adobe Reader and Acrobat. In 2009, we announced a move towards regularly scheduled updates and shipped the first quarterly update on June 9, 2009. Since then, we have received quite a bit of positive feedback on the benefits of having a regular update cadence with a predictable schedule aligned with the Microsoft “Patch Tuesday” release of security updates. We have also demonstrated flexibility in responding appropriately to security incidents with out-of-cycle updates or accelerated schedules for planned releases.

There has also been occasional confusion regarding the definition of the term “quarterly.” To us, quarterly means once per quarter, but not necessarily exactly three months apart. Sometimes, the next release may be three months out; but depending on customer feedback and engineering schedules, we may also schedule the next release two or four months out. Our goal is to keep a regular cadence for Adobe Reader and Acrobat to provide timely updates to resolve vulnerabilities reported to Adobe and to allow our customers to plan for each security update by announcing the date of the next release in the Security Bulletin for each current release.

In closing, we are excited about Adobe Acrobat Protected View in today’s Acrobat X (10.1) release, and we hope even more end-users will take advantage of the automatic update option now turned on by default in Adobe Reader for Windows. The goal behind all of this work is to focus our efforts on activities that will help protect users by increasing the real-world cost to attackers, and we believe the Adobe Reader and Acrobat X (10.1) release helps us move the needle on this important metric.

Brad Arkin
Senior Director, Product Security and Privacy