Information Regarding Adobe Reader & Acrobat and the Removal of DigiNotar from the Adobe Approved Trust List

In the past two weeks, it has come to light that Dutch certificate authority DigiNotar suffered a serious security breach in which a hacker generated more than 500 rogue SSL certificates and had access to DigiNotar’s services, including many that were relied upon specifically by the Dutch government for key citizen and commercial services.  The full extent of the attack is still not clear.

Last week, many of the major browser vendors removed DigiNotar certificates from their list of trusted certificates, and in turn, the Dutch government renounced trust in DigiNotar and took over certificate operations at the company.

What Does This Mean for Adobe Customers?

The DigiNotar Qualified CA root certificate is part of the Adobe Approved Trust List (AATL) program, which we have mentioned in this space on multiple occasions.  The AATL is designed to make it easier for authors to create digitally signed PDF files that are trusted automatically by Adobe Reader and Acrobat versions 9 and above, and includes many certificates from around the world.

While Adobe is not aware of any evidence at this time of rogue certificates being issued directly from the DigiNotar Qualified CA root in particular, an official report by Dutch security consultancy Fox-IT stated that there was evidence of the hacker having access to this CA, thus possibly compromising its security.  (The rogue certificates known today are SSL certificates originating from the DigiNotar Public CA.)

Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List. This update will be published next Tuesday, September 13, 2011 for Adobe Reader and Acrobat X. We have delayed the removal of this certificate until next Tuesday at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change.

The latest releases of Adobe Reader and Acrobat X (version 10.x) include a trust list that Adobe can dynamically manage without requiring a product update/patch.  A future product update of Adobe Reader and Acrobat version 9.x will also enable dynamic updates of the AATL.  In the meantime, users of Adobe Reader and Acrobat 9 and X can manually remove the DigiNotar Qualified CA using one of several methods described below.

With all of the enhancements in Adobe Reader and Acrobat X, including new features and security capabilities, Adobe recommends customers migrate to these latest releases–especially for the free Adobe Reader.

To be sure your copy of Adobe Reader or Acrobat will get the update, you can force a download of the AATL.  Go to Preferences->Trust Manager->Automatic Updates and click the Update Now button.  Also, be sure the “Load trusted root certificates from an Adobe server” option is checked.

We are also in discussions with the Dutch government about the status of the DigiNotar intermediate certificates under the “Staat der Nederlanden” roots, which are included in the AATL.  We will continue to update you on the latest developments regarding these other certificates via this “Security Matters” blog and the Adobe Product Security Incident Response Team (PSIRT) blog.
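To make concrete why removing a root from a trust list such as the AATL is the right lever for the DigiNotar Qualified CA, and why the DigiNotar intermediates issued under the Staat der Nederlanden roots need separate treatment, here is a small added example (not Adobe's code and not the AATL file format) that models a trust list as a set of root certificate fingerprints and walks a signer's chain up to a root. The certificate names follow this post; the fingerprints, the "Signer" leaves, the "DigiNotar Intermediate CA" and the "Example AATL Root" are constructed placeholders.

```python
# Added example (not Adobe's code): a toy model of a trust list like the AATL.
# It shows why removing a root distrusts every signature chaining to it, and why
# an intermediate that chains to a different, still-trusted root needs an explicit
# distrust entry instead.  Names follow the blog post; fingerprints are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str   # stands in for a SHA-1/SHA-256 thumbprint; constructed here


# Roots (self-signed) -- constructed placeholders for the real certificates
DIGINOTAR_QUALIFIED_ROOT = Cert("DigiNotar Qualified CA", "DigiNotar Qualified CA",
                                "fp:diginotar-qualified-root")
STAAT_ROOT = Cert("Staat der Nederlanden Root CA", "Staat der Nederlanden Root CA",
                  "fp:staat-root")
OTHER_ROOT = Cert("Example AATL Root", "Example AATL Root", "fp:example-root")

# A DigiNotar intermediate issued under the Dutch government root (constructed)
DIGINOTAR_INTERMEDIATE = Cert("DigiNotar Intermediate CA", "Staat der Nederlanden Root CA",
                              "fp:diginotar-intermediate")

# Constructed document-signing certificates (leaves)
SIGNER_A = Cert("Signer A", "DigiNotar Qualified CA", "fp:signer-a")
SIGNER_B = Cert("Signer B", "DigiNotar Intermediate CA", "fp:signer-b")
SIGNER_C = Cert("Signer C", "Example AATL Root", "fp:signer-c")

INTERMEDIATES = frozenset({DIGINOTAR_INTERMEDIATE})
AATL_BEFORE = frozenset({DIGINOTAR_QUALIFIED_ROOT, STAAT_ROOT, OTHER_ROOT})


def remove_anchor(anchors, root):
    """Return a new trust list without `root` (what the AATL update does)."""
    return frozenset(c for c in anchors if c.fingerprint != root.fingerprint)


def is_trusted(leaf, anchors, intermediates, distrusted=frozenset()):
    """Walk from the leaf toward a root; trusted only if the walk reaches an anchor.

    Anchors and the distrust list are matched by fingerprint, never by name, since
    a rogue certificate can carry any subject name.  Looking up the issuer by
    subject name is a simplification: a real validator verifies each signature
    with the issuer's public key.  Returns (trusted, reason).
    """
    anchor_fps = {c.fingerprint for c in anchors}
    by_subject = {c.subject: c for c in list(anchors) + list(intermediates)}
    current, seen = leaf, set()
    while current.fingerprint not in seen:
        seen.add(current.fingerprint)
        if current.fingerprint in distrusted:
            return False, f"{current.subject} is explicitly distrusted"
        if current.fingerprint in anchor_fps:
            return True, f"chain ends at trusted root {current.subject}"
        if current.subject == current.issuer:
            return False, f"self-signed {current.subject} is not in the trust list"
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            return False, f"issuer {current.issuer!r} not found"
        current = nxt
    return False, "issuer loop detected"


def summary(anchors, distrusted=frozenset()):
    """Trust verdict for each constructed signer under a trust list / distrust list."""
    return {leaf.subject: is_trusted(leaf, anchors, INTERMEDIATES, distrusted)[0]
            for leaf in (SIGNER_A, SIGNER_B, SIGNER_C)}


if __name__ == "__main__":
    after = remove_anchor(AATL_BEFORE, DIGINOTAR_QUALIFIED_ROOT)
    print("before removal:", summary(AATL_BEFORE))
    print("after removal: ", summary(after))
    print("after removal, intermediate distrusted:",
          summary(after, distrusted={DIGINOTAR_INTERMEDIATE.fingerprint}))
```

Two things the model preserves from real validation: trust decisions key on the certificate fingerprint, so a rogue self-signed certificate that copies the "DigiNotar Qualified CA" name is not matched by the trust list; and removing the DigiNotar Qualified root does nothing to a DigiNotar intermediate chaining to a still-trusted Staat der Nederlanden root, which is why those intermediates require an explicit distrust entry, as the paragraph above implies. A real validator also verifies every signature in the chain and consults revocation data, which this example omits.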

Finally, Adobe will be proactively implementing a number of changes to the policies, terms and Technical Requirements for our AATL program in light of the DigiNotar breach and will communicate these changes within the next few weeks.

How to Remove the DigiNotar Qualified CA Certificate

If you would like to remove the DigiNotar Qualified CA certificate manually from Adobe Reader and/or Acrobat, versions 9 or X, we describe below two ways to do so. Note that if you are operating a version of Adobe Reader and/or Acrobat prior to version 9, you do not need to take any action. Also, if you are an enterprise operating Adobe Reader and/or Acrobat, you should consult the Acrobat security and administration documentation for information about removing this certificate.

Method One – Security Settings File

1) Download this ZIP file, and extract the RemoveDigiNotar.acrobatsecuritysettings file inside it.

2) Open Adobe Reader and/or Acrobat.

3) In Adobe Reader/Acrobat 9, open the Advanced menu (Document menu in Reader)->Security->Import Security Settings. In Adobe Reader/Acrobat X, open the Edit Menu->Protection->Import Security Settings.

4) Browse to the file you just downloaded, select it, and click Open.

5) Click Import.

6) If the certificate was found on your machine, it will be removed.

Method Two – Manual Removal – Adobe Reader 9

1)   Open Adobe Reader.

2)   Open the Document Menu and choose Manage Trusted Identities.

3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4)   Select the DigiNotar Qualified CA.

5)   Click Delete, and then confirm the deletion by clicking OK.

Method Two – Manual Removal – Adobe Acrobat 9

1)   Open Adobe Acrobat.

2)   Open the Advanced Menu and choose Manage Trusted Identities.

3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4)   Select the DigiNotar Qualified CA.

5)   Click Delete, and then confirm the deletion by clicking OK.

Method Two – Manual Removal – Adobe Reader X (Win/Mac) and Acrobat X (Mac)

1)   Open Adobe Reader or Acrobat.

2)   Open the Edit Menu->Protection->Manage Trusted Identities.

3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4)   Select the DigiNotar Qualified CA.

5)   Click Delete, and then confirm the deletion by clicking OK.

Method Two – Manual Removal – Adobe Acrobat X (Win)

1)   Open Adobe Reader or Acrobat.

2)   Open the View Menu->Tools->Sign & Certify.  In the right-hand sidebar, click on More Sign & Certify->Manage Trusted Identities.

3)   Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4)   Select the DigiNotar Qualified CA.

5)   Click Delete, and then confirm the deletion by clicking OK.

This posting is provided “AS IS” with no warranties and confers no rights.