Security Matters

Now available for free on the Apple App Store and the Android Market, Adobe Reader 10.1 brings to your favorite mobile devices the same best-in-class PDF viewing experience you’re used to on the desktop. This latest release is our first for iOS devices, and shows Adobe’s commitment to provide the most compelling mobile experiences on the most popular platforms. With each new version, Adobe is bringing to mobile those capabilities that users on the go find most important, like text search, easy page navigation, bookmarks, and printing.

As a result, key among the new features in Adobe Reader 10.1 for Mobile is support for accessing files secured by Adobe LiveCycle Rights Management. LiveCycle Rights Management protects sensitive documents by encrypting them with industry-standard AES encryption and enabling central management of their access permissions. Protections persist even when documents are accidentally distributed via email, the cloud, or saved on a lost mobile device. Continue reading…

“JITC certified,” you say…what’s that?  JITC stands for the US Department of Defense’s Joint Interoperability Test Command, which carries out extensive work on software and other systems intended to be used by the US military for mission critical purposes.

In this specific instance, Adobe Acrobat and Reader X have been certified by JITC for their compliance with the DoD’s application requirements for Public Key Enabled services, e.g digital signatures.  The testing included intensive, comprehensive evaluations of Acrobat and Reader’s capabilities in:

• Certificate operations
• Signature and certificate status validation
• Path processing and validation
• Configuration and documentation

Adobe is proud to note that we have consistently been certified for JITC compliance in every version of Adobe Acrobat and Reader back to version 7 back in 2006.

Click here for a link to the official JITC list of software and solutions that have been tested for Public Key Enabled compliance.

In the past two weeks, it has come to light that Dutch certificate authority DigiNotar suffered a serious security breach in which a hacker generated more than 500 rogue SSL certificates and had access to DigiNotar’s services, including many that were relied upon specifically by the Dutch government for key citizen and commercial services.  The full extent of the attack is still not clear.

Last week, many of the major browser vendors removed DigiNotar certificates from their list of trusted certificates, and in turn, the Dutch government renounced trust in DigiNotar and took over certificate operations at the company.

What Does This Mean for Adobe Customers?

The DigiNotar Qualified CA root certificate is part of the Adobe Approved Trust List (AATL) program, which we have mentioned in this space on multiple occasions.  The AATL is designed to make it easier for authors to create digitally signed PDF files that are trusted automatically by Adobe Reader and Acrobat versions 9 and above, and includes many certificates from around the world.

While Adobe is not aware of any evidence at this time of rogue certificates being issued directly from the DigiNotar Qualified CA root in particular, an official report by Dutch security consultancy Fox-IT stated that there was evidence of the hacker having access to this CA, thus possibly compromising its security.  (The rogue certificates known today are SSL certificates originating from the DigiNotar Public CA.)

Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List. This update will be published next Tuesday, September 13, 2011 for Adobe Reader and Acrobat X. We have delayed the removal of this certificate until next Tuesday at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change.

Continue reading…

Just last night, we announced the availability of updates to both Adobe Acrobat and Reader, bringing them up to version 10.1.  Along with a significant list of vulnerability mitigations, these updates also bring with them substantial changes to the secure operation of Acrobat on Windows, and to the digital signature functionality across platforms.

First, Acrobat 10.1 on Windows now features the same Protected Mode operation as Adobe Reader X, protecting users from malicious PDFs.  Additional information on Acrobat’s implementation of sandboxing is available on the Adobe Secure Software Engineering Team’s (ASSET) blog.  For those savvy in digital signatures, note that Protected Mode (on both Acrobat and Reader) may impair the installation of PKCS#11-based tokens.  Refer to the simple instructions here for a workaround.

And if you’re like me and love the nitty-gritty details of digital signatures, you’ll probably appreciate the other signature-specific changes in 10.1…

Continue reading…

Version X of Adobe Acrobat and Adobe Reader include the RSA BSAFE Crypto-C ME 3.0.0.1 encryption module with FIPS 140-2 validation certificate #1092. To enable FIPS mode in Acrobat and Reader X and restrict document encryption and digital signatures to the FIPS approved algorithms (AES/RSA/SHA) in this library, please refer to Section 6.1.11 of the Acrobat Digital Signature Admin Guide.

Information on FIPS compliance in Acrobat and Reader 9….see this post.