Posts tagged "Reader"

Reader 9.x Reaches End-of-Life

Posted on June 26, 2013 by | Comments (0)

In line with the Adobe Support Lifecycle Policy, Adobe’s Acrobat 9.x and Reader 9.x suite of products reached their end-of-life (EOL) today, June 26, 2013. This means that Adobe will no longer provide security or other updates to this product suite.

Over the years, we’ve made several security enhancements in the successors of Reader 9, Reader X and Reader XI, including the Protected Mode (aka “sandboxing”) and Protected View. There has never been a better time to upgrade to Reader XI. Please upgrade, ensure automatic updates are turned on, and stay secure!

Karthik Raman

Security Researcher, ASSET

The Evolution of Exploit Sophistication

Posted on April 4, 2013 by | Comments (0)

When we look at the exploits that Adobe patched from February and March of this year, it is clear that today’s zero-day exploits are increasingly more sophisticated. This increase in sophistication is not limited to the skills needed to find and exploit the vulnerability. The code used to exploit the environment is also more robust in terms of code quality and testing. In short, exploit creation today requires the same level of rigor as professional software engineering projects.

Today’s advanced exploits need to be written to work in any target environment. For instance, February’s Reader 0-day supported 10 different versions of Reader with 2 sub-versions dependent on the end-user’s language. In addition, Flash Player CVE-2013-0634 had shell code for Windows XP, Vista, Windows 7, Server 2003, Server 2003 R2, Server 2008 and Server 2008 R2 as well as supporting six versions of Flash Player. Variants of CVE-2013-0634 also supported Firefox and Safari on Mac OS X. An exploit developer would need a robust testing environment to ensure that the exploit would work in that many different environments for each version of Flash Player. The exploit writers even took into account different CPU architectures by including a signed 32-bit payload and a 64-bit payload. This reflects the fact that these exploits are written with professional code quality and stability requirements for distribution across a dynamic target base.

As vendors are increasing software defenses through techniques such as sandboxing, attackers are now combining multiple vulnerabilities from different vendors to achieve their goals.When I look at the reports from Pwn2Own and some of the recent zero-day reports such as CVE-2013-0643, attacks are moving toward combining vulnerabilities from multiple products, some of which are from different vendors. We are moving away from the model of single vulnerability exploits.

This is all a part of the natural evolution of the threat landscape and the commercialization of exploits. This will require an equal evolution on the part of vendors in their software defences. Karthik Raman and I will be discussing this topic, “Security Response in the Age of Mass Customized Attacks,” in more detail at the upcoming Hack in the Box Conference (HITB) Amsterdam next week. Please stop by our talk if you would like to discuss this further.

Peleus Uhley
Platform Security Strategist

New Security Capabilities in Adobe Reader and Acrobat XI Now Available!

Posted on October 17, 2012 by | Comments (0)

This week, Adobe released the next generation of Adobe Reader XI and Acrobat XI with improved security features, among many other enhancements.

Adobe Reader X represented a milestone release in terms of security with the introduction of Adobe Reader Protected Mode (aka “sandboxing”), which created a more secure environment for our customers. We followed the Adobe Reader X release with the introduction of Adobe Acrobat X (10.1) Protected View. Since we added sandbox protection to Adobe Reader and Acrobat, we have not seen any exploits in the wild that break out of the Adobe Reader and Acrobat X sandbox.

Over the last year, we have continued to work on adding security capabilities to Adobe Reader and Acrobat, and today, we are very excited to present Adobe Reader and Acrobat XI with a number of new or enhanced security features.

Adobe Reader XI Protected Mode (Enhanced)

In our Adobe Reader X sandbox implementation, the sandboxing architecture’s primary focus was on “write protection” to prevent the attacker from installing malware on the user’s machine and from monitoring the user’s keystrokes when the user interacts with another program.

In Adobe Reader XI, we have added data theft prevention capabilities by extending the sandbox to restrict read-only activities to help protect against attackers seeking to read sensitive information on the user’s computer.

Adobe Reader Protected View (New) and Adobe Acrobat Protected View (Enhanced)

To provide an additional layer of defense and strengthen the sandbox protection in Adobe Reader and Acrobat even further, we have implemented a separate desktop and WinStation in Adobe Reader and Acrobat XI, which will block, for instance, screen scraping attacks. For additional insights into implementing a separate desktop to provide an additional layer of defense, see David LeBlanc’s Web log entry Practical Windows Sandboxing – Part 3. For details on WinStations and desktops in general, click here.

This mode effectively introduces a new Protected View in Adobe Reader and enhances the Protected View implementation in Adobe Acrobat even further. Protected View behaves identically for Adobe Reader and Acrobat, whether viewing PDF files in the standalone product or in the browser. For more information, administrators can refer to the Enterprise Toolkit for Acrobat Users.

Force ASLR Support in Adobe Reader/Acrobat XI

Adobe Reader and Acrobat leverage platform mitigations such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), etc. In Adobe Reader and Acrobat XI, we have enabled support for Force ASLR on Windows 7 and Windows 8. Force ASLR improves the effectiveness of existing ASLR implementations by ensuring that all DLLs loaded by Adobe Reader or Acrobat XI, including legacy DLLs without ASLR enabled, are randomized. By enabling Force ASLR in Adobe Reader and Acrobat XI, we are making it even more difficult for an attacker to exploit vulnerabilities. For more information on ASLR and Force ASLR, please refer to Microsoft’s Knowledge Base article on the topic.

PDF Whitelisting Framework

For high-assurance, managed enterprise environments, we’ve added the Adobe PDF Whitelisting Framework, which allows administrators to selectively enable advanced functionality, such as JavaScript for specific PDF files, sites or hosts, on both Windows and Mac OS.

Support for Elliptic Curve Cryptography

And last but not least, we have added support for Elliptic Curve Cryptography (ECC) for digital signatures in the area of content security. Users can now embed long-term validation information automatically when using certificate signatures and use certificate signatures that support elliptic curve cryptography (ECC)-based credentials.

We’re excited about these additional security capabilities in Adobe Reader and Acrobat XI, which mark the latest in our continued endeavor to help protect our customers by providing a safer working environment.

Priyank Choudhury
Security Researcher, Adobe Secure Software Engineering Team (ASSET)

Adobe’s Support of “International Technology Upgrade Week”

Posted on July 23, 2012 by | Comments (0)

Earlier today, Skype together with Norton by Symantec and TomTom kicked off “International Technology Upgrade Week,” a global initiative to encourage consumers to regularly download and install software updates. Keeping software up-to-date is probably the single-most important advice we can give to users—consumers and businesses alike. For details on this consumer-focused update initiative, we invite you to read the Adobe Reader blog post supporting this very important update initiative.

Join Skype, Norton by Symantec, TomTom and Adobe this week, and take the time to make sure your software is—and stays—up-to-date. For consumers outside of managed environments, choose automatic updates, if your software offers this option; or if it doesn’t, install updates when you first receive the update notification.

Adobe Reader and Acrobat X (10.1.2) and 9.5 Add JavaScript Whitelisting Capability

Posted on January 10, 2012 by | Comments (0)

Today, we released the quarterly security updates for Adobe Reader and Acrobat (versions 10.1.2 and 9.5). The security bulletin and release notes have comprehensive details. This blog post will highlight an important security-related enhancement in this release:

JavaScript Whitelisting Capability

Adobe Reader and Acrobat allow administrators to disable the execution of JavaScript embedded in PDF files, a potential attack vector for exploits. While doing so provides mitigation against JavaScript-based vulnerabilities, it also breaks PDF-based solution workflows that rely on forms and JavaScript.

The new JavaScript whitelisting capability introduced in Adobe Reader and Acrobat X (10.1.2) and 9.5 allows JavaScript execution in PDF files based on document trust. If a document is trusted, JavaScript execution will be allowed; but if it is untrusted, Adobe Reader and Acrobat will prevent all JavaScript execution. The trust decision is based on Privileged Locations.

With this capability, two additional admin controls have been added:

  • JavaScript Lockdown
    • Provides administrators the ability to lock down all JavaScript execution, except when embedded in trusted documents, and prevent users from enabling JavaScript from the user interface/preferences

  • AdminTrusted Locations
    • Provides administrators the ability to add trusted locations

In case administrators want to completely disable all JavaScript execution, including the execution of JavaScript in trusted PDF files, they can take advantage of the “Javascript lockdown” capability along with the “Disable Trusted Location” capability, which prevents users from adding Privileged Locations.

Please refer to the release notes for more details.

Steve Gottwals, Group Product Manager, Adobe Reader
Priyank Choudhury, Security Researcher, Adobe Secure Software Engineering Team (ASSET)

Just Released! Adobe Reader 10.1 for iOS and Android with LiveCycle Rights Management Support

Posted on October 18, 2011 by | Comments (2)

Now available for free on the Apple App Store and the Android MarketAdobe Reader 10.1 brings to your favorite mobile devices the same best-in-class PDF viewing experience you’re used to on the desktop. This latest release is our first for iOS devices, and shows Adobe’s commitment to provide the most compelling mobile experiences on the most popular platforms. With each new version, Adobe is bringing to mobile those capabilities that users on the go find most important, like text search, easy page navigation, bookmarks, and printing.

As a result, key among the new features in Adobe Reader 10.1 for Mobile is support for accessing files secured by Adobe LiveCycle Rights Management. LiveCycle Rights Management protects sensitive documents by encrypting them with industry-standard AES encryption and enabling central management of their access permissions. Protections persist even when documents are accidentally distributed via email, the cloud, or saved on a lost mobile device. Continue reading…

Adobe Acrobat X and Reader X Are Now JITC Certified!

Posted on October 18, 2011 by | Comments (0)

“JITC certified,” you say…what’s that?  JITC stands for the US Department of Defense’s Joint Interoperability Test Command, which carries out extensive work on software and other systems intended to be used by the US military for mission critical purposes.

In this specific instance, Adobe Acrobat and Reader X have been certified by JITC for their compliance with the DoD’s application requirements for Public Key Enabled services, e.g digital signatures.  The testing included intensive, comprehensive evaluations of Acrobat and Reader’s capabilities in:

  • Certificate operations
  • Signature and certificate status validation
  • Path processing and validation
  • Configuration and documentation

Adobe is proud to note that we have consistently been certified for JITC compliance in every version of Adobe Acrobat and Reader back to version 7 back in 2006.

Click here for a link to the official JITC list of software and solutions that have been tested for Public Key Enabled compliance.

Information Regarding Adobe Reader & Acrobat and the Removal of DigiNotar from the Adobe Approved Trust List

Posted on September 9, 2011 by | Comments (13)

In the past two weeks, it has come to light that Dutch certificate authority DigiNotar suffered a serious security breach in which a hacker generated more than 500 rogue SSL certificates and had access to DigiNotar’s services, including many that were relied upon specifically by the Dutch government for key citizen and commercial services.  The full extent of the attack is still not clear.

Last week, many of the major browser vendors removed DigiNotar certificates from their list of trusted certificates, and in turn, the Dutch government renounced trust in DigiNotar and took over certificate operations at the company.

What Does This Mean for Adobe Customers?

The DigiNotar Qualified CA root certificate is part of the Adobe Approved Trust List (AATL) program, which we have mentioned in this space on multiple occasions.  The AATL is designed to make it easier for authors to create digitally signed PDF files that are trusted automatically by Adobe Reader and Acrobat versions 9 and above, and includes many certificates from around the world.

While Adobe is not aware of any evidence at this time of rogue certificates being issued directly from the DigiNotar Qualified CA root in particular, an official report by Dutch security consultancy Fox-IT stated that there was evidence of the hacker having access to this CA, thus possibly compromising its security.  (The rogue certificates known today are SSL certificates originating from the DigiNotar Public CA.)

Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List. This update will be published next Tuesday, September 13, 2011 for Adobe Reader and Acrobat X. We have delayed the removal of this certificate until next Tuesday at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change.

Continue reading…

Adobe Acrobat and Reader 10.1 Released, Feature New Security and Signature Enhancements

Posted on June 15, 2011 by | Comments (0)

Just last night, we announced the availability of updates to both Adobe Acrobat and Reader, bringing them up to version 10.1.  Along with a significant list of vulnerability mitigations, these updates also bring with them substantial changes to the secure operation of Acrobat on Windows, and to the digital signature functionality across platforms.

First, Acrobat 10.1 on Windows now features the same Protected Mode operation as Adobe Reader X, protecting users from malicious PDFs.  Additional information on Acrobat’s implementation of sandboxing is available on the Adobe Secure Software Engineering Team’s (ASSET) blog.  For those savvy in digital signatures, note that Protected Mode (on both Acrobat and Reader) may impair the installation of PKCS#11-based tokens.  Refer to the simple instructions here for a workaround.

And if you’re like me and love the nitty-gritty details of digital signatures, you’ll probably appreciate the other signature-specific changes in 10.1…

Continue reading…

Update: FIPS Validation Certificates for Acrobat/Reader X and LiveCycle ES2.5

Posted on May 23, 2011 by | Comments (0)

Version X of Adobe Acrobat and Adobe Reader include the RSA BSAFE Crypto-C ME 3.0.0.1 encryption module with FIPS 140-2 validation certificate #1092. To enable FIPS mode in Acrobat and Reader X and restrict document encryption and digital signatures to the FIPS approved algorithms (AES/RSA/SHA) in this library, please refer to Section 6.1.11 of the Acrobat Digital Signature Admin Guide.

Adobe LiveCycle ES2 and ES2.5 include the RSA BSAFE Crypto-J 3.5 encryption module with FIPS 140-2 validation certificate #590. FIPS mode is configured in the product installer.

Information on FIPS compliance in Acrobat and Reader 9….see this post.