05:32 PM
Connect Directly
Repost This

Adobe Bolsters Security In Reader, Acrobat XI

Adobe builds on its sandboxing protections as part of a series of moves to improve security

Adobe Systems made a number of moves to improve security in Adobe Reader and Acrobat with new releases of the applications today.

Building off of the sandboxing protections the company first introduced into its products in 2010, Adobe has taken steps to add another layer of defense to the sandbox in the latest versions of Reader and Acrobat. In the case of Adobe Reader XI, the company has added data theft prevention capabilities by restricting read-only activities to prevent attackers from reading sensitive information on the user's computer. The company also has implemented a separate desktop and WinStation in both Reader and Acrobat to block screen-scraping attacks.

"This mode effectively introduces a new Protected View in Adobe Reader and enhances the Protected View implementation in Adobe Acrobat even further," explains Priyank Choudhury, a security researcher with Adobe Secure Software Engineering Team (ASSET), in reference to the separate desktop and WinStation. "Protected View behaves identically for Adobe Reader and Acrobat, whether viewing PDF files in the standalone product or in the browser."

In addition to the enhancements to Adobe's sandboxing capabilities, the company also enabled support for Force ASLR (Address Space Layout Randomization) on Windows 7 and Windows 8. According to Adobe, Force ASLR ensures all DLL files loaded by Adobe Reader or Acrobat -- including legacy DLLs without ASLR enabled -- are randomized. The move will make it more difficult for an attacker to exploit vulnerabilities, Choudhury explains.

The company also added the Adobe PDF Whitelisting Framework, which allows administrators to selectively enable advanced functionality, such as JavaScript for specific PDF files, sites, or hosts on both Windows and Mac OS X.

The final piece of the security overhaul is newly added support for Elliptic Curve Cryptography (ECC) for digital signatures. Users can now embed long-term validation information automatically when using certificate signatures and use certificate signatures that support elliptic curve cryptography (ECC)-based credentials, Choudhury blogs.

"Over the last year, we have continued to work on adding security capabilities to Adobe Reader and Acrobat, and today [Oct. 17], we are very excited to present Adobe Reader and Acrobat XI with a number of new or enhanced security features," he writes, adding that Adobe is "excited about these additional security capabilities in Adobe Reader and Acrobat XI, which mark the latest in our continued endeavor to help protect our customers by providing a safer working environment."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Jim d.
Jim d.,
User Rank: Apprentice
10/18/2012 | 4:11:52 PM
re: Adobe Bolsters Security In Reader, Acrobat XI
When does it come out?
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web