Risk
10/17/2012
05:32 PM
Connect Directly
RSS
E-Mail
50%
50%

Adobe Bolsters Security In Reader, Acrobat XI

Adobe builds on its sandboxing protections as part of a series of moves to improve security

Adobe Systems made a number of moves to improve security in Adobe Reader and Acrobat with new releases of the applications today.

Building off of the sandboxing protections the company first introduced into its products in 2010, Adobe has taken steps to add another layer of defense to the sandbox in the latest versions of Reader and Acrobat. In the case of Adobe Reader XI, the company has added data theft prevention capabilities by restricting read-only activities to prevent attackers from reading sensitive information on the user's computer. The company also has implemented a separate desktop and WinStation in both Reader and Acrobat to block screen-scraping attacks.

"This mode effectively introduces a new Protected View in Adobe Reader and enhances the Protected View implementation in Adobe Acrobat even further," explains Priyank Choudhury, a security researcher with Adobe Secure Software Engineering Team (ASSET), in reference to the separate desktop and WinStation. "Protected View behaves identically for Adobe Reader and Acrobat, whether viewing PDF files in the standalone product or in the browser."

In addition to the enhancements to Adobe's sandboxing capabilities, the company also enabled support for Force ASLR (Address Space Layout Randomization) on Windows 7 and Windows 8. According to Adobe, Force ASLR ensures all DLL files loaded by Adobe Reader or Acrobat -- including legacy DLLs without ASLR enabled -- are randomized. The move will make it more difficult for an attacker to exploit vulnerabilities, Choudhury explains.

The company also added the Adobe PDF Whitelisting Framework, which allows administrators to selectively enable advanced functionality, such as JavaScript for specific PDF files, sites, or hosts on both Windows and Mac OS X.

The final piece of the security overhaul is newly added support for Elliptic Curve Cryptography (ECC) for digital signatures. Users can now embed long-term validation information automatically when using certificate signatures and use certificate signatures that support elliptic curve cryptography (ECC)-based credentials, Choudhury blogs.

"Over the last year, we have continued to work on adding security capabilities to Adobe Reader and Acrobat, and today [Oct. 17], we are very excited to present Adobe Reader and Acrobat XI with a number of new or enhanced security features," he writes, adding that Adobe is "excited about these additional security capabilities in Adobe Reader and Acrobat XI, which mark the latest in our continued endeavor to help protect our customers by providing a safer working environment."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jim d.
50%
50%
Jim d.,
User Rank: Apprentice
10/18/2012 | 4:11:52 PM
re: Adobe Bolsters Security In Reader, Acrobat XI
When does it come out?
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.