Adobe Bolsters Security In Reader, Acrobat XI

Adobe Systems made a number of moves to improve security in Adobe Reader and Acrobat with new releases of the applications today.

Building off of the sandboxing protections the company first introduced into its products in 2010, Adobe has taken steps to add another layer of defense to the sandbox in the latest versions of Reader and Acrobat. In the case of Adobe Reader XI, the company has added data theft prevention capabilities by restricting read-only activities to prevent attackers from reading sensitive information on the user's computer. The company also has implemented a separate desktop and WinStation in both Reader and Acrobat to block screen-scraping attacks.

"This mode effectively introduces a new Protected View in Adobe Reader and enhances the Protected View implementation in Adobe Acrobat even further," explains Priyank Choudhury, a security researcher with Adobe Secure Software Engineering Team (ASSET), in reference to the separate desktop and WinStation. "Protected View behaves identically for Adobe Reader and Acrobat, whether viewing PDF files in the standalone product or in the browser."

In addition to the enhancements to Adobe's sandboxing capabilities, the company also enabled support for Force ASLR (Address Space Layout Randomization) on Windows 7 and Windows 8. According to Adobe, Force ASLR ensures all DLL files loaded by Adobe Reader or Acrobat -- including legacy DLLs without ASLR enabled -- are randomized. The move will make it more difficult for an attacker to exploit vulnerabilities, Choudhury explains.

The company also added the Adobe PDF Whitelisting Framework, which allows administrators to selectively enable advanced functionality, such as JavaScript for specific PDF files, sites, or hosts on both Windows and Mac OS X.

The final piece of the security overhaul is newly added support for Elliptic Curve Cryptography (ECC) for digital signatures. Users can now embed long-term validation information automatically when using certificate signatures and use certificate signatures that support elliptic curve cryptography (ECC)-based credentials, Choudhury blogs.

"Over the last year, we have continued to work on adding security capabilities to Adobe Reader and Acrobat, and today [Oct. 17], we are very excited to present Adobe Reader and Acrobat XI with a number of new or enhanced security features," he writes, adding that Adobe is "excited about these additional security capabilities in Adobe Reader and Acrobat XI, which mark the latest in our continued endeavor to help protect our customers by providing a safer working environment."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.