Security beefed up in new Adobe Reader, Acrobat

Adobe this week released new versions of its flagship Reader and Acrobat products to include a number of new security capabilities.

Reader XI extends previously introduced sandbox "Protected View" controls -- in which PDFs are displayed in a confined environment to prevent malware from running elsewhere on the machine -- to now include "read-only" activities so hackers are unable to steal data via attacks, including so-called screen scrapes.

The new Reader and Acrobat editions also include a built-in security feature known as Address Space Layout Randomization, or ASLR. Introduced with the release of Windows Vista in early 2007, ASLR randomizes memory space and significantly lowers the chances for certain code execution attacks to succeed.

"Force ASLR improves the effectiveness of existing ASLR implementations by ensuring that all DLLs (dynamic-link libraries) loaded by Adobe Reader or Acrobat XI, including legacy DLLs without ASLR enabled, are randomized," Priyank Choudhury, a researcher with the Adobe Secure Software Engineering Team (ASSET), wrote in a Wednesday blog post. "By enabling Force ASLR in Adobe Reader and Acrobat XI, we are making it even more difficult for an attacker to exploit vulnerabilities."
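A DLL opts in to ASLR through the DYNAMIC_BASE bit (0x0040) of the DllCharacteristics field in its PE optional header, which is how an administrator can identify the "legacy DLLs without ASLR enabled" mentioned above. The Python below is an added example, not Adobe's code; the module names and header-only sample images are constructed for the demonstration.

```python
import struct

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (linker /DYNAMICBASE)

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image after validating headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 24  # 4-byte "PE\0\0" signature + 20-byte COFF header
    if len(image) < opt + 72 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad or truncated PE header")
    (size_opt,) = struct.unpack_from("<H", image, e_lfanew + 20)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B) or size_opt < 72:  # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags

def opts_in_to_aslr(image: bytes) -> bool:
    return bool(dll_characteristics(image) & DYNAMIC_BASE)

def legacy_modules(modules: dict) -> list:
    """Names of modules that would only be randomized if ASLR is forced."""
    return sorted(n for n, img in modules.items() if not opts_in_to_aslr(img))

def make_sample_pe(flags: int, pe32_plus: bool = False) -> bytes:
    """Constructed header-only image (not loadable), for demonstration."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 240 if pe32_plus else 224
    machine = 0x8664 if pe32_plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x2002)
    optional = bytearray(size_opt)
    struct.pack_into("<H", optional, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<H", optional, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)

# Constructed samples: 0x0100 = NX_COMPAT only, 0x0140 adds DYNAMIC_BASE,
# 0x0160 adds HIGH_ENTROPY_VA as well.
SAMPLES = {
    "legacy_plugin.dll": make_sample_pe(0x0100),
    "modern_plugin.dll": make_sample_pe(0x0140),
    "modern_plugin64.dll": make_sample_pe(0x0160, pe32_plus=True),
}

if __name__ == "__main__":
    print("Modules without DYNAMIC_BASE:", legacy_modules(SAMPLES))
```

To audit real files, pass the bytes read from each DLL on disk to `opts_in_to_aslr` in place of the constructed samples.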

The update also includes a new PDF Whitelisting Framework, which administrators can use to approve certain JavaScript running on PDF files or websites. In addition, the new versions offer support for elliptic curve cryptography (ECC) for digital signatures. ECC technology is generally considered a highly efficient form of public-key encryption.
