Acrobat 9.0: A Security Blunder


Adobe's latest flagship product, Acrobat 9.0, is subject to a major security vulnerability. According to Adobe, the algorithm used to protect documents has been changed, and the change can make it easier to crack the password that protects a PDF document. Version 8.0 used 128-bit AES encryption; version 9.0 switched to 256-bit AES encryption. Adobe says the switch was made to allow documents to open faster. However, testing a password under the 256-bit scheme requires fewer CPU cycles per attempt, so a brute-force attack can run much faster. The longer key does not help here, because the attack targets the password rather than the key.


Adobe recommends that users create password phrases when password-protecting documents. Specifically, it recommends using lines from your favorite songs or poems. In addition, it strongly recommends using a mix of uppercase and lowercase letters combined with numbers.
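The following is an added illustration, not code from Adobe or from the original article. It measures how many password checks per second a machine can run against a cheap verifier and a deliberately slow one, then estimates how long an exhaustive search of a 62-symbol alphabet (uppercase, lowercase, digits) would take at each rate. The single SHA-256 pass and PBKDF2 are stand-ins chosen for the comparison, not Acrobat's actual algorithms, and the password lengths are constructed.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def cheap_check(password: bytes, salt: bytes) -> bytes:
    # Assumption: one salted SHA-256 pass stands in for a low-cost verifier.
    return hashlib.sha256(password + salt).digest()

def costly_check(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    # Assumption: PBKDF2 stands in for a verifier that is slow on purpose.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def guesses_per_second(check, salt: bytes, trial_seconds: float = 0.2) -> float:
    """Measure how many candidate passwords this machine tests per second."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < trial_seconds:
        check(b"candidate-%d" % count, salt)
        count += 1
    return count / (time.perf_counter() - start)

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Size of the search space, in bits, for uniformly random passwords."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, rate: float) -> float:
    """Years needed to try every password at `rate` guesses per second."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR

if __name__ == "__main__":
    salt = os.urandom(8)
    rates = {
        "cheap check": guesses_per_second(cheap_check, salt),
        "costly check": guesses_per_second(costly_check, salt),
    }
    for length in (8, 12, 20):  # constructed sample lengths
        bits = keyspace_bits(62, length)
        for name, rate in rates.items():
            years = years_to_exhaust(bits, rate)
            print(f"len={length:2d} ({bits:5.1f} bits) {name:12s} "
                  f"{rate:12.0f} guesses/s -> {years:.3g} years")
```

The gap between the two rows at each length is the per-attempt cost difference; adding length, as a passphrase does, is what compensates when the verifier is cheap.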


A word of advice here: I have password-protected hundreds of documents that use password phrases, which are case sensitive. I have created a spreadsheet of the phrases that I've used. After I enter the phrase into the spreadsheet, I cut and paste it into the document. This way, I lessen the chance of fat-fingering the password and guarantee that the password that I type in the spreadsheet is the one I used to protect the document.


For users who have high-security requirements, Adobe recommends using PKI encryption or Adobe LiveCycle Rights Management encryption.


Adobe has published a Security Administration Guide for Acrobat. The guide covers the security differences for most of the major releases of the product and is available for download.


Despite this and a recent vulnerability in Reader 8.1.2 that could allow an attacker to take control of a computer, Adobe has done an excellent job in securing its products. Also on the plus side, Adobe offers excellent support, a blog in which many community members often participate, and a product forum that is moderated by a knowledgeable Adobe employee.