Adobe Reader Security – Trusted certificates

When Adobe Reader XI 11.0.0.6 was released, a new pop-up suddenly appeared the first time you opened Adobe Reader if the profile had settings from an older Adobe Reader X installation.

The message reads:

Trusted certificates from your previous version of Adobe Reader were found. Would you like to import them?

Any certificates that are not imported in this step will not be available in this version of Adobe Reader.

Adobe calls this the Addressbook and apparently this specific feature is the Addressbook Import.

The Windows Registry reference (under Security –> Addressbook Import) documents a setting with three options an administrator can choose from to stop this prompt from nagging users.

The setting is “iImportAddressBook” and has three options:

  • 0: Do not copy the old address book. The user is NOT prompted and the address book should NOT be installed.
  • 1 or null: Default: The user is asked whether the address book should either be installed or not.
  • 2: Import the address book silently.

To suppress this message and silently import the address book, set the DWORD value to 2. It would look something like this:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\Security\cDigSig]
"iImportAddressBook"=dword:00000002

If you need this to be part of the deployment, the suggestion is to add this value to the registry as part of the installation. The recommended approach is to use Adobe Customization Wizard XI; when using the Adobe-supported editor, the registry key will be part of their custom MSI table EnterpriseRegistries.
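
The same value can be read and written per user from PowerShell, which helps when checking what a profile actually has before and after deployment. This is an added example, not code from the original article or from Adobe; the function names are hypothetical, and the key path and value name are the ones shown in the .reg file above.

```powershell
# Added example: audit and set iImportAddressBook for the current user.
# Key path and value name are taken from the .reg file in the article.
$KeyPath   = 'HKCU:\Software\Adobe\Acrobat Reader\11.0\Security\cDigSig'
$ValueName = 'iImportAddressBook'

function Get-AddressBookImportMode {
    # A missing key or missing value is the documented "null" case: the user is prompted.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Raw = $null; Behaviour = 'Prompt user (default, value not set)' }
    }
    $raw = $item.$ValueName
    $behaviour = switch ($raw) {
        0       { 'Do not import, no prompt' }
        1       { 'Prompt user (default)' }
        2       { 'Import silently' }
        default { 'Undocumented value' }
    }
    [pscustomobject]@{ Raw = $raw; Behaviour = $behaviour }
}

function Set-AddressBookImportMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 2)]
        [int]$Mode
    )
    # The key does not exist until Reader XI has run in this profile, so create it if needed.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force overwrites an existing value and guarantees the DWORD type.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Mode -Force | Out-Null
}

Get-AddressBookImportMode          # state before the change
Set-AddressBookImportMode -Mode 2  # the silent import suggested in the article
Get-AddressBookImportMode          # state after the change
```

Because the key lives under HKEY_CURRENT_USER, the script has to run in each user's context (for example from a logon script) to have any effect on that user's profile.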

Adobe Reader Prompts / Performance

This is a repost of an old article published on an old blog.

Adobe Reader is the most commonly discussed security threat (Microsoft has apparently shaped up its process for addressing problems) and is still widely distributed software, so these can be seen as simple ways of improving its performance and end-user experience.

Avoiding prompts

Updater
The most common annoyances in a corporation are the automatic updates and call-backs to the vendor. For several years Adobe has released the Customization Wizard, which can automatically disable these in an installation package. Apart from that, you can also remove the Update plug-in (to decrease loading time) by removing its .API file (Updater.api) from the plug_ins folder (C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins).

Trust Manager
Something that rarely affects people is the Trust Manager, which is set to prompt users before updating a root certificate.

The setting is available under Preferences –> Trust Manager and can easily be switched off (Ask before installing). The prompt that may show up (if this is left checked) reads something like this:

A new security settings update is available from Adobe Systems. Would you like to install it now?

Edit Warnings
A setting that will lead to fewer prompts, though some of them may be desired, is Do not show Edit Warnings.

Available under Preferences –> General, this can be either reset or enabled / disabled. From the help of Adobe Acrobat Reader 8 the following can be read:

Do Not Show Edit Warnings
Disables warning boxes that would normally appear when you delete items such as links, pages, page thumbnails, and bookmarks.

Reset All Warnings
Restores default settings for warnings.

Multimedia-players
There are several settings for how to interact with third-party programs used to view multimedia files.

The settings for using an external multimedia player are defined using two levels of trust: Trusted or Other. Other defaults to prompting users whether they wish to open a file from an “other” source. Trusted is given the benefit of the doubt: it is considered a trusted source and is always allowed to execute.

Digital Signatures
Digital Signatures has several options; specifically, there is a hidden setting under Preferences –> Security, reached by clicking Advanced Preferences…

The default for verifying a signature is to use the method specified within the document; however, if that is not available it may cause the end-user to be prompted. To alter this, check the radio button below to use the Adobe Reader default method if the document-specified method is not available. Personally, I have never been prompted by this.

Performance

Rendering
Adobe Reader has continually been improving its performance; however, in an RDS (or similar) environment there may be settings that improve the usage of the application. Citrix has documented two in its knowledge base archive, with the following resolution:

Disable the options by going to the Edit menu > Preferences > Rendering and uncheck Smooth line art and Smooth images.

Screen Reader
There are often loads of tips available online, and a common one is to clear out the plug_ins folder. This speeds up loading, but also disables certain functionality. A specific example is when Adobe Reader is started by opening a document. This may cause performance problems (especially in the older versions of Reader), but v9 allows a more granular option.

The default option for Screen Reader is to only optimize for larger documents, with the minimum defined as 50 pages. This can be set to Only read the currently visible pages, decreasing the overhead when starting up. It may not give the same performance improvement as when v8.0 was released, but it's still an improvement.

One more for the keeping;

http://support.citrix.com/article/CTX119372

1. Open up Adobe Acrobat Reader.

2. In Acrobat Reader, select Edit > Preferences.

3. Under Categories, select Reading.

4. Under the Screen Reader Options section, clear the Confirm before tagging documents checkbox, then click OK.

Seems to affect Adobe Acrobat Reader 8 on Windows Server 2003 mostly…

Update;

http://kb2.adobe.com/cps/887/cpsid_88761.html