The reason why Reader XI is not shipped with Protected View enabled by default is that it breaks some workflows as the level of protection it offers is incompatible with screen readers or some other some common tasks like printing, Arkin said. With every update, the company is trying to solve some of the incompatibilities so that it can turn the feature on by default, Arkin said. However, people in highly targeted environments can still turn it on now and use various work-arounds to access the required functionality, he said.
As far as Flash Player is concerned, the immediate goal is to do more security testing and targeted code hardening in order to identify and fix potential flaws, Arkin said. Small changes are also being done to the ActionScript Virtual Machine 2 (AVM2) engine based on feedback from platform partners and people in the Chrome and IE 10 teams, in order to make it more robust against corrupt bytecode, he said.
The CSO title was needed at Adobe because the importance of cybersecurity in the world has increased, both from a technical point of view, with new types of attacks appearing, and also from a regulatory standpoint, with the new cybersecurity executive order in the U.S. and the cybersecurity strategy in the E.U., Arkin said.
"Creating a chief security officer position now is a way for us to communicate externally the scale of the work that we're doing on security internally," he said. "It also helps to convey the weight and serious nature of the issues and how Adobe is tackling them head on."