Adobe: Wake Up & Smell the Javascript

Ever since Adobe’s recent updates to Acrobat and Reader, I’ve been irritated by the fact that every time I open a PDF, I’m prompted to  re-enable JavaScript, which I disabled while we were all waiting patiently for those patches to the last round of vulnerabilities.

"This document contains JavaScripts. Do you want to enable JavaScripts from now on? The document may not behave correctly if they’re disabled."

The main cause of my irritation (apart from the fact that it doesn’t believe me the first time I click "no" and sits there till I click it again) is that this message is blatantly incorrect: more often than not these are documents I’ve just generated myself, and there ain’t no JavaScripts. (Yes, I have checked!)

Which is why I said in a previous blog: "It’s actually a little more annoying than that. I now find that every time I open a PDF on this system, Acrobat informs me that JavaScript is enabled in the document (even when I’ve just created it on a system with JS disabled), and prompts me to re-enable it in the application. While there may be no signficant danger in re-enabling it right now, that may not always be so, and in any case I’d prefer it if Adobe would be a little less insistent."

This might be a good time to say "I told you so."

Adobe’s PSIRT blog has today reported that Adobe is aware of "a potential vulnerability in Adobe Reader 9.1 and 8.1.4" and that it is investigating.: No further information is given, but the vulnerability referred to is described at "Adobe Reader ‘getAnnots()’ Javascript Function Remote Code Execution Vulnerability." (Yes, the RSS feed still works: no, I didn’t get an email from the Security Notification Service!) 

According to the SecurityFocus page, it’s known to affect Reader 8.1.4 and 9.1 for Linux, but it also suggests that other versions or platforms may be vulnerable, and links to an exploit. However, I’m not aware that the vulnerability is being used "in the wild" at the moment. If or when it is, it will probably be used for targeted attacks, as we’ve seen previously, though there’s no absolute reason why such vulnerabilities can’t be used for more random attacks too, so bear in mind that PDFs are not an automatically "safe" format.

In the current absence of further information, I’d suggest that you think about disabling JavaScript (if you haven’t already) and ignore Adobe’s vexatious prompting, though I can’t guarantee that doing so fixes the underlying vulnerability: I don’t have that information at the moment. And perhaps, as Mikko Hypponen has been saying for a while, it really is time to think about other PDF readers.

I may come back to that thought, but for now I’m on my way to the Infosec exhibition in London, and will be there for much of the next three days. Maybe I’ll see some of you around the ESET UK stand, or at my presentation on testing?  

Director of Malware Intelligence

Author David Harley, ESET

  • Sean

    To avoid this stupid warning, I used a GPO and Policy Maker to disable javascript in PDF companywide. I’ve got Adobe Reader currently on the THREE STRIKES. Last issue was strike one, two more and it’s gone.

    Remember when the advantage to PDF was that it just displayed a page like you intended for it to look in print?

    If I wanted javascript, I would release my documents as web pages.

  • Ahmed ghanem

    Well it was a year ago when I began considering alternatives to Adobe, and I’m already using some other product [won’t mention the name as it’d be considered publication] and it’s not foxit reader as its text rendering is awful.

    Anyway regarding your note about the vulnerability and the message that shows up, it doesn’t occur with all PDFs, well at least not with the ones that are created according to the PDF/A specification.

  • The point of JavaScript in PDF files was to generate “smart forms”, that could include sanity checks against the data entered into the form. This would be useful for tax forms, while still maintaining the 1:1 electronic analogue with paper documents.

  • David Harley

    @Sean: yes, I’ve seen similar approaches suggested elsewhere. I should try it, in my copious free time. Thanks.

    @Ahmed: thanks. I’d forgotten PDF/A, as I have no use for it, generally.

    @Kim: thanks. You’re absolutely right: that’s the primary use for it. I’d still suggest turning it off when you’re not generating forms, if you can stand the nag messages. Incidentally, I read today on a mailing list that if you keep it disabled on such a form, you’ll get the message every time you access a field, not just when you open the document. I haven’t tried it.

  • Ahmed Ghanem

    David : well I don’t see any use exporting my documents as PDFs using 1.6 or 1.7 specifications, if I don’t need javascript or encryption, and the message doesn’t show mainly because javascript is prohibited in PDF/A files so I’d recommend anyone to convert his documents to the PDF/A for a while till this vulnerability gets patched, and I’m not excluding switching to another product as well.

    • Hi, Ahmed. What I meant by “have no use for” was that I create PDFs for a number of different purposes, and PDF/A wouldn’t suit them all, while the export process involves taking several steps that I’d rather not be bothered with. I can certainly see that for some people, changing the defaults for “Create PDF” would make sense. In which case, if you then received a PDF that triggered a prompt, that might actually be a useful indicator of danger, if the message wasn’t so misleading (i.e. didn’t tell you that there are scripts present when there aren’t). Deoending on how many other people made the same choice.

      I suppose my real gripe is that the quick and simple format isn’t… This is actually starting to annoy me so much that I’m considering reading the manual. ;-)

  • Ahmed Ghanem

    Yes, I actually see your point, I guess Adobe and Microsoft are all alike, I wonder if it’d take Adobe that much time to patch this vulnerability as it took Microsoft to begin considering to patch Autorun, really annoying though when you know you’re safer using another product and so…..

    I really like the Eset Threat Center blog, it keeps me always updated with most wide-spread threats, keep up the good work here guys :D

Follow us

Copyright © 2017 ESET, All Rights Reserved.