PDF – Pretty Darned Fatal

Adobe PDF files were supposed to be a safe alternative to Microsoft Word documents in a time when Microsoft offered no effective protection against macro viruses and had virtually no security model in Office at all. Times change. Microsoft Word documents rarely spread macro viruses and have not for a long time if you are using versions of Word newer than Office XP.

In a dazzling display of arrogant refusal to learn from history, Adobe has configured their products for inferior security by deliberately choosing not to learn security lessons that Microsoft learned years ago.

Security flaws in Adobe reader and Adobe Acrobat are a major problem, but in most cases the technology that allows the exploits to work is JavaScript. Adobe Reader and Acrobat support JavaScript and insanely leave it enabled by default. In practice most PDFs do not require JavaScript and many that do are quite usable without it anyway.

If you want to do something simple to help protect yourself against drive-by malware infections – the kind where you simply go to a webpage and get infected, then disable JavaScript in Acrobat and Reader.

In Adobe Reader version 9, you go to the edit menu, select preferences, then JavaScript, and then uncheck the box that says “Enable Acrobat JavaScript”.

This is how Adobe would set the defaults if they listened to their security experts instead of the marketing department.

While you’re at it, it doesn’t hurt to go to the help menu and check for updates too!

Randy Abrams
Director of Technical Education

Author , ESET

  • The main application of Javascript in PDFs (as I understand it) is for corporate forms validation, although I recently found out that sometimes Google Docs uses it for printing. But perhaps if there were a policy you could set, and eventually they could make this mandatory, that JavaScript is disable unless the PDF is signed by a trusted CA, and optionally from a specfic whitelist of signers. That would make it much harder to social-engineer an attack, even a targeted one.

    • Randy Abrams

      signed scripts? Are you suggesting they learn from the successful security model in Microsoft word? Yeah, Microsoft has validated the approach you suggest. I believe ihave come across JavaScript in IRS forms also.

Follow us

Copyright © 2017 ESET, All Rights Reserved.