Keeping Adobe Reader and Acrobat Safe

Yesterday we blogged about a problem in the design of PDFs that can lead to exploitation.

The problem is that PDFs are now designed to be able to include executable attachments and to execute them. Foxit has released a fix for their software. If you use Foxit then you should make sure your version is current. Adobe has a workaround, but not a patch or new version.

We did post the workaround, but I’ll post it again and include some other security settings that I recommend for most people using Reader or Acrobat. The first thing to do is to check for updates and make sure you have the most current version. For Reader this is free, for Acrobat there may be a charge to upgrade to the most current version, but patches should still be available for supported versions.

To protect against the problem with executables being run, open up Reader and go to the Edit menu and select Preferences… From here, on the left side of the window click on Trust Manger. On the right side there is a check box that you should uncheck. This will prevent Reader from opening non-PDF file attachments. This is a good start, but there’s more to securing Reader.

Still in Preferences, click on the label JavaScript and uncheck that box. Many of the past vulnerabilities in Reader, and there have been several, were exploiting by also using JavaScript. Most people don’t need JavaScript in a PDF. If you open a PDF that has JavaScript you will be prompted to turn it on. I always refuse to turn it on and I open the PDF without it.

Next, still in Preferences, click on Multimedia Trust (Legacy).  This is where you set how Reader acts when it runs Windows Media Player or Flash in a PDF. The default is to always run the multimedia files. I change this to Prompt. The reason for this is that sometimes there are vulnerabilities found in the media players. When the settings for the multimedia players prompt you to allow the media to be played, you can choose not to, especially if you weren’t expecting a media file.
Finally, in Preferences, click on Security (Enhanced) and make sure that the enhanced security is enabled.

PDFs are a major attack vector, but you can minimize the ability for many attacks to succeed by properly configuring Reader (and Acrobat) for better security.

Randy Abrams
Director of Technical Education

Author , ESET

  • Charles

    Hi Randy,
    Thanks for the update! From comes this IT-focused solution which can be pushed out to protect an entire company:
    ——forward to your IT group—–
    For administrators who wish to accomplish this with a registry setting on Windows, add the following DWORD value to:
    HKEY_CURRENT_USERSoftwareAdobeAcrobat Reader9.0Originals
    Name: bAllowOpenFile
    Type: REG_DWORD
    Data: 0
    Furthermore, an administrator can grey out the preference to keep end-users from turning this capability on, by adding the following DWORD value to: HKEY_CURRENT_USERSoftwareAdobeAcrobat Reader9.0Originals
    Name: bSecureOpenFile
    Type: REG_DWORD
    Data: 1
    Note: These samples assumed you were adding registry settings to Adobe Reader 9. For Adobe Acrobat, you would replace "Acrobat Reader" with "Adobe Acrobat", and for a different version, you would substitute its value for "9.0".

  • Adam Piggott

    Hi Randy, I'm an Eset UK reseller and wanted to note that there's another way of securing Acrobat Reader.

    One can use a customized installer to disable these features – and in some cases lock them disabled – which is helpful if you're installing it on many computers, helps prevent mistakes and omissions and applies the settings across all user accounts.

    I've put a set of installer files and a guide on my web site at:

    • Randy Abrams

      The URL didn’t make it, but I always advise people to only download from the developer’s site. A guise would be useful, but people really should download Adobe products from the Adobe web site.

Follow us

Copyright © 2017 ESET, All Rights Reserved.