Turns out there are some nasty security holes in Adobe Reader that are not bugs, just intended features. Unfortunately, these “features” should not be enabled by default, but they are.

1. JavaScript - there really is no reason to have JavaScript enabled in most PDF documents unless it is a form-based document that requires input with validation. So, unless you use this type of document all the time, please disable JavaScript in the Preferences dialog (located under the Edit menu, or just press Ctrl-K). Click on the JavaScript category and uncheck Enable Acrobat JavaScript.

2. External Application Launching - Believe it or not, Reader can launch other application and have them display their content within the PDF viewer. This is enabled by default! Turns out there is a hack to change the contents of the warning dialog to use social engineering to deceive the user into allowing the application to launch and even launch arbitrary code to take over your computer. This is easily avoidable by disabling it – if you ever do need it, Adobe Reader will tell you that it is disabled and you can have the opportunity to re-enable it. To do so,go to the Preferences dialog and click on the Trust Manager category. Uncheck “Allow opening of non-PDF file attachments with external applications.” Please.

This entry was posted on Thursday, April 15th, 2010 at 1:43 pm and is filed under Security, WILT. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.