Adobe Acrobat and Reader install by default with a fairly significant security flaw enabled. Acrobat has the ability to incorporate JavaScript into a document. It’s not uncommon for this feature to go unused and unknown; however, it’s enabled by default. As a result, a script, any script, can be executed on your computer. It’s a fairly simple matter for an attacker to embed JavaScript in a PDF and infect your computer or have it perform tasks they want. This vulnerability poses a major risk to your security, and has become a powerful attack vector for penetration testers and attackers alike.
Increasingly, Adobe applications are becoming a preferred target for hackers. According to an article by CIO, Adobe will be the top target for attackers in 2010. And there supposedly is no anti-virus checking for this vulnerability yet. Luckily, the solution to the problem is simple. For some time, security professionals have been recommending that users disable JavaScript in Adobe Acrobat and Reader. Now Adobe is recommending the same.
Make sure to patch any Adobe applications you may be running, see the steps below to disable JavaScript in Adobe Acrobat and Reader, and see possible alternatives to Adobe Reader.
To Disable JavaScript in Acrobat and Reader
Whether Mac, PC, or Linux, the steps should essentially be the same. Within the program, edit your Preferences, find the JavaScript section, and uncheck the option.
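The following is an added example, not part of the original post: a Python triage check that counts the PDF names marking embedded JavaScript (`/JavaScript`, `/JS`) and automatic actions (`/OpenAction`, `/AA`), including names written with `#xx` hex escapes and names inside Flate-compressed streams. The function names and the sample byte strings are constructed for illustration.

```python
import re
import zlib

# PDF names that signal embedded script or automatic actions.
SUSPECT = ("JavaScript", "JS", "OpenAction", "AA")
NAME = re.compile(rb"/([^\x00\t\n\f\r /<>\[\](){}%]+)")
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, which the PDF format permits inside names."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def inflate_streams(data: bytes):
    """Yield the contents of streams that inflate as Flate (zlib) data."""
    for m in STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # another filter or not compressed; raw bytes are scanned anyway

def count_names(data: bytes) -> dict:
    """Count suspect names in the raw file and in every inflated stream."""
    counts = dict.fromkeys(SUSPECT, 0)
    for chunk in (data, *inflate_streams(data)):
        for m in NAME.finditer(chunk):
            name = decode_name(m.group(1))
            if name in counts:
                counts[name] += 1
    return counts

def has_javascript(data: bytes) -> bool:
    counts = count_names(data)
    return counts["JavaScript"] > 0 or counts["JS"] > 0

# Constructed samples, not real documents.
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
ESCAPED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
           b"3 0 obj\n<< /S /JavaScript /#4A#53 (placeholder) >>\nendobj\n")
PACKED = (b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\n"
          b"stream\n" + zlib.compress(b"<< /S /JavaScript /JS (placeholder) >>")
          + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("escaped", ESCAPED), ("packed", PACKED)):
        print(label, has_javascript(doc), count_names(doc))
```

A hit is a reason to inspect the file more closely, not proof that it is malicious. Encrypted documents and streams that use filters other than Flate are not decoded by this check.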
Alternatives To Adobe Reader
You can look at CNET’s download.com for examples of applications that can be used to create and view PDFs. And this bit.ly link is a Google search for alternatives.