Adobe Reader Security Considerations
Recently a number of warnings have been issued in various computer security publications regarding Adobe Acrobat Reader and potential vulnerabilities it introduces to PC workstations. However, many of the issues can be mitigated by careful user habits.
Most importantly:
- Don't visit websites you don't trust
- Don't open attachments from unknown/untrusted senders
These apply to much more than just PDF files.
Some recommendations adapted from the Carnegie Mellon Computer Emergency Response Team (CERT) report:
Disable JavaScript in Adobe Reader and Acrobat
Disabling JavaScript may prevent this vulnerability from being exploited. Acrobat JavaScript can be disabled in the General preferences dialog (Edit -> Preferences -> JavaScript, then un-check Enable Acrobat JavaScript).
Disable the displaying of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser may mitigate this vulnerability. If this workaround is applied to updated versions of the Adobe reader, it may mitigate future vulnerabilities.
To prevent PDF documents from automatically being opened in a web browser:
- Open Adobe Acrobat Reader.
- Open the Edit menu.
- Choose the preferences option.
- Choose the Internet section.
Prevent Internet Explorer from automatically opening PDF documents
Note: Users may wish to contact the Computer Support Help Desk for assistance with modifying the Windows registry.
The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Download this .reg file and double-click to install.
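To confirm the setting on a workstation, the following added example (not part of the original page or the CERT report) reads the text of a registry export and reports, for each AcroExch.* file type, whether EditFlags still allows opening without a prompt. It assumes the relevant bit is FTA_OpenIsSafe (0x00010000) from the Windows FILETYPEATTRIBUTEFLAGS definition; the function names and the sample export are constructed for illustration.

```python
import re

# Assumption: FTA_OpenIsSafe is the EditFlags bit that lets the open verb run without a prompt.
FTA_OPEN_IS_SAFE = 0x00010000

# Constructed sample in regedit export text form (not data from a real workstation).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\AcroExch.Document]
"EditFlags"=dword:00000000

[HKEY_CLASSES_ROOT\AcroExch.FDFDoc]
@="Adobe Acrobat Forms Document"
'''

def parse_edit_flags(value):
    """Decode EditFlags written as REG_BINARY (hex:, little-endian) or REG_DWORD (dword:)."""
    value = value.replace(" ", "")
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if value.startswith("hex:"):
        raw = bytes(int(b, 16) for b in value[4:].split(",") if b)
        return int.from_bytes(raw[:4].ljust(4, b"\0"), "little")
    raise ValueError("unsupported EditFlags encoding: " + value)

def audit_export(text, prefix="AcroExch."):
    """Return {ProgID: status} for top-level HKEY_CLASSES_ROOT keys starting with prefix."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join values continued with a trailing backslash
    results, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = re.match(r"\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]$", line)
            key = m.group(1) if m and m.group(1).startswith(prefix) else None
            if key:
                results[key] = "EditFlags not set"
        elif key and line.startswith('"EditFlags"='):
            flags = parse_edit_flags(line.split("=", 1)[1])
            results[key] = ("opens without prompt" if flags & FTA_OPEN_IS_SAFE
                            else "prompts before opening")
    return results

if __name__ == "__main__":
    for prog_id, status in audit_export(SAMPLE_EXPORT).items():
        print(f"{prog_id}: {status}")
```

Exports saved by regedit are normally UTF-16 text, so decode the file accordingly before passing its contents to `audit_export`.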
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.
Keep systems up-to-date with the latest patches and anti-virus signatures.
Computing & Communications provides Sophos Anti-Virus at no cost for staff and faculty campus and home computers as well as student residence hall computers. See more information about checking for updates in Sophos.
See more information about software patches and updates.
Limit user rights on systems to only those that are necessary.
Most everyday tasks can be accomplished on a PC without being logged in as an administrative user. A good policy is to create both an administrator account and a standard user account, perform most tasks in the standard user account, and log in to the administrator account only when installing new software or hardware.
US-CERT also recommends that organizations remind users of the following precautions when working with emails:
- Do not trust unsolicited email.
- Do not click links in unsolicited email messages.
- Employ the use of a spam filter.
- To educate users about social engineering and phishing attacks, review US-CERT Cyber Security Tip ST04-014, “Avoiding Social Engineering and Phishing Attacks.”

