8

Aside from patch updates, is there any way to mitigate the risks with Adobe Reader exploits? Frankly, I don't know how most Reader exploits work. However, is there any functionality that I can disable in Reader that will make it safer from most exploits?

Josh Brower
Brett G

5 Answers

6

Disabling Javascript within Reader will help a bit. Also, enable the "Enhanced Security" feature (it is on by default in Reader 9.3 and 8.2).

MattB
  • I believe that, unfortunately, Reader will prompt the user to turn Javascript back on when it encounters Javascript. Is it possible to turn off Javascript permanently so a non-admin cannot turn it back on? – Knox Feb 26 '10 at 21:36
  • @Knox: Unfortunately I don't think that is possible. It can be set via group policy via a registry key and you can remove the user's rights to that key - but they can still turn it on in the current Reader session. – MattB Feb 26 '10 at 22:00
  • That was my understanding last time I investigated it. We are disabling it via the registry. – Knox Feb 26 '10 at 22:11
4

Unfortunately, Adobe Reader has had numerous serious security vulnerabilities in the past years, and although Adobe has focused slightly more on security lately (establishing their Product Security Incident Response Team (PSIRT)), it is wise to assume that new vulnerabilities will be found and exploited.

The most important things you can do are:

  • Read the Reader Security Guide, available from https://www.adobe.com/devnet/acrobat/security.html

  • In particular, disable Javascript if possible by setting bEnableJS under HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\JSPrefs to 0. Many of the recent exploits have utilized the Javascript support.

  • Keep an eye on the PSIRT blog and the ISC Storm Center for new vulnerabilities.

  • Establish an ongoing patch regime ensuring rapid deployment of new versions, and actively eradicate old versions.

  • The Adobe PSIRT publicly announced a serious flaw on December 14th 2009, but a patch was not available until mid-January 2010. For time intervals like this, you should have a plan for mitigating security controls, for example blocking PDFs on mail gateways and web proxies.

  • Consider the use of alternative PDF readers (Mac OS X has built-in support; Foxit Reader and others may be an alternative on the Windows platform).

oddbjorn
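
As an added example (not part of the answer above and not Adobe's code), this PowerShell script audits the `bEnableJS` value the answer names for every installed version of the current user and, with `-Enforce`, sets it to 0. The `Acrobat Reader` root, the `-Enforce` switch, and the treatment of `bEnableJS` as a DWORD are assumptions of this example; only the `Adobe Acrobat\9.0\JSPrefs` path comes from the answer.

```powershell
# Added example: audit (and optionally enforce) bEnableJS = 0 for the current user.
# First root is the path given in the answer; the second ("Acrobat Reader") is an
# assumption about where Reader-only installs keep the same preference.
param(
    [string[]]$ProductRoots = @(
        'HKCU:\Software\Adobe\Adobe Acrobat',
        'HKCU:\Software\Adobe\Acrobat Reader'
    ),
    [switch]$Enforce   # hypothetical switch: without it the script only reports
)

$results = foreach ($root in $ProductRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # One subkey per installed version, e.g. 9.0
    foreach ($versionKey in Get-ChildItem -LiteralPath $root) {
        $jsPrefs = "$($versionKey.PSPath)\JSPrefs"
        $current = $null
        if (Test-Path -LiteralPath $jsPrefs) {
            $current = (Get-ItemProperty -LiteralPath $jsPrefs -Name bEnableJS `
                        -ErrorAction SilentlyContinue).bEnableJS
        }

        # A missing value is reported separately: nothing has disabled JavaScript yet.
        $state = if ($null -eq $current) { 'NotSet' }
                 elseif ($current -eq 0) { 'Disabled' }
                 else                    { 'Enabled' }

        if ($Enforce -and $state -ne 'Disabled') {
            if (-not (Test-Path -LiteralPath $jsPrefs)) {
                New-Item -Path $jsPrefs -Force | Out-Null
            }
            New-ItemProperty -LiteralPath $jsPrefs -Name bEnableJS `
                -PropertyType DWord -Value 0 -Force | Out-Null
            $state = "Disabled (was $state)"
        }

        [pscustomobject]@{ Key = $versionKey.Name; bEnableJS = $current; State = $state }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a logon script or inventory tool flag this profile.
if ($results | Where-Object { $_.State -in 'Enabled', 'NotSet' }) { exit 1 }
```

Because the comments on the first answer note that a user can switch JavaScript back on, running this in report mode on a schedule shows where the setting has drifted.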
3

Not really, many of the recent vulnerabilities have been in either javascript or JPEG processing, so if you're inclined to disable images and JS, you might gain a little false sense of security.

Enhanced security mode does indeed help, but many of the recent exploits have had the ability to break out of the self-imposed sandbox.

The issue with Adobe Reader bugs is that it's an unexamined field. Sure, there have been bugs in Reader since time immemorial and people have discovered them, but only recently have auditors taken to looking for bugs.

Furthermore, and arguably compounding the issue, is the distinct LACK of buffer overflows in Adobe products (comparatively speaking to, say, Microsoft) in the past. For those who aren't familiar, the buffer overflow was THE programmatic flaw to exploit circa 1989-2005. Thus Adobe's been riding on a false air of security for quite some time. Now that highly complex vulnerabilities like use-after-free pointer dereferencing conditions and integer overflows leading into function pointer poisoning are becoming increasingly popular to exploit in Adobe products, Adobe is scrambling to review code for vulnerabilities (I've heard anecdotally that Adobe only kept 3 people on staff for security QA in the entire company before CVE-2009-0189).

The long story short is that vulns could be anywhere, so just practice due diligence. In this particular case - that means keeping AV updated and maintaining your IPS/Firewall.

zetavolt
2

Adobe has an extremely bad record of security. I highly recommend avoiding their products as much as possible. On my Linux system I use XPDF, which is open source, and there is a Windows version. Sumatra is another open source PDF viewer for Windows.

Rook
1

For what little it's worth, the users I've been able to deprive of local admin privs are perfectly safe. ;) (MattB's options are far more helpful, however).

Kara Marfia
  • +1 for not allowing users to have local admin privileges. – MattB Feb 26 '10 at 22:33
  • -1 for inaccuracy: Depriving users of local admin privs helps, but they are not perfectly safe. There are multiple AR vulnerabilities that allow local priv escalation (to admin level) from unpriv user (http://www.adobe.com/support/security/advisories/apsa08-02.html) (http://www.adobe.com/africa/support/security/bulletins/apsb09-10.html) – Josh Brower Feb 26 '10 at 23:08