Disarming Adobe PDF Viewer
Security researcher David Kierznowski has found a few flaws in the Adobe PDF viewer and Acrobat PDF creator. Using the built-in Javascript he was able to construct PDFs that can force MS Internet Explorer to open a malicious URL without warning, and to perform reconnaissance of local settings like ODBC connections.
We wrote about problems with PDF last Wednesday. PDF and Flash seem to be security blind spots… they’ve been considered harmless for so long that people just tune out at any mention of security issues. Many antivirus products also skip scanning PDFs, even though PDFs can contain embedded malware and can launch external programs at will.
So what can an organization do about PDFs? The Reader is encrusted with multiple "enhancements" and e-commerce plugins that can be abused, and its settings are entirely under the control of the user: disable Javascript and the multimedia settings, and the user can re-enable them at any time (users are actually prompted to re-enable features when a PDF asks to use them).
Here are some suggestions for protecting yourself from potential PDF exploits:
Use a different default viewer
The attack surface comes from the ever-expanding capabilities of the PDF file specification (scripting, embedded files, SOAP, etc.), but the vulnerabilities themselves are mostly specific implementation errors in Adobe Reader. Alternative PDF viewers are available. For Windows the best one is currently Foxit Reader. The basic version is free to use and works well for viewing and printing most PDFs.
However, Foxit Reader also supports scripting and plug-ins, so it probably has vulnerabilities of its own. At least they’ll be different from those in Adobe Reader. Some PDFs use advanced formatting and features that only work correctly in Adobe Reader, so one strategy is to install both viewers but set Foxit as the default. Then PDFs from email and web pages will launch the alternate reader, but users can still open the Adobe one when needed.
Disable vulnerable settings
Individual users can disable many of the exploitable features of Adobe Reader. Open the viewer, select File -> Preferences and change all of the following:
- General: disable "Automatically detect URLs from text"
- Internet: disable "Display PDFs in browser" (this has been exploitable in the past under MS Internet Explorer)
- Multimedia: "Preferred player": set to anything other than the highly vulnerable Windows Media Player
- Security -> Advanced preferences: When verifying: "Always use the default method" (and set the default method to be "Windows", if it’s available)
- Trust Manager: Uncheck "Allow multimedia operations" for both "Trusted documents" and "untrusted documents"
- Trust Manager: Uncheck "Allow documents to open other files and launch other applications"
There’s no point in trying to disable Javascript… the Reader and many plugins use it, and it will keep hounding you to re-enable it.
Keep in mind that the user has full control over the settings of the PDF viewer, and when a feature like multimedia is requested by a PDF the user will be prompted to turn it back on. An administrator cannot force settings to be immutable: settings are read at startup but can be changed by the user after Adobe Reader is running.
Remove plug-ins
Much of the extra unwanted functionality in Adobe Reader is provided as plug-ins. Multimedia, Internet search, eBook reading and other capabilities can be disabled by carefully deleting or renaming files in the plug_ins and plug_ins3d directories. Various guides are available around the net describing which ones are safe to disable, and a free tool named Adobe Reader Speedup can automate the process.
Be careful playing around with the plugins: it can completely disable the viewer. The plugins are also re-installed each time the software is updated.
Check your anti-virus
Verify that both the anti-virus gateway and desktop AV are configured to scan inside PDF files. Also check that they are capable of seeing embedded objects in PDFs. You’ll need to create your own PDFs using the full Acrobat product and embed test objects like malicious ASX multimedia and the EICAR test pattern. If you don’t own Acrobat, Adobe offers a 30-day trial.
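The embedded-object check can also be run without Acrobat. The following Python script is added here as an example and is not part of the original post: it builds a minimal, valid single-page PDF that carries the public EICAR test pattern as an embedded file attachment, verifies its own cross-reference table, and includes the extraction step a scanner has to perform to reach the attachment. The attachment name `eicar.com`, the output file name and the fixed object layout are my choices, and the extractor assumes unfiltered streams (it does not decode the /FlateDecode compression most real-world PDFs apply).

```python
"""Build a test PDF with the EICAR pattern as an embedded file, and show the
extraction a PDF-aware scanner must do. Added example, not the post's code."""
import re
from typing import List

# The standard, harmless EICAR anti-virus test string (68 bytes).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def pdf_string(s: bytes) -> bytes:
    """Wrap bytes as a PDF literal string, escaping its three special chars."""
    s = s.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
    return b"(" + s + b")"


def build_pdf_with_attachment(filename: bytes, payload: bytes) -> bytes:
    """Return a complete PDF whose catalog lists `payload` as an embedded file.
    Objects are numbered 1..5 in a fixed order (assumption made for brevity)."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names ["
        + pdf_string(filename) + b" 5 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        # The attachment itself: an unfiltered stream of exactly /Length bytes.
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(payload)
        + payload + b"\nendstream",
        b"<< /Type /Filespec /F " + pdf_string(filename)
        + b" /EF << /F 4 0 R >> >>",
    ]
    out = bytearray(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))          # byte offset recorded for the xref
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"       # each entry is exactly 20 bytes
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_pos))
    return bytes(out)


def xref_is_consistent(pdf: bytes) -> bool:
    """Check that every in-use xref entry points at the object it claims.
    A scanner miss should not be blamed on a malformed test file."""
    start = int(pdf[pdf.rindex(b"startxref") + len(b"startxref"):].split()[0])
    m = re.match(rb"xref\s+0 (\d+)\s+", pdf[start:])
    if not m:
        return False
    table = pdf[start + m.end():]
    for num in range(int(m.group(1))):
        entry = table[num * 20:(num + 1) * 20]
        offset, kind = int(entry[:10]), entry[17:18]
        if kind == b"n" and not pdf[offset:].startswith(b"%d 0 obj" % num):
            return False
    return True


# Matches an /EmbeddedFile dictionary and captures its declared /Length.
EMBEDDED_RE = re.compile(
    rb"/Type\s*/EmbeddedFile\b.*?/Length\s+(\d+).*?>>\s*stream\r?\n", re.DOTALL)


def extract_embedded_files(pdf: bytes) -> List[bytes]:
    """Return the raw body of every embedded-file stream. This is the step a
    scanner that only matches the outer file never performs. Assumes streams
    are unfiltered, as in the file built above."""
    found = []
    for m in EMBEDDED_RE.finditer(pdf):
        found.append(pdf[m.end():m.end() + int(m.group(1))])
    return found


if __name__ == "__main__":
    pdf = build_pdf_with_attachment(b"eicar.com", EICAR)
    with open("eicar_attachment_test.pdf", "wb") as fh:
        fh.write(pdf)
    print("wrote eicar_attachment_test.pdf,", len(pdf), "bytes,",
          "xref ok" if xref_is_consistent(pdf) else "xref BROKEN")
```

Run the script, then pass the resulting file through the mail gateway and open it on a desktop with the resident scanner active. A product that only inspects the outer file will let it through, while one that looks inside PDFs should flag the attachment; `extract_embedded_files` shows the minimum work that second kind of product has to do, and the same function run over the file confirms the test pattern really is reachable.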