An unpatched vulnerability in Adobe Reader and Acrobat 9.2 and earlier is being exploited in the wild. The potential impact is remote arbitrary code execution. The patch is expected on January 12, 2010. Meanwhile, Adobe suggests implementing the JavaScript Blacklist Framework or disabling Acrobat JavaScript as a mitigation measure. (Note: Adobe announced Adobe Reader and Acrobat Version 9.3 and 8.2 on January 12, 2010 as mitigation measures.)
If you need JavaScript functionality and have updated to versions of Adobe Reader which support the JavaScript Blacklist Framework, and the JavaScript API needed isn’t the vulnerable DocMedia.newPlayer API, then the JavaScript Blacklist Framework can preserve your business processes while providing risk mitigation. If you do not need JavaScript functionality, turn it off. If you don’t know if your business processes need JavaScript functionality within PDFs, then start finding out.
JavaScript Blacklist Framework
Designed in anticipation of a vulnerability such as this, the JavaScript Blacklist Framework lets you designate the APIs that represent security risks so that they are blocked. Download the registry keys [zip]. Even if it is not feasible to implement the JavaScript Blacklist Framework before a patch is released, plan to implement it so that it is ready for the next opportunity.
Note that this is not a complete measure; a signed PDF bypasses the JavaScript Blacklist Framework. This applies to certified documents signed with certificates that chain up to a trust anchor trusted for executing high-privileged JavaScript.
Plan to permit the blacklisted API once a patch is released.
Didier Stevens has posted a video which illustrates the Adobe Reader JavaScript Blacklist Framework.
Disabling Acrobat JavaScript
1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences.
3. Select the JavaScript category.
4. Uncheck the ‘Enable Acrobat JavaScript’ option.
5. Click OK.
When JavaScript is disabled, if a PDF which uses JavaScript is opened, the user will be prompted to re-enable JavaScript:
JavaScript is currently disabled and this document uses it for some features. Enabling JavaScript can lead to potential security issues.
“Options” and “Help” buttons are offered. Options:
- Enable JavaScript for this document one time only.
- Enable JavaScript for this document always.
That is, Adobe offers a way the user can bypass JavaScript prohibitions.
Plan to reverse this procedure once a patch is released. Perhaps you won’t implement that plan, but have the plan ready.
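To check which of the two mitigations above is actually in effect on a Windows host, the following PowerShell is an added example, not Adobe's code or part of the original post. The registry paths and value names (`cJavaScriptPerms`, `tBlackList`, `JSPrefs`, `bEnableJS`) are assumptions based on Adobe's documented 9.x layout, and the helper function names are hypothetical.

```powershell
# Added example: report whether each mitigation from this page is in place.
# ASSUMPTION: registry paths and value names below follow Adobe's documented
# 9.x layout; confirm them against the .reg files Adobe distributes.
$VulnApi  = 'DocMedia.newPlayer'          # API name given on this page
$Version  = '9.0'
$Products = 'Acrobat Reader', 'Adobe Acrobat'
# Check the native and the 32-bit-on-64-bit view of the policy hive.
$PolicyRoots = 'HKLM:\SOFTWARE\Policies\Adobe',
               'HKLM:\SOFTWARE\Wow6432Node\Policies\Adobe'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-BlacklistEntry([string]$BlackList, [string]$Api) {
    # tBlackList holds API names separated by '|'. Exact, case-sensitive
    # match, so a mistyped entry is never counted as protection.
    if ([string]::IsNullOrEmpty($BlackList)) { return $false }
    $entries = @($BlackList -split '\|' | ForEach-Object { $_.Trim() })
    return ($entries -ccontains $Api)
}

$report = foreach ($product in $Products) {
    $blocked = $false
    foreach ($root in $PolicyRoots) {
        $key = "$root\$product\$Version\FeatureLockDown\cJavaScriptPerms"
        if (Test-BlacklistEntry (Get-RegValue $key 'tBlackList') $VulnApi) {
            $blocked = $true
        }
    }
    # Per-user preference behind Edit > Preferences > JavaScript. A missing
    # value is reported as enabled (assumed product default).
    $enableJs = Get-RegValue "HKCU:\Software\Adobe\$product\$Version\JSPrefs" 'bEnableJS'
    $jsOff = ($null -ne $enableJs) -and ([int]$enableJs -eq 0)
    [pscustomobject]@{
        Product        = $product
        ApiBlacklisted = $blocked
        JavaScriptOff  = $jsOff
        Mitigated      = ($blocked -or $jsOff)
    }
}
$report | Format-Table -AutoSize
```

The `JavaScriptOff` column reflects only the account running the script, and because the prompt described above lets a user re-enable JavaScript, the check is worth repeating until the patch is deployed.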