May 5th, 2009

Businesses struggling with Adobe PDF security advice

Posted by Ryan Naraine @ 1:32 pm

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Malware, Patch Watch, Pen testing, Punditocracy, Vulnerability research

Tags: Adobe Systems Inc., Adobe PDF, Vulnerability, JavaScript, Scripting Languages, Security, Software/Web Development, Web Development, Ryan Naraine

Adobe has scheduled patches for May 12 to cover a critical zero-day vulnerability in its Adobe Reader 9.1 and Acrobat 9.1 products.

An official security advisory from Adobe confirms the severity of the vulnerability and reiterates its advice that users turn off JavaScript as a temporary measure against code execution attacks. However, customers have started to grumble that Adobe's mitigation is difficult to implement and, worse, useless in corporate environments, because it does not actually stop scripts from running.

[ SEE: Exploit posted for brand-new Adobe PDF zero-day ]

Erik Cabetas, security officer at a New York City-based e-commerce company, does not mince words:

This does not work, it does NOT disable JavaScript. It merely prompts the user with a vague dialog box stating that there is something they can’t see because JavaScript is disabled. Guess what? Most users click to allow JavaScript!

[Image not reproduced: the Adobe Reader dialog the end user sees when opening a PDF that contains JavaScript while JavaScript is disabled.]

[ SEE: Adobe: Turn off JavaScript in PDF Reader ]

In an e-mail, Cabetas said he wrote a script to “disable” JavaScript across his entire company, only to have an employee ask “if I should click yes when opening this PDF from a friend.”

The rest of the users of course didn’t even mention it to me, they all just click yes because they’re conditioned to at security prompts.

These concerns were echoed by several enterprise IT administrators who are increasingly frustrated by the growing number of zero-day vulnerabilities, and patches, in Adobe's products.

ESET’s Randy Abrams brings up another issue regarding Adobe and vulnerabilities:

The addition of JavaScript to Acrobat vastly increased the attack surface of Acrobat documents. Microsoft learned about the power of macros many years ago and effectively disabled macros in Word, unless a user deliberately turns them on. Adobe, on the other hand, enables JavaScript, arguably as powerful as macros, and does not notify the user of the vastly increased vulnerability they have just been exposed to.

When a user disables JavaScript and opens a PDF with JavaScript in it they are prompted to allow it to run and there is a check box to always allow it to run. The option should conspicuously indicate that this is the option of least security.

As always, if you think Adobe exposes your computer system(s) to increased risk, consider using an alternative product.
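A practical check that follows from the concerns above, added here as an example and not taken from the article, from Adobe, or from anyone quoted in it: rather than relying on users to refuse Reader's prompt, an administrator can flag PDFs that carry JavaScript or auto-run actions before they are delivered. The Python below scans raw PDF bytes for the /JS, /JavaScript, /OpenAction, /AA and /Launch names, resolves the #xx hex escapes that PDF allows inside names so that /J#53 is not missed, and reports "inconclusive" rather than "clean" when the file uses compressed object streams (/ObjStm), because names inside those are not visible to a raw scan. The sample PDF fragments are constructed for the demonstration and are not real files, and the function and constant names are this example's own, not Adobe's.

```python
"""Flag PDFs that carry JavaScript or auto-run actions before they reach users.

Added example standing in for the user prompt the article describes. It is not
Adobe's code and not from the article; names and samples are this example's own.
"""
import re
from typing import Dict

# Name objects that mark JavaScript or automatic execution in a PDF file.
# /JS and /JavaScript carry script; /OpenAction and /AA run actions without a
# click; /Launch starts an external program.
INDICATORS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch")

# A PDF name ends at whitespace or a delimiter, so /JS must not match /JSX.
_NAME_END = rb"(?![^\s()<>\[\]{}/%])"


def normalise_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names so /J#53 reads as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_javascript_indicators(data: bytes) -> Dict[str, object]:
    """Count indicator names in a PDF and return a triage verdict."""
    norm = normalise_names(data)
    counts = {name.decode(): len(re.findall(re.escape(name) + _NAME_END, norm))
              for name in INDICATORS}
    has_js = counts["/JS"] > 0 or counts["/JavaScript"] > 0
    auto_run = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    # Object streams hold compressed objects; names inside them are invisible
    # to this raw scan, so a file using them cannot be called clean here.
    hidden = re.search(rb"/ObjStm" + _NAME_END, norm) is not None
    if has_js:
        verdict = "javascript"
    elif hidden:
        verdict = "inconclusive"
    else:
        verdict = "clean"
    return {"counts": counts, "javascript": has_js, "auto_run": auto_run,
            "object_streams": hidden, "verdict": verdict}


# Constructed samples, not real-world files. Minimal skeletons are enough for
# a name scan; they are not meant to render.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Script wired to run on open: the case that raises Reader's JavaScript prompt.
OPENACTION_JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R "
                     b"/OpenAction 3 0 R >> endobj\n"
                     b"3 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n"
                     b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Same content with the names hex-escaped, a common trick against naive grep.
OBFUSCATED_PDF = (OPENACTION_JS_PDF
                  .replace(b"/JavaScript", b"/J#61va#53cript")
                  .replace(b"/JS ", b"/J#53 "))

# Compressed object stream with nothing visible: must not be reported clean.
OBJSTM_PDF = (b"%PDF-1.5\n4 0 obj << /Type /ObjStm /N 2 /First 10 "
              b"/Filter /FlateDecode /Length 0 >> stream\nendstream endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    samples = [("benign", BENIGN_PDF), ("openaction", OPENACTION_JS_PDF),
               ("obfuscated", OBFUSCATED_PDF), ("objstm", OBJSTM_PDF)]
    for label, pdf in samples:
        result = pdf_javascript_indicators(pdf)
        print(f"{label:11s} {result['verdict']:13s} {result['counts']}")
```

This is a triage filter, not a PDF parser: a file that comes back "inconclusive" needs a real parser that inflates object streams before it can be called clean, and JavaScript in a PDF is not by itself malicious (forms use it), so the sensible policy is to quarantine or strip such files for review rather than silently block them.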

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

