Mitigating Vulnerabilities in Adobe Reader and Acrobat
Written by Brett Callow on March 17, 2009
On February 19th, Adobe confirmed a critical vulnerability spanning multiple versions of Adobe Reader and Acrobat:
A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.
Disabling JavaScript in Reader may provide some protection. To do this:
1. Open Reader and click Edit > Preferences
2. Click the JavaScript Category
3. Uncheck “Enable Acrobat JavaScript”
Should you need to implement this change across a large number of machines, PhishLabs have posted some information which will make your life easier.
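For a scripted version of steps 1 to 3, the following PowerShell sketch audits and clears the setting for the current user. It is an added example, not code from this post or from PhishLabs. It assumes the checkbox is stored as the DWORD value bEnableJS under the product's per-version JSPrefs key in HKCU; that location is not given on this page, so verify it against your installed versions before deploying.

```powershell
# Added example: audit and disable Acrobat JavaScript for the current user.
# Assumption (not from the page): the "Enable Acrobat JavaScript" checkbox is
# stored as DWORD bEnableJS under <product>\<version>\JSPrefs in HKCU.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$AuditOnly   # report current state without changing anything
)

$productRoots = @(
    'HKCU:\Software\Adobe\Acrobat Reader',
    'HKCU:\Software\Adobe\Adobe Acrobat'
)

$results = foreach ($root in $productRoots) {
    if (-not (Test-Path -Path $root)) { continue }   # product never run by this user

    # Each major version keeps its own subkey (for example 8.0 or 9.0).
    foreach ($versionKey in Get-ChildItem -Path $root) {
        if ($versionKey.PSChildName -notmatch '^\d+\.\d+$') { continue }
        $jsPrefs = Join-Path -Path $versionKey.PSPath -ChildPath 'JSPrefs'

        # A missing key or value means the user has never changed the preference.
        $before = $null
        if (Test-Path -Path $jsPrefs) {
            $before = (Get-ItemProperty -Path $jsPrefs -Name 'bEnableJS' -ErrorAction SilentlyContinue).bEnableJS
        }

        if (-not $AuditOnly -and $before -ne 0 -and
            $PSCmdlet.ShouldProcess($jsPrefs, 'Set bEnableJS = 0')) {
            if (-not (Test-Path -Path $jsPrefs)) { New-Item -Path $jsPrefs -Force | Out-Null }
            Set-ItemProperty -Path $jsPrefs -Name 'bEnableJS' -Value 0 -Type DWord
        }

        # Re-read so the report reflects what is actually in the registry now.
        $after = (Get-ItemProperty -Path $jsPrefs -Name 'bEnableJS' -ErrorAction SilentlyContinue).bEnableJS
        [pscustomobject]@{
            Product = Split-Path -Path $root -Leaf
            Version = $versionKey.PSChildName
            Before  = if ($null -eq $before) { 'not set' } else { $before }
            After   = if ($null -eq $after)  { 'not set' } else { $after }
        }
    }
}

$results | Format-Table -AutoSize
```

Because the value lives in the user's hive, the script has to run in each user's context (for example as a logon script). Run it with -AuditOnly or -WhatIf first to see which versions would be changed.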
Should disabling JavaScript not be an option – and, in some enterprise environments, it may well not be – there is not much that you can do except wait for the patch which Adobe say will be released by 11th March for Reader and Acrobat 9 or by 18th March for earlier versions.
Note that disabling JavaScript will not necessarily provide you with complete protection. According to Adobe:
Reports have been published that disabling JavaScript in Adobe Reader and Acrobat can protect users from this issue. Disabling JavaScript provides protection against currently known attacks. However, the vulnerability is not in the scripting engine and, therefore, disabling JavaScript does not eliminate all risk.
So, regardless of whether or not you disable JavaScript, it would be an extremely good idea to ensure that users are aware that they should exercise caution when opening PDF files from unknown or untrusted sources.




