Adobe Acrobat has a history of tripping over security and they do so, in part, because Adobe seems to be determined to prove that they cannot be forced to learn from history, Adobe has spent years trying to repeat the mistakes of Microsoft Office’s early macro fiasco by including JavaScript in Adobe Reader and then leaving it enabled by default. This is simply bad security.

Shadowserver has an entry at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219 titled “When PDFs Attack - Acrobat [Reader] 0-Day On the Loose”.

Of note: “we found that disabling JavaScript would definitely prevent the malware from being installed on the system.”

For most people there is no reason to have JavaScript enabled in Acrobat. JavaScript in Acrobat is and always has been a bad security idea. As does Shadowserver, I strongly encourage you to disable JavaScript in Acrobat. It isn’t hard if you know where to do it! The Shadowserver post tells you how to disable JavaScript in Adobe Reader, but I’ll repeat the instructions.

First, make sure you are using Adobe Reader version 9. If you have an older version go to www.adobe.com and get the new version and install it, then open Adobe Reader. Go to the “EDIT” menu and choose “Preferences”. Click on “JavaScript” and then uncheck the box that says “Enable Adobe JavaScript”. If the security people at Adobe had a voice then I am can’t believe that JavaScript would be enabled by default.

WARNING WARNING WARNING!!! The final step it to click OK. If you close the set up panel without using the OK Button you have not saved your changes. The little box in the upper right hand corner that you can use to close the window does so without accepting your changes. Use the OK button!!!

The final step is to go to http://www.adobe.com/cfusion/mmform/index.cfm?name=wishform and tell Adobe that you prefer security and do not want JavaScript to be enabled by default when you install Acrobat Reader.

Randy Abrams
Director of Technical Education