Ever since Adobe's recent updates to Acrobat and Reader, I've been irritated by the fact that every time I open a PDF, I'm prompted to re-enable JavaScript, which I disabled while we were all waiting patiently for those patches to the last round of vulnerabilities.
"This document contains JavaScripts. Do you want to enable JavaScripts from now on? The document may not behave correctly if they're disabled."
The main cause of my irritation (apart from the fact that it doesn't believe me the first time I click "no" and sits there till I click it again) is that this message is blatantly incorrect: more often than not these are documents I've just generated myself, and there ain't no JavaScripts. (Yes, I have checked!)
Which is why I said in a previous blog: "It’s actually a little more annoying than that. I now find that every time I open a PDF on this system, Acrobat informs me that JavaScript is enabled in the document (even when I’ve just created it on a system with JS disabled), and prompts me to re-enable it in the application. While there may be no signficant danger in re-enabling it right now, that may not always be so, and in any case I’d prefer it if Adobe would be a little less insistent."
This might be a good time to say "I told you so."
Adobe's PSIRT blog has today reported that Adobe is aware of "a potential vulnerability in Adobe Reader 9.1 and 8.1.4" and that it is investigating.: No further information is given, but the vulnerability referred to is described at http://www.securityfocus.com/bid/34736/info: "Adobe Reader 'getAnnots()' Javascript Function Remote Code Execution Vulnerability." (Yes, the RSS feed still works: no, I didn't get an email from the Security Notification Service!)
According to the SecurityFocus page, it's known to affect Reader 8.1.4 and 9.1 for Linux, but it also suggests that other versions or platforms may be vulnerable, and links to an exploit. However, I'm not aware that the vulnerability is being used "in the wild" at the moment. If or when it is, it will probably be used for targeted attacks, as we've seen previously, though there's no absolute reason why such vulnerabilities can't be used for more random attacks too, so bear in mind that PDFs are not an automatically "safe" format.
In the current absence of further information, I'd suggest that you think about disabling JavaScript (if you haven't already) and ignore Adobe's vexatious prompting, though I can't guarantee that doing so fixes the underlying vulnerability: I don't have that information at the moment. And perhaps, as Mikko Hypponen has been saying for a while, it really is time to think about other PDF readers.
I may come back to that thought, but for now I'm on my way to the Infosec exhibition in London, and will be there for much of the next three days. Maybe I'll see some of you around the ESET UK stand, or at my presentation on testing?
David Harley
Director of Malware Intelligence