Stephen Northcutt, with the SANS Technology Institute, suggested the following in the SANS NewsBites Vol. 11 Num. 61:
[Editor's Note (Northcutt): I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can.]
Limiting the use of software is always good advice, but should you remove Adobe products from your computer? Given the prevalence of Flash and PDF files that might be a bit drastic, although there are other PDF readers available.
Adobe has had a rash of security vulnerabilities found in their products recently. I don’t think you have to get rid of the Adobe Reader, but there are some smart precautions you can take to make it more secure.
The first step is to make sure you have the most current version of Adobe Reader. Under the help menu, select about and it will tell you the version number. If you do not have version 9, then you may need to go to www.adobe.com and download the latest version. If you do have version 9, then under the help menu select “Check for Updates” so that you have the latest version of version 9. As of this writing it is version 9.1.3 or version 9.1.2.82. You see, when I click on the words “Version 9.1.3” it then changes to “Version 9.1.2.82”. So, the safest thing is to check for updates. By default Adobe Reader checks for updates every week, but with the recent security problems it is best to check for updates now and every day that you use the reader.
The next step is to go to the edit menu and select preferences. On the left side click on the word JavaScript. On the right side uncheck the box that says “Enable JavaScript”. For most people they will never notice that JavaScript is not enabled. There are some legitimate PDF files with JavaScript, but it rarely, if ever, is needed to use the document. Many security problems with Adobe Reader would have been avoided if Adobe had disabled JavaScript by default. You will know that Adobe has taken security seriously when they start disabling JavaScript by default.
The next step is to click on “Multimedia (Legacy). This is on the left side again. There will be a list of media players on the right side. You will see things like “Permission for Windows Built-In Player is set to allow. Click on each of these and either choose prompt or disable. You do need to click on each one and change the setting though.
The next step is to return to the left side and click on “Security (Enhanced). Check the box that says Enable Enhanced Security.
The final step is to not open PDF files that come from unknown senders or that you are not expecting from a known sender. Ask the sender if they sent it before you open the PDF if you were not expecting it. Why ask the sender? Email addresses can be spoofed. Just because it says Mom@aol.com it doesn’t mean that it really came from mom.
All of these steps combined will make Adobe Reader much safer to use and in most cases it will not impair the functionality of the PDF files you read.
In a future article I’ll discuss Adobe Flash in more detail
Randy Abrams
Director of Technical Education
