Monday, May 31, 2010

9 Easy Steps to Increase Adobe Reader Security

I've been meaning to write an article about Adobe security for some time.  Adobe Flash Player and Adobe Acrobat/Reader are considered by some to be necessarily evils; Flash and PDF content is widely distributed on the Internet, but Adobe has a poor reputation when it comes to product security.

I recently worked on a PC that had become infected, and I determined through forensic analysis that the infection vector was a PDF exploit hosted on a malicious domain (see details at the end of this article).  I decided that it was time to write an article on how to improve Adobe Reader's security by tweaking some settings.  Note that these instructions are based on version 9.3.2, the latest version available as of when I'm writing this, but will likely apply to future versions as well.  UPDATE: I have tested and regularly use the first 6 of these steps with 9.4.x.  Most readers should probably update to Adobe Reader X so that they can use its new Protected Mode which can help stop certain exploits.  Unfortunately some users are stuck having to use 9.x due to software incompatibilities.  However, most (or perhaps all) of these steps should apply to securing Adobe Reader X as well.

9 Easy Steps to Increase Adobe Reader Security
  1. Download and install the latest version of Adobe Reader from http://get.adobe.com/reader/ (be sure to uncheck any toolbar options first).  After installation, open Adobe Reader and check for updates by clicking on the Help menu and selecting "Check for Updates...".  (You may be asking yourself why this is necessary when you just downloaded the latest version straight from Adobe's site.  Sadly, Adobe is notorious for distributing old versions of Reader that are not fully patched and leaving it up to the user to figure this out and patch it on their own.)  Install any updates as prompted.
     
  2. Disable JavaScript.  This rarely used feature of Adobe Reader is much more likely to do harm than good—in fact, lots of PDF malware uses it—so it's best to turn it off.  To do so, open Adobe Reader and click on the Edit menu and select "Preferences...".  (Note that in the Mac version of Adobe Reader, you'll find Preferences under the "Adobe Reader" menu directly to the right of the Apple menu.)  In the left side of the window, select JavaScript.  Now on the right side of the window you'll see a checkbox labeled "Enable Acrobat JavaScript".  Uncheck that box to disable JavaScript in Adobe Reader, then click OK.
      
  3. Disable "non-PDF file attachments".  This is another rarely used and potentially dangerous feature that Adobe currently enables by default.  To disable it, open Adobe Reader and click on the Edit menu and select "Preferences...".  In the left side of the window, select Trust Manager.  Now on the right side of the window in the "PDF File Attachments" section you'll see a checkbox labeled "Allow opening of non-PDF file attachments with external applications".  Uncheck that box to disable the feature, then click OK.  (For more information on why this feature is dangerous and should be disabled, see this blog post by Didier Stevens.)
      
  4. Enable "Automatically install updates".  Make sure that Adobe Reader is configured to update itself automatically.  Open Adobe Reader, click on the Edit menu, and select "Preferences...".  In the left side of the window, select Updater.  Now on the right side of the window in the "Check for updates" section you'll see a radio button labeled "Automatically install updates".  Click on that button to allow Adobe Reader to update itself automatically, then click OK.  (Note that this option is not available in the Mac version. The next best choice is "Automatically download updates, but let me choose when to install them".)
      
  5. Delete the AuthPlay library after each update.  This file is another commonly exploited component of Adobe Reader because it enables embedded Flash content inside PDFs, and new Flash exploits are being discovered and used in the wild on a regular basis.  Nearly all users of Adobe Reader have no need for active, animated Flash content inside their static, printable PDFs, and it's safe to delete this file.  Deleting the AuthPlay file may be a bit tricky because the file does not have a consistent name or location across all operating systems and versions of Reader.  About.com has a guide that explains how to find and delete the AuthPlay library for Adobe Reader 9 on Windows, Mac, Linux, and Solaris, and if you have Adobe Reader X those instructions may lead you in the right direction to locate the file on your system.  For Adobe Reader 9.x for Windows, the file is located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll.  Unfortunately, the AuthPlay library will be reinstalled during every Adobe Reader update, so you will have to remember to delete it each time.
      
  6. Enable "Use only certified plug-ins".  Although I'm not currently aware of any exploits that take advantage of non-certified plug-ins, it shouldn't hurt to enable this option.  Open Adobe Reader, click on the Edit menu, and select "Preferences...".  In the left side of the window, select General.  Now on the right side of the window in the "Application Startup" section you'll see a checkbox labeled "Use only certified plug-ins".  Click on that checkbox to enable the setting, then click OK.
        
  7. Disable inline PDF display in your Web browsers.  This is a bit more extreme and may not be right for everyone since some legitimate sites require the ability to view embedded PDFs, but remember that accidentally browsing to a malicious or infected site with an embedded PDF can trigger an exploit and compromise your system; you'll have to weigh the pros and cons and decide for yourself whether this step is worth it for you.  The easiest way to disable PDF support for most Windows browsers is to open Adobe Reader, click on the Edit menu, select "Preferences...", then in the left side of the window select Internet, then on the right side of the window under "Web Browser Options" uncheck "Display PDF in browser", then click OK.
     
    The United States Computer Emergency Readiness Team (US-CERT) also recommends configuring Internet Explorer to not open PDF files without user interaction.  To do so, open the Notepad application (look in the Start menu under Programs, Accessories), paste the following text, and save it as a file with .REG at the end of the file name (e.g. DisableIEPDF.REG):
     
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\AcroExch.Document.7]
    "EditFlags"=hex:00,00,00,00

     
    After saving the .REG file, double-click on it to add the above to the Windows Registry.
     
    In the Mac version of Adobe Reader, the option you'll need to disable is "Display PDF in browser using:".  You will also need to disable Safari's built-in PDF reader functionality as well.  To do so, first open the Terminal application (in the /Applications/Utilities folder; if you can't find it, click on the magnifying glass in the top-right corner of the screen and type the word Terminal, then click on the application when it appears in the list).  Then type or paste the following command and then press Return or Enter:  

    defaults write com.apple.Safari WebKitOmitPDFSupport -bool YES
     
  8. Disable PDF preview in your file browser (i.e. Windows Explorer or the Mac OS X Finder).  This will prevent accidentally reading data from a malicious PDF file by merely opening the folder that contains that file.  On Windows, click on Start, Run (if you don't see Run, search for cmd and open it instead) and type or paste the following command and then press Enter:
     
    regsvr32 /u "%CommonProgramFiles%\Adobe\Acrobat\ActiveX\pdfshell.dll"
     
    You'll also want to make sure that the Windows Indexing service doesn't accidentally access a malicious PDF file.  The easiest way to do this is to disable the Indexing Service altogether.  If you're unfamiliar with how to disable Windows services, here's a tutorial that details how to disable the Indexing Service in Windows XP, Vista, and 7.  If you don't want to disable the Indexing Service entirely, US-CERT has some vague instructions for specifically disabling PDF integration with the service (note that the instructions are vague because each version of Adobe Acrobat and Adobe Reader puts its files in a different folder based on the version number, rather than sticking to something consistent like C:\Program Files\Adobe\Acrobat\ or C:\Program Files\Adobe\Reader\).
     
    On the Mac, PDF integration is a major part of the operating system, so disabling it entirely would be extremely difficult.  One way to potentially help prevent the OS (Leopard, Snow Leopard, or later) from accidentally previewing a malicious PDF is to change the Downloads folder in the Dock to display as a Folder in List view (as opposed to a Stack in Fan or Grid view, all of which show previews automatically).  To do so, right-click on Downloads (or hold down the Control key and click, if you're using a one-button mouse), and under "Display as" select Folder, then right-click on Downloads again and under "View content as" select List.  Now when new files are downloaded to the Downloads folder, a preview of the file won't appear in the Dock.  You can also disable previews in specific folders in the Finder, for example the desktop or the Downloads folder.  To disable file previews on the desktop or for a specific folder, click on the desktop or open the folder, then click on the View menu and select "Show View Options", then uncheck "Show icon preview".
       
  9. Install good antivirus software.  As an additional line of defense, antivirus software from a reputable company may catch some malicious PDFs when downloaded onto your system.  I list this step last because it is unwise to rely solely on antivirus software to catch malicious PDFs; there are lots of PDF vulnerabilities, many of which are yet undiscovered, and even the best antivirus won't prevent against every undiscovered PDF exploit.
Note that these steps won't make your computer 100% safe from PDF exploits.  You will still need to make sure that Adobe Reader is properly updating itself.  Even if you keep Adobe Reader up-to-date, there's still the problem of zero-day vulnerabilities (security flaws that Adobe hasn't patched yet).  As demonstrated in my previous post, it's possible for a determined individual to find PDF vulnerabilities through fuzzing, which could lead to the creation of maliciously crafted PDF files.  Nevertheless, following the steps above will help mitigate the threat of malicious PDF documents infecting your computer.

UPDATE, 1 Jun 2010 @ 13:28 PDT: Steven Burn from Ur I.T. Mate Group, maintainer of the excellent hpHosts site, e-mailed me to suggest a Windows alternative to Adobe Reader called Sumatra PDF.  According to the developer's site, Sumatra is "a slim, free, open-source PDF viewer for Windows. Portable out of the box."  It does not support JavaScript or launching external applications like cmd.exe from within PDF files, making it inherently safer out of the box than Adobe Reader or Foxit Reader.  I'm very interested to know how well Sumatra handles other types of vulnerabilities and fuzzed PDFs; readers, if you're aware of any research on this, please post a comment.

UPDATE, 28 May 2011 @ 00:33 PDT: I changed the article from 7 Easy Steps to 9 Easy Steps (specifically, I added a new step 5 and 6, and bumped the other steps down in the list).  I added these steps in the middle because I feel the first 6 steps listed above go together best, and I regularly use these 6 steps when configuring Adobe Reader.  I also added a note about Adobe Reader 9.4.x and Adobe Reader X at the top of the article.


Following are some details about the malicious domain that I mentioned earlier, and an affiliated domain:

http://safeweb.norton.com/report/show?name=relwqin.com
http://www.malwareurl.com/listing.php?domain=relwqin.com
http://www.mywot.com/en/scorecard/relwqin.com
http://hosts-file.net/?s=relwqin.com

http://www.mywot.com/en/scorecard/antispyfortress.com
http://www.siteadvisor.com/sites/antispyfortress.com#reviewercommentssummary
http://www.malwareurl.com/listing.php?domain=antispyfortress.com


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.