Trojan Security Vulnerability : targeted attacks on Adobe Acrobat Reader : catch 21

Posted on 2009-02-20
Last Modified: 2012-05-06

The security team from HQ issued us the following security alert but
if we disabled Adobe Javascript (see attached picture/screen shot),
will it disable (or create issues) which prevent us from using Adobe
to read Pdf files?

Any workaround or suggestion that will satisfy the security team and
users of Adobe are most appreciated.


[ Summary ]
A vulnerability was reported in Adobe Acrobat Reader that, when successfully
exploited, allows a remote attacker to execute arbitrary code.

An attacker can exploit this issue to execute arbitrary code with the
privileges of the user running the affected application or crash the
application, denying service to legitimate users.

The exploit is delivered as a specially crafted PDF document; when it is
triggered, several executable files that are embedded inside the malicious
PDF document would be installed.

Symantec detects this attack as:

[ Affected Systems ]
     Adobe Acrobat Reader 9
     Other versions may also be vulnerable

[ Solution/Workaround ]
There is no patch available from the vendor yet. Please implement the
following workarounds and mitigation measures where applicable.

  - Remind users to be vigilant when handling email attachments (PDF
    documents in particular), especially from unsolicited and untrusted
  - Remind users not to follow links provided by unknown or untrusted sources.
  - Keep anti-virus signatures updated.
  - Run Adobe Acrobat Reader as a non-privileged user with minimal access
  - Disable JavaScript for Acrobat Reader (NOTE: Disabling JavaScript will
    cause a loss in functionality and cause malicious PDFs to crash Reader.
    It will protect users from exploitation.)

[ Reference ]
Question by:sunhux
    LVL 7

    Assisted Solution

    > if we disabled Adobe Javascript (..),  will it disable (or create issues) which prevent us from using Adobe
     to read Pdf files?
    Disabling Adobe Javascript may create issues when certain functionality is required inside PDF files (think validation in interactive forms). Disabling Adobe Javascript should *not* hinder reading "plain" PDF files.
    Given the nature and severity of the vulnerability, IMHO one shouldn't look for "workarounds". In addition to what your HQ Security Team advised already, please see the CERT advisory (find link in the Securityfocus BID references) for additional measures.
    * There's at least one PDF reader that installs *without* Javascript functionality: you have to install a separate module. Unless you regularly require Adobe Javascript, Foxit may provide a usable alternative.
    LVL 12

    Accepted Solution

    Disabling javascript in Reader will only prevent pdf files with embedded javascript from working as intended.
    In terms of reading plain old pdf files there is no impact whatsoever.

    I've had javascript disabled since the first time a vulnerability was discovered in the javascript engine in Reader and I've never noticed the lack of javascript - I don't think I've ever come across one with an embedded video or any other reason to allow javascript.

    Javascript is used to perform Heap Spraying to improve the chances that the Reader exploit will work and disabling javascript in Reader will prevent this heap spray.  This means that, should you open such a malicious pdf, the exploit attempt will still be executed, but will very likely be unsuccessful and will cause Reader to crash.

    This exploit isn't widespread at the moment and it seems to be targeted quite specifically at high value targets, but regardless of this fact, disabling javascript will help mitigate this threat should you be one of these high-value targets and for later when the exploit gets picked up and used by others.

    It could be the middle of March before we see a patch for this issue, so my advice: Disable Javascript and keep an eye open at

    Author Comment


    Is there any way to centrally and remotely disable Adobe Javascript, without going
    to individual users' PC to manually set/check it?

    This is one decision I have to make because if it's too much of an effort and manually
    going to each PC to do it, then might as well wait for the patch to be available in mid
    Mar 09 and then push down the patch
    LVL 12

    Assisted Solution

    Good Question.  It's possible to deploy reader with GPO and the distribution package can be customised with transformations generated with the Adobe Customization Wizard so in theory at least, you should be able to redeploy Reader with a custom set of preferences.  Whether you can modify already deployed installations I just don't know.
    Have a look at and there's a good pdf for Reader 8 at
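
One way to switch JavaScript off on installations that are already deployed, without visiting each PC, is a per-user logon script assigned through a GPO. This is an added example, not part of the original thread or Adobe's own tooling. It assumes Reader stores the Edit > Preferences > JavaScript checkbox as the DWORD value `bEnableJS` under `HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs`; the function name and the `8.0` entry are illustrative, so confirm the key on one test PC first.

```powershell
# Added example: per-user logon script that disables JavaScript in Adobe Reader.
# Assumption: the preference lives in the DWORD bEnableJS under
# HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs (check on a test PC).
param(
    [string[]]$Versions = @('9.0', '8.0'),  # 9 is named in the alert; 8.0 is an assumption
    [switch]$AuditOnly                      # report the current state without changing it
)

function Set-ReaderJavaScriptOff {
    param([string]$Version, [switch]$AuditOnly)

    $productKey = "HKCU:\Software\Adobe\Acrobat Reader\$Version"
    $jsKey      = Join-Path $productKey 'JSPrefs'

    # No product key: this user has never started that Reader version.
    if (-not (Test-Path $productKey)) {
        return [pscustomobject]@{ Version = $Version; Before = $null; After = $null; Status = 'NotPresent' }
    }

    # A missing value reads as $null, which Reader treats as its default (enabled).
    $before = (Get-ItemProperty -Path $jsKey -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS

    if (-not $AuditOnly -and $before -ne 0) {
        if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey -Force | Out-Null }
        New-ItemProperty -Path $jsKey -Name bEnableJS -PropertyType DWord -Value 0 -Force | Out-Null
    }

    # Read the value back so the result reflects what is actually stored.
    $after  = (Get-ItemProperty -Path $jsKey -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
    $status = if ($after -eq 0) { 'Disabled' } else { 'EnabledOrDefault' }

    [pscustomobject]@{ Version = $Version; Before = $before; After = $after; Status = $status }
}

# One result object per version, suitable for logging or Export-Csv.
$Versions | ForEach-Object { Set-ReaderJavaScriptOff -Version $_ -AuditOnly:$AuditOnly }
```

Because this is a per-user preference, a user can turn JavaScript back on in Reader's preferences; running the script at every logon reasserts the setting, and `-AuditOnly` shows which profiles still have it enabled.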
