It seems like in the past couple of weeks a lot of security risks are popping up. So to add to the list, I read about a critical security risk with Adobe Reader versions 8.1.2 and lower (this exploit is not applicable to version 9). The vunerability comes from the use of JavaScript inside the PDF file:
Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content.
My first thought is why does a PDF document even need JavaScript? I seriously cannot think of a single reason a PDF document would need this ability. Perhaps I have opened PDF’s in the past which had JavaScript in them and I didn’t know it, but overall I just use a PDF reader to open “static” documents.
To avoid issues such as this, just use a ’simple’ PDF viewer, such as Foxit Reader which is not effected by this exploit. If you do need the additional functionality of Adobe however, just make sure you keep it updated.
Jason Faulkner is the man who brings you our daily tips. He is based in Atlanta, Georgia.
I have seen a PDF file containing some forms to fill in.
There was some scripting involved which checked that the appropriate fields had been completed. Perhaps that is what Javascript is for.
One advantage of using JS rather than inventing a new scripting language is that people don’t need to learn a new language.
However, JS *should* have been added in such a way that it could only be used to affect elements within the PDF.
I’ve just noticed that the Net Security article cited in the article specifically says that the Adobe Reader bug is the same as the previously discovered bug in FoxIt.
Foxit *was* affected by the bug (CVE-2008-1104), but it was fixed some time ago.
So presumably Foxit Reader does support Javascript.
Though it is much smaller and quicker to load than Adobese Reader.
Same as SAP said but I thought this problem was only tested & found in Foxit first up in the last week.
Even the exploit doesn’t affect Adobe Reader version 9 is good to disable JavaScript just in case. About FoxReader there must be a way to disable JavaScript also or at least another version that covers this hole.
Early versions of Foxit reader did not support javascript. I know this because our company tested LockLizard viewer for secure PDF files, which we were told was based on the Foxit version 1 SDK, and javascript is not supported. In fact all active content is prevented from loading, but it only works with LockLizard protected PDF files. I guess we are back to the age old question of security vs usability…