Adobe JavaScript Blacklisting

The JavaScript implementations in Adobe Reader and Acrobat have been a sore spot for Adobe (as well as administrators) for a while now.  To help make the world a safer place, Adobe has added a feature to Reader (versions 9.2 and 8.1.7) to allow administrators to blacklist certain functions in the JavaScript API.  Many times when 0days are released for Reader, the recommendation for administrators is to disable JavaScript in Reader while a patch is readied.  The problem is that in many organizations PDF forms are used extensively, so disabling JavaScript can mean that these forms stop working, so disabling it may not be practical.  In addition, if it is disabled while waiting for a patch, that period of time may be long, as Adobe has switched to a quarterly update schedule, and has cited this schedule in the past as a reason for delaying patches.

The new JavaScript Blacklist Framework for Reader and Acrobat uses some configuration settings (registry on Windows, Preferences on MacOS).  Instead of using one area for the settings, the Framework has two.  The first is for administrators, and it appears the second is for Adobe to use in conjunction with the new silent update feature they have rolled out in beta versions of Reader.  This means that the updates will not trample over administrator preferences.

Of course, there will always be cases where organizations know of a vulnerability in a particular function of the JavaScript API which is used by business documents, Adobe has also added a way to add “trusted locations” (by URL or path), as well as certificate management so that particular documents and be exempted from blacklisting.

There are some drawbacks, such as limitations to what can be blacklisted (not all JavaScript functions are eligible, nothing from the 3D JavaScript API, if a blacklisted function is called, all scripts in a document will stop working), but it is a good start.

SourceFire’s VRT has a post on some of their testing with the framework, and is nice enough to supply some suggestions for blacklisting candidates, as well as sample PDFs which can be used for testing.

Adobe Reader and Acrobat JavaScript Blacklist Framework

Managing JavaScript Execution in the Acrobat Family of Products (PDF)

Enhanced Security and Trusted Locations (PDF)

Leave a Reply