Disabling Javascript on Adobe Acrobat
Adobe’s implementation of Javascript in PDF documents, referred to as Acrobat JavaScript, appears to have been originally introduced based on the popularity of PDF eForms. Javascript allows for some dynamic behaviors in PDF’s, including calculations, responses to user actions, user data validation, and the integration of other dynamic capabilities.
That said, for many users PDF’s are simply a mechanism for providing documents to read. Given the spate of vulnerabilities identified in Acrobat and Reader in 2009, and the likely promise of more in 2010, we are releasing by request this general instruction for disabling Javascript in Adobe Acrobat. An advisable approach, depending on your usage of these products, may be to disable Javascript and only re-enable when performing an activity with a PDF that requires Javascript be enabled, such as with an eForm.
Adobe notes that disabling Javascript mitigates against exploits identified this year that use Javascript functions to cause a memory corruption, although in some cases it would be possible to create variants that do not rely on Javascript. To disable Javascript in Adobe Reader or Acrobat: select Edit > Preferences, select the JavaScript option on the left, and uncheck the Enable Acrobat JavaScript option as shown.
Uncheck to disable Acrobat JavaScript
Related Posts:
- Security and IT Pros, I need your help
- iPhone 4 Ordering and Session Switching
- May’s Patch Tuesday
- First Patch Tuesday of 2010
- Regular or Decaf? Tool launched to combat COFEE
Filed Under: Security
is there any way to make disabling javascript “sticky”? i have disabled it in the past, but when i run into a form that needs it turned on, acrobat turns javascript on permanently, not just for the current document.
JCG to date not there is no way to globally disable JavaScript in Adobe Acrobat or Reader permanently. I set my patch mgmt system to “autofix” all agents via the registry key and try to educate the end users of the risks.
There is however the Adobe JavaScript Blacklist Framework that was released this past October. More information on using this to mitigate the current 0-Day is here
http://kb2.adobe.com/cps/532/cpsid_53237.html
I also cover it on my personal b log (warning with a bit of a rant) here: http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html
Hope this helps. Its not perfect and its very reactive but I am hoping that Adobe steps up and gives us an alternative (i.e. an option to permanently disable JS)
[...] have previously posted instructions for users to disable JavaScript, giving them the option to enable it only when necessary. However, [...]