University of California, Riverside

Security



Adobe Reader Security Considerations


Recently a number of warnings have been issued in various computer security publications regarding Adobe Acrobat Reader and potential vulnerabilities it introduces to PC workstations. However, many of the issues can be mitigated by careful user habits.

Most importantly:

  1. Don't visit websites you don't trust
  2. Don't open attachments from unknown/untrusted senders

These apply to much more than just PDF files.

Some recommendations adapted from the Carnegie Mellon Computer Emergency Response Team (CERT) report:

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript may prevent this vulnerability from being exploited. Acrobat JavaScript can be disabled in the General preferences dialog (Edit -> Preferences -> JavaScript, then un-check Enable Acrobat JavaScript).

Disable the displaying of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser may mitigate this vulnerability. If this workaround is applied to updated versions of Adobe Reader, it may mitigate future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser:

  1. Open Adobe Acrobat Reader.
  2. Open the Edit menu.
  3. Choose the Preferences option.
  4. Choose the Internet section.

Prevent Internet Explorer from automatically opening PDF documents

Note: Users may wish to contact the Computer Support Help Desk for assistance with modifying the Windows registry.

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

Download this .reg file and double-click to install.
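
A read-only check of the setting the .REG file above changes, as an added PowerShell example that is not part of the original page: it lists the EditFlags value for each Acrobat PDF ProgID and reports whether the Windows shell FTA_OpenIsSafe bit (0x00010000) is set. Matching every AcroExch.Document* key, rather than only AcroExch.Document.7, goes beyond the page's single key and is an assumption about how other versions name their ProgID.

```powershell
# Added example (not from the original page): read-only audit of Acrobat PDF ProgIDs.
# Assumption: other Reader/Acrobat versions register ProgIDs named AcroExch.Document*,
# like the AcroExch.Document.7 key in the .REG file above.
$FTA_OpenIsSafe = 0x00010000  # Windows shell file-type flag: "open" verb needs no download prompt

function Get-EditFlags {
    param([Parameter(Mandatory)][string]$KeyPath)
    $prop = Get-ItemProperty -LiteralPath $KeyPath -Name EditFlags -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }            # EditFlags value not present
    $raw = $prop.EditFlags
    if ($raw -is [byte[]]) {
        # REG_BINARY (as written by the .REG file): little-endian, pad or truncate to 4 bytes
        $buf = New-Object byte[] 4
        [Array]::Copy($raw, $buf, [Math]::Min($raw.Length, 4))
        return [BitConverter]::ToInt32($buf, 0)
    }
    return $raw                                      # REG_DWORD comes back as a number
}

Get-Item -Path 'Registry::HKEY_CLASSES_ROOT\AcroExch.Document*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $flags = Get-EditFlags -KeyPath $_.PSPath
        [pscustomobject]@{
            ProgId             = $_.PSChildName
            EditFlags          = if ($null -eq $flags) { '(not set)' } else { '0x{0:X8}' -f $flags }
            OpensWithoutPrompt = ($null -ne $flags) -and (($flags -band $FTA_OpenIsSafe) -ne 0)
        }
    } | Format-Table -AutoSize
```

A row with OpensWithoutPrompt set to True marks a ProgID where the EditFlags change from the .REG file has not taken effect.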

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

Keep systems up-to-date with the latest patches and anti-virus signatures.

Antivirus software must be up-to-date with the latest databases to detect the latest viruses. These programs update either automatically or manually, so please be aware of which applies and keep your software updated.

See more information about software patches and updates.

Limit user rights on systems to only those that are necessary.

Most everyday tasks can be accomplished on a PC without being logged in as an administrative user. A good policy is to create both an administrator account and a standard user account, log in to the administrator account only when installing new software or hardware, and perform most tasks in the standard user account.

US-CERT also recommends that organizations remind users of the following precautions when working with emails:
  • Do not trust unsolicited email.
  • Do not click links in unsolicited email messages.
  • Employ the use of a spam filter.
  • To educate users about social engineering and phishing attacks, review US-CERT Cyber Security Tip ST04-014, “Avoiding Social Engineering and Phishing Attacks.”

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-4741
Fax: (951) 827-4541
E-mail: helpdesk@ucr.edu
