
Title

Adobe Reader and Acrobat JavaScript Blacklist Framework Mitigation for Security Advisory - APSA09-07

Update

The following instructions are deprecated with the release of the 9.3 and 8.2 patches. Adobe recommends that users update their applications to the latest version for the reasons described here, as well as for other reasons.

Archived Information

Issue

Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system as described in Security Advisory APSA09-07. Adobe recommends that customers follow the mitigation guidance below, utilizing the Adobe Reader and Acrobat JavaScript Blacklist Framework, until a patch is available.

Overview

The Adobe Reader and Acrobat JavaScript Blacklist Framework provides customers granular control over the execution of specific JavaScript API calls. The purpose of the Framework is to allow Adobe to protect customers against attacks that target a specific JavaScript API call, like the one referenced in Security Advisory APSA09-07.

Solution

Consumers

Windows: For end users on Windows, download the compressed file (link removed), and double-click the appropriate registry setting, based on your version of Reader or Acrobat, to populate the JavaScript Blacklist Framework. Adobe automatically resets the value during the next update.

Mac and UNIX: For end users on Mac and UNIX, follow the Enterprise instructions below.

Enterprises

Windows: For Enterprise administrators, use the documentation provided at: CPS ID 50431 for detailed instructions on using the JavaScript Blacklist Framework and to determine the best approach for your Windows environment. The required keys are in the following compressed file (link removed) for Windows.

Macintosh:

  1. On your Mac, go to the Applications folder or the location where Adobe Reader or Acrobat is installed.
  2. Right-click Adobe Reader or Acrobat Professional.
  3. Click Show Package Contents.
  4. Expand Contents.
  5. Expand MacOS.
  6. Expand Preferences.
  7. Make a backup of the FeatureLockDown file.
  8. Right-click FeatureLockDown.
  9. Open With TextEdit.
  10. Just before the last >> add this line to the FeatureLockDown file:
    /JavaScriptPerms [ /c << /BlackList [ /t (DocMedia.newPlayer) ] >> ]
  11. Save the file.
  12. Restart Adobe Reader or Acrobat.

For an example of what this would look like, see: Sample FeatureLockDown.dat
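
The Macintosh steps above (back up FeatureLockDown, then add the entry just before the last >>) can be scripted so the change is repeatable and safe to run twice. The following Python is an added example, not Adobe's code: the function names and the sample file content are constructed for illustration, and it assumes a file that already carries a different /JavaScriptPerms entry should be merged by hand rather than patched automatically.

```python
import shutil
from pathlib import Path

# Entry from step 10: blacklists the DocMedia.newPlayer JavaScript API call.
BLACKLIST_LINE = b"/JavaScriptPerms [ /c << /BlackList [ /t (DocMedia.newPlayer) ] >> ]"

# Constructed stand-in for a FeatureLockDown file; /ExampleKey is hypothetical.
SAMPLE = b"<<\n/ExampleKey [ /b true ]\n>>\n"


def add_blacklist_entry(data: bytes) -> bytes:
    """Return data with BLACKLIST_LINE inserted just before the last '>>'."""
    if b"/JavaScriptPerms" in data:
        if b"(DocMedia.newPlayer)" in data:
            return data  # entry already present, nothing to do
        # Assumption: never add a second /JavaScriptPerms key; merge by hand.
        raise ValueError("existing /JavaScriptPerms entry; merge manually")
    pos = data.rfind(b">>")
    if pos == -1:
        raise ValueError("no closing '>>' found; unexpected file format")
    return data[:pos] + BLACKLIST_LINE + b"\n" + data[pos:]


def patch_file(path: Path) -> bool:
    """Back up path to <name>.bak, then patch it. True if the file changed."""
    original = path.read_bytes()  # bytes: keep encoding and line endings intact
    patched = add_blacklist_entry(original)
    if patched == original:
        return False
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # step 7: backup
    path.write_bytes(patched)
    return True


if __name__ == "__main__":
    print(add_blacklist_entry(SAMPLE).decode("latin-1"))
```

Restart Adobe Reader or Acrobat after patching, as in the manual steps.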

Linux: 

  1. Go to the Global Prefs file at:
    <installation>/Reader/GlobalPrefs/reader_prefs
  2. Add the following line to the file:
    /JavaScriptPerms [/c << /BlackList [/t (DocMedia.newPlayer) ] >> ]

Doc ID
(cpsid_53237)

Last updated
2011-03-10
