Making the JavaScript Blacklist Framework for Reader/Acrobat more Accessible

Hello everyone! Karthik here from the PSIRT Engineering team. One thing PSIRT always thinks about is presenting mitigations for classes of vulnerabilities. When a product patch is not immediately available, alternative mitigations become even more valuable. To ease the mitigation deployment process we are releasing the JavaScript Blacklist Framework Tool which offers protections against an entire class of vulnerabilities related to the JavaScript API for Adobe Reader and Acrobat.

JavaScript exploits used to be one of the main attack vectors for Adobe Reader as well as the PDF format in general. In October 2009, Adobe introduced a series of security enhancements for managing JavaScript execution within Adobe Reader and Acrobat, all of which are described here.

One of these, the JavaScript API blacklist, proved invaluable only two months later when attackers launched targeted attacks against CVE-2009-4324. Both end-users and enterprises were able to completely mitigate attacks exploiting this vulnerability by blacklisting the individual JavaScript API. Since the technique simply involves adding new registry value entry to a particular registry key, some organizations we talked to were able to deploy a Group Policy Object with the updated registry entry to hundreds of thousands of machines within 24 hours.

To further refine this process for enterprise IT, the security team created a tool with a user interface for this feature, and it is now available on Adobe Labs.

Blacklist Tool Screenshot

Blacklist Tool Screenshot

The tool presents a list of JavaScript APIs that have been attacked in the past. It retrieves this list of APIs from an Adobe server. If an Internet connection is unavailable, it presents a default list. When you click on ‘View,’ it displays the current entries in the JavaScript Blacklist and saves this data in a text file in the directory the application is running from (usually its installation directory). You can check multiple APIs then ‘Add’ them to the JavaScript Blacklist or Remove them. Simple enough!

Note that the tool requires the Microsoft .NET 4.0 framework. The tool’s installer should prompt you to install dependencies automatically.

If you are a Windows sysadmin and have had to make changes to the JavaScript Blacklist by hand, this tool will make your life a little easier. To download the tool, visit Adobe Labs at http://labs.adobe.com/technologies/acrobat_ittools/. The tool will work with the JavaScript Blacklist Framework on Reader 9.2 and 8.1.7 and later versions (including Reader X and Acrobat X) on Windows.

Karthik Raman, Security Researcher, PSIRT
Ben Rogers, Technical Writer, Acrobat & Reader Engineering