Une pratique que j’utilise pour diminuer les vulnérabilités
d’Adobe Reader est de modifier les préférences suivantes
(Édition->Préférences):
- Fiabilité multimédia -> Autoriser les opérations multimédia: NON
- Gestionnaire des approbations -> Autoriser l’ouverture de pièces jointes non PDF…: NON
- JavaScript -> Activer Acrobat JavaScript: NON
- Protection (renforcée) -> Activer la protection renforcée: OUI
Il faut toutefois continuer à se méfier des autres vulnérabilités
d’Adobe Reader que ces changements n’adressent pas. Autrement dit, il
faut continuer à éviter d’ouvrir des documents de sources inconnues ou
douteuses.
Voir ici-bas pour la version anglaise d’Adobe Reader…
–
I copied the following steps from here.
Note: These steps are written for Adobe Reader 9. If you have the
full version of Adobe Acrobat 9 you should secure it as well with these
steps. If you have an older version (pre-9) of Adobe Acrobat, these
steps may not match exactly. But you would still want to secure these
applications as best you can.
1. Open Adobe Reader 9.
2. From the Edit menu choose Preferences.
3. In the Categories list, choose JavaScript.
Note: Past vulnerabilities in Adobe Reader have included exploits via
JavaScript. You shouldn’t need JavaScript in a PDF. If you open a PDF
that has JavaScript, you will be prompted to turn it on. You can refuse
to turn it on and open the PDF without it.
4. Un-check the Enable Acrobat JavaScript box.
5. In the Categories list, choose Multimedia Trust (legacy).
Note: The default settings here allow multimedia files to play
automatically. By changing the settings for the multimedia players to
“prompt” you, you can choose not to, especially if you weren’t expecting
a media file.
6. Highlight the Permission for Windows Built-In Player is set to Always choice.
7. From the Change permission for selected multimedia player to drop down list, choose Prompt.
8. Repeat steps 6 – 7 with the remaining multimedia choices.
9. In the Categories list, choose Security (Enhanced).
10. Check the Enabled Enhanced Security box.
11. In the Categories list, choose Trust Manager.
12. Un-check the Allow opening of non-PDF file attachments with external applications box.
13. Click OK to close Preferences.
14. Adobe Reader is secured and is ready to use.
Note: This April 6, 2010 Adobe blog post, PDF “/Launch” Social
Engineering Attack, discusses the ‘Allow opening of non-PDF file
attachments with external applications’ option and why it should be
un-checked at this time. As the post says, you should “only open and
execute the file if it comes from a trusted source.” This is especially
true if you receive an attachment that you were not expecting, even from
a co-worker.
