A practice I use to reduce Adobe Reader's vulnerabilities
is to change the following preferences
(Edit->Preferences):
- Multimedia Trust -> Allow multimedia operations: NO
- Trust Manager -> Allow opening of non-PDF file attachments…: NO
- JavaScript -> Enable Acrobat JavaScript: NO
- Security (Enhanced) -> Enable Enhanced Security: YES
However, you must remain wary of the other Adobe Reader
vulnerabilities that these changes do not address. In other words, you
must continue to avoid opening documents from unknown or dubious
sources.
See below for the English version of Adobe Reader…
–
I copied the following steps from here.
Note: These steps are written for Adobe Reader 9. If you have the
full version of Adobe Acrobat 9 you should secure it as well with these
steps. If you have an older version (pre-9) of Adobe Acrobat, these
steps may not match exactly. But you would still want to secure these
applications as best you can.
1. Open Adobe Reader 9.
2. From the Edit menu choose Preferences.
3. In the Categories list, choose JavaScript.
Note: Past vulnerabilities in Adobe Reader have included exploits via
JavaScript. You shouldn’t need JavaScript in a PDF. If you open a PDF
that has JavaScript, you will be prompted to turn it on. You can refuse
to turn it on and open the PDF without it.
4. Un-check the Enable Acrobat JavaScript box.
5. In the Categories list, choose Multimedia Trust (legacy).
Note: The default settings here allow multimedia files to play
automatically. By changing the settings for the multimedia players to
“prompt” you, you can choose not to, especially if you weren’t expecting
a media file.
6. Highlight the Permission for Windows Built-In Player is set to Always choice.
7. From the Change permission for selected multimedia player to drop down list, choose Prompt.
8. Repeat steps 6 – 7 with the remaining multimedia choices.
9. In the Categories list, choose Security (Enhanced).
10. Check the Enable Enhanced Security box.
11. In the Categories list, choose Trust Manager.
12. Un-check the Allow opening of non-PDF file attachments with external applications box.
13. Click OK to close Preferences.
14. Adobe Reader is secured and is ready to use.
Note: This April 6, 2010 Adobe blog post, PDF “/Launch” Social
Engineering Attack, discusses the ‘Allow opening of non-PDF file
attachments with external applications’ option and why it should be
un-checked at this time. As the post says, you should “only open and
execute the file if it comes from a trusted source.” This is especially
true if you receive an attachment that you were not expecting, even from
a co-worker.
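To check whether a PDF from an untrusted source uses the features these preferences restrict, the following triage sketch lists the relevant PDF name tokens it contains. It is an added example, not part of the original post or of any Adobe tool; the mapping of tokens to preferences is an assumption made for illustration, and the sample document is constructed.

```python
import re

# Assumed mapping (not from the original post): PDF name tokens associated
# with the features that each preference above restricts.
FEATURES = {
    "JavaScript": {"JS", "JavaScript"},
    "Multimedia Trust (legacy)": {"Movie", "Sound", "Rendition"},
    "Trust Manager (attachments, /Launch)": {"EmbeddedFile", "Launch"},
}

# A PDF name is "/" followed by regular characters (no whitespace/delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#53 and /JS compare equal."""
    unescaped = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def triage(pdf_bytes: bytes) -> dict:
    """Return {preference: sorted matching names} for names present in the file.

    Only names in uncompressed parts of the file are seen; anything inside
    a compressed stream would have to be inflated before scanning.
    """
    found = {decode_name(m.group(1)) for m in NAME_RE.finditer(pdf_bytes)}
    return {pref: sorted(names & found)
            for pref, names in FEATURES.items() if names & found}


# Constructed sample: a JavaScript action (one name hex-escaped) and a
# /Launch action, neither of which does anything.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /J#61vaScript /JS (constructed) >> endobj\n"
          b"3 0 obj << /S /Launch /F (example.txt) >> endobj\n"
          b"%%EOF\n")

if __name__ == "__main__":
    for pref, names in triage(SAMPLE).items():
        print(pref, "->", ", ".join("/" + n for n in names))
```

An empty result does not mean the file is safe, for the same reason the post gives: these settings do not cover every vulnerability.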