Adobe 12001196 Security Guide

Adobe 12001196 - Acrobat - Mac Manual

Adobe 12001196 manual content summary:

  • Adobe 12001196 | Security Guide - Page 1
    Acrobat Application Security Guide (all versions) Acrobat® Family of Products
  • Adobe 12001196 | Security Guide - Page 2
    such license. Except as permitted by any such license, no part of this guide may be reproduced, stored in a retrieval system, or transmitted, in any form actual organization. Adobe, Acrobat®, Reader®, and the Adobe logo are either registered trademarks or trademarks of Adobe Systems Incorporated in
  • Adobe 12001196 | Security Guide - Page 3
    Protected Mode 9 3.1 Overview 9 3.2 Changes across releases 10 3.3 Configuration 10 3.3.2 Trust overrides 11 3.4 Read policy changes for 11.0 Access 25 4.5 User experience 26 4.6 Examples 28 4.7 Troubleshooting and FAQs 30 5 JavaScript Controls 31 5.1 Permissions basics
  • Adobe 12001196 | Security Guide - Page 4
    Certified document trust 40 5.10 JavaScript invoked URLs 40 5. 7.5 Calling policies via JavaScript 67 7.6 Troubleshooting 67 8 External Content Access 76 8.1 Internet 82 8.4 3D content (9.5.1 and later) 83 8.5 Flash integration 83 9 Trust Methods 85 9.1 Privileged locations 85
  • Adobe 12001196 | Security Guide - Page 5
    Guide describes configuration details for the Acrobat 's security capabilities. Adobe provides a security settings for XObjects, 3D content, and Flash. Assign trust to workflow components 1. certificate trust and control user interaction with signed PDFs via certificates, seed values, etc. Many HKCU
  • Adobe 12001196 | Security Guide - Page 6
    Description This LABs utility allows IT to modify the JS API blacklist for any Acrobat product. Describes the security model when Flash runs inside a PDF document. A specification and guide for creating server-based cross domain policy files with examples. News Resource Security Bulletins
  • Adobe 12001196 | Security Guide - Page 7
    it invokes. When PV is enabled, Acrobat assumes some or all PDFs are potentially malicious based on user preferences and confines processing to a restricted sandbox. Note For links to all documentation about Reader's sandbox, see http://learn.adobe.com/wiki/display/security/Protected+Mode+FAQ
  • Adobe 12001196 | Security Guide - Page 8
    Acrobat to extend features to Reader users. These features include signing existing form fields, adding new signature fields, saving form data, etc. In this respect, a PDF of a button. Protected View 10.x: standalone vs browser functionality Feature Drag-drop PDFs to the reading or navigation No
  • Adobe 12001196 | Security Guide - Page 9
    \Adobe\\\FeatureLockDown] "iProtectedView" 2.2.4 Enabling logging Logging is available for users who need to troubleshoot problems a log file location: 1. Go to HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\10.0\Privileged. 2. Right click and choose New > REG_SZ Value. Section 2
  • Adobe 12001196 | Security Guide - Page 10
    2 Protected View Application Security Guide 3. Create tBrokerLogfilePath. 4. Right are useful for fixing broken workflows, supporting third party plug-ins, and cases where Reader install directory adjacent to the AcroRd32.exe in the install folder: D:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat
  • Adobe 12001196 | Security Guide - Page 11
    Unsupported configurations for Acrobat running in Protected View change across releases as the product evolves. For example, Protected Mode supports Citrix and Windows Terminal Services deployments with 10.1. For a list of unsupported configurations and workarounds, see http://kb2.adobe.com/cps/860
  • Adobe 12001196 | Security Guide - Page 12
    Guide System requirements? Due to the fundamental differences in OS and product implementations, sandbox designs must be tailored to each environment. The current release includes support for the following: • Adobe Acrobat 10 • In enterprise settings where PDF workflows are entirely confined to
  • Adobe 12001196 | Security Guide - Page 13
    : • Adobe Reader 10.0. • Windows 32 and 64 bit platforms, including XP. Much like Google's Chrome, Adobe's initial efforts are focused on hardening its Windows products because there are more Windows users and Windows applications with proven sandboxing implementations. • Any supported browser. PDFs
  • Adobe 12001196 | Security Guide - Page 14
    Guide 3.2 Changes across releases Evolution of Protected Mode Version 10.0 10.x-11.0 11.0 Change Protected Mode introduced in Reader. Many changes and improvement were made for dot releases as described at http://helpx.adobe.com/acrobat/kb/protected-mode-troubleshooting-reader where PDF workflows
  • Adobe 12001196 | Security Guide - Page 15
    Reader process to display the preview. In such cases, Task Manager shows that two AcroRd32.exe processes spawn and that the operation is occurring with Protected Mode enabled. 3.3.4 Logging registry config Logging is available for users who need to troubleshoot problems \Adobe\Acrobat Reader\10.0\
  • Adobe 12001196 | Security Guide - Page 16
    Guide • 0: Disables the feature. • 1: Enables the feature. 3.3.6 Verifying the current mode There are two ways to verify if the application is running in Protected Mode: • Open the process explorer or task manager. When protected mode is on, two reader supporting (x86)\Adobe\Reader 10.0\Reader\ •
  • Adobe 12001196 | Security Guide - Page 17
    Mode in Reader 10.x prevented arbitrary writes to file locations in the user's profile area such as My Documents, Pictures, Downloads folder, %AppData following: 1. The correct functioning of Adobe Reader itself; for example %appdata%\Adobe\Acrobat\11.0\*. 2. PDFs explicitly opened by the user via
  • Adobe 12001196 | Security Guide - Page 18
    Section 3 Protected Mode Application Security Guide BUILTIN\Users groups read access is not "interdoc PDF links" in the web will be to PDF on the web, not the user's machine or network share. Search-warning dialogs Finally, it is impossible to securely support the index search and Reader's desktop
  • Adobe 12001196 | Security Guide - Page 19
    helpx.adobe.com/acrobat/kb/protected-mode-troubleshooting-reader. supported until 10.1 and later. Note When a screen reader like JAWS or Window-Eyes is already running when Reader is started for the first time on XP systems, a warning is shown instructing the user to turn Protected Mode off manually
  • Adobe 12001196 | Security Guide - Page 20
    priority at this point in time. What configuration are not supported? For a current list of issues, see http://helpx.adobe.com/acrobat/kb/protected-mode-troubleshooting-reader.html. Does the fact that Protected Mode invoke two Reader processes affect updating and patching? No. The patching mechanism
  • Adobe 12001196 | Security Guide - Page 21
    Temp directory (as returned by GetTempPath() Windows API or equivalent Acrobat API). Another white-listed location is Adobe Reader's own appdata area. Does the Protected Mode impair a PDF's ability to access trusted web sites? No. Can I still save Acrobat forms on my own computer? Yes. There is no
  • Adobe 12001196 | Security Guide - Page 22
    0Preferences' folder? Yes, Reader X allows writing to these type of locations. Will plug-ins that access web services via an URL work? Yes, it should work. Will Protected Mode affect the functioning of URLs in a PDF? No. Will the broker allow an embedded Flash Player 10.1 instance to access hardware
  • Adobe 12001196 | Security Guide - Page 23
    Application Security Guide Section 3 Protected Mode One option is to add custom policies to bypass protected mode restrictions. Can plug-in developers write their own broker? No, we
  • Adobe 12001196 | Security Guide - Page 24
    Section 4 Enhanced Security Application Security Guide 4 Enhanced Security Introduced in version 9.0 and enabled by injection via an FDF, XFDF, and XDP NOT returned as the result of a post from the PDF. • Blocks stream access to XObjects such as external images. • Stops silent printing to a file
  • Adobe 12001196 | Security Guide - Page 25
    Guide Section 4 Enhanced Security Version 9.0 9.1 8.1.7 & 9.2 8.2 & 9.3 Change Enhanced security introduced. Support configuring paths, use your product (Adobe Acrobat or Acrobat Reader) and version (9.0 or 8.0). typically only need when troubleshooting. Logging is not available on Macintosh.
  • Adobe 12001196 | Security Guide - Page 26
    path to reflect the product (Acrobat or Reader) and version number (9.0 or 8.0) you are using. To configure the settings: 1. Navigate to the .plist file: • Mactel: UserLibraryPreferencescom.adobe.Acrobat.Pro_x86_9.0.plist • Mactel: UserLibraryPreferencescom.adobe.Acrobat.Pro_x86_8.0.plist Page 22
  • Adobe 12001196 | Security Guide - Page 27
    Application Security Guide Section 4 Enhanced Security • PowerPC machine: UserLibraryPreferencescom.adobe.Acrobat.Pro_ppc_8.0.plist • PowerPC machine: UserLibraryPreferencescom.adobe.Acrobat.Pro_ppc_9.0.plist • PowerPC machine: UserLibraryPreferencescom.adobe.Reader_ppc_8.0.plist • PowerPC machine
  • Adobe 12001196 | Security Guide - Page 28
    adobe/Acrobat/9.0/Preferences/reader_prefs • ~/.adobe/Acrobat/8.0/Preferences/reader_prefs 2. Navigate to /TrustManager. 3. Add and set the keys in the file. 4. Save and exit. Application Security Guide Users can trust documents on-the-fly when the PDF opens: When the Yellow Message Bar appears,
  • Adobe 12001196 | Security Guide - Page 29
    Application Security Guide Section 4 Enhanced Security 4.4.1 Privileged directories, and specific hosts (wildcards are supported). • 8.1 Internet access settings in the Trust Manager support both global and granular trust of all domain access for specific PDFs Section 4 Enhanced Security Page 25
  • Adobe 12001196 | Security Guide - Page 30
    Guide For a PDF that comes from a server, the server has a domain and hence the PDF has a domain; however, a stand-alone PDF residing on a user's machine has no domain. When such a PDF accesses a server, Acrobat Reader enabled signature applied by a LiveCycle ES server: PDFs , Adobe recommends
  • Adobe 12001196 | Security Guide - Page 31
    FDF data specified by that url may be injected into the open PDF if the FDF has no /F key and if the PDF may receive data from the FDF based on the cross domain policy. • If the PDF opens in the Acrobat/Reader standalone application and the FDF data comes back in the https response
  • Adobe 12001196 | Security Guide - Page 32
    Section 4 Enhanced Security Application Security Guide 4.5.2.1 9.2, 8.1.7, and earlier Pre 9.3 and 8.2, the application displayed modal dialogs whenever a risky domain access Yellow Message Bar: JavaScript injection 4.6 Examples 4.6.1 Default settings: 10.0+ Page 28 Section 4 Enhanced Security
  • Adobe 12001196 | Security Guide - Page 33
    Application Security Guide Section 4 Enhanced Security The default settings are similar to 9.3.4. See Changes across releases. 4.6.2 Default : 9.x and 10.x [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\\FeatureLockDown] "bEnhancedSecurityStandalone
  • Adobe 12001196 | Security Guide - Page 34
    security settings: 9.x and 10.x [HKEY_CURRENT_USER\Software\Adobe\(Adobe Acrobat or Acrobat Reader)\(9.0 or 10.0)\TrustManager] "bEnhancedSecurityStandalone"=dword:00000000 "bEnhancedSecurityInBrowser"=dword:00000000 "bTrustOSTrustedSites"=dword:00000001 4.7 Troubleshooting and FAQs See Enhanced
  • Adobe 12001196 | Security Guide - Page 35
    Application Security Guide Section 5 JavaScript Controls 5 JavaScript Controls JavaScript support is one of Acrobat's and Adobe Reader's most powerful features, and Adobe provides several controls that enable tuning application behavior so that JavaScript (JS) executes within your desired level of
  • Adobe 12001196 | Security Guide - Page 36
    Application Security Guide 8.1.7 & 9.2 8.2 & 9.3 9.3.4 10.1.1 11.0 panel, uncheck Enable Acrobat JavaScript. This preference sets: [HKCU\Software\Adobe\\\JSPrefs • Users can trust documents on-the-fly when the PDF opens: When the Yellow Message Bar appears, choose the
  • Adobe 12001196 | Security Guide - Page 37
    Security Guide JS Workflow: Enabling-disabling JS Section 5 JavaScript Controls 5.5 Blacklisting JS APIs The Acrobat JavaScript Adobe\\\FeatureLockDown\cJavaScriptPerms\] "tBlackList" • Windows: Adobe's update/patch list: The Adobe blacklist is modified by Acrobat and Adobe Reader
  • Adobe 12001196 | Security Guide - Page 38
    Section 5 JavaScript Controls Application Security Guide On a 64 bit Windows system, the path is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe. 5.5.2 Blacklist configuration The manual steps described below require administrator privileges on a machine and should only be undertaken by someone
  • Adobe 12001196 | Security Guide - Page 39
    Application Security Guide JS Workflow: Blacklisted APIs Section 5 JavaScript Controls 5.5.4 JS blacklist tool Adobe intends to You are using it for Reader and Acrobat 9.2 and 8.1.7 and later versions as well as any 10.x version. 3. Agree to the Terms of Use and download the installer. 4. Unzip
  • Adobe 12001196 | Security Guide - Page 40
    Security Guide 5. Choose 8. Choose Next. 9. Choose Next again to confirm the installation. 10. Choose Close. 5.5.4.2 Usage The tool presents a list of JavaScript 1. Choose Start > Programs > JS Blacklist Framework for Adobe Reader or Acrobat. 2. Check and uncheck multiple APIs to Add or Remove
  • Adobe 12001196 | Security Guide - Page 41
    Application Security Guide Section 5 JavaScript Controls 5.6 Disabling menu-invoked JS Beginning with Acrobat 7.0, execution of JavaScript items JavaScript execution privileges. This values sets: [HKCU\Software\Adobe\\\JSPrefs] "bEnableMenuItems" Note Enables executing
  • Adobe 12001196 | Security Guide - Page 42
    Section 5 JavaScript Controls Application Security Guide HKLM\SOFTWARE\Policies\Adobe\\\FeatureLockDown\cDefaultExecMenuItems\ " privileged JavaScript is restricted by default. High privilege JavaScripts are Acrobat methods with security restrictions. These are marked by an
  • Adobe 12001196 | Security Guide - Page 43
    Application Security Guide Section 5 JavaScript Controls 5.8.1 Trusted override There are several and is editable via the user interface. It resides at: HKCU\Software\Adobe\\\TrustManager\(cTrustedSites or TrustedFolders)\cJavaScript 5.8.1.1 Certificate trust You can control
  • Adobe 12001196 | Security Guide - Page 44
    Application Security Guide 5.9 actions via the Options button on the YMB. 5.10.1 Trusted override There are several ways to assign can trust documents on-the-fly when the PDF opens: When the Yellow Message Bar appears, at: [HKCU\Software\Adobe\\\TrustManager\(cTrustedSites
  • Adobe 12001196 | Security Guide - Page 45
    Guide Section 5 JavaScript Controls 5.11.1 Trusted override There are several ways to assign trust so that this feature works in a trusted context: • Users can trust documents on-the-fly when the PDF 5.12 Workflow changes by version Acrobat and Adobe Reader have always provided controls for
  • Adobe 12001196 | Security Guide - Page 46
    Section 5 JavaScript Controls Application Security Guide 5.12.2 9.2 and 8.1.7 and later These versions will behave as this document always: This option stores a unique document ID in HKCU\Software\Adobe\\\TrustManager\cTrustedFolde Yellow message bar: JS off warning (9.2 and
  • Adobe 12001196 | Security Guide - Page 47
    Reader, thereby sandboxing all processes. Additionally, 10.1.1 introduces the following changes: • New user JS location: The user JavaScript folder is moved from • Vista and Windows 7: Users\(username)\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts to Users\(username)\AppData\Roaming\Adobe\Acrobat
  • Adobe 12001196 | Security Guide - Page 48
    new format. Note For Adobe Reader, you can only use the latter method since the JavaScript console is not available unless you have enabled it as described at http://blogs.adobe.com/pdfdevjunkie/2008/10/how_to_use_the_javascript_debu.html. 2. Manually execute the JavaScript setPersistent method
  • Adobe 12001196 | Security Guide - Page 49
    Security Guide Section 6 Attachments 6 Attachments Acrobat products types and how the application manages those types. Adobe applications maintain Black lists and white lists which for file types in the attachment list can be modified manually as needed. New file extensions can be added to the
  • Adobe 12001196 | Security Guide - Page 50
    Security Guide • setting does not work for any version of Reader 10.x with Protected Mode enabled. Modifying the registry :3|.wsf:3|.wsh:3|.z:3|.zip:3|.zlo:3|.zoo:3|.pdf:2|.fdf:2|.jar:3|.pkg:3| .tool:3|. click the application file in Applications/Adobe Acrobat . 3. Choose Show Package
  • Adobe 12001196 | Security Guide - Page 51
    Security Guide Section in Linux: 1. Navigate to /Adobe/
  • Adobe 12001196 | Security Guide - Page 52
    Section 6 Attachments Application Security Guide Users can indirectly manage the registry list to a black or white list, attach the new file type to a document and then try to open it: 1. Acrobat: Choose Document > Attach a File and attach a file type not on the black or white list (e.g. yfile.xyz
  • Adobe 12001196 | Security Guide - Page 53
    Application Security Guide .gz .hex .hlp .hqx .hta .inf .ini .ins .isp .its .jar .job .js .jse .ksh .lnk Initialization/Configuration file IIS Internet Communications Settings (Microsoft) IIS Internet Service Provider Settings (Microsoft) Internet Document Set, International Translation Java
  • Adobe 12001196 | Security Guide - Page 54
    Component Windows Script file Windows Script Host Settings file Compressed Archive file ZoneLabs ZoneAlarm Mailsafe Renamed .PIF file An early compressed file format Application Security Guide Page 50 Section 6 Attachments
  • Adobe 12001196 | Security Guide - Page 55
    PDFs in one domain that attempt to access data from another domain. By default, when requested content is not from the same origin as the requesting document, Acrobat and Adobe Reader Acrobat family of products became more powerful over the years (i.e. support for JavaScript and web service
  • Adobe 12001196 | Security Guide - Page 56
    Section 7 Cross Domain Configuration Application Security Guide 7.1.2 Cross domain workflow A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat permission to handle data across domains. When a client hosts content from a particular
  • Adobe 12001196 | Security Guide - Page 57
    Guide Section 7 Cross Domain Configuration 7.1.3 When you need cross domain access Cross domain access is permitted for Acrobat and Adobe Reader default installations in versions 9.2/8.17 and earlier. You can prevent such access by turning on the enhanced security feature. Cross domain support
  • Adobe 12001196 | Security Guide - Page 58
    dialog presented to the user is considered adequate warning that downloading may occur. • Cross domain access is permitted for service (similar to Web mash-ups). Note Cross-domain restrictions do not apply to data requested by Reader for non-document request operations. For example, if Adobe Reader
  • Adobe 12001196 | Security Guide - Page 59
    Guide • *.xyz.com • www.xyz.com 7.1.5 PDFs in a standalone application vs. the browser Acrobat and Adobe Reader behave similarly with respect to data access, and similarly to Flash running in the browser: Same domain requests do not require a check, and cross domain checks do. • PDF viewed in
  • Adobe 12001196 | Security Guide - Page 60
    Section 7 Cross Domain Configuration Application Security Guide • Enhanced security is enabled and privileged contexts are slightly different. Note Because Acrobat and Flash share the same cross domain model, the specification as well as much of the Flash documentation may prove useful to you.
  • Adobe 12001196 | Security Guide - Page 61
    Application Security Guide Section same-origin and cross-domain examples shows examples of combinations of PDF and server locations for both same-origin and cross-domain data .example.com"/> The
  • Adobe 12001196 | Security Guide - Page 62
    Domain Configuration Application Security Guide
  • Adobe 12001196 | Security Guide - Page 63
    Guide com" /> 7.2.10 IP address If you specify an IP address, access 57.83.12/document.pdf), not those loaded using domain-name syntax. Acrobat does not perform
  • Adobe 12001196 | Security Guide - Page 64
    Configuration Application Security Guide 7.3 Certificate-based permissions Acrobat and Adobe Reader 9.1 introduces an extension to cross-domain policies access. Two types of certificate fingerprints are supported: • Certificates extracted from a certified document
  • Adobe 12001196 | Security Guide - Page 65
    Application Security Guide Section 7 Cross Domain Configuration Note If you are using a certificate hash for documents that are Reader enabled by a LiveCycle ES server, you should use the certificate issued in conjunction with the server. This certificate will be unique to your organization. To
  • Adobe 12001196 | Security Guide - Page 66
    Windows store. Only one method is described here. To extract a certificate hash: 1. Open Acrobat. 2. Do one of the following to open the Digital ID list: • 9.x: Choose Advanced > Security Settings. • 10.x: Choose Tools > Sign and Certify > More Sign and Certify > Security Settings. • 11.x: Choose
  • Adobe 12001196 | Security Guide - Page 67
    Security Guide Section be set to • 9.2/8.17: text/x-cross-domain-policy • 9.3/8.2: Any type supported by the specification. • The file usually resides at the server's root. However 7.4.2 Differences between Acrobat and Flash The Acrobat family of products leverages the Flash model. However,
  • Adobe 12001196 | Security Guide - Page 68
    Guide • For 9.2, Acrobat requires that cross-domain policy files return from the server with the content-type text/cross-domain-policy. • For 9.3, both clients support HTTP response header. • Acrobat does NOT support the Socket usage. However, Flash does support policy files that grant permissions
  • Adobe 12001196 | Security Guide - Page 69
    text/x-cross-domain-policy (or a type supported per the specification). • Extensions: xml 9. Choose Apply and OK. S 10. Start the application. WebSphere: Mime ,.and Netweaver 2004: 2. Choose the Properties tab of the HTTP Provider Service running on the server process. 3. Enter a new MIME type in
  • Adobe 12001196 | Security Guide - Page 70
    Section 7 Cross Domain Configuration Application Security Guide 1. Open NetWeaver Administrator. 2. Navigate to Java System Properties: Configuration Management > Infrastructure. 3. In the Services tab, select HTTP Provider Service. A list of all service properties is displayed on the Extended
  • Adobe 12001196 | Security Guide - Page 71
    affect other PDFs opened during that client's session. For details, refer to the JavaScript™ for Acrobat® API Reference . • SWFs can load policies from other locations via the JavaScript method Security.loadPolicyFile. Refer to the Flex documentation for more information. 7.6 Troubleshooting When
  • Adobe 12001196 | Security Guide - Page 72
    Section 7 Cross Domain Configuration Application Security Guide 7.6.1 Enabling logging If you need to debug cross domain access, enable logging. Note Logging is not available on Macintosh. Cross domain logging Logging: User interface
  • Adobe 12001196 | Security Guide - Page 73
    Guide Section 7 Cross Domain Configuration 1. Open the registry. 2. Create an AVPrivate key if it does not exist at: HKDCUSoftwareAdobe
  • Adobe 12001196 | Security Guide - Page 74
    Application Security Guide • No the problem that was found; see messages about failures to load policy files. OK No problem exists. Policy file accepted %s No problem exists be set to text/x-cross-domain-policy. Like Flash, Acrobat will soon support these additional content-types: • Any content
  • Adobe 12001196 | Security Guide - Page 75
    Application Security Guide Section 7 Cross Domain Configuration The client made an HTTP access, it accepts HTTP policy files regardless of their Content-Type. • HTTP meta-policies: When Flash Player has access to HTTP response headers, it honors the HTTP meta-policies declared in master HTTP policy
  • Adobe 12001196 | Security Guide - Page 76
    Section 7 Cross Domain Configuration Application Security Guide HTTP header from %s specifies meta-policy 'by-ftp-filename', which is only applicable to FTP, not HTTP. A by-ftp-filename meta-policy was found in
  • Adobe 12001196 | Security Guide - Page 77
    Application Security Guide Section 7 Cross Domain Configuration The meta-policy has Content-Type of text/x-cross-domain-policy, which indicates that the administrator deliberately made changes to support meta-policies. Since the official Content-Type for HTTP policy files is in use, the client
  • Adobe 12001196 | Security Guide - Page 78
    Section 7 Cross Domain Configuration Application Security Guide Port ranges may include the wildcard *, individual in this policy file. 7.6.5 Flash only messages Theoretically, Acrobat clients should not receive these messages. However, since Acrobat leverages the Flash model, these are provided
  • Adobe 12001196 | Security Guide - Page 79
    Application Security Guide Section 7 Cross Domain Configuration Timeout on %s (at 3 seconds) while waiting for socket policy file. Only pertinent to Flash and socket policy files. [strict] Local socket connection forbidden to host %s without a socket policy file. Only pertinent to Flash and socket
  • Adobe 12001196 | Security Guide - Page 80
    Section 8 External Content Access Application Security Guide 8 External Content Access 8.1 Internet access Your application can inform you when a PDF file is attempting to connect to an Internet site. Opening a Web page represents a security risk because malicious content can be transferred
  • Adobe 12001196 | Security Guide - Page 81
    Application Security Guide Section 8 External Content Access If you choose the custom settings option, the Web Sites panel becomes active and you can enter unique URLs. URLs must begin with www and end with a valid suffix. The Acrobat family of products maintains a white and black list of URLs
  • Adobe 12001196 | Security Guide - Page 82
    appear in the presence of these media types. Changes across releases: Multimedia support Version 8.2 & 9.3 Change • Legacy multimedia support is disabled by default. For media types other than Flash, support must be manually enabled. • A non-intrusive Yellow Message Bar (YMB) that doesn't block
  • Adobe 12001196 | Security Guide - Page 83
    Application Security Guide Section 8 External Content Access 9.5 & 10.1.2 11.0 Multimedia trust is integrated into used. The product no longer uses an embedded Flash player. Instead, the product leverages the user's system player such as the Flash Player plug-in for browsers which use the Netscape
  • Adobe 12001196 | Security Guide - Page 84
    Guide Membership on the trusted document list is permanent until the list is manually on-the-fly when the PDF opens: When the Yellow Message Adobe\\\TrustManager\\] "cMultiMedia" Certificate trust settings 8.2.3 Historical notes 8.2.3.1 Pre-10
  • Adobe 12001196 | Security Guide - Page 85
    Application Security Guide Section 8 External Content Access 8.2.3.2 9.3-8.2 & later For 9.3 and 8.2, the item to the already existing Trusted Documents list. Note For versions 8.2-9.3 to 9.4.7-10.1.1, this feature does not interact with enhanced security and the Trusted Documents list is not
  • Adobe 12001196 | Security Guide - Page 86
    Section 8 External Content Access Application Security Guide 8.2.3.3 Up to 9.2-8.1.7 These product versions displayed the flags which are defined in the PDF Reference. For example, an URL might point to an image external to the document. Only PDF developers create PDF files with streams, so you
  • Adobe 12001196 | Security Guide - Page 87
    change the setting via HKLM\SOFTWARE\Policies\Adobe\\\FeatureLockDown\bEnable3D. Note This is a 9.5.1-only change since Protected Mode in 10.x products provides effective mitigation against 3D attack vectors. 8.5 Flash integration Section 8 External Content Access Page 83
  • Adobe 12001196 | Security Guide - Page 88
    you open a PDF that requires Flash, a dialog prompts you to download and install the latest Flash player. To preinstall Flash, go here: • Windows: Adobe Reader and Acrobat Flash Player Download for Windows • Macintosh: Adobe Reader and Acrobat Flash Player Download for Mac Note Flash de-coupling is
  • Adobe 12001196 | Security Guide - Page 89
    Application Security Guide Section 9 Trust Methods 9 Trust Methods Ideally, you've enabled and not appear in the registry until the user interface is exercised. However, you can create it manually. • Configuration may occur via the user interface or directly in the registry. • If configured
  • Adobe 12001196 | Security Guide - Page 90
    Section 9 Trust Methods Application Security Guide 10.0 10.1 9.5 & 10.1.2 • Wildcards are supported when specifying hosts as privileged locations. • A sandbox for Reader is introduced called Protected Mode (PM). PM restrictions can be overridden via privileged locations. • Folder trust is
  • Adobe 12001196 | Security Guide - Page 91
    Application Security Guide Section 9 Trust Methods 9.1.3 User on-the-fly config. Whenever a PDF opens that contains content which is blocked list of available preferences see the Preference Reference. While you can create PLs manually at the registry level, it's easier to use the UI and then
  • Adobe 12001196 | Security Guide - Page 92
    Section 9 Trust Methods Application Security Guide [HKEY_CURRENT_USER\Software\Adobe\\\TrustManager\cTrustedFolders\ following: Note 11.0 introduces support for locking on Macintosh. [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\\\FeatureLockDown] "
  • Adobe 12001196 | Security Guide - Page 93
    Guide Section 9 Trust Methods 9.1.7 Wildcard and host trust 10.x products support the use of wildcard matching of subdomain components for trusted host URLs. For example, for a basic URL of a.b.c.adobe the Windows and Macintosh versions of Reader and Acrobat. When set, certified documents become
  • Adobe 12001196 | Security Guide - Page 94
    Guide [HKEY_CURRENT_USER\Software\Adobe\\\TrustManager] "bTrustCertifiedDocuments"=dword:00000001 To lock the setting, set the following: [HKLM\SOFTWARE\Policies\Adobe set certificate trust: 1. Open Acrobat. 2. Do one of the list, choose Certificates. • 10.x: Choose Tools > Sign
  • Adobe 12001196 | Security Guide - Page 95
    Application Security Guide Section 9 Trust Methods For details about setting up trust for cross domain access other than via privileged locations, see be configured via the UI or in the registry as described in the Preference Reference for Acrobat and Adobe Reader. Section 9 Trust Methods Page 91
  • Adobe 12001196 | Security Guide - Page 96
    security Application Security Guide 10 Content security Application security is all about hardening restricted by enhanced security. This guide focuses solely on application security--configuring the application to enable, disable, or restrict features and PDF functionality that may pose a
