Software Engineering Institute

Different versions of Adobe Acrobat software can create, modify, and read Portable Document Format (PDF) files. Acrobat JavaScript implements PDF-specific objects, methods, and properties and provides functionality similar to that of HTML client JavaScript. More information about Acrobat JavaScript is available from Acrobat 5 JavaScript Training site and in the Acrobat JavaScript Object Specification.

A vulnerability in the way Acrobat 5 validates JavaScript in PDF files could allow arbitrary files to be written to any location on the local file system that is writeable by the user running Acrobat. From the Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch:

Due to a vulnerability in the JavaScript parsing engine, a malicious PDF document can instruct Acrobat to write code into the user's Plug-ins folder. Any file in the user's Plug-ins folder that is developed to the Acrobat plug-in specification will automatically install and run when a user launches Acrobat.
According to Adobe, the full version of Acrobat 5 and Acrobat Approval 5 for the Windows platform are vulnerable. Acrobat 6 and all versions of Acrobat Reader are not vulnerable. Acrobat and Acrobat Approval for Macintosh and Acrobat for UNIX are not vulnerable.

An attacker could cause arbitrary files to be written to the local file system within the scope of the users' permissions.
A virus (W32.Yourde) that exploits this vulnerability has been discovered. This virus does not destroy data. More detailed information is available in write-ups from Symantec and McAfee.

Apply Patch or Upgrade

Install the Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch or upgrade to Acrobat 6 or later.

Disable JavaScript

Acrobat JavaScript can be disabled in the General preferences dialog (Edit > Preferences > General > JavaScript).

Restrict Access to Plug-ins Directory

Use NTFS file permissions to prevent users from writing to the Plug-ins directory (typically C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Plug_ins). This will protect against the W32.Yourde virus, but it will not prevent malicious JavaScript from writing to other locations.

Remove JavaScript Plug-in

Remove the JavaScript plug-in (EScript.api) from the Plug-ins directory. This will effectively disable Acrobat JavaScript and may cause other unexpected results.

Maintain Anti-Virus Software

As a general best practice, maintain updated anti-virus software. Links to anti-virus vendors and other information are available on the Computer Virus Resources page.