Adobe Acrobat 9 PRO Extended User Manual
USING ACROBAT 9 PRO EXTENDED
Security
Last updated 9/30/2011
Security alerts are displayed in the following situations.
Blacklisted JavaScript
Adobe uses a blacklist to specify vulnerable JavaScript APIs that could leave your program open to malicious attacks.
Adobe modifies the blacklist via Acrobat and Reader patches whenever new vulnerable JavaScript APIs are discovered,
or when vulnerabilities are fixed. Enterprise administrators can prevent additional JavaScript APIs from running in
their environment.
If a PDF tries to access a blacklisted JavaScript, a message appears in the yellow document message bar below the
toolbar area. The type of message depends on your version of Acrobat or Reader, recent updates from Adobe, and any
fine-tuning by enterprise administrators.
For more information about the situations that trigger JavaScript warnings, see the TechNote at
For more information about blacklisted JavaScripts, see the TechNote at
Security settings update
Adobe periodically distributes certificates to be used as trust anchors for signature workflows. These downloads are
important to ensure that digitally signed PDFs from trusted sources maintain their trusted status. If you receive an
update from an unknown source, verify that it is from a web address that you trust before proceeding. Updates from
untrusted websites can create vulnerabilities on your computer.
Access to unknown or untrusted websites
An alert helps prevent PDFs from connecting to malicious websites. The alert is displayed when a PDF tries to connect
to a site in these situations:
• The site is not on your list of trusted sites in Trust Manager.
• The PDF or the website is not listed as a privileged location in the Security (Enhanced) preferences.
Before allowing the connection, look carefully at the URL to ensure that it is an appropriate link. To find out why the
PDF is trying to contact the Internet, contact your system administrator or the PDF creator.
Enhanced security warnings
With enhanced security enabled, Acrobat and Reader alert you when a document attempts any of several potentially
risky actions. You can selectively allow these restricted actions by using an appropriate method from the list in
“Bypassing enhanced security restrictions.”
Important: Acrobat and Reader 9.3 and 8.2 enable enhanced security by default. Adobe recommends that you enable
enhanced security if it is not already enabled, and that you bypass restrictions only for trusted content.
Cross-domain access
Enhanced security prevents a PDF in one host domain from communicating with another
domain. This action prevents a PDF from getting malicious data from an untrusted source. When a PDF attempts
cross-domain access, Acrobat and Reader automatically attempt to load a policy file from that domain. If the domain
of the document that is attempting to access the data is included in the policy file, then the data is automatically
accessible.
Note: This action is different from displaying or browsing HTML pages, images, or other web content, which is allowed.
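The policy-file check described under Cross-domain access, as an added example (not from the Adobe manual and not Adobe's code). It assumes the server's policy file uses Adobe's cross-domain policy XML format with allow-access-from entries; the sample policy, host names and function names are constructed for illustration, and the wildcard matching is a simplified model of what the client does.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (assumed format: Adobe cross-domain policy XML).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="forms.example.com"/>
  <allow-access-from domain="*.partner.example"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the lower-cased domain patterns the policy grants access to."""
    # A policy file needs no custom entities; refuse them before parsing
    # so a hostile file cannot use entity expansion against the auditor.
    if "<!ENTITY" in policy_xml:
        raise ValueError("entity declarations are not accepted")
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [el.get("domain").strip().lower()
            for el in root.iter("allow-access-from") if el.get("domain")]


def domain_matches(pattern, host):
    """Match one entry against a host: exact name, '*', or '*.suffix'."""
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keeps the leading dot, e.g. '.partner.example'
        # The dot stops 'evilpartner.example' from passing as a subdomain.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_access_allowed(policy_xml, document_host):
    """True if the PDF's host domain is included in the server's policy."""
    return any(domain_matches(p, document_host)
               for p in allowed_domains(policy_xml))


def audit(policy_xml):
    """Return entries that open the server's data to PDFs from any domain."""
    return [p for p in allowed_domains(policy_xml) if p == "*"]


if __name__ == "__main__":
    for host in ("forms.example.com", "app.partner.example", "evilpartner.example"):
        print(host, is_access_allowed(SAMPLE_POLICY, host))
```

An administrator publishing such a policy file can run audit() over it to confirm that no entry grants access to every domain.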
Loading or running JavaScript
Acrobat and Reader block JavaScript operations when the scripts are blacklisted or
originate from an external source.