Adobe: A Security Risk

Most of us know that operating systems have security issues. Microsoft is best known for this, and issues patches every month on “Patch Tuesday” (the second Tuesday of each month). But Microsoft is not the only one with issues. Viruses and trojans targeting Macintosh computers are becoming more common, and my Linux boxes get security updates regularly. We also know that browsers are a source of security vulnerabilities. Just a few days ago a problem in Internet Explorer seems to have created the opening used to hack Google’s servers in China, but again, I get regular security fixes to my Firefox installations as well.

What you may not have thought about are the vulnerabilities created by the other programs you run, and in this case we have several that come from Adobe. This company has created two file types that are essentially ubiquitous on the Internet: Adobe Flash (this runs all of those YouTube videos, and most video on the Internet), and Adobe Acrobat (PDF files, which are very popular for distributing all kinds of print content). And with these file types, Adobe has created serious problems for users.

Adobe Flash

The problem with Flash is that Adobe essentially re-introduced cookies in a way that most people did not expect, and were probably not aware of. How big a problem this is depends on your views regarding cookies. I think they are mostly benign, but there are exceptions. I personally do not allow what are called “third-party” cookies. If I visit Google, for instance, I am recognized because of a cookie on my computer that tells Google it is me, and all of my settings and personalizations are preserved for me. I like that. What I do not want is Google giving my information to another company, like DoubleClick (actually, this is owned by Google, but I still don’t like them). DoubleClick would love to track what I do on all other Web sites so they can build a profile and send me ads. I set Firefox to reject that. But now it turns out that Adobe Flash, which is used in a lot of Web sites, is creating its own cookies to track what I do. It is even possible for Adobe Flash to create browser cookies, even to re-instate browser cookies I had previously deleted (called respawning). You can read some details in this story from Wired.

So, what can you do? If you want to stop Flash from setting cookies at all, you have to do it indirectly. Adobe apparently never considered this from a security perspective, and so you do not have the options in Flash that you have in most browsers to control this. You can do one or both of two things: 1) delete all existing cookies; and 2) stop new ones from being created.

To delete existing cookies, you need to remove all of the *.LSO files on your computer. LSO stands for Local Shared Objects, and this is the equivalent of a cookie. Use whatever search methods your operating system offers, and delete these files. Another way (for Firefox users) is to install the add-on BetterPrivacy. This gives you a bunch of options, such as clearing all Flash cookies when the browser shuts down, or when it starts up, and also adds an option to clear all Flash cookies to the dialog for clearing your browsing history. If you use Firefox and want privacy, this add-on is very valuable.

In addition to deleting cookies, you can prevent them from ever being stored, but the method is a bit weird. You need to adjust the settings of your Flash player through Adobe’s web site. Go to the Settings Manager, and select Global Storage Settings. Note that it is not the Privacy settings you want here, it is the Storage settings. In the window it brings up, set your storage to None (all the way to the left), and place a check mark in Never Ask Again, and remove the check mark for Allow third-party Flash content to store data on your computer. Note that this may cause some sites to stop working, and it may turn out to be sites you need to work with. In that case, allow third-party Flash content again, and take out the check mark for Never Ask Again. If you leave the storage set to None, it will have to ask you each time if it can have permission to store a cookie.

Adobe Acrobat (PDF)

The problem here is that someone at Adobe had the bright idea that PDF files ought to be able to run JavaScript. Now, from a security perspective you can argue that browsers should not be allowed to run JavaScript. It is one big huge security vulnerability waiting to bite you, and if you are not careful about controlling it, it will eventually get you. But because virtually all of the major sites use it, you often feel like you have no choice. Still, there is an excellent add-on for Firefox and other Mozilla-based browsers called NoScript that gives you pretty good control. In a PDF file, I can only assume that insanity has taken hold at Adobe to add JavaScript capability. (Either that, or a pact with Satan. You make the call.) This is just horrible. But what can you do?

Fortunately, this is pretty simple. Open your Acrobat Reader, go to Edit –> Preferences –> JavaScript, and remove the checkmark in Enable Acrobat JavaScript. This is easy to do, but you want to make sure you do it. There are already exploits in the wild that take advantage of this gaping security hole, and you want to be protected. There is no good reason at all to have JavaScript in a PDF document. PDF was created for one reason: To have control over the page layout of documents that are electronically distributed. And JavaScript is completely unnecessary for that.