InformAction Forums

Posted: **Thu Nov 25, 2010 10:34 am**

I disabled JavaScript, multimedia operations and attachment opening in Acrobat Reader. Can I always allow PDFs without any concern?

Posted: **Thu Nov 25, 2010 12:31 pm**

What does this have to do with NoScript?

Posted: **Thu Nov 25, 2010 1:55 pm**

Lucas Malor wrote:I disabled JavaScript, multimedia operations and attachment opening in Acrobat Reader. Can I always allow PDFs without any concern?

I assume you're referring to this section of http://noscript.net/features#contentblocking, Lucas.

You can configure some exception to the Forbid Other Plugins option by setting the noscript.allowedMimeRegExp about:config preference to a pattern matching the content types you want to allow. For instance, setting it to "application/pdf" will let PDF document load automatically on every site. That said, are you sure you need to? Adobe Acrobat Reader plugin got its share of vulnerabilites so far, and after all, you can still allow individual PDF documents from untrusted sites just clicking on their placeholders.

That said, I don't know if you can "always allow PDFs without any concern" with the Acrobat Reader configuration you describe. It might be sufficient protection from known pdf vulnerabilities, but not for a zero-day exploit yet to be discovered.

Edit: Do you have a particular site in mind where using placeholders for PDF is a problem?

Posted: **Thu Nov 25, 2010 2:38 pm**

Alan Baxter wrote:I assume you're referring to this section of http://noscript.net/features#contentblocking, Lucas.

Yes.

Alan Baxter wrote:It might be sufficient protection from known pdf vulnerabilities, but not for a zero-day exploit yet to be discovered.

Well, you make good points. Anyway I think that if the pdf is not embedded, I opened it myself. This can be not true when the domain is whitelisted and embedded contents are not applied to whitelisted domains too.

The problem is NoScript blocks PDFs even if they are not embedded. How can I avoid this, without allowing embedded ones too adding "application/pdf" to noscript.allowedMimeRegExp ?

Alan Baxter wrote:Do you have a particular site in mind where using placeholders for PDF is a problem?

No.

Posted: **Thu Nov 25, 2010 2:45 pm**

Lucas Malor wrote:The problem is NoScript blocks PDFs even if they are not embedded. How can I avoid this, without allowing embedded PDFs too adding "application/pdf" to noscript.allowedMimeRegExp

You can't, and for a good reason.
There's no difference between an embedded PDF and one opened as a top-level document in the browser, from an attacker standpoint.
Both

Code: Select all

<iframe src="some-malicious.pdf"></iframe>

(embedding) and

Code: Select all

<meta http-equiv="refresh" content="0;url=some-malicious.pdf">

(top-level) are equally effective at launching an automated PDF-based attack on you, and therefore if you're blocking PDFs for security reasons both cases need to be equally covered.

InformAction Forums

[SOLVED] Safe to allow pdf?

[SOLVED] Safe to allow pdf?

Re: Safe to allow pdf?

Re: Safe to allow pdf?

Re: Safe to allow pdf?

Re: Safe to allow pdf?