NSA: Securing Cloud-Related PDFs Shouldn’t Mean Sacrificing Usability


The rise of editable Portable Document Files created a new avenue for attackers, but the right configuration can protect most systems without compromising functionality, NSA says.

The National Security Agency is embracing the increased ubiquity of modifiable portable document files—or PDFs—by advising users to employ security features that allow greater collaboration instead of disabling the programming language that facilitates higher functionality.  

“JavaScript is commonly used in electronic forms for recipients to complete, sign, and return documents electronically,” the NSA wrote in guidance released Thursday. “Because JavaScript usage in PDFs is becoming more frequent, NSA recommends that administrators not change the default setting for [Adobe Acrobat Reader DC] that allows JavaScript. Protected Mode and Enhanced security … will help mitigate some of the security concerns due to allowing JavaScript within PDFs.”

The emphasis is NSA’s. PDFs have long presented phishing risks, in addition to links sent by email, as they can contain code that targets vulnerabilities in PDF readers built into web browsers or in the applications specifically designed for reading and creating them.

“Malicious PDFs continue to be an access vector to compromise networks,” NSA Cybersecurity Director Rob Joyce said. “Follow these recommendations to secure your Adobe Reader and make it harder for the adversary to find a way in.”

Recent versions of the Adobe reader referred to in the guidance offer “sandbox” technology to contain the reach of code included in PDFs. Foundationally, users can run all features of the application in “Protected Mode.” This sandboxing capability uses security controls within the operating system to draw up boundaries beyond which the code cannot be executed unless permission is granted. 

“A process inside the sandbox cannot access processes outside the sandbox without going through a trusted broker process,” NSA explains. “The sandbox restricts access to system resources, such as the file system and the registry.” 

Once in “Protected Mode,” users should also employ “Protected View” as a way to implement security at scale. This lets users examine a PDF for red flags before they can tap into all of its functionality.

“Protected View is essential to prevent users from inadvertently opening and executing malicious active content,” NSA says. “Allowing the user to view the document prior to enabling active content can prevent many phishing and other attacks. Once the user views the document and enables the content, Reader adds the document as a privileged location for that user and bypasses protected view on subsequent openings of that document.”

Protected Mode is turned on by default in the reader, but users can turn it off through a graphical user interface. The NSA says the sandboxing capabilities should be locked down and that administrators should disallow end-users from disabling them.

The guidance highlights the release of the latest version of the Adobe reader, which introduces “DC,” meaning “document cloud.” NSA warned of hazards associated with cloud storage but noted Adobe Acrobat Reader DC is approved by the General Services Administration's cloud certification program. 

“As with any cloud-based service, it is important to consider the implications of storing data outside of the local network,” the agency wrote. “Federal data should not be stored in a commercial cloud without authorization from the organization and accreditation through the Federal Risk and Authorization Management Program (FedRAMP).”