Thursday, February 25, 2010

Adobe blacklisting framework


As abode said it is not practically feasible to disable whole of javascript in adobe, it introduced a feature called black listing. This allows users to define any specific javascript API as a black list item, which then it wont be allow it to be called. Say we found a vulnerability in docmedia.newplayer, you can add this to black list and hence you can safeguard your system by doing so.
By putting that into the black list, then any PDF document that it attempts to call that, that call will be denied.  And so, it’ll deny valid calls as well as malicious calls that try to corrupt the call in order to create a crash. And this is something individual users can do, and also administrators for managed desktop environments can also do this using group policy objects to roll-out the change as a registry key. Below video should demonstrate on how to add a javascript function to blacklist item.
Given that Adobe currently has no automatic updates in place, my question is how will a normal user will get to know what needed to be blacklisted. This fix may help the technical users but for average user they have to wait for adobe's next major update which is likely to be within next three months.