Attachments as security risks in Acrobat and Acrobat Reader

Note:

For a full list of articles about security, see Overview of security in Acrobat and PDF content.

Attachments represent a potential security risk because they can contain malicious content, open other dangerous files, or launch applications. Acrobat and Acrobat Reader always let you open and save PDF and FDF file attachments. Acrobat and Acrobat Reader recognize certain files, such as those whose names end in .bin, .exe, and .bat, as threats. You can’t attach such files. Acrobat does allow you to attach files that cannot be saved or opened from Acrobat, such as ZIP files. However, this practice is not recommended.

Acrobat and Acrobat Reader maintain a white list of file types that can be opened or saved, and a black list of file types that cannot. You are allowed to attach file types that are not on either list. However, when you open or save a file of an “unrecognized” type, you see a dialog box asking whether you trust the file type.

For details, see the Application Security Guide at www.adobe.com/go/learn_acr_appsecurity_en.
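
The list logic described above can also be applied when triaging a PDF outside Acrobat. The following Python is an added example, not Adobe's code: it lists attachment names found in uncompressed /Filespec dictionaries and classifies each by the rules this page states. The function names, the verdict labels, the empty default allow and deny sets, and the choice to check the black list before the white list are assumptions.

```python
import re
from pathlib import PurePosixPath

# Only the types this page names; Acrobat's full default lists are not reproduced.
ALWAYS_OK = {".pdf", ".fdf"}                # always openable and savable
BLOCKED = {".bin", ".exe", ".bat", ".zip"}  # not attachable, or not openable

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
# /F or /UF followed by a literal (parenthesised) string. Hex strings and
# filespecs inside compressed object streams are not handled (assumption).
NAME_RE = re.compile(rb"/(?:UF|F)\s*\(((?:\\.|[^\\()])*)\)")

def attachment_names(pdf_bytes):
    """Return file names from uncompressed /Filespec dictionaries."""
    names = []
    for obj in OBJ_RE.finditer(pdf_bytes):
        body = obj.group(1)
        if b"/Filespec" not in body:
            continue
        for m in NAME_RE.finditer(body):
            # Drop the backslash from escaped characters such as \( and \).
            name = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            if name not in names:
                names.append(name)
    return names

def classify(name, allow=frozenset(), deny=frozenset()):
    """allow/deny stand for the white and black lists as extended by users or admins."""
    ext = PurePosixPath(name.replace("\\", "/")).suffix.lower()
    if ext in ALWAYS_OK:
        return "open"
    if ext in BLOCKED or ext in deny:
        return "blocked"
    if ext in allow:
        return "open"
    return "prompt"  # unrecognized type: Acrobat asks whether you trust it

def triage(pdf_bytes, allow=frozenset(), deny=frozenset()):
    return {n: classify(n, allow, deny) for n in attachment_names(pdf_bytes)}

# Constructed sample: three filespec objects, not a complete PDF.
SAMPLE = (
    b"1 0 obj\n<< /Type /Filespec /F (report.pdf) /UF (report.pdf) /EF << /F 4 0 R >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Filespec /F (setup.EXE) /EF << /F 5 0 R >> >>\nendobj\n"
    b"3 0 obj\n<< /Type /Filespec /F (notes \\(v2\\).xyz) /EF << /F 6 0 R >> >>\nendobj\n"
)

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{verdict:8} {name}")
```
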

Manually add a file type to a black or white list

Administrators can modify the black or white list through the registry. Users can manually add a new file type to a black or white list by attaching the file and then trying to open it.

  1. Choose Tools > Edit PDF > More > Attach A File.

  2. Add a file type that is not in the black or white list.

    If you attach an executable (.exe), .bin, or .bat file, Acrobat displays a warning dialog.

  3. Right-click the file in the Attachments pane on the left and choose Open Attachment.

  4. In the Launch Attachment dialog box, select one of the following options, and then click OK:

    Open This File:

    Opens the file without changing the registry list.

    Always Allow Opening Files Of This Type:

    Adds the file type to the white list and prevents future warnings.

    Never Allow Opening Files Of This Type:

    Adds the file type to the black list and does not open it. You may still be able to attach a file of this type to a PDF, but you can’t open it.

    If you have attached an executable (.exe), .bin, or .bat file, Acrobat displays a dialog box.

    Note:

    To restrict a file type that you permitted in the past, reset (restore) attachment permissions in the Trust Manager Preferences.

In Acrobat Reader, you cannot attach files. To add the file type of an existing attachment in the PDF to the black or white list, follow these steps:

  1. Right-click the file in the Attachments pane on the left and choose Open Attachment.

  2. In the Launch Attachment dialog box, select one of the following options, and then click OK:

    Open This File:

    Opens the file without changing the registry list.

    Always Allow Opening Files Of This Type:

    Adds the file type to the white list and prevents future warnings.

    Never Allow Opening Files Of This Type:

    Adds the file type to the black list and does not open it. You may still be able to attach a file of this type to a PDF, but you can’t open it.

    If you have attached an executable (.exe), .bin, or .bat file, Acrobat displays a dialog box.

    Note:

    To restrict a file type that you permitted in the past, reset (restore) attachment permissions in the Trust Manager Preferences.

Reset (restore) attachment permissions

Because the list of allowed and disallowed file attachment types can grow over time, you can reset the lists to their original state. This state can sometimes provide the highest level of security.

  1. Choose Edit > Preferences (Windows) or Acrobat / Acrobat Reader > Preferences (Mac OS).

  2. From the Categories on the left, select Trust Manager.

  3. In the PDF File Attachments section, click Restore. The Restore button is available only if you changed the attachment defaults.

Allow attachments to start applications

The Trust Manager lets you control whether non-PDF attachments can start their associated applications.

  1. In the Preferences dialog box, select Trust Manager from the Categories on the left.

  2. Select the option Allow Opening Of Non-PDF File Attachments With External Applications. You must have the external applications to open the files.
