Attachments

Acrobat products provide a way for you to add, remove, open, and save file attachments. However, attachments represent a potential security risk because they can contain malicious content, open other dangerous files, or launch applications. Certainly most users perceive certain file types as dangerous, including .bin, .exe, .bat, and so on.

To mitigate the risk inherent in attachments, you should:

  • Know what the content is and from where it originated.

  • Be aware of dangerous file types and how the application manages those types. Adobe applications maintain Black lists and white lists which control application behavior.

  • Prevent attachments from opening other files and launching applications. This is the default behavior.

Basic configuration

Note that the settings described below work in tandem; that is, if any of bAllowOpenFile, bSecureOpenFile, and tBuiltInPermList is set to prevent the opening of an attachment, then that attachment type will not open (or no attachment will open, depending on the setting).

Attachments and 3rd party apps

bAllowOpenFile specifies whether to open non-PDF attachments in their native application. It can be set by checking Preferences > Trust Manager > Attachment panel > Allow opening of non-PDF file attachments with external applications.

The registry setting is:

[HKEY_CURRENT_USER\Software\Adobe\(Product name)\(version)\Originals]
"bAllowOpenFile"=dword:00000001

Opening non-PDF file types

bSecureOpenFile specifies whether to allow opening attachments which are not PDF. There is no corresponding user interface item.

The registry setting is:

[HKEY_CURRENT_USER\Software\Adobe\(Product name)\(version)\Originals]
"bSecureOpenFile"=dword:00000001

Setting file type permissions

The default application behavior for file types in the attachment list can be modified manually as needed. New file extensions can be added to the list, existing ones removed, and the behavior changed for file types already in the list.

Permissions settings are as follows:

  • 0: User is warned that the file may be unsafe and is given two choices: open or permanently set the behavior to Prohibited.

  • 1: User is warned that the file may be unsafe and is given three choices: open or permanently set the behavior to Allowed or Prohibited.

  • 2: Always open this file type.

  • 3: This file type does not open and a warning message appears.

Windows

Modifying registry settings under HKLM requires administrator rights. To modify file attachment permissions:

  1. On 64 bit machines, navigate to HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product name)\(version)\FeatureLockdown\cDefaultLaunchAttachmentPerms.

  2. Double-click the tBuiltInPermList value.

  3. Edit or add an extension and value in the format <.extension>:<0-3>. For example, .zip:1. The value is a simple, pipe-separated list (e.g. |doc|docx|dv|emf|). Refer to the actual preference values for a list of current settings.

Note

The ordering of the entries is irrelevant, but it is important that the list has no duplicate entries.

Attachment permissions example

version:1|.ade:3|.adp:3|.app:3|.arc:3|.arj:3|.asp:3|.bas:3|.bat:3|.bz:3|.bz2:3|.cab:3|.chm:3|.class:3|

Macintosh

To edit the registry to modify the default behavior of file attachments in Macintosh:

  1. Locate the FeatureLockDown file and edit it in a text editor. This file is normally located in Applications/<application> <version number><product name>/<application> [version number] Professional/Contents/MacOS/Preferences.

  2. Hold the Ctrl key and click the application file in Applications/Adobe Acrobat <product name>.

  3. Choose Show Package Contents.

  4. Navigate to Contents > MacOS > Preferences.

  5. Locate the FeatureLockDown file in the Preferences folder, and open it in a text editor.

  6. Find BuiltInPermList [/s.

  7. Edit or add an extension and value in the format of <.extension>:<0-3>. For example, .zip:1.

Linux

To edit the registry to modify the default behavior of file attachments in Linux:

  1. Navigate to <install location>/Adobe/<application and version>/Reader/globalPrefs.

  2. Open AttachmentPerms in a text editor.

  3. Edit or add an extension and value in the format of <.extension>:<0-3>. For example, .zip:1.

Adding Custom Attachment Extensions

To add custom extensions, add your own file extension entries to the very end of the list. The method is the same on both Windows and Macintosh. Use the following format for each custom extension:

|.FILEEXTENSION:PERMVALUE

For example, to add the extension .ext with a value of Always Allowed (2), you would add:

|.ext:2
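The following Python script is an added example, not code from the Adobe guide or from Acrobat itself. It parses a tBuiltInPermList-style value such as the one shown under "Attachment permissions example", enforces the rules the guide states (entries in the form <.extension>:<0-3>, no duplicates, custom extensions appended at the very end), and models how bAllowOpenFile, bSecureOpenFile and the per-type permission act in tandem when an attachment is opened. The "version:N" first entry, case-insensitive extension matching, the trailing-pipe tolerance, and the exact tandem logic in attachment_decision are my reading of the guide, not Adobe's documented behavior; the sample list is constructed from the guide's example plus a few made-up entries.

```python
"""Added example: parse, validate and evaluate an Acrobat-style attachment
permission list (tBuiltInPermList). Not Adobe's code; assumptions are noted inline."""
from dataclasses import dataclass

# Permission values as documented in the guide.
PERM_WARN_OPEN_OR_PROHIBIT = 0      # warn; user may open once or set Prohibited
PERM_WARN_OPEN_ALLOW_PROHIBIT = 1   # warn; user may open once, set Allowed or Prohibited
PERM_ALWAYS_OPEN = 2                # always open this type
PERM_PROHIBITED = 3                 # never open; warning shown

# Constructed sample: the guide's example entries plus made-up .zip and .doc entries.
SAMPLE_LIST = "version:1|.ade:3|.adp:3|.app:3|.bat:3|.exe:3|.zip:1|.doc:2"


@dataclass
class PermList:
    version: int
    perms: dict  # lowercase ".ext" -> permission 0..3, in original order


def parse_perm_list(raw: str) -> PermList:
    """Parse 'version:1|.ade:3|...' and reject malformed or duplicate entries.
    Assumption: the first entry is version:N; a trailing '|' is tolerated."""
    entries = [e for e in raw.strip().split("|") if e]
    if not entries or not entries[0].startswith("version:"):
        raise ValueError("list must start with a version:N entry")
    version = int(entries[0].split(":", 1)[1])
    perms: dict = {}
    for entry in entries[1:]:
        ext, sep, value = entry.rpartition(":")
        if not sep or not ext.startswith(".") or len(ext) < 2:
            raise ValueError(f"malformed entry {entry!r}; expected .extension:<0-3>")
        if not value.isdigit() or not 0 <= int(value) <= 3:
            raise ValueError(f"permission for {ext} must be 0-3, got {value!r}")
        key = ext.lower()  # assumption: extensions compare case-insensitively
        if key in perms:
            # The guide's note: the list must contain no duplicate entries.
            raise ValueError(f"duplicate entry for {key}")
        perms[key] = int(value)
    return PermList(version, perms)


def serialize_perm_list(pl: PermList) -> str:
    """Rebuild the pipe-separated value; dict order preserves entry order."""
    parts = [f"version:{pl.version}"] + [f"{e}:{p}" for e, p in pl.perms.items()]
    return "|".join(parts)


def add_custom_extension(pl: PermList, ext: str, perm: int) -> PermList:
    """Append a custom extension at the very end of the list, as the guide instructs."""
    key = ext.lower() if ext.startswith(".") else "." + ext.lower()
    if key in pl.perms:
        raise ValueError(f"{key} already present; edit the existing entry instead")
    if perm not in (0, 1, 2, 3):
        raise ValueError("permission must be 0-3")
    pl.perms[key] = perm
    return pl


def attachment_decision(filename: str, pl: PermList,
                        allow_open_file: bool = True,
                        secure_open_file: bool = True) -> str:
    """Model (my reading of the guide, not Adobe's implementation) of the three
    settings acting in tandem. Returns "open", "prompt" or "blocked":
      - PDF attachments are not governed by the non-PDF settings;
      - bAllowOpenFile=0 or bSecureOpenFile=0 blocks every non-PDF attachment;
      - otherwise the per-type value decides: 2 opens, 3 blocks, 0/1 prompt;
      - a type on no list prompts (open once, or add it to a list)."""
    ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext == ".pdf":
        return "open"
    if not allow_open_file or not secure_open_file:
        return "blocked"
    perm = pl.perms.get(ext)
    if perm is None:
        return "prompt"
    if perm == PERM_ALWAYS_OPEN:
        return "open"
    if perm == PERM_PROHIBITED:
        return "blocked"
    return "prompt"


if __name__ == "__main__":
    pl = parse_perm_list(SAMPLE_LIST)
    for name in ("report.pdf", "tool.exe", "memo.doc", "archive.zip", "data.xyz"):
        print(f"{name:12} -> {attachment_decision(name, pl)}")
    print(serialize_perm_list(add_custom_extension(pl, "ext", PERM_ALWAYS_OPEN)))
```

Running the script against a value exported from the registry or from the FeatureLockDown/AttachmentPerms file is a quick way to catch the duplicate or malformed entries the guide warns about before they are deployed.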

Attachment user interface

Resetting attachment permissions

Because the registry list could grow over time and users do not have direct access to the lists through the user interface, resetting the list to its original state may result in the highest level of security.

To reset the black and white lists:

  1. Choose Preferences > Trust Manager.

  2. In the PDF File Attachments panel, choose Restore.

Figure: Attachment panel in Trust Manager

Allowing attachments to launch applications

The Trust Manager enables users to control whether or not non-PDF attachments can open with other applications. By default, this option is enabled so that common file types such as .doc (not on the application’s black list) can be easily opened in the appropriate application.

To set attachment preferences:

  1. Choose Preferences > Trust Manager.

  2. Configure Allow opening of non-PDF file attachments with external applications:

    • Checked: Default. The application consults its stored black list to decide whether the attachment may launch its associated application, so that the attachment can be opened.

    • Unchecked: Clicking or opening an attachment never launches its associated viewing application. Use this option if a higher level of security is needed.

Modifying permissions on-the-fly

Users can indirectly manage the registry list of file types that can be opened and saved: the attachment black and white lists are extended one entry at a time as each attached file is opened. Administrators can modify the registry directly.

To add a file to a black or white list, attach the new file type to a document and then try to open it:

  1. Acrobat: Choose Document > Attach a File and attach a file type not on the black or white list (e.g. yfile.xyz).

  2. Open the file by highlighting it in the Attachments pane and choosing Open.

  3. When the Launch Attachment dialog appears, choose one of the following:

    • Open this file: Opens the file without changing the registry list.

    • Always allow opening files of this type: Adds the file type to the white list and prevents future warnings.

    • Never allow opening files of this type: Adds the file type to the black list and does not open it.

  4. Choose OK.

Figure: Launch Attachment dialog

Black lists and white lists

Acrobat products store a list of some of these good (whitelisted) and bad (blacklisted) file types in the registry. Application behavior is controlled by the file type’s membership in a list:

  • File types on the white list: These can be attached and may be opened or saved if the file extension is associated with the requisite program.

  • File types on the black list: These can be attached, but a warning dialog appears stating that they cannot be saved or opened from the application. No actions are available for these files.

  • File types not on any list: These can be attached without a warning dialog. Trying to open or save them invokes a dialog which allows the user to perform the action just once or to add them to the good type (white) list or bad type (black) list.

Figure: Attachment: Dangerous type warning

You can attach file types that are on the black list because a document recipient may have a less restrictive black list than you (the sender). While the recipient may be able to open the file, the attacker will not be able to execute or open it from within the application. Attempting to open a prohibited file type results in a warning that the action is not allowed.

Figure: Attachment: “Cannot open” warning

Blacklisted extensions

This is a partial list and new items are regularly added. Refer to the product registry for the latest list.

Attachment black list

Extension   Description
.ade        Access Project Extension (Microsoft)
.adp        Access Project (Microsoft)
.app        Executable Application
.asp        Active Server Page
.bas        BASIC Source Code
.bat        Batch Processing
.bz         Bzip UNIX Compressed file
.bz2        Bzip 2 UNIX Compressed file (replaces BZ)
.cer        Internet Security Certificate file (MIME x-x509-ca-cert)
.chm        Compiled HTML Help
.class      Java Class file
.cmd        DOS CP/M Command file, Command file for Windows NT
.com        Command
.command    Mac OS Command Line executable
.cpl        Windows Control Panel Extension (Microsoft)
.crt        Certificate file
.csh        UNIX csh shell script
.exe        Executable file
.fxp        FoxPro Compiled Source (Microsoft)
.gz         Gzip Compressed Archive
.hex        Macintosh BinHex 2.0 file
.hlp        Windows Help file
.hqx        Macintosh BinHex 4 Compressed Archive
.hta        Hypertext Application
.inf        Information or Setup file
.ini        Initialization/Configuration file
.ins        IIS Internet Communications Settings (Microsoft)
.isp        IIS Internet Service Provider Settings (Microsoft)
.its        Internet Document Set, International Translation
.jar        Java Archive
.job        Windows Task Scheduler Task Object
.js         JavaScript Source Code
.jse        JScript Encoded Script file
.ksh        UNIX ksh shell script
.lnk        Windows Shortcut file
.lzh        Compressed archive (LH ARC)
.mad        Access Module Shortcut (Microsoft)
.maf        Access (Microsoft)
.mag        Access Diagram Shortcut (Microsoft)
.mam        Access Macro Shortcut (Microsoft)
.maq        Access Query Shortcut (Microsoft)
.mar        Access Report Shortcut (Microsoft)
.mas        Access Stored Procedures (Microsoft)
.mat        Access Table Shortcut (Microsoft)
.mau        Media Attachment Unit
.mav        Access View Shortcut (Microsoft)
.maw        Access Data Access Page (Microsoft)
.mda        Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mde        Access MDE Database file (Microsoft)
.mdt        Access Add-in Data (Microsoft)
.mdw        Access Workgroup Information (Microsoft)
.mdz        Access Wizard Template (Microsoft)
.msc        Microsoft Management Console Snap-in Control file (Microsoft)
.msi        Windows Installer file (Microsoft)
.msp        Windows Installer Patch
.mst        Windows SDK Setup Transform Script
.ocx        Microsoft Object Linking and Embedding (OLE) Control Extension
.ops        Office Profile Settings file
.pcd        Visual Test (Microsoft)
.pkg        Mac OS X Installer Package
.pif        Windows Program Information file (Microsoft)
.prf        Windows System file
.prg        Program file
.pst        MS Exchange Address Book file, Outlook Personal Folder file (Microsoft)
.rar        WinRAR Compressed Archive
.reg        Registration Information/Key for Windows 95/98, Registry Data file
.scf        Windows Explorer Command
.scr        Windows Screen Saver
.sct        Windows Script Component, Foxpro Screen (Microsoft)
.sea        Self-expanding archive (used by Stuffit for Mac files and possibly by others)
.shb        Windows Shortcut into a Document
.shs        Shell Scrap Object file
.sit        Compressed archive of Mac files (Stuffit)
.tar        Tape Archive file
.tgz        UNIX Tar file Gzipped
.tmp        Temporary file or Folder
.url        Internet Location
.vb         VBScript file or Any VisualBasic Source
.vbe        VBScript Encoded Script file
.vbs        VBScript Script file, Visual Basic for Applications Script
.vsmacros   Visual Studio .NET Binary-based Macro Project (Microsoft)
.vss        Visio Stencil (Microsoft)
.vst        Visio Template (Microsoft)
.vsw        Visio Workspace file (Microsoft)
.webloc     Mac OS Finder Internet Location
.ws         Windows Script file
.wsc        Windows Script Component
.wsf        Windows Script file
.wsh        Windows Script Host Settings file
.zip        Compressed Archive file
.zlo        ZoneLabs ZoneAlarm Mailsafe Renamed .PIF file
.zoo        An early compressed file format