

© 2013 Adobe Systems, Inc. All rights reserved.

Updated Sep 15, 2014.

6   Attachments

Acrobat products provide a way for you to add, remove, open, and save file attachments. However, attachments represent a potential security risk because they can contain malicious content, open other dangerous files, or launch applications. Certainly file types such as .bin, .exe, .bat, and so on will be recognized as threats by most users and are not allowed as attachments.

To mitigate the risk inherent in attachments:

6.1   Black lists and white lists

The applications store a list of some of these good (white) and bad (black) file types in the registry. Application behavior is controlled by the file type’s membership in a list:

  • File types on the white list: These can be attached and may be opened or saved if the file extension is associated with the requisite program.
  • File types on the black list: These can be attached, but a warning dialog appears stating that they cannot be saved or opened from the application. No actions are available for these files.
  • File types not on any list: These can be attached without a warning dialog. Trying to open or save them invokes a dialog which allows the user to perform the action just once or to add them to the good type (white) list or bad type (black) list.

Attachment: Dangerous type warning


You can attach file types that are on the black list because a document recipient may have a less restrictive black list than you (the sender). While the recipient may be able to open the file, an attacker cannot cause it to be executed or opened from within the application: attempting to open a prohibited file type results in a warning that the action is not allowed.

Attachment: “Cannot open” warning


6.2   Configuration

6.2.1   UI and registry config

The default application behavior for file types in the attachment list can be modified manually as needed. New file extensions can be added to the list, existing ones removed, and the behavior changed for file types already in the list.

Permissions settings are as follows:

  • 0: User is warned that the file may be unsafe and is given two choices: open or permanently set the behavior to Prohibited.
  • 1: User is warned that the file may be unsafe and is given three choices: open or permanently set the behavior to Allowed or Prohibited.
  • 2: Always open this file type.
  • 3: This file type does not open and a warning message appears.

Windows

Note

This HKLM setting does not work for any version of Reader 10.x with Protected Mode enabled.

Modifying the registry settings in HKLM requires administrator rights. To edit the registry to modify the default behavior of file attachments in Windows:

  1. Navigate to HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown\cDefaultLaunchAttachmentPerms.
  2. Double click the tBuiltInPermList value.
  3. Edit or add an extension and value in the format of <.extension>:<0-3>. For example, .zip:1.

Note

The ordering of the entries is irrelevant, but it is important that the list has no duplicate entries.

Attachment permissions by file type

version:1|.ade:3|.adp:3|.app:3|.arc:3|.arj:3|.asp:3|.bas:3|.bat:3|.bz:3|.bz2:3|
.cab:3|.chm:3|.class:3|.cmd:3|.com:3|.command:3|.cpl:3|.crt:3|.csh:3|.desktop:3|
.dll:3|.exe:3|.fxp:3|.gz:3|.hex:3|.hlp:3|.hqx:3|.hta:3|.inf:3|.ini:3|.ins:3|
.isp:3|.its:3|.job:3|.js:3|.jse:3|.ksh:3|.lnk:3|.lzh:3|.mad:3|.maf:3|.mag:3|.mam:3|
.maq:3|.mar:3|.mas:3|.mat:3|.mau:3|.mav:3|.maw:3|.mda:3|.mdb:3|.mde:3|.mdt:3|.mdw:3|
.mdz:3|.msc:3|.msi:3|.msp:3|.mst:3|.ocx:3|.ops:3|.pcd:3|.pi:3|.pif:3|.prf:3|.prg:3|
.pst:3|.rar:3|.reg:3|.scf:3|.scr:3|.sct:3|.sea:3|.shb:3|.shs:3|.sit:3|.tar:3|.taz:3|
.tgz:3|.tmp:3|.url:3|.vb:3|.vbe:3|.vbs:3|.vsmacros:3|.vss:3|.vst:3|.vsw:3|.webloc:3|
.ws:3|.wsc:3|.wsf:3|.wsh:3|.z:3|.zip:3|.zlo:3|.zoo:3|.pdf:2|.fdf:2|.jar:3|.pkg:3|
.tool:3|.term:3

Macintosh

To edit the registry to modify the default behavior of file attachments in Macintosh:

  1. Locate the FeatureLockDown file and edit it in a text editor. This file is normally located in Applications/<application> <version number><product name>/<application> [version number] Professional/Contents/MacOS/Preferences.
  2. Hold the Ctrl key and click the application file in Applications/Adobe Acrobat <product name>.
  3. Choose Show Package Contents.
  4. Navigate to Contents > MacOS > Preferences.
  5. Locate the FeatureLockDown file in the Preferences folder, and open it in a text editor.
  6. Find BuiltInPermList [/s.
  7. Edit or add an extension and value in the format of <.extension>:<0-3>. For example, .zip:1.

Linux

To edit the registry to modify the default behavior of file attachments in Linux:

  1. Navigate to <install location>/Adobe/<application and version>/Reader/globalPrefs.
  2. Open AttachmentPerms in a text editor.
  3. Edit or add an extension and value in the format of <.extension>:<0-3>. For example, .zip:1.

Adding Custom Attachment Extensions

To add custom extensions, add your own file extension entries to the very end of the list. The method is the same on both Windows and Macintosh. Use the following format for each custom extension:

|.FILEEXTENSION:PERMVALUE

For example, to add the extension .ext with a value of Always Allowed (2), you would append the following entry to the end of the list:

.ext:2
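As an added example (not Adobe's code), the following Python script parses a tBuiltInPermList-style string in the version:1|.ext:N|... form described above, rejects malformed or duplicate entries, reports whether a file name falls on the white list, the black list or neither, and appends a custom entry in the |.FILEEXTENSION:PERMVALUE form. The sample list is a constructed excerpt of the default list; matching extensions case-insensitively is an assumption of this example.

```python
import re

# Added example (not Adobe's code): audit a tBuiltInPermList-style string.
# Entry format per the guide: version:1|.ext:N|.ext:N|... with N in 0-3,
# where 2 = always open (white list) and 3 = never open (black list).
ENTRY_RE = re.compile(r"^\.[A-Za-z0-9_\-]+:[0-3]$")

SAMPLE_LIST = "version:1|.exe:3|.bat:3|.zip:3|.pdf:2|.fdf:2"  # constructed excerpt

def parse_perm_list(value: str) -> dict:
    """Parse the list into {'.ext': N}; raise ValueError on a bad header, a malformed
    entry or a duplicate extension. Lower-casing extensions is an assumption."""
    parts = [p.strip() for p in value.split("|")]  # tolerate line-wrapped input
    if parts[0] != "version:1":
        raise ValueError(f"unexpected header: {parts[0]!r}")
    perms = {}
    for entry in parts[1:]:
        if not ENTRY_RE.match(entry):
            raise ValueError(f"malformed entry: {entry!r}")
        ext, val = entry.rsplit(":", 1)
        if ext.lower() in perms:
            raise ValueError(f"duplicate entry for {ext}")
        perms[ext.lower()] = int(val)
    return perms

def is_valid(value: str) -> bool:
    """True if the list parses cleanly, False otherwise."""
    try:
        parse_perm_list(value)
        return True
    except ValueError:
        return False

def classify(perms: dict, filename: str) -> str:
    """'white' (2), 'black' (3), 'prompt' (0 or 1) or 'unlisted' for a file name."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    val = perms.get(ext)
    if val is None:
        return "unlisted"
    return {2: "white", 3: "black"}.get(val, "prompt")

def add_custom(value: str, ext: str, perm: int) -> str:
    """Append '|.ext:N' to the very end of a validated list; refuse duplicates."""
    perms = parse_perm_list(value)
    entry = f"{ext.lower()}:{perm}"
    if not ENTRY_RE.match(entry) or ext.lower() in perms:
        raise ValueError(f"rejected custom entry: {entry!r}")
    return value.rstrip("|") + "|" + entry
```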

6.2.2   Resetting attachment permissions

Because the registry list could grow over time and users do not have direct access to the lists through the user interface, resetting the list to its original state may result in the highest level of security.

To reset the black and white lists:

  1. Choose Preferences > Trust Manager.
  2. In the PDF File Attachments panel, choose Restore.

Attachment panel in Trust Manager


6.2.3   Allowing attachments to launch applications

The Trust Manager enables users to control whether or not non-PDF attachments can open with other applications. By default, this option is enabled so that common file types such as .doc (not on the application’s black list) can be easily opened in the appropriate application.

To set attachment preferences:

  1. Choose Preferences > Trust Manager.

  2. Configure Allow opening of non-PDF file attachments with external applications:

    • Checked: Default. The application consults its stored black list to decide whether an attachment may launch its associated application so that the attachment can be opened.
    • Unchecked: Clicking or opening an attachment will never launch its associated viewing application. Use this option if a higher level of security is needed.

6.2.4   Modifying permissions on-the-fly

Users can indirectly manage the registry list of which file types can be opened and saved: the attachment black and white lists are extended one entry at a time as each newly attached file type is opened. Administrators can modify the registry directly.

To add a file to a black or white list, attach the new file type to a document and then try to open it:

  1. Acrobat: Choose Document > Attach a File and attach a file type that is not on the black or white list (e.g., yfile.xyz).

  2. Open the file by highlighting it in the Attachments pane and choosing Open.

  3. When the Launch Attachment dialog appears, choose one of the following:

    • Open this file: Opens the file without changing the registry list.
    • Always allow opening files of this type: Adds the file type to the white list and prevents future warnings.
    • Never allow opening files of this type: Adds the file type to the black list and does not open it.
  4. Choose OK.

Launch Attachment dialog


6.3   Blacklisted extensions

Attachment black list
Extension Description
.ade Access Project Extension (Microsoft)
.adp Access Project (Microsoft)
.app Executable Application
.asp Active Server Page
.bas BASIC Source Code
.bat Batch Processing
.bz Bzip UNIX Compressed file
.bz2 Bzip 2 UNIX Compressed file (replaces BZ)
.cer Internet Security Certificate file (MIME x-x509-ca-cert)
.chm Compiled HTML Help
.class Java Class file
.cmd DOS CP/M Command file, Command file for Windows NT
.com Command
.command Mac OS Command Line executable
.cpl Windows Control Panel Extension (Microsoft)
.crt Certificate file
.csh UNIX csh shell script
.exe Executable file
.fxp FoxPro Compiled Source (Microsoft)
.gz Gzip Compressed Archive
.hex Macintosh BinHex 2.0 file
.hlp Windows Help file
.hqx Macintosh BinHex 4 Compressed Archive
.hta Hypertext Application
.inf Information or Setup file
.ini Initialization/Configuration file
.ins IIS Internet Communications Settings (Microsoft)
.isp IIS Internet Service Provider Settings (Microsoft)
.its Internet Document Set, International Translation
.jar Java Archive
.job Windows Task Scheduler Task Object
.js JavaScript Source Code
.jse JScript Encoded Script file
.ksh UNIX ksh shell script
.lnk Windows Shortcut file
.lzh Compressed archive (LH ARC)
.mad Access Module Shortcut (Microsoft)
.maf Access (Microsoft)
.mag Access Diagram Shortcut (Microsoft)
.mam Access Macro Shortcut (Microsoft)
.maq Access Query Shortcut (Microsoft)
.mar Access Report Shortcut (Microsoft)
.mas Access Stored Procedures (Microsoft)
.mat Access Table Shortcut (Microsoft)
.mau Media Attachment Unit
.mav Access View Shortcut (Microsoft)
.maw Access Data Access Page (Microsoft)
.mda Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mde Access MDE Database file (Microsoft)
.mdt Access Add-in Data (Microsoft)
.mdw Access Workgroup Information (Microsoft)
.mdz Access Wizard Template (Microsoft)
.msc Microsoft Management Console Snap-in Control file (Microsoft)
.msi Windows Installer file (Microsoft)
.msp Windows Installer Patch
.mst Windows SDK Setup Transform Script
.ocx Microsoft Object Linking and Embedding (OLE) Control Extension
.ops Office Profile Settings file
.pcd Visual Test (Microsoft)
.pkg Mac OS X Installer Package
.pif Windows Program Information file (Microsoft)
.prf Windows System file
.prg Program file
.pst MS Exchange Address Book file, Outlook Personal Folder file (Microsoft)
.rar WinRAR Compressed Archive
.reg Registration Information/Key for Windows 95/98, Registry Data file
.scf Windows Explorer Command
.scr Windows Screen Saver
.sct Windows Script Component, Foxpro Screen (Microsoft)
.sea Self-expanding archive (used by Stuffit for Mac files and possibly by others)
.shb Windows Shortcut into a Document
.shs Shell Scrap Object file
.sit Compressed archive of Mac files (Stuffit)
.tar Tape Archive file
.tgz UNIX Tar file Gzipped
.tmp Temporary file or Folder
.url Internet Location
.vb VBScript file or Any VisualBasic Source
.vbe VBScript Encoded Script file
.vbs VBScript Script file, Visual Basic for Applications Script
.vsmacros Visual Studio .NET Binary-based Macro Project (Microsoft)
.vss Visio Stencil (Microsoft)
.vst Visio Template (Microsoft)
.vsw Visio Workspace file (Microsoft)
.webloc Mac OS Finder Internet Location
.ws Windows Script file
.wsc Windows Script Component
.wsf Windows Script file
.wsh Windows Script Host Settings file
.zip Compressed Archive file
.zlo ZoneLabs ZoneAlarm Mailsafe Renamed .PIF file
.zoo An early compressed file format