For Adobe Reader's Protected-Mode, I'm using a policy exception of FILES_ALLOW_READONLY, and I'm wondering if it is a reasonable security risk?
I'm using an Adobe Reader JavaScript program to save and restore open tabs: Adobe Acrobat Reader Tabs Saving And Autoloading
This program does not work for some PDF files, due to Acrobat Reader's default Protected-Mode policies. In the program's LoadTabs function, app.openDoc fails for some files, e.g., files under c:\users\myUserid.
The default Protected-Mode policies are here: https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/protectedmode.html
The problem can be bypassed by turning off Protected Mode, but that seems too risky. (Preferences -> Security (Enhanced) -> "Enable Protected Mode at startup")
A less risky solution is to create a policy file, with the rule: FILES_ALLOW_READONLY=c:\users\myUserid\*
For a typical workstation, is this rule a reasonable risk?
EDIT: I later read this in the Protected-Mode policy specs (link is above), "In 11.0, Reader’s Protected Mode does prevent the sandbox from reading arbitrary files in these locations [(e.g., MyDocuments)]. This enhancement [in 11.0] makes it harder for malicious PDFs to steal user’s confidential information."
So, my use of FILES_ALLOW_READONLY creates a vulnerability that potentially allows malicious PDFs to steal info under c:\users\myUserid\*
It appears the vulnerability can be reduced by disabling Acrobat JavaScript as described at this link: https://helpx.adobe.com/acrobat/using/javascripts-pdfs-security-risk.html
After disabling Acrobat JavaScript, the tab JavaScript functions still work. However, I don't know how much the vulnerability is reduced, or how much usability will be negatively affected.
Whether that rule is a reasonable risk depends on the likelihood of the vulnerability being exploited. How likely is such an exploit, for a typical workstation?
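To make the scope of the rule in the question concrete, the following added example (not part of the original post, and not Adobe's code) lists which files a FILES_ALLOW_READONLY rule would open to the sandbox, comparing the post's rule with a narrower one. The narrower folder, the sample paths, the `;` comment syntax and the wildcard semantics are assumptions made for illustration.

```python
import re

# Constructed policy text: the rule quoted in the post.
BROAD_POLICY = r"""
; constructed sample (';' comment lines are an assumption)
FILES_ALLOW_READONLY=c:\users\myUserid\*
"""
# Hypothetical narrower rule: one dedicated PDF folder (path is an assumption).
NARROW_POLICY = r"""
FILES_ALLOW_READONLY = c:\users\myUserid\Documents\PDFs\*
"""
# Constructed paths standing in for typical profile contents.
SAMPLE_PATHS = [
    r"C:\Users\myUserid\Documents\PDFs\manual.pdf",
    r"C:\Users\myUserid\Documents\taxes-2023.xlsx",
    r"C:\Users\myUserid\Desktop\notes.txt",
    r"C:\Users\myUserid\AppData\Roaming\SomeApp\settings.ini",
    r"C:\Users\other\Documents\notes.txt",
]

def parse_rules(text):
    """Return (rule_type, pattern) pairs; blank and ';' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        kind, pattern = line.split("=", 1)
        rules.append((kind.strip().upper(), pattern.strip()))
    return rules

def pattern_to_regex(pattern):
    """Assumed semantics: '*' is any run of characters (backslashes
    included), '?' is one character, matching is case-insensitive."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE)

def readable_paths(policy_text, paths):
    """Paths that some FILES_ALLOW_READONLY rule makes readable."""
    regexes = [pattern_to_regex(p) for k, p in parse_rules(policy_text)
               if k == "FILES_ALLOW_READONLY"]
    return [p for p in paths if any(r.fullmatch(p) for r in regexes)]

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        print(name, "rule exposes:")
        for p in readable_paths(policy, SAMPLE_PATHS):
            print("   ", p)
```

With the rule from the post, every sample file under the user's profile is readable from the sandbox; with the narrower rule, only the file in the dedicated PDF folder is.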