18 November 2007

SARS Tax Returns vs. Acrobat Reader

Those using the South African Revenue Service (SARS) e-filing facility may find that non-default (i.e. tightened) safety settings in Adobe Acrobat Reader get in the way, because the SARS forms depend on Reader features that those settings switch off.

How to fix

Most likely you need only enable JavaScript, but when I had to troubleshoot this in the field, I applied all of the following settings...

Run Adobe Acrobat Reader 8.x

Edit menu, Preferences

JavaScript icon, [x] Enable Acrobat JavaScript

Multimedia Trust icon, Trusted Documents radio button, [x] Allow Multimedia Operations

Multimedia Trust icon, Other Documents radio button, [x] Allow Multimedia Operations

Trust Manager icon, [x] Allow Opening of Non-PDF File Attachments with External Applications

...and reversed them for safety when done.

Why use safer settings?

If these non-default settings stop things like SARS e-filing from working, why apply them in the first place?

Because malicious .PDF attachments are already being pushed out by spam, and a significant safety gap exists between what you think a .PDF is (a data format that is safe to read) and what it can actually do (run JavaScript that automates Reader and, through it, your system; launch other files and code; and so on).

Acrobat Reader is an exploitable surface that has been patched again and again to "fix" it, and for which unpatched vulnerabilities regularly exist. Commercial enterprises already exploit the by-design safety gap, e.g. by having .PDF documents "call home" when they are read, so that their usage can be tracked.

So one should keep Acrobat Reader on a very short leash (JavaScript, multimedia and attachment launching off unless a specific, trusted document needs them), or use something else to "open" .PDF and other Acrobat file types.
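The "safety gap" above is visible in the file itself: the features that turn a .PDF into a program (JavaScript, open/launch actions, attachments, form submission, URI call-homes) are ordinary PDF name objects. The script below is an added example, not code from the original post or from Adobe: a pdfid-style triage you can run on a .PDF before deciding whether to loosen the settings for it. It decodes the #xx hex escapes that are used to hide names (so /J#61vaScript still counts as /JavaScript), inflates FlateDecode streams so names tucked into compressed object streams are not missed, and says which markers were only found that way. The marker list and the sample files are this example's own constructions; the tracker URL is hypothetical.

```python
"""Triage a .PDF for active content before handing it to Acrobat Reader.
Added example, not code from the original post."""
import re
import zlib
from collections import Counter

# Name objects whose presence means the file can act, not just display.
# This selection is the example's own, not an Adobe list.
ACTIVE_NAMES = {
    "JavaScript": "runs Acrobat JavaScript",
    "JS": "inline JavaScript source",
    "OpenAction": "action fires when the document is opened",
    "AA": "additional actions (page open, field events, ...)",
    "Launch": "launches an external file or program",
    "EmbeddedFile": "carries a file attachment",
    "SubmitForm": "sends form data to a URL",
    "URI": "opens a URL (possible call-home)",
    "GoToR": "opens another PDF file",
    "RichMedia": "Flash / multimedia content",
    "AcroForm": "interactive form",
    "ObjStm": "compressed object stream (can hide any of the above)",
}

NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
HEADER_RE = re.compile(rb"%PDF-(\d\.\d)")


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes so /J#61vaScript is counted as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_names(blob: bytes) -> Counter:
    """Count the active-content names occurring anywhere in blob."""
    counts = Counter()
    for m in NAME_RE.finditer(blob):
        name = decode_name(m.group(1))
        if name in ACTIVE_NAMES:
            counts[name] += 1
    return counts


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every stream that inflates with zlib.
    Streams using other filters (or damaged ones) are skipped, so absence
    of markers here is not proof of safety."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:  # decompressobj tolerates the trailing newline before 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Report header version, marker counts, and which markers were only
    visible after inflating streams (i.e. hidden from a naive grep)."""
    hdr = HEADER_RE.search(data[:1024])
    raw = count_names(data)
    inflated = count_names(inflate_streams(data))
    total = raw + inflated
    return {
        "version": hdr.group(1).decode() if hdr else None,
        "markers": dict(total),
        "hidden_in_streams": sorted(n for n in inflated if n not in raw),
        "active": sorted(total),
    }


def verdict(report: dict) -> str:
    """One-line decision for the person about to double-click the file."""
    if not report["active"]:
        return "plain document: no active-content markers found"
    reasons = "; ".join(f"/{n} ({ACTIVE_NAMES[n]})" for n in report["active"])
    return ("treat as a program, not a document; confirm the source before "
            "enabling JavaScript or attachments for it: " + reasons)


def build_sample(active: bool) -> bytes:
    """Constructed test input, not a real SARS form: a one-page PDF; with
    active=True it gains a hex-escaped /OpenAction JavaScript that calls a
    hypothetical tracker URL, plus a Flate-compressed object stream hiding
    a /Launch action."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction 4 0 R" if active else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if active:
        objs.append(b'<< /S /J#61vaScript '
                    b'/JS (app.launchURL("http://tracker.example/ping");) >>')
        hidden = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
        objs.append(b"<< /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode "
                    b"/Length %d >>\nstream\n" % len(hidden)
                    + hidden + b"\nendstream")
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(out)


if __name__ == "__main__":
    for flag in (False, True):
        rep = scan_pdf(build_sample(flag))
        print(rep["version"], rep["markers"], rep["hidden_in_streams"])
        print(verdict(rep))
```

A legitimate SARS form will itself light up /AcroForm, /JavaScript and probably /SubmitForm; the point of the check is not to refuse such files but to know, before you flip JavaScript on, that the file you are about to open is one that needs it and comes from where you think it does. The scan is a heuristic: it only inflates zlib streams, so names inside LZW-, ASCIIHex- or encrypted streams stay invisible, and a clean report is a reason to relax slightly, not a certificate.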

7 comments:

netjustin said...

Chris,

You mention using something other than AcroRead to open PDF documents; what about the idea of using another document format altogether? Microsoft is apparently serious about offering its PDF alternative.

Pardon the popups from ComputerWorld, but it is a very good article:

With XPS as PDF killer, Microsoft opens second front on Adobe
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9017438

Chris Quirke said...

Using a different data format isn't your choice, if you are "consuming" someone else's document (in this case, the tax service's submission form).

IMO, MS could have scooped .PDF by building .HLP authoring support into MS Word, back in the days before Windows 98 - though it's been stated that .HLP doesn't support text searching, which hurts.

netjustin said...

I hadn't heard of that HLP format before. Thanks for that perspective!

On a related note, I was looking at moving out a bunch of the Adobe Reader plugins to cut the program's load time. If I can look forward to people (America's IRS?) using PDF and its advanced tracking and form submission features then I won't bother trying to streamline it.

Anonymous said...

Chris, were you at UCT in the 1970s-80s?

Chris Quirke said...

Yes, I was at UCT in that time frame.

Does Private File ring a bell?

Anonymous said...

So has anyone found a non-Adobe bloatware reader that can actually handle what SARS did to their PDF output?
The file header says PDF 1.7, but none of the alternative freeware readers get past the insistence on installing the monster shyteware.

Chris Quirke said...

Good question, and there are other problems with the knee-jerk "use Foxit instead" approach to .PDF.

Specifically, I've seen comments that the sort of exploits possible against Acrobat Reader are quite likely to apply to the alternatives.

If that's the case, you lose the safety of obscurity that you'd have where a small-vendor, seldom-patched alternative had its own exploitable defects (that didn't attract attention due to small market share).

Modern Acrobat (Adobe) Reader also waves Flash around to be exploited.

What makes all this worse is that several accounting apps etc. build .PDF files and then automate the sending of these as email attachments, attached to generic (and thus malware-forgeable) messages.