Adobe has been subjecting us to quite the parade of zero-day security vulnerabilities lately. Here are two steps I took not too long ago to reduce exposure, which I'd recommend to almost everyone:
- Disable Flash except for selected websites.
Flash has become ubiquitous, yet the most common use is for displaying annoying animated ads. This doesn't justify the security exposure, as far as I'm concerned! IE8 has a built-in, rather under-advertised feature for enabling plugins on a domain-by-domain basis. Go to Tools->Manage Add-ons, change the "Show: Currently loaded add-ons" dropdown to "Show: All add-ons", locate Shockwave Flash Object under Adobe Systems Incorporated, right click -> More Information, press the 'Remove all sites' button, and then click Close. Now, whenever a site tries to use Flash, the information bar will come up at the top of the browser window. To permanently enable Flash for all sites on that domain, click the information bar and hit Run Add-On. Now, that domain will have access to Flash no questions asked. This approach does have the mildly annoying consequence that the information bar hangs around indefinitely for all sites where you refuse to authorize Flash, but I don't find it very intrusive (though I do make sure my window size is wide enough that it doesn't wrap to two lines).
Firefox requires some sort of add-on to do the same, so I hear, but Firefox users already know everything and don't need my pontificating, right? ;)
- Disable JavaScript in Acrobat Reader.
Why do we need dynamic scripting capabilities inside what are supposed to be pre-rendered, durable documents? Oh, right, Adobe wants to wedge PDF into more dubious application scenarios in order to expand their market. Too bad we're along for the ride.
JavaScript is only one of many potential sources of vulnerabilities, but it is often instrumental in effectively exploiting vulnerabilities elsewhere and is often assumed by exploits. (See http://www.fortiguard.com/analysis/pdfanalysis.html for an interesting though overly technical case study.) Fortunately, unlike many unwanted Acrobat features, there is an option to disable it. In my version (AR 8), just uncheck "Enable Acrobat JavaScript" under Edit -> Preferences -> JavaScript. I honestly haven't missed it!
ETA: IE6/7 do not have the aforementioned fine-grained add-on control. Too bad. Good reason to upgrade! (Except for the memory management BS with persistent IE8 frame processes. *sigh*. Should write a post about that. The -nomerge command line option is your friend.)
ETA2: The IE8 per-domain add-on control mechanism is a bit lacking in editing features. In particular, you can add sites to the list, but AFAICT you can only remove them by removing all sites and starting over, which is kind of ridiculous. However, it looks like the list of domains is stored as a series of keys at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore\AllowedDomains (for Flash 10, at least), which you can easily edit by hand once it's been set up.
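Given that registry location, the allow list can be managed with a few lines of PowerShell instead of the all-or-nothing 'Remove all sites' button. This is an added example, not part of the original post; the key path and CLSID are the ones quoted above, and it assumes (as the post describes) that each subkey under AllowedDomains is named after the authorized domain.

```powershell
# Added example: list and prune the per-domain Flash allow list that IE8
# keeps under the Flash add-on's CLSID. Path and CLSID are from the post;
# "one subkey per authorized domain" is an assumption based on the post.
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
$AllowedDomainsKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$FlashClsid\iexplore\AllowedDomains"

function Get-IEFlashAllowedDomain {
    # Each subkey is a domain that was authorized via the information bar.
    if (-not (Test-Path $AllowedDomainsKey)) { return @() }
    Get-ChildItem -Path $AllowedDomainsKey | ForEach-Object { $_.PSChildName }
}

function Remove-IEFlashAllowedDomain {
    # Revoke a single domain rather than clearing the whole list.
    # Supports -WhatIf / -Confirm so you can preview the change first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Domain)

    $key = Join-Path -Path $AllowedDomainsKey -ChildPath $Domain
    if (-not (Test-Path $key)) {
        Write-Warning "$Domain is not in the IE8 Flash allow list."
        return
    }
    if ($PSCmdlet.ShouldProcess($Domain, 'Remove from IE8 Flash allow list')) {
        Remove-Item -Path $key -Recurse
    }
}

# Review what is currently allowed, then revoke a domain you no longer trust.
# Assumption: close all IE8 windows first, since the browser may hold the list
# in memory while running and write it back over your edit.
Get-IEFlashAllowedDomain
Remove-IEFlashAllowedDomain -Domain 'example.com' -WhatIf
```

Drop the -WhatIf once the preview shows the intended key; the domain will then prompt via the information bar again the next time one of its pages tries to load Flash.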