Skip navigation
dancablam
Currently Being Moderated

Allow Zip Files as Attachments in PDFs

Nov 8, 2009 9:16 PM

As many of you are aware, newer versions of Acrobat have removed the ability to open or save zip files attached to a PDF (without a complex registry hack).

 

Notice that I've attached a zip file to this post. Adobe: If you've deemed zip files safe enough to be hosted and delivered in your own forums, maybe they're safe enough to be reinstated in PDFs?

 

I believe no product should force security on its users without providing them any practical way to override. Web browsers, email clients, and operating systems warn you of potentially dangerous files and then let the client make the choice. What if it's a zip file from a trusted source full of harmless text documents? Too bad - because Acrobat says so. Acrobat makes no attempt to examine the zip file to see if perhaps its contents are dangerous - it just sweepingly decides zips are far too dangerous to let the user have any voice in the matter. I fundamentally disagree.

 

I think Adobe got this one wrong - and I cast a vote that they loosen the noose on zip files on a future release. I'd like to hear other users' thoughts on this issue. Adobe is good at listening to their users - so tell them what you think.

 

Cheers,

Dan

Attachments:
 
Replies
  • Currently Being Moderated
    Mar 1, 2010 4:14 AM   in reply to dancablam

    I was hoping it  can include zip files so I can deliver my product in one pdf than maintain a download website.

     
    |
    Mark as:
  • Currently Being Moderated
    Sep 23, 2010 9:22 PM   in reply to dancablam

    Agree!

    Adobe should not decide for the user.

     
    |
    Mark as:
  • Currently Being Moderated
    Nov 15, 2010 12:12 PM   in reply to dancablam

    This information is for Acrobat Professional users in Windows XP. I don't know if it

    is valid for PCs using only Acrobat Reader.

     

    Adobe is wrong but that doesn't mean we have to live with their problem.

    Since when does anyone open attachments from unknown or unsolicited sources?

    Some zip files can be or contain executables (.exe) but that is no excuse for not

    knowing where your emails or files come from and not having up to date virus software.

     

    Adobe did not disallow zip file attachments, they just buried the enable so deep

    that the average user would never find it and using an editor (regedit) that most users

    have never heard of. As far as I am concernced, without any word from the Adobe

    Tower, this is pure marketing.

     

    I have inserted a jpeg photo that shows, for Windows XP, where to find the hidden enable

    and how to edit to allow opening OR saving (recommended) zip files. This is the

    file I have been passing to my Engineers and suppliers. The information comes from

    a help call I put in to Adobe.

     

    Editting the registry is not difficult, you just need to be sure that nothing unusual

    happens while editting the text or saving after done. Have an IT person or other

    superuser do the edit if you are unsure. After editting and saving, select  BuiltInPermList,

    then pulldown  File   and click   Export. This produces a one-click edit that will fix the

    problem on any Windows XP computer.

     

    Adobe is also blocking rar, tar and tgz compressions.

    This edit needs to repeated anytime Acrobat is reinstalled.

     

     

    Cannot Open ZIPs Attached to PDFs.jpg

     
    |
    Mark as:
  • Currently Being Moderated
    Nov 16, 2010 7:32 AM   in reply to zippedup

    There's no point in manually configuring your system to allow compressed file attachments if your recipients won't be able to open them. There are valid security reasons why ZIP, RAR, etc. are disabled by default, and while it's possible to override that decision it's not a practicable workflow for a file you intend to distribute to a general audience.

     
    |
    Mark as:
  • Currently Being Moderated
    Nov 16, 2010 10:36 AM   in reply to Dave Merchant

    But it is an ideal way to transport under 5M of machine or computer files on a pdf drawing between companies doing

    business together via email. There are valid securtiy reasons for not driving to work too. What is needed is a positive

    'how to' and a little less corporate 'can't do'.  If Adobe were not sensitive to thousands of users, why the phase-out?

    Why not just disable these files completely?

    I'd suggest helpful topics on setting up FTP, remote 3rd party servers and cloud connections with business partners.

     
    |
    Mark as:
  • Currently Being Moderated
    Nov 17, 2010 1:53 AM   in reply to zippedup

    I can't discuss precisely how compressed files can be used to attack a system, but one reason for the change is that many enterprise AV software operating at the firewall/mailserver level cannot reliably extract and scan the contents of a ZIP file which is itself inside a PDF - if the individual user who opens the file hasn't got strong desktop-level protection or the malicious attachment is a trojan rather than a virus, it can run riot. It's the same reason that malicious files shared through P2P tend to be ZIPs inside RARs inside RARs...

     

    Adobe has always worked hard to ensure the PDF format is as trustworthy as possible, and where appropriate has restricted features of its software when the balance of probability suggests that feature will be used for malicious intent. There's nothing to stop someone putting a PDF inside a ZIP (which is easily scanned by AV software), it's just putting a ZIP inside a PDF that's disabled. Yes, the blacklist is editable for special situations, but the default block is to protect the type of user who is least able to understand the implications of opening the attachment.

     
    |
    Mark as:
  • Currently Being Moderated
    Feb 8, 2011 1:35 AM   in reply to dancablam

    I'm sorry, but this is extremely frustrating, especially since my current bank insists on sending me PDFs with a Zip file embedded, except I can't extract it, because Adobe Acrobat doesn't even allow the option for doing so.

     

    I'm not tech savvy enough to edit the register without messing something up, and I've been unable to install older versions of Acrobat on my PC. Does anyone have a link to an older version of Acrobat that I can download that will let me open up zip attachments in PDFs?

     
    |
    Mark as:
  • Currently Being Moderated
    Feb 8, 2011 4:19 AM   in reply to omurphy27

    I'm afraid the fault is with your bank - they are using a combination of formats which is not supported by Adobe Reader and has not been for some time. Given Adobe Reader dominates the PDF consumption market on desktops, they need to change their workflow to reflect what is and is not allowed. There's no reason why a PDF attachment needs to be ZIP compressed; if it's a size issue then they should add the attachment to the PDF and *then compress the PDF*, or deliver it as a standalone file.

     
    |
    Mark as:
  • Currently Being Moderated
    Feb 8, 2011 4:22 AM   in reply to Dave Merchant

    Fair enough, I just wish there was an easier work around.

     
    |
    Mark as:
  • Currently Being Moderated
    Feb 8, 2011 6:03 AM   in reply to omurphy27

    It was a security-related decision to remove the support for compressed attachments, so it's intentional that bypassing it is not easy. The registry entries that control blacklisting are designed for enterprise users who have a closed-loop workflow that has to support files which would otherwise be untrustworthy, but changing the blacklist and then opening files from general circulation is, to say the least, not recommended.

     
    |
    Mark as:
  • Currently Being Moderated
    Mar 17, 2011 9:17 AM   in reply to Dave Merchant

    What I find annoying is that the files are allowed to be attached in the first place without a warning.Users of a system I wrote attach zip files that cannot be viewed by users down the line in the workflow.

     
    |
    Mark as:
  • Currently Being Moderated
    Nov 25, 2011 2:39 AM   in reply to Dave Merchant

    Back in 2005 while writing my thesis (with LaTex) I compiled the source into a nice PDF.

    Under Acrobat Pro 6.x (or was it 7.x already?) I decided for more safety to attach a zip archive of the source code to my beloved printer-ready pdf. 6 years later, I'm working at a university and would like to reuse part of *my* old code, still embedded somewhere in *my* original PDF (along with a ppt of my oral defense which, possibly, contained harmful macros, but who cares).

    Oh, wait. Adobe now prevents me to do it. Can save the ppt, can't save the zip. You can't explain that.

    And unfortunately I cannot mess with the registry. You see, this little dirty hack would precisely be a security breach if any end-user can access the windows registry (to disable antiviruses, firewalls... for instance). So our admins forbid it, and Adobe does not offer any solution to what is an otherwise trivial feature found in any email software out there (= save attachments after eventually displaying a warning message, running them through the installed antivirus, or...).

     

    This unilateral "security" gibberish from Adobe is just plain nonsense. If the folks at Adobe think their user basis is made of dummies (hmmm, could very well be!) and are so concerned with the safety of the aforementioned, let's just include an optional anti-malware module within Acrobat. They could even charge for an Adobe Antivirus, tee-hee-hee.

     
    |
    Mark as:
  • JR_Boulay
    485 posts
    Nov 23, 2008
    Currently Being Moderated
    Nov 29, 2011 4:34 AM   in reply to dancablam

    Hi,

     

     

    CEASE FIRE !

     

    ==> there is no need to previously ZIP an attached file since a PDF-attachment is still zipped !

     

     

    Seach for "ZIP files in PDF Portfolios" on this page: http://blogs.adobe.com/pdfdevjunkie/category/acrobat/pdf-portfolios/pa ge/2

     

    It's about Portfolios but it's exactly the same thing for "single" PDF files.

    You should also Google-translate this french page: http://abracadabrapdf.net/articles.php?lng=fr&pg=637

     

    The attachments navigation panel gives these infos in Reader and in Acrobat: "Size" and "Compressed size" are displayed.

    Here is a (french) screengrab:

     

    http://abracadabrapdf.net/img/Zip-et-PDF_01.png

    (Fichier means File, Taille means Size, Taille compressée means Compressed size, and Ko means Kb)

     

     

    ;-)

     

    Message was edited by: JR_Boulay

     
    |
    Mark as:
  • Currently Being Moderated
    Mar 1, 2013 2:55 AM   in reply to JR_Boulay

    @JR_Boulay:

    The point of attaching an archive file like .zip is not the compression, we all know that PDF does this for us.

     

    The reason is to be able to keep your attachment count low and preserve any folder structure present in the zip-compressed files. I tried for example to attach the source of my thesis to the final PDF file: thats around a dozen LaTeX files, dozens of images, bibliography, tables, diagrams, etc -- all distributed and organized over a clear folder hierarchy...

     

    You cant be suggesting to manually attach each and every one of these files, therby also losing the correct folder structure?

     
    |
    Mark as:
  • JR_Boulay
    485 posts
    Nov 23, 2008
    Currently Being Moderated
    Mar 1, 2013 5:17 AM   in reply to fsgysin

    Hi,

     

    If you need to preserve folder structure you should take a look to PDF Portfolios:

    http://help.adobe.com/en_US/acrobat/X/pro/using/WS8AC2CE72-864F-4d65-8 15A-4AFCAB0B46FA.html

     

    Adobe's Layouts (Themes) built-in Acrobat X and XI are ugly but you can find some nicest here: http://blog.practicalpdf.com/portfolios/

    (With a particular mention for the Grid with Preview theme.)

     

     
    |
    Mark as:
  • Currently Being Moderated
    Mar 1, 2013 5:49 AM   in reply to JR_Boulay

    I am  ten and what is this?

     

    No, joke aside: I have never heard of such a thing before. I am fairly certain none of my friends and colleagues have heard of or worked with PDF porfolios before.

    Then you seem to need some Adobe pro version to even be able to work with it properly. Also it is not clear if all file types are supported, but things like "The files in a PDF Portfolio can be in a wide range of file types created in different applications" do not make me optimistic.

     

    Last but not least, the one important funtionality everyone here is asking for -- extracting the attached content afterwards and saving it to your disk independent of the PDF(-portfolio) it was shipped with -- is not listed on the page you linked and I would bet a fair amount of money that it's not possible...

     
    |
    Mark as:
  • JR_Boulay
    485 posts
    Nov 23, 2008
    Currently Being Moderated
    Mar 1, 2013 6:00 AM   in reply to fsgysin

    extracting the attached content afterwards and saving it to your disk

    Yes, no problemo.

    More: attachments can be edited/saved even if they stays inside the PDF Portfolio.

    Any file type can be embedded, except those considered as potential security issue (.zip, .exe, .js, etc.)

     

    Otherwise, the most common workaround is to add another extension to the restricted file type, as MyFile.zip.txt

    But the end-user have to be aware of that and must know how to remove it when/after extracting the file.

     


     
    |
    Mark as:
  • Currently Being Moderated
    Mar 20, 2013 7:11 AM   in reply to zippedup

    What is funny is that setting the value 1 for the considered extension has exactly the behaviour one is likely to expect:

     

    • User is warned that the file may be unsafe and is given three choices: open, or permanently set the behavior to Allowed or Prohibited.

     

    • Dialog: "The file attachment filename may contain programs, macros, or virus that could potentially harm your computer. Open the file only if you are sure it is safe. Would you like to: -- Open the file-- Always allow opening files of this type-- Never allow opening files of this type"*

      * The user will always be prompted each time a file of the same type is opened, regardless of which option they choose in the dialog. In addition, the setting in the registry will not change.

     

    Why do not use this by default ???

     

    Source: http://andrewalbrecht.com/content.php?pageID=106

     
    |
    Mark as:
  • Currently Being Moderated
    Aug 2, 2013 7:33 AM   in reply to Amandilh

    Foxit Reader allows one to open and save zip attachments to pdfs.

     
    |
    Mark as:
  • Currently Being Moderated
    Aug 3, 2013 3:44 AM   in reply to Amandilh

    There are three reasons why ZIP archives aren't allowed in PDF files:

     

    1. Attachments can be accessed  by scripts in a PDF file without the user necessarily knowing what's going on.
    2. Not all firewall and AV programs will scan attachments to a PDF file, so there's a real concern from enterprises that a malicious file could pass through perimeter security.
    3. While there is a warning message shown if you manually change the settings, the very people who are most likely to be duped by a malicious file are least likely to read and understand the prompts.

     

    It's not a theoretical risk - before the setting was introduced, malware-laden attachments were very common and quite effective at luring people into opening the file, despite the warnings. Often the PDF file itself looked perfectly genuine, it was only the attachment that contained malware - unlike a phishing email offering you $500,000,000,000 from a Nigerian minister, until you opened the attachment there was no real indication of anything suspicious. By then it was too late.

     

    In a closed environment there can still be advantages to being able to attach ZIPs which is why Adobe allows an enterprise administrator to change the defaults - but this has to happen on both ends, and in turn exposes that machine to malware from outside the enterprise; so it's only suggested for sandboxed networks.

     
    |
    Mark as:

More Like This

  • Retrieving data ...

Bookmarked By (0)