Educause Security Discussion mailing list archives
Re: Adobe Reader CVE-2009-4324 workaround
From: Theodore Pham <telamon () CMU EDU>
Date: Wed, 16 Dec 2009 14:48:25 -0500
It should be noted that prior to Adobe Reader and Acrobat 9.2 and 8.1.7, the UI encountered when opening a PDF with embedded JavaScript was very obtrusive. Each time a new block of embedded Javascript is encountered while rendering, a new dialog box pops up warning the user that content may not appear correctly unless they re-enable Javascript and doing so re-enabled it permanently. I've seen forms where I had to click through the dialog at least three times and you cannot interact with the application until the dialog is cleared.

Starting with 9.2 and 8.1.7, opening a PDF containing Javascript with Javascript disabled causes a gold bar to appear at the top and gives you the option to enable Javascript just for this document one time only or for this document always. The bar does not interfere with interacting with the application as the old dialog did.

If you choose to enable Javascript for this document always, then the document's path is added to the following registry key:

    HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\TrustManager\cTrustedFolders\cAlwaysTrustedForJavaScript

As a string value with name:

    t<#> =<doc path>

However, there seems to be a bug with adding more than one Javascript trusted doc. The first time I added a doc this way, the <#> value was 1. The second time the <#> value was 2, but the t1 value was deleted and opening the doc that was referenced by t1 resulted in a gold bar saying Javascript was disabled for the PDF. Subsequent attempts to add more docs result in t2 being reused, but with only the path to the latest doc added. So at least through the UI it looks like you can only have one Javascript trusted doc at a time.

Artificially using regedit to create t1, t2, t3, ..., t<n> etc. values pointing to various PDFs allows you to have more than one Javascript trusted PDF, but as soon as you use the UI to add another one, all the t<*> values are deleted and replaced with a single t<n+1> value containing the path to the latest doc you are trying to trust.

I repeated this testing on two different machines running Reader 9.2.0.124 under Windows XP SP3 fully patched.

So all in all, the new gold bar interface definitely makes it more user friendly to disable Javascript in Reader/Acrobat, but the UI still has some bugs to work out.

Ted Pham
Information Security Office
Carnegie Mellon University

Brad Judy wrote:
As a quick follow-up, Adobe's first recommendation is to use the JavaScript blacklist feature to protect from this exploit. They provide instructions on that here: http://kb2.adobe.com/cps/532/cpsid_53237.html which include a link to a set of registry files to set

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cJavaScriptPerms]
    "tBlackList"="DocMedia.newPlayer"

Altering the JavaScript settings within Adobe Reader may break the ability to submit PDF forms, so use with caution.

Brad Judy
Emory University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Wednesday, December 16, 2009 8:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Adobe Reader CVE-2009-4324 workaround

The current Adobe advisory (http://www.adobe.com/support/security/advisories/apsa09-07.html) regarding the new Adobe Reader zero-day exploit instructs to disable Javascript within Adobe Reader as a workaround.

I just did a quick test and confirmed that this setting uses the following registry key, which could be used to disable Javascript within Adobe Reader en masse within your organization (via GPO or desktop management software).

    HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs
    "bEnableJS"=dword:00000000

After a patch is deployed, setting it back to a value of 1 will enable Javascript within Adobe Reader.
Brad Judy
Emory University
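An added example, not part of either message and not Adobe's code: a small Python audit that reads the text of a `reg export` file and reports the three settings discussed in this thread (bEnableJS, tBlackList, and the t<#> entries under cAlwaysTrustedForJavaScript). It assumes the export has already been decoded to text (regedit writes UTF-16), that multiple tBlackList entries are separated by "|", and the sample export and its PDF path are constructed.

```python
import re

# Key paths and value names as quoted in the thread (Reader 9.0).
HKCU = r"HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0"
JSPREFS = HKCU + r"\JSPrefs"
TRUSTED = HKCU + r"\TrustManager\cTrustedFolders\cAlwaysTrustedForJavaScript"
JSPERMS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0"
           r"\FeatureLockDown\cJavaScriptPerms")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}}, names lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \"
    return keys

def audit(text):
    """Report the JavaScript posture described in the thread for one export."""
    keys = parse_reg(text)
    enable_js = keys.get(JSPREFS.lower(), {}).get("benablejs")
    blacklist = str(keys.get(JSPERMS.lower(), {}).get("tblacklist", ""))
    trusted = keys.get(TRUSTED.lower(), {})
    return {
        "js_disabled": enable_js == 0,  # a missing value counts as not disabled
        "newplayer_blacklisted": "DocMedia.newPlayer" in blacklist.split("|"),
        "trusted_docs": sorted(v for n, v in trusted.items() if re.fullmatch(r"t\d+", n)),
    }

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\TrustManager\cTrustedFolders\cAlwaysTrustedForJavaScript]
"t2"="C:\\Forms\\timesheet.pdf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cJavaScriptPerms]
"tBlackList"="DocMedia.newPlayer"
'''
```

Any path listed in trusted_docs is a document for which JavaScript stays enabled even when bEnableJS is 0, so those entries are worth reviewing alongside the two settings.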