Educause Security Discussion mailing list archives

Re: Adobe Reader CVE-2009-4324 workaround


From: Theodore Pham <telamon () CMU EDU>
Date: Wed, 16 Dec 2009 14:48:25 -0500

It should be noted that prior to Adobe Reader and Acrobat 9.2 and 8.1.7,
the UI encountered when opening a PDF with embedded JavaScript was very
obtrusive.  Each time a new block of embedded Javascript is encountered
while rendering, a new dialog box pops up warning the user that content
may not appear correctly unless they re-enable Javascript and doing so
re-enabled it permanently.  I've seen forms where I had to click through
the dialog at least three times and you cannot interact with the
application until the dialog is cleared.

Starting with 9.2 and 8.1.7, opening a PDF containing Javascript with
Javascript disabled causes a gold bar to appear at the top and gives you
the option to enable Javascript just for this document one time only or
for this document always.  The bar does not interfere with interacting
with the application as the old dialog did.

If you choose to enable Javascript for this document always, then the
document's path is added to the following registry key:

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\TrustManager\cTrustedFolders\cAlwaysTrustedForJavaScript

As a string value with name:

t<#> =<doc path>

However, there seems to be a bug with adding more than one Javascript
trusted doc.

The first time I added a doc this way, the <#> value was 1.

The second time the <#> value was 2, but the t1 value was deleted and
opening the doc that was referenced by t1 resulted in a gold bar saying
Javascript was disabled for the PDF.

Subsequent attempts to add more docs result in t2 being reused, but
with only the path to the latest doc added.

So at least through the UI it looks like you can only have one
Javascript trusted doc at a time.

Artificially using regedit to create t1, t2, t3, ..., t<n>, etc. values
pointing to various PDFs allows you to have more than one Javascript
trusted PDF, but as soon as you use the UI to add another one, all the
t<*> values are deleted and replaced with a single t<n+1> value
containing the path to the latest doc you are trying to trust.

I repeated this testing on two different machines running Reader
9.2.0.124 under Windows XP SP3 fully patched.

So all in all, the new gold bar interface definitely makes it more user
friendly to disable Javascript in Reader/Acrobat, but the UI still has
some bugs to work out.


Ted Pham
Information Security Office
Carnegie Mellon University

Brad Judy wrote:

As a quick follow-up, Adobe's first recommendation is to use the JavaScript
blacklist feature to protect from this exploit.  They provide instructions
on that here: http://kb2.adobe.com/cps/532/cpsid_53237.html  which include a
link to a set of registry files to set



[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cJavaScriptPerms]

"tBlackList"="DocMedia.newPlayer"



Altering the JavaScript settings within Adobe Reader may break the ability
to submit PDF forms, so use with caution.



Brad Judy



Emory University



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Wednesday, December 16, 2009 8:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Adobe Reader CVE-2009-4324 workaround



The current Adobe advisory
(http://www.adobe.com/support/security/advisories/apsa09-07.html)  regarding
the new Adobe Reader zero-day exploit instructs to disable Javascript within
Adobe Reader as a workaround.



I just did a quick test and confirmed that this setting uses the following
registry key, which could be used to disable Javascript within Adobe Reader
en masse within your organization (via GPO or desktop management software).



HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs

"bEnableJS"=dword:00000000



After a patch is deployed, setting it back to a value of 1 will enable
Javascript within Adobe Reader.



Brad Judy



Emory University
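
As an added example (not written by either poster or by Adobe), the PowerShell audit below reports deviations from the two workarounds in this thread and lists any per-document `t<#>` exceptions, since a document trusted "always" keeps running JavaScript even when `bEnableJS` is 0. Registry paths and value names are those quoted in the messages above; `Get-RegValue` is a helper name introduced here.

```powershell
# Added example: paths and value names are the ones quoted in this thread.
# Run as the logged-on user, because two of the three keys live under HKCU.
$jsPrefs  = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs'
$trusted  = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\TrustManager\cTrustedFolders\cAlwaysTrustedForJavaScript'
$lockdown = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cJavaScriptPerms'

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or the value is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-Item -LiteralPath $Path).GetValue($Name)
}

$findings = @()

# Workaround 1: bEnableJS = 0 disables JavaScript for this user.
$enableJs = Get-RegValue $jsPrefs 'bEnableJS'
if ($null -eq $enableJs) {
    $findings += 'bEnableJS is not set for this user'
} elseif ($enableJs -ne 0) {
    $findings += "bEnableJS = $enableJs (JavaScript enabled)"
}

# Workaround 2: the machine-wide blacklist must name DocMedia.newPlayer.
$blackList = Get-RegValue $lockdown 'tBlackList'
if ("$blackList" -notlike '*DocMedia.newPlayer*') {
    $findings += "tBlackList does not list DocMedia.newPlayer (current value: '$blackList')"
}

# Per-document exceptions: string values named t<#> whose data is a document path.
if (Test-Path -LiteralPath $trusted) {
    $key = Get-Item -LiteralPath $trusted
    foreach ($name in $key.GetValueNames()) {
        if ($name -match '^t\d+$') {
            $findings += "JavaScript always trusted for: $($key.GetValue($name)) ($name)"
        }
    }
}

if ($findings.Count -eq 0) {
    'OK: JavaScript disabled, blacklist set, no always-trusted documents'
} else {
    $findings
}
```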



