PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

Disabling Acrobat JavaScript

From: gbugbear at gmail.com (Bugbear)
Date: Tue, 15 Jun 2010 15:44:16 -0400
that is very good news indeed, thanks for the info

On Tue, Jun 15, 2010 at 12:15 PM, Dahl, Kevin <Kevin.Dahl at ars.usda.gov> wrote:

Glad it was of some help. One caveat (and its a big one), if the pdf

has js in

it it will prompt the user to enable when opened. This will turn the

option back on. (Based my testing back in january)


That horrible "feature" no longer exists in v9.3.2 and v8.2.2 ?(possibly
9.3.1/8.2.1)

There is now a trust model and you can trust specific docs and/or
specific sites..... And the JS will only be allowed to run in those
docs/sites.....

If you have javascript disabled, you get a yellow bar across the top of
the document telling you the document has JS in it.....and then you have
the option of turning on JS for that PDF or for that whole site.....


K-Dee



-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Bugbear
Sent: Tuesday, June 15, 2010 6:05 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

Glad it was of some help. One caveat (and its a big one), if the pdf has
js in it it will prompt the user to enable when opened. This will turn
the option back on. (Based my testing back in january)

This one reason I also use the blacklisting option as well (see vrt lin
earlier)

In addition to gpo's, if you have a patch mgmt system that supports
autofix on a set interval, you could certainly script it

This would be very useful in situations where computers do not get
logged off or rebooted for long periods of time

Combined with no admin rights, av, ips, email filtering I rarely see
exploitation

Would love to see a way to perm disable however.

@bradarkin on twitter has very responsive to my suggestions regarding
advisories, etc... Would likw to see more people make suggestions like
this (apply some pressure if you will)

Tim
@bug_bear

On 6/11/10, Craig Freyman <craigfreyman at gmail.com> wrote:

I ended up using BugBear's suggestion. It's working great.

On Thu, Jun 10, 2010 at 6:09 PM, Jody & Jennifer McCluggage <
j2mccluggage at adelphia.net> wrote:


Have you tried using Group Policy Preferences? ?I have had better
luck managing registry settings using them. ?They were first included



with Windows 2008 and are included in 7 but can be downloaded and
installed on XP and Vista too.

Jody

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Gibson,
Samuel
Sent: Thursday, June 10, 2010 8:43 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

I have had mixed luck with the ADM template. If the user manually
enables javascript it seems to stay enabled. ?I ended up using the
instructions found here:


http://www.grouppolicy.biz/2010/01/how-to-make-adobe-reader-more-secu
re-usin
g-group-policy/

along with the registry values contained in the ADM template below to



create a GPO. ?In testing it seems to be working quite well. ?It also



disables javascript each time the employee logs in.


________________________________________
From: pauldotcom-bounces at mail.pauldotcom.com
[pauldotcom-bounces at mail.pauldotcom.com] on behalf of Bugbear
[gbugbear at gmail.com]
Sent: Tuesday, June 08, 2010 9:04 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

I use custom GPO or mgmt system that can edit HKCU

a logon script for the user is another option

Also check out the blacklist framework

post my ranting I have compiled some info here (hey it was the
holidays and I was annoyed)

http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html

and also VRT has done some good research here


http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blackli
st-fram
ework.html

here's an ADM template for GPO, hope this helps

CLASS USER

CATEGORY "Adobe Acrobat/Reader 7.x - 9.x"

POLICY "JavaScript Reader 9.x"
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 9.x"
KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY


POLICY "JavaScript Reader 8.x"
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 8.x"
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Reader 7.x"
KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 7.x"
KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

END CATEGORY



On Tue, Jun 8, 2010 at 6:09 PM, Craig Freyman
<craigfreyman at gmail.com>
wrote:

What have some of you done to disable JavaScript in Acrobat
Standard/Pro as well as Acrobat Reader from a corporate

perspective?

I am referring to installations that are already in place. ?Custom

GPO?

I've found a few articles describing the registry setting:
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
"bEnableJS"=dword:00000000 This will work for XP clients but this
key isn't in this place on my Windows
7 box. It is under HKEY_Users\(MY SID)\Software\Adobe.......
If this is the case, if I'll have to write a script that grabs the
user's SID before running the registry file on login. ?Any other
options people have used?

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com





--
Sent from my mobile device
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Previous By Date Next
Previous By Thread Next

Current thread: