Educause Security Discussion mailing list archives

Re: Adobe Reader CVE-2009-4324 workaround


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Wed, 16 Dec 2009 12:51:25 -0500

As a quick follow-up, Adobe's first recommendation is to use the JavaScript
blacklist feature to protect from this exploit.  They provide instructions
on that here: http://kb2.adobe.com/cps/532/cpsid_53237.html  which include a
link to a set of registry files to set

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cJavaScriptPerms]
"tBlackList"="DocMedia.newPlayer"

Altering the JavaScript settings within Adobe Reader may break the ability
to submit PDF forms, so use with caution.



Brad Judy



Emory University



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Wednesday, December 16, 2009 8:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Adobe Reader CVE-2009-4324 workaround



The current Adobe advisory
(http://www.adobe.com/support/security/advisories/apsa09-07.html) regarding
the new Adobe Reader zero-day exploit instructs users to disable JavaScript
within Adobe Reader as a workaround.



I just did a quick test and confirmed that this setting uses the following
registry key, which could be used to disable JavaScript within Adobe Reader
en masse within your organization (via GPO or desktop management software).



HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs

"bEnableJS"=dword:00000000



After a patch is deployed, setting it back to a value of 1 will enable
JavaScript within Adobe Reader.



Brad Judy



Emory University
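
An added example, not part of either message above: a PowerShell function that reports whether the two Reader 9.0 registry values quoted in this thread are in place on a machine, and optionally sets them. The function name is hypothetical, and the use of "|" as the separator between multiple tBlackList entries is an assumption.

```powershell
# Added example (not from the thread). Registry paths and value names are the
# ones quoted in the messages; Test-ReaderJsMitigation is a hypothetical name.
function Test-ReaderJsMitigation {
    param([switch]$Apply)

    $jsPrefs  = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs'
    $lockDown = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cJavaScriptPerms'
    $api      = 'DocMedia.newPlayer'

    # Read both values; a missing key or value comes back as $null.
    $enableJs = (Get-ItemProperty -Path $jsPrefs -Name 'bEnableJS' -ErrorAction SilentlyContinue).bEnableJS
    $list     = (Get-ItemProperty -Path $lockDown -Name 'tBlackList' -ErrorAction SilentlyContinue).tBlackList
    # Assumption: multiple blacklisted APIs are separated by '|'.
    $entries  = @("$list" -split '\|' | Where-Object { $_ })

    if ($Apply) {
        if ($enableJs -ne 0) {
            if (-not (Test-Path $jsPrefs)) { New-Item -Path $jsPrefs -Force | Out-Null }
            Set-ItemProperty -Path $jsPrefs -Name 'bEnableJS' -Value 0 -Type DWord
        }
        if ($entries -notcontains $api) {
            # Writing under HKLM requires an elevated session.
            if (-not (Test-Path $lockDown)) { New-Item -Path $lockDown -Force | Out-Null }
            # Append rather than overwrite, so existing blacklist entries survive.
            $entries += $api
            Set-ItemProperty -Path $lockDown -Name 'tBlackList' -Value ($entries -join '|') -Type String
        }
        # Re-read so the report reflects what was actually written.
        return Test-ReaderJsMitigation
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        User           = $env:USERNAME
        JsDisabled     = ($enableJs -eq 0)          # absent value counts as not mitigated
        ApiBlacklisted = ($entries -contains $api)
    }
}

Test-ReaderJsMitigation            # report only
# Test-ReaderJsMitigation -Apply   # set both values, then report
```

The bEnableJS value lives under HKEY_CURRENT_USER, so the check has to run in each user's context (for example from a logon script) to cover every profile on a machine.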


