PaulDotCom mailing list archives

Re: Disabling Acrobat JavaScript


From: "Dahl, Kevin" <Kevin.Dahl () ARS USDA GOV>
Date: Wed, 16 Jun 2010 09:28:25 -0600

If you lock down permissions on the following

HKCU\Software\Adobe\Adobe [Acrobat\Reader]\9.0\JSPrefs\ 

I believe the user will still be able to enable JS for a specific document or site via the yellow bar at the top..... 
but they won't be able to enable JS globally via the preferences checkbox....


K-Dee
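As an added example (not code from the thread or from Adobe), here is a PowerShell logon-script version of what this thread describes: it sets bEnableJS=0 on the Reader/Acrobat JSPrefs keys listed in the ADM template further down, reports the current state for auditing, and applies the deny-write permission on those keys that Kevin suggests. Because it runs in the user's own context, HKCU resolves to the logged-on user's hive and no SID lookup (the issue Craig raises) is needed; the function names are my own.

```powershell
# Added example, not code from the thread. Run as a per-user logon script (or on an interval from a
# patch-management "autofix", as Tim suggests); HKCU then resolves to the logged-on user's hive.
# Product/version key names come from the ADM template in the thread; function names are hypothetical.
$Products = @('Acrobat Reader', 'Adobe Acrobat')
$Versions = @('7.0', '8.0', '9.0')

# Enumerate only the JSPrefs keys that actually exist on this machine.
function Get-JSPrefsKeys {
    foreach ($p in $Products) {
        foreach ($v in $Versions) {
            $key = "HKCU:\Software\Adobe\$p\$v\JSPrefs"
            if (Test-Path -Path $key) { $key }
        }
    }
}

# Audit view: one object per install, showing the current bEnableJS value ($null if unset).
function Get-AcrobatJavaScriptState {
    foreach ($key in Get-JSPrefsKeys) {
        $v = (Get-ItemProperty -Path $key -Name 'bEnableJS' -ErrorAction SilentlyContinue).bEnableJS
        [pscustomobject]@{ Key = $key; bEnableJS = $v }
    }
}

# Same setting as the thread's .reg snippet and ADM template: bEnableJS = 0. Writes only when needed,
# so it still succeeds on keys that Lock-JSPrefsKey has already made read-only for the user.
function Disable-AcrobatJavaScript {
    foreach ($s in Get-AcrobatJavaScriptState) {
        if ($s.bEnableJS -ne 0) {
            Set-ItemProperty -Path $s.Key -Name 'bEnableJS' -Value 0 -Type DWord
        }
    }
}

# Kevin's suggestion: deny the interactive user write access to JSPrefs so the global preferences
# checkbox cannot be re-enabled. Per-document/site trust via the yellow bar is, as Kevin notes, unaffected.
function Lock-JSPrefsKey {
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    foreach ($key in Get-JSPrefsKeys) {
        $acl  = Get-Acl -Path $key
        $deny = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                    -ArgumentList $user, 'SetValue, CreateSubKey, Delete', 'None', 'None', 'Deny'
        $acl.AddAccessRule($deny)
        Set-Acl -Path $key -AclObject $acl
    }
}

Disable-AcrobatJavaScript
Lock-JSPrefsKey
Get-AcrobatJavaScriptState | Format-Table -AutoSize
```

A user normally owns the keys in their own HKCU hive, and an owner always keeps WRITE_DAC, so a determined user can remove the deny ACE again; that is why it is worth re-applying the whole script at each logon rather than treating the permission lock as a hard control.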



-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Bugbear
Sent: Wednesday, June 16, 2010 7:08 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

deja vu

I think you may have suggested that on this in the past. Or someone did ;)

certainly would work unless there were docs you needed js on


On Tue, Jun 15, 2010 at 6:37 PM, Jody & Jennifer McCluggage <j2mccluggage () adelphia net> wrote:
What about if you change the permissions on the registry values (assuming the end-user is not running with local administrator privileges)?  Will this prevent the user from being able to re-enable JS?

Thanks,

Jody

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Bugbear
Sent: Tuesday, June 15, 2010 3:44 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

that is very good news indeed, thanks for the info

On Tue, Jun 15, 2010 at 12:15 PM, Dahl, Kevin <Kevin.Dahl () ars usda gov> wrote:
Glad it was of some help. One caveat (and it's a big one), if the pdf has js in it it will prompt the user to enable when opened. This will turn the option back on. (Based on my testing back in January)


That horrible "feature" no longer exists in v9.3.2 and v8.2.2 (possibly 9.3.1/8.2.1)

There is now a trust model and you can trust specific docs and/or 
specific sites..... And the JS will only be allowed to run in those 
docs/sites.....

If you have javascript disabled, you get a yellow bar across the top 
of the document telling you the document has JS in it.....and then 
you have the option of turning on JS for that PDF or for that whole site.....


K-Dee



-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Bugbear
Sent: Tuesday, June 15, 2010 6:05 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

Glad it was of some help. One caveat (and it's a big one), if the pdf has js in it it will prompt the user to enable when opened. This will turn the option back on. (Based on my testing back in January)

This is one reason I also use the blacklisting option as well (see VRT link earlier)

In addition to gpo's, if you have a patch mgmt system that supports 
autofix on a set interval, you could certainly script it

This would be very useful in situations where computers do not get 
logged off or rebooted for long periods of time

Combined with no admin rights, av, ips, email filtering I rarely see 
exploitation

Would love to see a way to perm disable however.

@bradarkin on twitter has been very responsive to my suggestions regarding advisories, etc... Would like to see more people make suggestions like this (apply some pressure if you will)

Tim
@bug_bear

On 6/11/10, Craig Freyman <craigfreyman () gmail com> wrote:
I ended up using BugBear's suggestion. It's working great.

On Thu, Jun 10, 2010 at 6:09 PM, Jody & Jennifer McCluggage <j2mccluggage () adelphia net> wrote:

Have you tried using Group Policy Preferences?  I have had better luck managing registry settings using them.  They were first included with Windows 2008 and are included in 7 but can be downloaded and installed on XP and Vista too.

Jody

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of 
Gibson, Samuel
Sent: Thursday, June 10, 2010 8:43 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

I have had mixed luck with the ADM template. If the user manually enables javascript it seems to stay enabled.  I ended up using the instructions found here:

http://www.grouppolicy.biz/2010/01/how-to-make-adobe-reader-more-secure-using-group-policy/

along with the registry values contained in the ADM template below to create a GPO.  In testing it seems to be working quite well.  It also disables javascript each time the employee logs in.


________________________________________
From: pauldotcom-bounces () mail pauldotcom com
[pauldotcom-bounces () mail pauldotcom com] on behalf of Bugbear 
[gbugbear () gmail com]
Sent: Tuesday, June 08, 2010 9:04 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

I use custom GPO or mgmt system that can edit HKCU

a logon script for the user is another option

Also check out the blacklist framework

post my ranting I have compiled some info here (hey it was the 
holidays and I was annoyed)

http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html

and also VRT has done some good research here

http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blacklist-framework.html

here's an ADM template for GPO, hope this helps

CLASS USER

CATEGORY "Adobe Acrobat/Reader 7.x - 9.x"

POLICY "JavaScript Reader 9.x"
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 9.x"
KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY


POLICY "JavaScript Reader 8.x"
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 8.x"
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Reader 7.x"
KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 7.x"
KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

END CATEGORY



On Tue, Jun 8, 2010 at 6:09 PM, Craig Freyman <craigfreyman () gmail com> wrote:
What have some of you done to disable JavaScript in Acrobat Standard/Pro as well as Acrobat Reader from a corporate perspective?
I am referring to installations that are already in place.  Custom GPO?
I've found a few articles describing the registry setting:
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
"bEnableJS"=dword:00000000
This will work for XP clients but this key isn't in this place on my Windows 7 box. It is under HKEY_Users\(MY SID)\Software\Adobe.......
If this is the case, I'll have to write a script that grabs the user's SID before running the registry file on login.  Any other options people have used?

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


--
Sent from my mobile device