> Glad it was of some help. One caveat (and its a big one), if the pdf has js in > it it will prompt the user to enable when opened. This will turn the option back on. (Based my testing back in january)
That horrible "feature" no longer exists in v9.3.2 and v8.2.2 (possibly 9.3.1/8.2.1) There is now a trust model and you can trust specific docs and/or specific sites..... And the JS will only be allowed to run in those docs/sites..... If you have javascript disabled, you get a yellow bar across the top of the document telling you the document has JS in it.....and then you have the option of turning on JS for that PDF or for that whole site..... K-Dee -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Bugbear Sent: Tuesday, June 15, 2010 6:05 AM To: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript Glad it was of some help. One caveat (and its a big one), if the pdf has js in it it will prompt the user to enable when opened. This will turn the option back on. (Based my testing back in january) This one reason I also use the blacklisting option as well (see vrt lin earlier) In addition to gpo's, if you have a patch mgmt system that supports autofix on a set interval, you could certainly script it This would be very useful in situations where computers do not get logged off or rebooted for long periods of time Combined with no admin rights, av, ips, email filtering I rarely see exploitation Would love to see a way to perm disable however. @bradarkin on twitter has very responsive to my suggestions regarding advisories, etc... Would likw to see more people make suggestions like this (apply some pressure if you will) Tim @bug_bear On 6/11/10, Craig Freyman <[email protected]> wrote: > I ended up using BugBear's suggestion. It's working great. > > On Thu, Jun 10, 2010 at 6:09 PM, Jody & Jennifer McCluggage < > [email protected]> wrote: > >> Have you tried using Group Policy Preferences? I have had better >> luck managing registry settings using them. They were first included >> with Windows 2008 and are included in 7 but can be downloaded and >> installed on XP and Vista too. >> >> Jody >> >> -----Original Message----- >> From: [email protected] >> [mailto:[email protected]] On Behalf Of Gibson, >> Samuel >> Sent: Thursday, June 10, 2010 8:43 AM >> To: PaulDotCom Security Weekly Mailing List >> Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript >> >> I have had mixed luck with the ADM template. If the user manually >> enables javascript it seems to stay enabled. I ended up using the >> instructions found here: >> >> >> http://www.grouppolicy.biz/2010/01/how-to-make-adobe-reader-more-secu >> re-usin >> g-group-policy/ >> >> along with the registry values contained in the ADM template below to >> create a GPO. In testing it seems to be working quite well. It also >> disables javascript each time the employee logs in. >> >> >> ________________________________________ >> From: [email protected] >> [[email protected]] on behalf of Bugbear >> [[email protected]] >> Sent: Tuesday, June 08, 2010 9:04 PM >> To: PaulDotCom Security Weekly Mailing List >> Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript >> >> I use custom GPO or mgmt system that can edit HKCU >> >> a logon script for the user is another option >> >> Also check out the blacklist framework >> >> post my ranting I have compiled some info here (hey it was the >> holidays and I was annoyed) >> >> http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html >> >> and also VRT has done some good research here >> >> >> http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blackli >> st-fram >> ework.html >> >> here's an ADM template for GPO, hope this helps >> >> CLASS USER >> >> CATEGORY "Adobe Acrobat/Reader 7.x - 9.x" >> >> POLICY "JavaScript Reader 9.x" >> KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs" >> EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x" >> VALUENAME "bEnableJS" >> VALUEON NUMERIC 1 >> VALUEOFF NUMERIC 0 >> END POLICY >> >> POLICY "JavaScript Acrobat 9.x" >> KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs" >> EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x" >> VALUENAME "bEnableJS" >> VALUEON NUMERIC 1 >> VALUEOFF NUMERIC 0 >> END POLICY >> >> >> POLICY "JavaScript Reader 8.x" >> KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs" >> EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x" >> VALUENAME "bEnableJS" >> VALUEON NUMERIC 1 >> VALUEOFF NUMERIC 0 >> END POLICY >> >> POLICY "JavaScript Acrobat 8.x" >> KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs" >> EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x" >> VALUENAME "bEnableJS" >> VALUEON NUMERIC 1 >> VALUEOFF NUMERIC 0 >> END POLICY >> >> POLICY "JavaScript Reader 7.x" >> KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs" >> EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x" >> VALUENAME "bEnableJS" >> VALUEON NUMERIC 1 >> VALUEOFF NUMERIC 0 >> END POLICY >> >> POLICY "JavaScript Acrobat 7.x" >> KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs" >> EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x" >> VALUENAME "bEnableJS" >> VALUEON NUMERIC 1 >> VALUEOFF NUMERIC 0 >> END POLICY >> >> END CATEGORY >> >> >> >> On Tue, Jun 8, 2010 at 6:09 PM, Craig Freyman >> <[email protected]> >> wrote: >> > What have some of you done to disable JavaScript in Acrobat >> > Standard/Pro as well as Acrobat Reader from a corporate perspective? >> > I am referring to installations that are already in place. Custom GPO? >> > I've found a few articles describing the registry setting: >> > [HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs] >> > "bEnableJS"=dword:00000000 This will work for XP clients but this >> > key isn't in this place on my Windows >> > 7 box. It is under HKEY_Users\(MY SID)\Software\Adobe....... >> > If this is the case, if I'll have to write a script that grabs the >> > user's SID before running the registry file on login. Any other >> > options people have used? >> > >> > _______________________________________________ >> > Pauldotcom mailing list >> > [email protected] >> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> > Main Web Site: http://pauldotcom.com >> > >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > -- Sent from my mobile device _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
