that is very good news indeed, thanks for the info
On Tue, Jun 15, 2010 at 12:15 PM, Dahl, Kevin <[email protected]> wrote: >> Glad it was of some help. One caveat (and its a big one), if the pdf > has js in >> it it will prompt the user to enable when opened. This will turn the > option back on. (Based my testing back in january) > > > That horrible "feature" no longer exists in v9.3.2 and v8.2.2 (possibly > 9.3.1/8.2.1) > > There is now a trust model and you can trust specific docs and/or > specific sites..... And the JS will only be allowed to run in those > docs/sites..... > > If you have javascript disabled, you get a yellow bar across the top of > the document telling you the document has JS in it.....and then you have > the option of turning on JS for that PDF or for that whole site..... > > > K-Dee > > > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of Bugbear > Sent: Tuesday, June 15, 2010 6:05 AM > To: PaulDotCom Security Weekly Mailing List > Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript > > Glad it was of some help. One caveat (and its a big one), if the pdf has > js in it it will prompt the user to enable when opened. This will turn > the option back on. (Based my testing back in january) > > This one reason I also use the blacklisting option as well (see vrt lin > earlier) > > In addition to gpo's, if you have a patch mgmt system that supports > autofix on a set interval, you could certainly script it > > This would be very useful in situations where computers do not get > logged off or rebooted for long periods of time > > Combined with no admin rights, av, ips, email filtering I rarely see > exploitation > > Would love to see a way to perm disable however. > > @bradarkin on twitter has very responsive to my suggestions regarding > advisories, etc... Would likw to see more people make suggestions like > this (apply some pressure if you will) > > Tim > @bug_bear > > On 6/11/10, Craig Freyman <[email protected]> wrote: >> I ended up using BugBear's suggestion. It's working great. >> >> On Thu, Jun 10, 2010 at 6:09 PM, Jody & Jennifer McCluggage < >> [email protected]> wrote: >> >>> Have you tried using Group Policy Preferences? I have had better >>> luck managing registry settings using them. They were first included > >>> with Windows 2008 and are included in 7 but can be downloaded and >>> installed on XP and Vista too. >>> >>> Jody >>> >>> -----Original Message----- >>> From: [email protected] >>> [mailto:[email protected]] On Behalf Of Gibson, >>> Samuel >>> Sent: Thursday, June 10, 2010 8:43 AM >>> To: PaulDotCom Security Weekly Mailing List >>> Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript >>> >>> I have had mixed luck with the ADM template. If the user manually >>> enables javascript it seems to stay enabled. I ended up using the >>> instructions found here: >>> >>> >>> http://www.grouppolicy.biz/2010/01/how-to-make-adobe-reader-more-secu >>> re-usin >>> g-group-policy/ >>> >>> along with the registry values contained in the ADM template below to > >>> create a GPO. In testing it seems to be working quite well. It also > >>> disables javascript each time the employee logs in. >>> >>> >>> ________________________________________ >>> From: [email protected] >>> [[email protected]] on behalf of Bugbear >>> [[email protected]] >>> Sent: Tuesday, June 08, 2010 9:04 PM >>> To: PaulDotCom Security Weekly Mailing List >>> Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript >>> >>> I use custom GPO or mgmt system that can edit HKCU >>> >>> a logon script for the user is another option >>> >>> Also check out the blacklist framework >>> >>> post my ranting I have compiled some info here (hey it was the >>> holidays and I was annoyed) >>> >>> http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html >>> >>> and also VRT has done some good research here >>> >>> >>> http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blackli >>> st-fram >>> ework.html >>> >>> here's an ADM template for GPO, hope this helps >>> >>> CLASS USER >>> >>> CATEGORY "Adobe Acrobat/Reader 7.x - 9.x" >>> >>> POLICY "JavaScript Reader 9.x" >>> KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> POLICY "JavaScript Acrobat 9.x" >>> KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> >>> POLICY "JavaScript Reader 8.x" >>> KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> POLICY "JavaScript Acrobat 8.x" >>> KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> POLICY "JavaScript Reader 7.x" >>> KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> POLICY "JavaScript Acrobat 7.x" >>> KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> END CATEGORY >>> >>> >>> >>> On Tue, Jun 8, 2010 at 6:09 PM, Craig Freyman >>> <[email protected]> >>> wrote: >>> > What have some of you done to disable JavaScript in Acrobat >>> > Standard/Pro as well as Acrobat Reader from a corporate > perspective? >>> > I am referring to installations that are already in place. Custom > GPO? >>> > I've found a few articles describing the registry setting: >>> > [HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs] >>> > "bEnableJS"=dword:00000000 This will work for XP clients but this >>> > key isn't in this place on my Windows >>> > 7 box. It is under HKEY_Users\(MY SID)\Software\Adobe....... >>> > If this is the case, if I'll have to write a script that grabs the >>> > user's SID before running the registry file on login. Any other >>> > options people have used? >>> > >>> > _______________________________________________ >>> > Pauldotcom mailing list >>> > [email protected] >>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> > Main Web Site: http://pauldotcom.com >>> > >>> _______________________________________________ >>> Pauldotcom mailing list >>> [email protected] >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> Main Web Site: http://pauldotcom.com >>> _______________________________________________ >>> Pauldotcom mailing list >>> [email protected] >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> Main Web Site: http://pauldotcom.com >>> >>> _______________________________________________ >>> Pauldotcom mailing list >>> [email protected] >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> Main Web Site: http://pauldotcom.com >>> >> > > -- > Sent from my mobile device > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
