If you lock down permissions on the following HKCU\Software\Adobe\Adobe [Acrobat\Reader]\9.0\JSPrefs\
I believe the user will still be able to enable JS for a specific document or site via the yellow bar at the top..... but they won't be able to enable JS globally via the preferences checkbox....

K-Dee

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Bugbear
Sent: Wednesday, June 16, 2010 7:08 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

deja vu

I think you may have suggested that on this in the past. Or someone did ;)

certainly would work unless there were docs you needed js on

On Tue, Jun 15, 2010 at 6:37 PM, Jody & Jennifer McCluggage <[email protected]> wrote:
> What about if you change the permissions on the registry values
> (assuming the end-user is not running with local administrator
> privileges)? Will this prevent the user from being able to re-enable JS?
>
> Thanks,
>
> Jody
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Bugbear
> Sent: Tuesday, June 15, 2010 3:44 PM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript
>
> that is very good news indeed, thanks for the info
>
> On Tue, Jun 15, 2010 at 12:15 PM, Dahl, Kevin <[email protected]> wrote:
>>> Glad it was of some help. One caveat (and it's a big one), if the pdf
>>> has js in it it will prompt the user to enable when opened. This will
>>> turn the option back on. (Based on my testing back in January)
>>
>> That horrible "feature" no longer exists in v9.3.2 and v8.2.2
>> (possibly 9.3.1/8.2.1)
>>
>> There is now a trust model and you can trust specific docs and/or
>> specific sites..... And the JS will only be allowed to run in those
>> docs/sites.....
>>
>> If you have javascript disabled, you get a yellow bar across the top
>> of the document telling you the document has JS in it.....and then
>> you have the option of turning on JS for that PDF or for that whole site.....
>>
>> K-Dee
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Bugbear
>> Sent: Tuesday, June 15, 2010 6:05 AM
>> To: PaulDotCom Security Weekly Mailing List
>> Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript
>>
>> Glad it was of some help. One caveat (and it's a big one), if the pdf
>> has js in it it will prompt the user to enable when opened. This will
>> turn the option back on. (Based on my testing back in January)
>>
>> This is one reason I also use the blacklisting option as well (see vrt
>> link earlier)
>>
>> In addition to gpo's, if you have a patch mgmt system that supports
>> autofix on a set interval, you could certainly script it
>>
>> This would be very useful in situations where computers do not get
>> logged off or rebooted for long periods of time
>>
>> Combined with no admin rights, av, ips, email filtering I rarely see
>> exploitation
>>
>> Would love to see a way to perm disable however.
>>
>> @bradarkin on twitter has been very responsive to my suggestions regarding
>> advisories, etc... Would like to see more people make suggestions
>> like this (apply some pressure if you will)
>>
>> Tim
>> @bug_bear
>>
>> On 6/11/10, Craig Freyman <[email protected]> wrote:
>>> I ended up using BugBear's suggestion. It's working great.
>>>
>>> On Thu, Jun 10, 2010 at 6:09 PM, Jody & Jennifer McCluggage <
>>> [email protected]> wrote:
>>>
>>>> Have you tried using Group Policy Preferences? I have had better
>>>> luck managing registry settings using them. They were first included
>>>> with Windows 2008 and are included in 7 but can be downloaded and
>>>> installed on XP and Vista too.
>>>>
>>>> Jody
>>>>
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]] On Behalf Of
>>>> Gibson, Samuel
>>>> Sent: Thursday, June 10, 2010 8:43 AM
>>>> To: PaulDotCom Security Weekly Mailing List
>>>> Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript
>>>>
>>>> I have had mixed luck with the ADM template. If the user manually
>>>> enables javascript it seems to stay enabled. I ended up using the
>>>> instructions found here:
>>>>
>>>> http://www.grouppolicy.biz/2010/01/how-to-make-adobe-reader-more-secure-using-group-policy/
>>>>
>>>> along with the registry values contained in the ADM template below to
>>>> create a GPO. In testing it seems to be working quite well. It also
>>>> disables javascript each time the employee logs in.
>>>>
>>>> ________________________________________
>>>> From: [email protected]
>>>> [[email protected]] on behalf of Bugbear
>>>> [[email protected]]
>>>> Sent: Tuesday, June 08, 2010 9:04 PM
>>>> To: PaulDotCom Security Weekly Mailing List
>>>> Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript
>>>>
>>>> I use custom GPO or mgmt system that can edit HKCU
>>>>
>>>> a logon script for the user is another option
>>>>
>>>> Also check out the blacklist framework
>>>>
>>>> post my ranting I have compiled some info here (hey it was the
>>>> holidays and I was annoyed)
>>>>
>>>> http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html
>>>>
>>>> and also VRT has done some good research here
>>>>
>>>> http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blacklist-framework.html
>>>>
>>>> here's an ADM template for GPO, hope this helps
>>>>
>>>> CLASS USER
>>>>
>>>> CATEGORY "Adobe Acrobat/Reader 7.x - 9.x"
>>>>
>>>>   POLICY "JavaScript Reader 9.x"
>>>>     KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
>>>>     EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
>>>>     VALUENAME "bEnableJS"
>>>>     VALUEON NUMERIC 1
>>>>     VALUEOFF NUMERIC 0
>>>>   END POLICY
>>>>
>>>>   POLICY "JavaScript Acrobat 9.x"
>>>>     KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs"
>>>>     EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x"
>>>>     VALUENAME "bEnableJS"
>>>>     VALUEON NUMERIC 1
>>>>     VALUEOFF NUMERIC 0
>>>>   END POLICY
>>>>
>>>>   POLICY "JavaScript Reader 8.x"
>>>>     KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
>>>>     EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x"
>>>>     VALUENAME "bEnableJS"
>>>>     VALUEON NUMERIC 1
>>>>     VALUEOFF NUMERIC 0
>>>>   END POLICY
>>>>
>>>>   POLICY "JavaScript Acrobat 8.x"
>>>>     KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
>>>>     EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x"
>>>>     VALUENAME "bEnableJS"
>>>>     VALUEON NUMERIC 1
>>>>     VALUEOFF NUMERIC 0
>>>>   END POLICY
>>>>
>>>>   POLICY "JavaScript Reader 7.x"
>>>>     KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs"
>>>>     EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x"
>>>>     VALUENAME "bEnableJS"
>>>>     VALUEON NUMERIC 1
>>>>     VALUEOFF NUMERIC 0
>>>>   END POLICY
>>>>
>>>>   POLICY "JavaScript Acrobat 7.x"
>>>>     KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs"
>>>>     EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x"
>>>>     VALUENAME "bEnableJS"
>>>>     VALUEON NUMERIC 1
>>>>     VALUEOFF NUMERIC 0
>>>>   END POLICY
>>>>
>>>> END CATEGORY
>>>>
>>>> On Tue, Jun 8, 2010 at 6:09 PM, Craig Freyman <[email protected]> wrote:
>>>> > What have some of you done to disable JavaScript in Acrobat
>>>> > Standard/Pro as well as Acrobat Reader from a corporate perspective?
>>>> > I am referring to installations that are already in place. Custom GPO?
>>>> > I've found a few articles describing the registry setting:
>>>> > [HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
>>>> > "bEnableJS"=dword:00000000
>>>> > This will work for XP clients but this key isn't in this place on my
>>>> > Windows 7 box. It is under HKEY_Users\(MY SID)\Software\Adobe.......
>>>> > If this is the case, I'll have to write a script that grabs
>>>> > the user's SID before running the registry file on login. Any
>>>> > other options people have used?
>>>> >
>>>> > _______________________________________________
>>>> > Pauldotcom mailing list
>>>> > [email protected]
>>>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> > Main Web Site: http://pauldotcom.com
>>
>> --
>> Sent from my mobile device
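
Added example, not part of the original thread: a PowerShell script combining the two measures discussed above, forcing `bEnableJS` to 0 under each `JSPrefs` key named in the ADM template and then making that key read-only for the user. It assumes an elevated session, that the user is logged on so the hive is mounted under `HKEY_USERS\<SID>`, and that the caller supplies the SID; the `UserSid` parameter and the `New-KeyRule` helper are illustrative names.

```powershell
# Added example, not from the thread. Run elevated while the user is logged on
# so that the user's hive is mounted at HKEY_USERS\<SID>.
param([Parameter(Mandatory = $true)][string]$UserSid)   # assumed parameter name

# Key layout taken from the ADM template quoted in the thread.
$products = 'Acrobat Reader', 'Adobe Acrobat'
$versions = '7.0', '8.0', '9.0'

# Well-known SIDs are used instead of group names, which vary by locale.
$user   = New-Object System.Security.Principal.SecurityIdentifier $UserSid
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'

function New-KeyRule($Identity, $Rights) {               # hypothetical helper
    New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit', 'None', 'Allow'
}

foreach ($p in $products) {
    foreach ($v in $versions) {
        $parent = "Registry::HKEY_USERS\$UserSid\Software\Adobe\$p\$v"
        if (-not (Test-Path $parent)) { continue }       # product/version not present

        $key = "$parent\JSPrefs"
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }

        # Record the previous value so a user re-enabling JS shows up in the output.
        $old = (Get-ItemProperty -Path $key -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
        New-ItemProperty -Path $key -Name bEnableJS -PropertyType DWord -Value 0 -Force | Out-Null

        # Stop inheriting from the parent key, then grant explicit rights:
        # full control for Administrators and SYSTEM, read-only for the user.
        $acl = Get-Acl -Path $key
        $acl.SetAccessRuleProtection($true, $false)
        $acl.PurgeAccessRules($user)
        $acl.AddAccessRule((New-KeyRule $admins 'FullControl'))
        $acl.AddAccessRule((New-KeyRule $system 'FullControl'))
        $acl.AddAccessRule((New-KeyRule $user   'ReadKey'))
        Set-Acl -Path $key -AclObject $acl

        [pscustomobject]@{ Key = $key; PreviousValue = $old; CurrentValue = 0 }
    }
}
```

A user who is the owner of an existing `JSPrefs` key can still rewrite its permissions, so check the key's owner before relying on the read-only ACL.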
