No problem.... I also found some inconsistencies between Acrobat v8 and Reader v9 (Didn't have Acrobat v9 to test on at the time) when viewing the PDF in the browser......
Things worked nicely in Reader v9 in terms of allowing the JS to run....when you clicked "allow for the this document only"....the yellow bar turned purple and all was well In Acrobat v8.... When you clicked allow.... It would open the PDF document in a new tab and the yellow bar still appeared at the top teeling you JS was disabled..... Didn't have any other sites to test with at the time, so I'm not sure if this problem was specific to that particular site..... K-Dee --------------------------------------------------- Kevin Dahl -- IT Specialist USDA / ARS / NPARL, Sidney, MT --------------------------------------------------- -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Bugbear Sent: Tuesday, June 15, 2010 1:44 PM To: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript that is very good news indeed, thanks for the info On Tue, Jun 15, 2010 at 12:15 PM, Dahl, Kevin <[email protected]> wrote: >> Glad it was of some help. One caveat (and its a big one), if the pdf > has js in >> it it will prompt the user to enable when opened. This will turn the > option back on. (Based my testing back in january) > > > That horrible "feature" no longer exists in v9.3.2 and v8.2.2 > (possibly > 9.3.1/8.2.1) > > There is now a trust model and you can trust specific docs and/or > specific sites..... And the JS will only be allowed to run in those > docs/sites..... > > If you have javascript disabled, you get a yellow bar across the top > of the document telling you the document has JS in it.....and then you > have the option of turning on JS for that PDF or for that whole site..... > > > K-Dee > > > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of Bugbear > Sent: Tuesday, June 15, 2010 6:05 AM > To: PaulDotCom Security Weekly Mailing List > Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript > > Glad it was of some help. One caveat (and its a big one), if the pdf > has js in it it will prompt the user to enable when opened. This will > turn the option back on. (Based my testing back in january) > > This one reason I also use the blacklisting option as well (see vrt > lin > earlier) > > In addition to gpo's, if you have a patch mgmt system that supports > autofix on a set interval, you could certainly script it > > This would be very useful in situations where computers do not get > logged off or rebooted for long periods of time > > Combined with no admin rights, av, ips, email filtering I rarely see > exploitation > > Would love to see a way to perm disable however. > > @bradarkin on twitter has very responsive to my suggestions regarding > advisories, etc... Would likw to see more people make suggestions like > this (apply some pressure if you will) > > Tim > @bug_bear > > On 6/11/10, Craig Freyman <[email protected]> wrote: >> I ended up using BugBear's suggestion. It's working great. >> >> On Thu, Jun 10, 2010 at 6:09 PM, Jody & Jennifer McCluggage < >> [email protected]> wrote: >> >>> Have you tried using Group Policy Preferences? I have had better >>> luck managing registry settings using them. They were first >>> included > >>> with Windows 2008 and are included in 7 but can be downloaded and >>> installed on XP and Vista too. >>> >>> Jody >>> >>> -----Original Message----- >>> From: [email protected] >>> [mailto:[email protected]] On Behalf Of Gibson, >>> Samuel >>> Sent: Thursday, June 10, 2010 8:43 AM >>> To: PaulDotCom Security Weekly Mailing List >>> Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript >>> >>> I have had mixed luck with the ADM template. If the user manually >>> enables javascript it seems to stay enabled. I ended up using the >>> instructions found here: >>> >>> >>> http://www.grouppolicy.biz/2010/01/how-to-make-adobe-reader-more-sec >>> u >>> re-usin >>> g-group-policy/ >>> >>> along with the registry values contained in the ADM template below >>> to > >>> create a GPO. In testing it seems to be working quite well. It >>> also > >>> disables javascript each time the employee logs in. >>> >>> >>> ________________________________________ >>> From: [email protected] >>> [[email protected]] on behalf of Bugbear >>> [[email protected]] >>> Sent: Tuesday, June 08, 2010 9:04 PM >>> To: PaulDotCom Security Weekly Mailing List >>> Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript >>> >>> I use custom GPO or mgmt system that can edit HKCU >>> >>> a logon script for the user is another option >>> >>> Also check out the blacklist framework >>> >>> post my ranting I have compiled some info here (hey it was the >>> holidays and I was annoyed) >>> >>> http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html >>> >>> and also VRT has done some good research here >>> >>> >>> http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blackl >>> i >>> st-fram >>> ework.html >>> >>> here's an ADM template for GPO, hope this helps >>> >>> CLASS USER >>> >>> CATEGORY "Adobe Acrobat/Reader 7.x - 9.x" >>> >>> POLICY "JavaScript Reader 9.x" >>> KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> POLICY "JavaScript Acrobat 9.x" >>> KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> >>> POLICY "JavaScript Reader 8.x" >>> KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> POLICY "JavaScript Acrobat 8.x" >>> KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> POLICY "JavaScript Reader 7.x" >>> KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> POLICY "JavaScript Acrobat 7.x" >>> KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs" >>> EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x" >>> VALUENAME "bEnableJS" >>> VALUEON NUMERIC 1 >>> VALUEOFF NUMERIC 0 >>> END POLICY >>> >>> END CATEGORY >>> >>> >>> >>> On Tue, Jun 8, 2010 at 6:09 PM, Craig Freyman >>> <[email protected]> >>> wrote: >>> > What have some of you done to disable JavaScript in Acrobat >>> > Standard/Pro as well as Acrobat Reader from a corporate > perspective? >>> > I am referring to installations that are already in place. Custom > GPO? >>> > I've found a few articles describing the registry setting: >>> > [HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs] >>> > "bEnableJS"=dword:00000000 This will work for XP clients but this >>> > key isn't in this place on my Windows >>> > 7 box. It is under HKEY_Users\(MY SID)\Software\Adobe....... >>> > If this is the case, if I'll have to write a script that grabs the >>> > user's SID before running the registry file on login. Any other >>> > options people have used? >>> > >>> > _______________________________________________ >>> > Pauldotcom mailing list >>> > [email protected] >>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> > Main Web Site: http://pauldotcom.com >>> > >>> _______________________________________________ >>> Pauldotcom mailing list >>> [email protected] >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> Main Web Site: http://pauldotcom.com >>> _______________________________________________ >>> Pauldotcom mailing list >>> [email protected] >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> Main Web Site: http://pauldotcom.com >>> >>> _______________________________________________ >>> Pauldotcom mailing list >>> [email protected] >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> Main Web Site: http://pauldotcom.com >>> >> > > -- > Sent from my mobile device > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
