
Disable JavaScript in Adobe Reader

dthanna
ExpertTeam
Registered: Sep 28 2005
Posts: 248
Answered

With the great deal of flurry surrounding the recent security vulnerability in the Adobe Reader JavaScript engine, I thought it would be helpful to post where that setting is stored and how to disable it.

Note: Ideally, the solution is to upgrade your instance of Adobe Reader to 9.0. There are a number of reasons to do this, beyond it taking care of the security issue. However, it is understood by the author that in many instances, especially corporate situations, the tear off and upgrade of Adobe Reader just cannot be implemented in a feasible timeframe. This posting is to help those of you out in this situation.

Location of the registry update in question:

HKCU\Software\Adobe\Acrobat Reader\x.0\JSPrefs
Where x is the major product version.

Keys and what they should be set to:
Name: bConsoleOpen
Type: REG_DWORD
Value: 0

Name: bEnableJS
Type: REG_DWORD
Value: 0

Name: bEnableMenuItems
Type: REG_DWORD
Value: 0

If you want a pre-canned .REG update, here it is...

---------- CUT HERE -------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\x.0\JSPrefs]
"bConsoleOpen"=dword:00000000
"bEnableJS"=dword:00000000
"bEnableMenuItems"=dword:00000000
---------- CUT HERE -------------
Don't forget to change the major version number and never forget to TEST TEST TEST!

I will continue to update this thread if I find more detail on how to prevent this - outside of rolling out Adobe Reader 8.1.3 or 9.0.0.

Sincerely,

Doug Hanna

Douglas Hanna is a member of the Production Print Technology team at Aon.
www.aonhewitt.com

My Product Information:
Reader 7.0.9, Windows
elros elrond
Registered: Feb 22 2009
Posts: 1
Hi,

Is there any way to make these registry changes to the whole system (not just the current user)?
I tried adding registry keys to HKLM\Software\Adobe\Acrobat Reader\x.0 but that didn't work.
Is it at all possible?

Thanks,
e.e
UVSAR
Expert
Registered: Oct 29 2008
Posts: 1357
"Note: Ideally, the solution is to upgrade your instance of Adobe Reader to 9.0."

[b]Important[/b] - Doug's post from 2008 was talking about an earlier bug in Reader 8.1, which has been fixed. The current (Feb 2009) heap injection exploit is present in Acrobat 9.0 and Reader 9.0 as well as earlier versions. Until we get a patch, expected March 11 2009, [b]upgrading to 9.0 does not cure the problem reported in Bulletin APSA09-01[/b].
dthanna
ExpertTeam
Registered: Sep 28 2005
Posts: 248
Elros,

Before rollout? Yes - bake them in the build using the Customization Wizard.

After rollout? No.
However, one trick we use for Reg items that may get 'untied' during the day by our associates is to run a reg update script upon login. In there we have all the registry settings that we want applied. As this runs against each associate every time they log in, we are guaranteed coverage of nasty HKCU keys. No matter if they are an existing user or first-timer, they will get the update.

One word of note: as this is run each and every time they log in, only add the keys that are necessary for increased security, increased productivity or reduced service calls.

As for UVSAR's response - Correct. Upgrade to 9.0 does not resolve this. A patch is being worked on that is anticipated for release on 11 March 2009.

http://www.adobe.com/support/security/advisories/apsa09-01.php

Thanks and good luck.

- Doug

Douglas Hanna is a member of the Production Print Technology team at Aon.
www.aonhewitt.com
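
One way to write the logon script described in the post above, as an added example that is not Doug's script or part of the original thread. It assumes it runs in the user's own logon context and re-applies the three JSPrefs values from the first post to every Reader version key found under HKCU; the function name Set-ReaderJSPrefs is hypothetical.

```powershell
# Added example (not from the thread): per-user logon script that re-applies
# the JSPrefs values listed in the first post. Assumption: it runs as the
# logged-on user, so HKCU: resolves to that user's hive.
$readerRoot = 'HKCU:\Software\Adobe\Acrobat Reader'
$wanted     = @{ bConsoleOpen = 0; bEnableJS = 0; bEnableMenuItems = 0 }

function Set-ReaderJSPrefs {   # hypothetical name
    param(
        [string]$Root = $readerRoot,
        [hashtable]$Values = $wanted
    )

    # Reader has never been started in this profile: nothing to fix yet.
    if (-not (Test-Path -Path $Root)) { return }

    # Version subkeys are named like "8.0" or "9.0" (the "x.0" in the post).
    $versions = Get-ChildItem -Path $Root |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

    foreach ($v in $versions) {
        $jsPrefs = Join-Path (Join-Path $Root $v.PSChildName) 'JSPrefs'
        if (-not (Test-Path -Path $jsPrefs)) {
            New-Item -Path $jsPrefs -Force | Out-Null
        }

        foreach ($name in $Values.Keys) {
            # -Force creates the value or overwrites it, and pins the type
            # to REG_DWORD even if it was previously stored as another type.
            New-ItemProperty -Path $jsPrefs -Name $name -Value $Values[$name] `
                -PropertyType DWord -Force | Out-Null
        }

        # Read the values back so the logon log shows what is in effect.
        $now = Get-ItemProperty -Path $jsPrefs
        [pscustomobject]@{
            Version   = $v.PSChildName
            bEnableJS = $now.bEnableJS
            Compliant = -not ($Values.Keys | Where-Object { $now.$_ -ne $Values[$_] })
        }
    }
}

Set-ReaderJSPrefs | Format-Table -AutoSize
```

Because the values live in HKCU, this only resets them at each logon; a user with normal rights can still change them again during the session.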

gkaiseril
Expert
Registered: Feb 23 2006
Posts: 4307
You may also want to warn your users not to turn on Acrobat's/Reader's JavaScript if prompted or when manually editing the setting.

George Kaiser

Dimitri
Expert
Registered: Nov 1 2005
Posts: 1389
And also tell your users to never go online in any circumstances at all - it's just too scary out here with the malicious browser scripts, pdf scripts, and just whole evil web sites whose only intention is to mess with your computer. I think this site uses scripts too - OOPS!

Dimitri
WindJack Solutions
www.pdfscripting.com
www.windjack.com
dthanna
ExpertTeam
Registered: Sep 28 2005
Posts: 248
Update (20090224)

Some of you may have run across this little posting regarding a patch or update to fix the underlying security hole recently discovered.

http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.php

It is my professional opinion that efforts such as these, while cute, are less than helpful. In that the hack may, at best, make your system unstable. And may actually propagate a trojan, document scanner or some other sort of malware on your system.

While the underlying JavaScript issue - in essence an extension of the JBIG2 exploit, this time triggered via the JavaScript interface - is severe, it is my understanding that targets have been rather few in number at this point.

The best short-term solution is to disable JavaScript within your rollout environment (see the extensive documentation on how to do this) and wait for the proper vendor-coded and vetted solution.

Thanks.

-Doug

Douglas Hanna is a member of the Production Print Technology team at Aon.
www.aonhewitt.com

fargetta
Registered: Feb 24 2009
Posts: 1
I need to prevent users from enabling the option "Enable Acrobat JavaScript". How can I do that? I'm looking for a registry key to disable this menu item in preferences.

Actually I can only disable JS every time users log on to Windows, but I can't prevent them from re-enabling the option.
dthanna
ExpertTeam
Registered: Sep 28 2005
Posts: 248
Fargetta,

It has to do with two things - the rights of the user logged on (they are high enough to generally change application settings) and where the settings are located - HKCU. Not in HKLM.

There has been a discussion going on for a while (years) regarding the correct balance between needs of the user and needs of the corporation in this regard. The current direction I have seen from Adobe is towards the needs of the user when the Customization Wizard is not used.

In double checking the Customization Wizard for Reader 9.0.0 there is no 'obvious' (GUI controls) setting for enabling or disabling JavaScript within the app. There are other options, such as the Registry modifier control and the Direct Editor. The Registry modifier control is what we are using.

Unless you truly know what you are doing, and are a product packaging expert, I would strenuously advise against touching anything via the Direct Editor. All that will come out of there is nothing but 'pain and suffering'. And there is already enough of that in the world.

Don't hesitate to holler if you, or anyone else, has any additional questions.

There are no dumb questions.

-Doug

Douglas Hanna is a member of the Production Print Technology team at Aon.
www.aonhewitt.com

Dimitri
Expert
Registered: Nov 1 2005
Posts: 1389
Hi all,

Just an FYI- a blog post today from the Adobe Security team states-

"We have seen reports that disabling JavaScript in Adobe Reader and Acrobat can protect users from this issue. Disabling JavaScript provides protection against currently known attacks. However,[b] the vulnerability is not in the scripting engine[/b] and, therefore, disabling JavaScript does not eliminate all risk."

Full post here-
http://blogs.adobe.com/psirt/2009/02/adobe_reader_and_acrobat_issue_1.php

Hope this helps,

Dimitri
WindJack Solutions
www.windjack.com
www.pdfscripting.com
dthanna
ExpertTeam
Registered: Sep 28 2005
Posts: 248
As Dimitri pointed out, the JavaScript engine itself is not the culprit. In infectious disease parlance, it is the vector. The carrier. The actual target is in the JBIG2 decoding filter logic.

Folks are crafting JavaScript code to hammer the JBIG2 decoder causing some sort of an overflow (I'm not sure if it's a buffer or heap).

Several folks I know have been in contact with Adobe Systems regarding this issue (they are more than well aware of it) and what form the resulting update will be announced on or around the 11th of March. As soon as that info becomes available I will post some remediation instructions. Trying to find a way to roll it out as quickly and painlessly as possible.

Thanks.

-Doug

Douglas Hanna is a member of the Production Print Technology team at Aon.
www.aonhewitt.com

tex2
Registered: Mar 11 2009
Posts: 1
Please forgive me this question.

What should I set to completely disable the "javascript" feature using Customization Wizard 9?
dthanna
ExpertTeam
Registered: Sep 28 2005
Posts: 248
Tex2,

That's entirely up to you, your business requirements and your level of healthy security paranoia.

On our end we are keeping JS enabled due to the added flexibility it gives us with product deployment. It allows us to knock out menu items we'd rather not have our employee base using. And/or adding menu items/toolbar buttons (e.g. Acrobuttons) to improve productivity.

But it comes at a cost - we have to have our security updates deployed in a more timely fashion.

I can't make the decision for you, but I can help you to understand the +'s and -'s to each way of thinking and how to do it once you've made that decision.

Thanks

-Doug

Douglas Hanna is a member of the Production Print Technology team at Aon.
www.aonhewitt.com

oiz-workplace
Registered: Mar 2 2010
Posts: 1
Hi

I would like to switch off JavaScript (bEnableJS) with GPO.

How does the Registry path of this value look in the policy string (HKLM\Software\Policies\Adobe\Acrobat Reader\x.0\FeatureLockDown\???)?

Thanks for your answer.

OIZ
dthanna
ExpertTeam
Registered: Sep 28 2005
Posts: 248
OIZ,

To completely disable JS, you need to set

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\x.0\JSPrefs
Name: bEnableJS
Type: REG_DWORD
Data: 1 = Enabled, 0 = Disabled

On a corporate basis, we have moved to the position of the complete disablement of JS in Reader by default. For Acrobat, it is still enabled.

For most of our associates this is working out just fine. For those that have to have JS in Reader they can enable it on their own.

For more information on Reader/Acrobat registry settings please see this excellent posting by Joel Geraci

http://blogs.adobe.com/pdfitmatters/2010/02/every_registry_setting_in_acro.php

It practically puts me out of a job with digging out registry settings :). In this case, I welcome the help.

Hope this helps.

-Doug

Douglas Hanna is a member of the Production Print Technology team at Aon.
www.aonhewitt.com