Tuesday, February 24, 2009

Adobe Vulnerability APSB09-01

In Adobe's bulletin released last Friday there are 3 solutions to reduce your chances of getting exploited. The first is to disable JavaScript in Adobe Reader by going (in Adobe) to Edit > Preferences > JavaScript and unchecking the "Enable Acrobat JavaScript" option. That is fine for the everyday user but not quite a good fix for an enterprise of any size. To accomplish this I found a script on the internet and modified it to disable Acrobat's JavaScript.

I built the batch file to do a few things including:
a. Add an HKLM key at HKLM\Software\Adobe\Acrobat Reader\8.0\JSPrefs
b. Add a DWORD value under that key called "bEnableJS" with a value of 0
These two steps disable Acrobat JavaScript for all users except those people who have clicked the box manually and created other keys under HKCU.

Next I attempt to change the HKCU values (if generated) to 0, thus disabling the Acrobat JavaScript for all users.

Below is the script:

-------------------------Start Script ---------------------------------
setlocal
set regpath=%SystemRoot%\system32\reg.exe
:: The version in the key paths below must match the installed Reader version
set keypath=Software\Adobe\Acrobat Reader\9.0\JSPrefs
set valuename=bEnableJS

:: Update current user
set hive=HKCU
set key=%hive%\%keypath%

:: Add a master disable for all users by using HKLM
%regpath% add "HKLM\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /f >nul
%regpath% add "HKLM\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul

:: Disable JavaScript for any individual who has explicitly enabled it
%regpath% add "%key%" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul

:: Update all other users on the computer, using a temporary hive
set hive=HKLM\TempHive
set key=%hive%\%keypath%

:: Set current directory to "Documents and Settings"
cd /d "%USERPROFILE%\.."

:: Enumerate all folders that contain a user hive
for /f "tokens=*" %%i in ('dir /b /ad') do (
    if exist ".\%%i\NTUSER.DAT" call :AddRegValue "%%i" ".\%%i\NTUSER.DAT"
)
endlocal
goto :EOF

:AddRegValue
:: %1 = profile folder name, %2 = path to that profile's NTUSER.DAT
set upd=Y
if /I %1 equ "All Users" set upd=N
if /I %1 equ "LocalService" set upd=N
if /I %1 equ "NetworkService" set upd=N
if %upd% equ Y (
    %regpath% load %hive% %2 >nul 2>&1
    %regpath% add "%key%" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul 2>&1
    %regpath% unload %hive% >nul 2>&1
)
-----------------------End Script--------------------------
Note: Change all instances of "8.0" to "9.0" in the script for it to work with Acrobat Reader 9.0



Feel free to modify and use the script but like everything else, test it before you put it into production. I take no responsibility for what you do with it and any results that it might cause.

Thanks to the guys at http://www.ureader.com/ for the original script that I modified to get this running.
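
A read-only check that the setting took effect, added here as an example (it is not part of the original post or the ureader.com script). It assumes the same key path and profile layout as the script above; the `AuditHive` mount name, the labels and the `required` argument are made up for illustration.

```batch
@echo off
:: Added example: read-only audit of bEnableJS. Run as administrator, since
:: loading other users' hives requires it. Nothing is written to any key.
setlocal
set regpath=%SystemRoot%\system32\reg.exe
:: Assumption: same versioned key path as the script above
set keypath=Software\Adobe\Acrobat Reader\9.0\JSPrefs
set valuename=bEnableJS
set failures=0

:: The HKLM value is the master disable, so a missing value there is a failure
call :CheckKey "HKLM\%keypath%" "HKLM" required
call :CheckKey "HKCU\%keypath%" "current user"

:: Same profile walk as the script above; AuditHive is a made-up mount name
cd /d "%USERPROFILE%\.."
for /f "tokens=*" %%i in ('dir /b /ad') do (
    if exist ".\%%i\NTUSER.DAT" call :CheckProfile "%%i" ".\%%i\NTUSER.DAT"
)
echo Locations where JavaScript is not disabled: %failures%
endlocal & exit /b %failures%

:CheckProfile
if /I %1 equ "All Users" goto :EOF
if /I %1 equ "LocalService" goto :EOF
if /I %1 equ "NetworkService" goto :EOF
%regpath% load HKLM\AuditHive %2 >nul 2>&1
if errorlevel 1 echo [SKIP] %~1: hive in use or not readable& goto :EOF
call :CheckKey "HKLM\AuditHive\%keypath%" %1
%regpath% unload HKLM\AuditHive >nul 2>&1
goto :EOF

:CheckKey
:: %1 = full key path, %2 = label, %3 = "required" if a missing value is a failure
set state=not set
for /f "tokens=3" %%v in ('%regpath% query %1 /v %valuename% 2^>nul ^| findstr /i /c:"%valuename%"') do set state=%%v
set verdict=OK
if /i "%state%"=="0x1" set verdict=FAIL
if "%3"=="required" if "%state%"=="not set" set verdict=FAIL
if "%verdict%"=="FAIL" set /a failures+=1
echo [%verdict%] %~2: %valuename%=%state%
goto :EOF
```

The exit code is the number of failing locations, so a deployment tool can treat any non-zero result as non-compliant.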

2 comments:

  1. I have more of a question than a comment.

    Does this solution apply if one is running Win2K3 and roaming profiles?

    I assume not as the "user" part of the profile is on a file share somewhere.

  2. As you said in Adobe Vulnerability APSB09-01. I agree with you. There are 3 solutions to reduce your chances of getting exploited. The first is to disable JavaScript in Adobe Reader by going (in Adobe) Edit > Preferences > JavaScript and unchecking the "Enable Acrobat JavaScript" option. That is fine for the everyday user but not quite a good fix for an enterprise of any size. It's very handy.
    PDF signature
