Nice one, Chris! I happened to see a notice about this on a public forum.

I'll mention it in any product demos I have tomorrow

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: Benjamin.Lavalley@kaseya.com

Thank you to all for inspiration and legwork. I updated the script only to be anal about it creating registry keys for versions that may not be there, it is unlikely it would ever cause any harm, but thought I would share.

2 Scripts - 1st one checks for Adobe 9, 2nd one checks 8, then does 7. I also write entries in script log. You can generate report by filtering description on "Adobe - Security Flaw fixed"

=== Begin Script 1

Script Name: Adobe - Security Flaw - Step 1
Script Description: Per Recommendations - http://www.acrobatusers.com/forums/a...c.php?id=17210

Script will check for Adobe 9.0, and if present will Sets Edit Flags for Adobe to 00 00 00 00 to disable auto-opening of IE for PDF.
Then Sets the Three Registry Keys for versions 9.0 bConsoleOpen, bEnableJS, and bEnableMenuItems - Set them to 0. Next will call Adobe - Security Flaw Step 2 so that keys for 8 and 7 can be set.

updated 2-24-2009 - VirtualAdministrator.com- Chris Amori

IF Test Registry Key
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0
Exists :
THEN
Set Registry Value - (Continue on Fail)
Parameter 1 : HKEY_CLASSES_ROOT\AcroEXCH.Document.7\EditFlags
Parameter 2 : 00 00 00 00
Parameter 3 : REG_BINARY
OS Type : 0
Set Registry Value - (Continue on Fail)
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bConsoleOpen
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value - (Continue on Fail)
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value - (Continue on Fail)
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableMenuItems
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Write Script Log Entry
Parameter 1 : Adobe - Security Flaw fixed for Adobe 9.0 and IE
OS Type : 0
ELSE
Execute Script
Parameter 1 : Adobe - Security Flaw - Step 2 (NOTE: Script reference is NOT imported. Correct manually in script editor.
Parameter 2 :
Parameter 3 : 0
OS Type : 0

=== End Script 1

=== Begin Script 2

Script Name: Adobe - Security Flaw - Step 2
Script Description: Script called from Adobe - Security Flaw - Step 1.

Per Recommendations - http://www.acrobatusers.com/forums/a...c.php?id=17210

Script will check for Adobe 8.0, and if present will set Edit Flags for Adobe to 00 00 00 00 to disable auto-opening of IE for PDF.
Then Sets the Three Registry Keys for versions 8.0 bConsoleOpen, bEnableJS, and bEnableMenuItems - Set them to 0. If 8.0 is not present, it will assume 7.0 and set same entries for that version.

updated 2-24-2009 - VirtualAdministrator.com- Chris Amori

IF Test Registry Key
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0
Exists :
THEN
Set Registry Value
Parameter 1 : HKEY_CLASSES_ROOT\AcroEXCH.Document.7\EditFlags
Parameter 2 : 00 00 00 00
Parameter 3 : REG_BINARY
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bConsoleOpen
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableMenuItems
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Write Script Log Entry
Parameter 1 : Adobe - Security Flaw fixed for Adobe 8.0 and IE
OS Type : 0
ELSE
Set Registry Value
Parameter 1 : HKEY_CLASSES_ROOT\AcroEXCH.Document.7\EditFlags
Parameter 2 : 00 00 00 00
Parameter 3 : REG_BINARY
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bConsoleOpen
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bEnableJS
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableMenuItems
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Write Script Log Entry
Parameter 1 : Adobe - Security Flaw fixed for Adobe 7.0 and IE
OS Type : 0

=== End Script 2

Enjoy, and again thanks to all. I did some basic testing on both Vista and XP, but please test again before mass deployment.

Chris Amori
Virtual Administrator

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: chris@networkdepot.com

I wrote and deployed a similar script the other day.

There are a few problems with the disable JS patch though:

1. The attack can still occur without the use of Javascript, although all known attacks are currently using Javascript.

2. Acrobat prompts users to re-enable Javascript when opening a document.

3. HKCU keys are a pain in the ass through Kaseya. User has to be logged in. Doesn't work on terminal server. Etc. (you're better off using a login script...)

I've got the script running once-daily in an attempt to remediate #2 and #3, but hopefully Adobe will get a patch out sooner than they announced.

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: nevesis

Thanks Christo and Chris of this wonder script!

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: kennyho

I just want to point out that from what I understand. This script only protects against the current known vulnerability in Adobe Acrobat Reader, not the full version of Adobe Acrobat.

The registry keys to disable JavaScript are the same for Reader & Acrobat except the location those keys are in.

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\X.0\JSPrefs\

Where X.0 is either 7.0, 8.0 or 9.0

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: JosephM

We created the scripts for reader and acrobat so that they only ran for the versions that were actually installed. The problem is that these reg keys are not the only changes made by the setting modifications recommended in the CVE, and as stated earlier, the user simply can re-enable the function if the reg keys are changed, but if the changes are made as per the CVE they are not automatically prompted. This is one of those situations where users need to be involved in security. They need to be informed of the behaviour they will experience, along with the appropriate response to that prompt. Then you simply need to monitor those keys for changes back to the insecure mode and handle each exception with diplomacy rather than technology. I really wish Adobe would get on board and provide real tools for remote management of their software. The update that came out for flash the very next week was yet another example where it was not possible to remotely push the update without using packaging. The version of software available for distribution still contained the flaw, and they simply would not support direct deployment of the product.

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: rdwilkerson