Adobe Security Flaw - javascript
Posted by LegacyPoster on Feb 23, 2009 11:39 PM
Just wanted to run this by everyone - since we are going to have to wait until March 11th for Adobe to fix this - here is a script to disable the Javascript as well as disabling IE auto-opening PDF files....
I WOULD LOVE FEEDBACK ON THIS!!!
--------------------
Script Name: Adobe - Security Flaw - IE Do not auto open
Script Description: Per Recommendations -
http://www.acrobatusers.com/forums/aucbb/viewtopic.php?id=17210
Sets Edit Flags for Adobe to 00 00 00 00 to disable auto-opening of IE for PDF
Then Sets the Three Registry Keys for versions 9.0, 8.0 and 7.0 for the
bConsoleOpen, bEnableJS, and bEnableMenuItems - Set them to 0
IF True
THEN
Set Registry Value
Parameter 1 : HKEY_CLASSES_ROOT\AcroEXCH.Document.7\EditFlags
Parameter 2 : 00 00 00 00
Parameter 3 : REG_BINARY
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bConsoleOpen
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableMenuItems
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bConsoleOpen
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableMenuItems
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bConsoleOpen
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bEnableJS
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bEnableMenuItems
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
ELSE
---------------------------------
Legacy Forum Name: Adobe Security Flaw - javascript,
Legacy Posted By Username: christo
Posted by LegacyPoster on Feb 24, 2009 7:36 AM
Nice one, Chris! I happened to see a notice about this on a public forum.
I'll mention it in any product demos I have tomorrow
Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: Benjamin.Lavalley@kaseya.com
Posted by LegacyPoster on Feb 25, 2009 12:38 PM
Thank you to all for inspiration and legwork. I updated the script only to be anal about it creating registry keys for versions that may not be there; it is unlikely it would ever cause any harm, but thought I would share.
2 Scripts - 1st one checks for Adobe 9, 2nd one checks 8, then does 7. I also write entries in script log. You can generate report by filtering description on "Adobe - Security Flaw fixed"
=== Begin Script 1
Script Name: Adobe - Security Flaw - Step 1
Script Description: Per Recommendations -
http://www.acrobatusers.com/forums/a...c.php?id=17210
Script will check for Adobe 9.0, and if present will set Edit Flags for Adobe to 00 00 00 00 to disable auto-opening of IE for PDF.
Then Sets the Three Registry Keys for versions 9.0 bConsoleOpen, bEnableJS, and bEnableMenuItems - Set them to 0. Next will call Adobe - Security Flaw Step 2 so that keys for 8 and 7 can be set.
updated 2-24-2009 - VirtualAdministrator.com- Chris Amori
IF Test Registry Key
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0
Exists :
THEN
Set Registry Value - (Continue on Fail)
Parameter 1 : HKEY_CLASSES_ROOT\AcroEXCH.Document.7\EditFlags
Parameter 2 : 00 00 00 00
Parameter 3 : REG_BINARY
OS Type : 0
Set Registry Value - (Continue on Fail)
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bConsoleOpen
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value - (Continue on Fail)
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value - (Continue on Fail)
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableMenuItems
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Write Script Log Entry
Parameter 1 : Adobe - Security Flaw fixed for Adobe 9.0 and IE
OS Type : 0
ELSE
Execute Script
Parameter 1 : Adobe - Security Flaw - Step 2 (NOTE: Script reference is NOT imported. Correct manually in script editor.
Parameter 2 :
Parameter 3 : 0
OS Type : 0
=== End Script 1
=== Begin Script 2
Script Name: Adobe - Security Flaw - Step 2
Script Description: Script called from Adobe - Security Flaw - Step 1.
Per Recommendations -
http://www.acrobatusers.com/forums/a...c.php?id=17210
Script will check for Adobe 8.0, and if present will set Edit Flags for Adobe to 00 00 00 00 to disable auto-opening of IE for PDF.
Then Sets the Three Registry Keys for versions 8.0 bConsoleOpen, bEnableJS, and bEnableMenuItems - Set them to 0. If 8.0 is not present, it will assume 7.0 and set same entries for that version.
updated 2-24-2009 - VirtualAdministrator.com- Chris Amori
IF Test Registry Key
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0
Exists :
THEN
Set Registry Value
Parameter 1 : HKEY_CLASSES_ROOT\AcroEXCH.Document.7\EditFlags
Parameter 2 : 00 00 00 00
Parameter 3 : REG_BINARY
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bConsoleOpen
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableMenuItems
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Write Script Log Entry
Parameter 1 : Adobe - Security Flaw fixed for Adobe 8.0 and IE
OS Type : 0
ELSE
Set Registry Value
Parameter 1 : HKEY_CLASSES_ROOT\AcroEXCH.Document.7\EditFlags
Parameter 2 : 00 00 00 00
Parameter 3 : REG_BINARY
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bConsoleOpen
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bEnableJS
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Set Registry Value
Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bEnableMenuItems
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
Write Script Log Entry
Parameter 1 : Adobe - Security Flaw fixed for Adobe 7.0 and IE
OS Type : 0
=== End Script 2
Enjoy, and again thanks to all. I did some basic testing on both Vista and XP, but please test again before mass deployment.
Chris Amori
Virtual Administrator
Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: chris@networkdepot.com
Posted by LegacyPoster on Feb 26, 2009 2:22 AM
I wrote and deployed a similar script the other day.
There are a few problems with the disable JS patch though:
1. The attack can still occur without the use of Javascript, although all known attacks are currently using Javascript.
2. Acrobat prompts users to re-enable Javascript when opening a document.
3. HKCU keys are a pain in the ass through Kaseya. User has to be logged in. Doesn't work on terminal server. Etc. (you're better off using a login script...)
I've got the script running once-daily in an attempt to remediate #2 and #3, but hopefully Adobe will get a patch out sooner than they announced.
Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: nevesis
Posted by LegacyPoster on Mar 2, 2009 12:37 PM
Thanks Christo and Chris for this wonder script!
Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: kennyho
Posted by LegacyPoster on Mar 3, 2009 12:49 AM
I just want to point out that, from what I understand, this script only protects against the current known vulnerability in Adobe Acrobat Reader, not the full version of Adobe Acrobat.
The registry keys to disable JavaScript are the same for Reader & Acrobat except the location those keys are in.
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\X.0\JSPrefs\
Where X.0 is either 7.0, 8.0 or 9.0
Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: JosephM
Posted by LegacyPoster on Mar 5, 2009 4:21 AM
We created the scripts for reader and acrobat so that they only ran for the versions that were actually installed. The problem is that these reg keys are not the only changes made by the setting modifications recommended in the CVE, and as stated earlier, the user simply can re-enable the function if the reg keys are changed, but if the changes are made as per the CVE they are not automatically prompted. This is one of those situations where users need to be involved in security. They need to be informed of the behaviour they will experience, along with the appropriate response to that prompt. Then you simply need to monitor those keys for changes back to the insecure mode and handle each exception with diplomacy rather than technology. I really wish Adobe would get on board and provide real tools for remote management of their software. The update that came out for flash the very next week was yet another example where it was not possible to remotely push the update without using packaging. The version of software available for distribution still contained the flaw, and they simply would not support direct deployment of the product.
Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: rdwilkerson
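An added example, not part of any post in this thread: a read-only PowerShell audit of the JSPrefs values named above, run against every user hive loaded under HKEY_USERS rather than HKCU, and covering both the Reader and Acrobat key paths given in the replies. The function name Get-AdobeJsPrefState is hypothetical, and running it from an elevated or SYSTEM context is an assumption.

```powershell
# Added example (not from the thread). Read-only: reports, never writes.
# Product key names, versions and value names are the ones given in the posts above.
$products = 'Acrobat Reader', 'Adobe Acrobat'
$versions = '7.0', '8.0', '9.0'
$values   = 'bEnableJS', 'bConsoleOpen', 'bEnableMenuItems'

function Get-AdobeJsPrefState {   # hypothetical name
    param([string]$HiveRoot = 'Registry::HKEY_USERS')

    # Per-user hives only (S-1-5-21-...); the regex also skips the *_Classes hives.
    $sids = Get-ChildItem -Path $HiveRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($sid in $sids) {
        foreach ($product in $products) {
            foreach ($version in $versions) {
                $base = "$HiveRoot\$($sid.PSChildName)\Software\Adobe\$product\$version"

                # Only report versions that actually have a key for this user.
                if (-not (Test-Path -LiteralPath $base)) { continue }

                $prefs = Get-ItemProperty -LiteralPath "$base\JSPrefs" -ErrorAction SilentlyContinue
                foreach ($name in $values) {
                    $current = if ($prefs) { $prefs.$name } else { $null }
                    [pscustomobject]@{
                        Sid       = $sid.PSChildName
                        Product   = $product
                        Version   = $version
                        Value     = $name
                        Current   = $current
                        # A missing value counts as non-compliant: the setting was never applied
                        # for this user, or JSPrefs was removed.
                        Compliant = ($current -eq 0)
                    }
                }
            }
        }
    }
}

# List every value that has drifted from, or never received, the 0 setting.
Get-AdobeJsPrefState | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Only hives that are currently loaded appear under HKEY_USERS, so users who are not logged on are not covered by this check.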