Kaseya Community

Adobe Security Flaw - javascript

  • Just wanted to run this by everyone. Since we are going to have to wait until March 11th for Adobe to fix this, here is a script to disable JavaScript as well as stop IE from auto-opening PDF files.

    I WOULD LOVE FEEDBACK ON THIS!!!

    --------------------

    Script Name: Adobe - Security Flaw - IE Do not auto open
    Script Description: Per Recommendations - http://www.acrobatusers.com/forums/aucbb/viewtopic.php?id=17210

    Sets EditFlags for Adobe to 00 00 00 00 to disable auto-opening of PDFs in IE.
    Then sets the three registry keys bConsoleOpen, bEnableJS, and bEnableMenuItems
    for versions 9.0, 8.0 and 7.0 to 0.

    IF True
    THEN
    Set Registry Value
    Parameter 1 : HKEY_CLASSES_ROOT\AcroEXCH.Document.7\EditFlags
    Parameter 2 : 00 00 00 00
    Parameter 3 : REG_BINARY
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bConsoleOpen
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableMenuItems
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bConsoleOpen
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableMenuItems
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bConsoleOpen
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bEnableJS
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bEnableMenuItems
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    ELSE

    ---------------------------------

    Legacy Forum Name: Adobe Security Flaw - javascript,
    Legacy Posted By Username: christo
  • Nice one, Chris! I happened to see a notice about this on a public forum.

    I'll mention it in any product demos I have tomorrow.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Benjamin.Lavalley@kaseya.com
  • Thank you to all for the inspiration and legwork. I updated the script only to be anal about it creating registry keys for versions that may not be there; it is unlikely it would ever cause any harm, but I thought I would share.

    Two scripts: the 1st one checks for Adobe 9, the 2nd one checks 8, then does 7. I also write entries to the script log. You can generate a report by filtering the description on "Adobe - Security Flaw fixed".

    === Begin Script 1

    Script Name: Adobe - Security Flaw - Step 1
    Script Description: Per Recommendations - http://www.acrobatusers.com/forums/a...c.php?id=17210

    Script will check for Adobe 9.0, and if present will set EditFlags for Adobe to 00 00 00 00 to disable auto-opening of PDFs in IE.
    Then sets the three registry keys for version 9.0 (bConsoleOpen, bEnableJS, and bEnableMenuItems) to 0. Next it will call Adobe - Security Flaw - Step 2 so that keys for 8 and 7 can be set.

    updated 2-24-2009 - VirtualAdministrator.com- Chris Amori

    IF Test Registry Key
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0
    Exists :
    THEN
    Set Registry Value - (Continue on Fail)
    Parameter 1 : HKEY_CLASSES_ROOT\AcroEXCH.Document.7\EditFlags
    Parameter 2 : 00 00 00 00
    Parameter 3 : REG_BINARY
    OS Type : 0
    Set Registry Value - (Continue on Fail)
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bConsoleOpen
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value - (Continue on Fail)
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value - (Continue on Fail)
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableMenuItems
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Write Script Log Entry
    Parameter 1 : Adobe - Security Flaw fixed for Adobe 9.0 and IE
    OS Type : 0
    ELSE
    Execute Script
    Parameter 1 : Adobe - Security Flaw - Step 2 (NOTE: Script reference is NOT imported. Correct manually in script editor.)
    Parameter 2 :
    Parameter 3 : 0
    OS Type : 0

    === End Script 1

    === Begin Script 2

    Script Name: Adobe - Security Flaw - Step 2
    Script Description: Script called from Adobe - Security Flaw - Step 1.

    Per Recommendations - http://www.acrobatusers.com/forums/a...c.php?id=17210

    Script will check for Adobe 8.0, and if present will set EditFlags for Adobe to 00 00 00 00 to disable auto-opening of PDFs in IE.
    Then sets the three registry keys for version 8.0 (bConsoleOpen, bEnableJS, and bEnableMenuItems) to 0. If 8.0 is not present, it will assume 7.0 and set the same entries for that version.

    updated 2-24-2009 - VirtualAdministrator.com- Chris Amori

    IF Test Registry Key
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0
    Exists :
    THEN
    Set Registry Value
    Parameter 1 : HKEY_CLASSES_ROOT\AcroEXCH.Document.7\EditFlags
    Parameter 2 : 00 00 00 00
    Parameter 3 : REG_BINARY
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bConsoleOpen
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableMenuItems
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Write Script Log Entry
    Parameter 1 : Adobe - Security Flaw fixed for Adobe 8.0 and IE
    OS Type : 0
    ELSE
    Set Registry Value
    Parameter 1 : HKEY_CLASSES_ROOT\AcroEXCH.Document.7\EditFlags
    Parameter 2 : 00 00 00 00
    Parameter 3 : REG_BINARY
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bConsoleOpen
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bEnableJS
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bEnableMenuItems
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Write Script Log Entry
    Parameter 1 : Adobe - Security Flaw fixed for Adobe 7.0 and IE
    OS Type : 0

    === End Script 2

    Enjoy, and again thanks to all. I did some basic testing on both Vista and XP, but please test again before mass deployment.

    Chris Amori
    Virtual Administrator

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: chris@networkdepot.com
  • I wrote and deployed a similar script the other day.

    There are a few problems with the disable JS patch though:

    1. The attack can still occur without the use of Javascript, although all known attacks are currently using Javascript.

    2. Acrobat prompts users to re-enable Javascript when opening a document.

    3. HKCU keys are a pain in the ass through Kaseya. User has to be logged in. Doesn't work on terminal server. Etc. (you're better off using a login script...)

    I've got the script running once-daily in an attempt to remediate #2 and #3, but hopefully Adobe will get a patch out sooner than they announced.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: nevesis
  • Thanks Christo and Chris for this wonderful script!

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: kennyho
  • I just want to point out that, from what I understand, this script only protects against the current known vulnerability in Adobe Acrobat Reader, not the full version of Adobe Acrobat.

    The registry keys to disable JavaScript are the same for Reader and Acrobat, except for the location those keys are in.

    HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\X.0\JSPrefs\

    Where X.0 is either 7.0, 8.0 or 9.0

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: JosephM
  • We created the scripts for Reader and Acrobat so that they only ran for the versions that were actually installed. The problem is that these reg keys are not the only changes made by the setting modifications recommended in the CVE, and as stated earlier, the user simply can re-enable the function if the reg keys are changed, but if the changes are made as per the CVE they are not automatically prompted.

    This is one of those situations where users need to be involved in security. They need to be informed of the behaviour they will experience, along with the appropriate response to that prompt. Then you simply need to monitor those keys for changes back to the insecure mode and handle each exception with diplomacy rather than technology.

    I really wish Adobe would get on board and provide real tools for remote management of their software. The update that came out for Flash the very next week was yet another example where it was not possible to remotely push the update without using packaging. The version of software available for distribution still contained the flaw, and they simply would not support direct deployment of the product.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: rdwilkerson
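Pulling the thread's pieces together (the per-version checks from Chris Amori's two-step script, the `Adobe Acrobat` path JosephM added for the full product, and the "monitor the keys for changes back" step rdwilkerson suggested), the following PowerShell is an added example; it is not code from any of the posts above or from Kaseya or Adobe. It assumes only the product names, version numbers, `JSPrefs` value names and the `AcroExch.Document.7` class that the thread itself uses; the function names are my own. Like the Kaseya scripts, it tests for the per-user key under HKCU, so it must run in the logged-on user's context (a logon script or per-user scheduled task, which is nevesis's point), and it will report a product as absent on a machine where Reader is installed but that user has never launched it. The `EditFlags` change writes to HKCR and therefore needs administrative rights.

```powershell
# Added example (not from the original thread): disable Reader/Acrobat JavaScript
# for whichever versions exist in the current user's hive, stop IE from opening
# PDFs inline, and audit the values afterwards so a user who clicked "Yes" on
# Reader's re-enable prompt shows up as non-compliant.

$Versions = @('7.0', '8.0', '9.0')                  # versions named in the thread
$Products = @('Acrobat Reader', 'Adobe Acrobat')    # Reader vs full Acrobat (JosephM)
$JsValues = @{ bEnableJS = 0; bConsoleOpen = 0; bEnableMenuItems = 0 }

function Get-InstalledAdobeJsPrefs {
    # Emit one object per product/version whose per-user key exists under HKCU.
    foreach ($p in $Products) {
        foreach ($v in $Versions) {
            $base = "HKCU:\Software\Adobe\$p\$v"
            if (Test-Path -LiteralPath $base) {
                [pscustomobject]@{ Product = $p; Version = $v; Path = "$base\JSPrefs" }
            }
        }
    }
}

function Set-AdobeJsDisabled {
    # Set bEnableJS, bConsoleOpen and bEnableMenuItems to 0 (REG_DWORD) for every
    # installed version. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in Get-InstalledAdobeJsPrefs) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            New-Item -Path $entry.Path -Force | Out-Null   # JSPrefs may not exist yet
        }
        foreach ($name in $JsValues.Keys) {
            if ($PSCmdlet.ShouldProcess("$($entry.Path)\$name", "Set to $($JsValues[$name])")) {
                Set-ItemProperty -LiteralPath $entry.Path -Name $name `
                    -Value $JsValues[$name] -Type DWord
            }
        }
        Write-Verbose "JavaScript disabled for $($entry.Product) $($entry.Version)"
    }
}

function Set-PdfNoAutoOpenInIE {
    # Clear EditFlags on the PDF document class (as the Kaseya script does) so IE
    # prompts instead of opening PDFs inline. HKCR is machine-wide: run elevated.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $class = 'Registry::HKEY_CLASSES_ROOT\AcroExch.Document.7'
    if (-not (Test-Path -LiteralPath $class)) { return }
    if ($PSCmdlet.ShouldProcess("$class\EditFlags", 'Set to 00 00 00 00')) {
        Set-ItemProperty -LiteralPath $class -Name EditFlags `
            -Value ([byte[]](0, 0, 0, 0)) -Type Binary
    }
}

function Test-AdobeJsDisabled {
    # Audit: one object per installed version and setting; Compliant is $false when
    # the value is missing or anything other than 0 (i.e. flipped back to enabled).
    foreach ($entry in Get-InstalledAdobeJsPrefs) {
        $props = if (Test-Path -LiteralPath $entry.Path) {
            Get-ItemProperty -LiteralPath $entry.Path
        } else { $null }
        foreach ($name in $JsValues.Keys) {
            $actual = if ($props) { $props.$name } else { $null }
            [pscustomobject]@{
                Product   = $entry.Product
                Version   = $entry.Version
                Setting   = $name
                Actual    = $actual
                Compliant = ($actual -eq 0)
            }
        }
    }
}

# Usage (run as the logged-on user; Set-PdfNoAutoOpenInIE additionally needs admin):
#   Set-AdobeJsDisabled -WhatIf
#   Set-AdobeJsDisabled -Verbose; Set-PdfNoAutoOpenInIE
#   Test-AdobeJsDisabled | Where-Object { -not $_.Compliant }
```

Scheduling `Test-AdobeJsDisabled` to run daily and feeding the non-compliant rows into a report is the "monitor those keys" step from the last post, and it gives you the list of users to talk to rather than silently re-flipping the value under them.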