Wednesday, January 6, 2010

Disabling Adobe Javascript using GPO

Following the recently publicized Adobe Acrobat PDF security issues, especially APSA09-07, in which Adobe advised disabling JavaScript (until a patch is released on the 12th of January 2010!), a lot of domain administrators and security administrators are searching for a way to mass-disable Adobe JavaScript.

This is one easy way to mitigate most of the heap spray attacks that use Adobe JavaScript. Note, however, that a PDF exploit not using JavaScript was recently successful.

As far as I know, there are several ways to mitigate that problem, including:
- Using a third party PDF reader such as Foxit Reader
- Using Adobe Customization Wizard to customize Adobe applications before deploying them
- Using GPO to set registry values disabling Adobe Javascript

I will present the third one:

Using GPO to disable Adobe Javascript

1/ Create an administrative template file.
On a DC, navigate to %windir%\inf

2/ Create a new text file "adobe.adm"

3/ Fill it with the following content (don't forget to add a line break after the END CATEGORY item):


CLASS USER

CATEGORY "Adobe Acrobat/Reader 9.x"

POLICY "JavaScript Reader 9.x"
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

END CATEGORY





4/ Create a new GPO:
- Navigate to User Configuration > Policies > Administrative Templates
- Then add the adobe.adm template file we previously created.
- Select "Disabled" for the "JavaScript Reader 9.x" setting.


5/ Close the Group Policy Management Editor

6/ As a user who is a member of the security group / OU to which you chose to apply the GPO:
- close Acrobat Reader 9.0
- run gpupdate /force
- open Acrobat Reader 9.0 and go to Edit > Preferences > JavaScript

And as you can see, JavaScript is now disabled!

Et voila!
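To confirm step 6 without opening Reader on each workstation, the PowerShell check below (an added example, not part of the original post) reads the bEnableJS value written by the template for every user hive loaded on the machine. The helper name Get-ReaderJsState is made up for this example; it assumes PowerShell 3.0 or later and an elevated prompt so that other users' hives are readable.

```powershell
# Added example: report the Reader 9.x JavaScript state for each loaded user hive.
# Key path and value name come from the adobe.adm template in this post.
$SubKey    = 'Software\Adobe\Acrobat Reader\9.0\JSPrefs'
$ValueName = 'bEnableJS'

function Get-ReaderJsState {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Sid)

    $path  = "Registry::HKEY_USERS\$Sid\$SubKey"
    $state = 'NotConfigured'   # key or value missing for this user
    $raw   = $null
    if (Test-Path -LiteralPath $path) {
        $item = Get-ItemProperty -LiteralPath $path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $raw   = $item.$ValueName
            $state = if ($raw -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }

    # Resolve the SID to DOMAIN\user for the report; fall back to the raw SID.
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $user   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $user = $Sid
    }

    [pscustomobject]@{ User = $user; Sid = $Sid; State = $state; RawValue = $raw }
}

# Domain and local account hives only; skips service SIDs and the *_Classes hives.
$results = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-ReaderJsState -Sid $_.PSChildName }

$results | Format-Table -AutoSize

# Non-zero exit code when any loaded profile is not explicitly set to Disabled,
# so the script can be run from a scheduled compliance check.
$bad = @($results | Where-Object { $_.State -ne 'Disabled' })
if ($bad.Count -gt 0) { exit 1 } else { exit 0 }
```

Because the value sits under HKCU outside Software\Policies, the user account can write to it, so a recurring check like this is worth keeping after the GPO is deployed.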

2 comments:

  1. I am new to JavaScript language. So I do not have much experience. The code you provided is really helpful. Although I understood what it does, it will really be a great help if you can give a brief explanation.
    digital signatures
