- APSA09-07, in which Adobe advised disabling JavaScript (until a patch would be released on the 12th of January 2010!)
A lot of domain administrators / security administrators are searching for a way to mass-disable Adobe JavaScript.
This is one easy solution to mitigate most of the heap spray attacks using Adobe JavaScript. But recently, a PDF exploit not using JavaScript was successful.
As far as I know, there are several answers to mitigate that problem, including:
- Using a third party PDF reader such as FoxIt Reader
- Using Adobe Customization Wizard to customize Adobe applications before deploying them
- Using GPO to set registry values disabling Adobe Javascript
I will present the third one:
Using GPO to disable Adobe Javascript
1/ Create an administrative template file. On a DC, navigate to %windir%\inf
2/ Create a new text file "adobe.adm"
3/ Fill it with the following content (don't forget to add a line break after the END CATEGORY item):
CLASS USER
CATEGORY "Adobe Acrobat/Reader 9.x"
POLICY "JavaScript Reader 9.x"
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
4/ Create a new GPO:
- Navigate to User Configuration > Policies > Administrative Templates
- Then add the adobe.adm template file we previously created.
- Select "Disabled" for the "JavaScript Reader 9.x" setting:
6/ As a user who is a member of the security group / OU to which you chose to apply the GPO:
- close Acrobat Reader 9.0
- gpupdate /force
- open Acrobat Reader 9.0, Edition > Preferences > Javascript
And as you can see, JavaScript is now disabled!
Et voila!
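To confirm the setting has actually reached clients, the following PowerShell audit (an added example, not part of the original post) reads the bEnableJS value from the key named in the template for every user hive currently loaded on a machine. The function name Get-ReaderJsState and the output columns are assumptions made for this example; the check is worthwhile because the template writes to a per-user preference key rather than a key under Software\Policies.

```powershell
# Added example: audit the registry value managed by the adobe.adm template above.
# Only hives loaded under HKEY_USERS (currently logged-on users) are visible; run elevated.
$subKey    = 'Software\Adobe\Acrobat Reader\9.0\JSPrefs'   # KEYNAME from the template
$valueName = 'bEnableJS'                                   # VALUENAME from the template

function Get-ReaderJsState {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Sid)

    $path  = "Registry::HKEY_USERS\$Sid\$subKey"
    $state = 'NotConfigured'   # key or value absent: the GPO has not applied to this hive
    if (Test-Path -LiteralPath $path) {
        $item = Get-ItemProperty -LiteralPath $path -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # VALUEOFF NUMERIC 0 in the template means JavaScript is disabled
            $state = if ($item.$valueName -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }

    # Resolve the SID to an account name where possible; orphaned SIDs are shown as-is
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $Sid
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Account    = $account
        JavaScript = $state
    }
}

# Real user SIDs only: skips .DEFAULT, S-1-5-18/19/20 and the *_Classes hives
$results = @(Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-ReaderJsState -Sid $_.PSChildName })

$results | Format-Table -AutoSize

# Flag every loaded profile where JavaScript is enabled or the value was never written
$bad = @($results | Where-Object { $_.JavaScript -ne 'Disabled' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} profile(s) on {1} do not have {2} set to 0" -f $bad.Count, $env:COMPUTERNAME, $valueName)
}
```

A profile reported as NotConfigured either has not refreshed Group Policy since the GPO was linked or falls outside the security group / OU the GPO targets.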
I am new to the JavaScript language, so I do not have much experience. The code you provided is really helpful. Although I understood what it does, it will really be a great help if you can give a brief explanation.