Acrobat 0-day used in targeted attacks

You may have heard about a recently discovered 0-day vulnerability in Adobe Acrobat that is being used in targeted attacks.    While this isn't a traditional phishing or malware campaign, a malicious PDF delivered to hand-picked victims could fairly be considered a form of 'spear' phishing.

In case you haven’t heard the details yet, there’s a vulnerability in Adobe Acrobat Reader that allows an attacker to execute arbitrary code when a victim opens a malicious PDF.    In the real-world exploits, the attackers use Acrobat JavaScript to fill memory with their code (a heap spray); when the vulnerability is triggered and that code runs, it downloads and installs malicious files on the victim’s system.    Sourcefire has revealed a surprising amount of detail about the vulnerability on their blog.

I say the amount of detail is surprising because very little information has come out about how to mitigate this attack.    As a former IT security guy, I find this extremely frustrating.    Even Adobe’s security advisory about the incident leaves one with nothing to do but wait until March 11th for a patch.    If you’re responsible for protecting users, there’s not much to do in the meantime but hope your anti-virus and other security products catch the attack.

While the attacks seen so far leverage Acrobat JavaScript, it’s important to note that in this particular case the actual vulnerability is not in JavaScript: disabling it takes away the technique the current exploits rely on, but it does not remove the underlying bug, so you still need the patch when it ships.    However, because JavaScript is being used in real-world attacks and there have been other JavaScript vulnerabilities in Acrobat Reader, it makes sense to disable it completely.    But what do you do if you need to disable it across hundreds or thousands of machines?

PhishLabs spent some time investigating which registry keys hold Acrobat’s JavaScript settings and found that the magic key is:

HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS

This is a DWORD value: set it to 0x0 to disable JavaScript or 0x1 to enable it.    Note that the key lives under HKCU, so the setting is per user, not per machine; it has to be applied in each user’s context.

We’ve put together a simple batch file which automates this for you.   Click here to download it.

Note that it has only been tested on Adobe Acrobat Reader 9.0.0 Standard US on Windows XP SP3.   Use at your own risk.
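As an added example (this is not the PhishLabs batch file the post links to, nor anything from Adobe), here is a PowerShell script that makes the same registry change for every Acrobat/Reader version subkey present for the current user and then re-reads each value to confirm the write took. It assumes that products and versions other than the tested Reader 9.0 keep the same <product>\<version>\JSPrefs\bEnableJS layout, that Reader honours a JSPrefs key created before it has stored any preferences of its own, and that bEnableJS is a REG_DWORD; the function names Get-AdobeJSPrefsKeys and Set-AdobeJavaScript are my own.

```powershell
# Added example, not the batch file the post links to. Sets bEnableJS (REG_DWORD,
# 0 = disabled, 1 = enabled) under every HKCU\Software\Adobe\<product>\<version>\JSPrefs
# key for the current user, then re-reads each one to confirm the change took.
# Assumption: products/versions other than the page's tested Reader 9.0 use the same
# key layout. HKCU is per-user, so run this in each user's context (e.g. logon script).

param(
    [switch]$Enable    # re-enable JavaScript (writes 1); default disables it (writes 0)
)

# Product hives under HKCU\Software\Adobe that hold per-version JSPrefs keys.
$Products = @(
    'HKCU:\Software\Adobe\Acrobat Reader',
    'HKCU:\Software\Adobe\Adobe Acrobat'
)

function Get-AdobeJSPrefsKeys {
    # Enumerate <product>\<version>\JSPrefs keys. Where the version key exists but
    # JSPrefs does not, create it (assumption: Reader honours a pre-created value).
    foreach ($product in $Products) {
        if (-not (Test-Path -Path $product)) { continue }
        foreach ($version in (Get-ChildItem -Path $product -Name -ErrorAction SilentlyContinue)) {
            $key = "$product\$version\JSPrefs"
            if (-not (Test-Path -Path $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            $key
        }
    }
}

function Set-AdobeJavaScript {
    param([int]$Value)
    $keys = @(Get-AdobeJSPrefsKeys)
    if ($keys.Count -eq 0) {
        Write-Warning 'No Acrobat/Reader JSPrefs keys found for this user; nothing changed.'
        return $false
    }
    foreach ($key in $keys) {
        # -Force overwrites an existing value and fixes its type if it was wrong.
        New-ItemProperty -Path $key -Name bEnableJS -PropertyType DWord -Value $Value -Force | Out-Null
    }
    # Verify by re-reading: a mismatch here means the write silently did not take
    # (e.g. the key is locked down or the product uses a different layout).
    $ok = $true
    foreach ($key in $keys) {
        $actual = (Get-ItemProperty -Path $key -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
        if ($actual -ne $Value) {
            Write-Warning "$key\bEnableJS is '$actual', expected $Value"
            $ok = $false
        } else {
            Write-Host "$key\bEnableJS = $Value"
        }
    }
    return $ok
}

$target = if ($Enable) { 1 } else { 0 }
if (-not (Set-AdobeJavaScript -Value $target)) { exit 1 }
```

Run it once per user (a logon script is the usual vehicle, since HKCU cannot be set machine-wide from a single run); pass -Enable to put JavaScript back. The single-key equivalent a batch file would use is `reg add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f`. Neither approach fixes the vulnerability itself; it only removes the JavaScript the observed exploits depend on, so the patch is still required.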

12 Responses to “Acrobat 0-day used in targeted attacks”

  1. [...] batch-file for turning off JavaScript in Adobe Reader by altering Registry settings at http://www.phishlabs.com/blog/archives/122 (I haven’t tested it!). Assuming that it works as advertised, there’s no advantage [...]

  2. [...] the security for several computers you may wish to disable JavaScript via the registry. The guys at PhishLabs have pointed out how to do this. according to their blog you can disable JavaScript in Adobe Reader [...]

  3. Dave Howe says:

    Note that for acrobat reader v8, that key becomes

    HKCU\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS

    I would imagine that there may be other versions also, although localizations tend to use the same keys.

  4. jcg says:

    acrobat 6 pro:
    HKCU\Software\Adobe\Adobe Acrobat\6.0\JSPrefs\bEnableJS

    reader 7:
    HKCU\Software\Adobe\Acrobat Reader\7.0\JSPrefs\bEnableJS

  5. [...] In addition, the security company PhishLabs has also released a patch that resets a Windows registry entry to disable JavaScript in Adobe Reader 9.0, cutting off the hackers' route in. Grenier's patch download. [...]

  6. max says:

    How do you disable the pop-up warning about enabling the java??

  7. Vlad says:

    Yeah – how do you disable the pop-up warning about enabling the java (fricking annoying)?

  8. [...] exploitation through malicious PDF files is happening). For now, survive on workarounds. Another option is to install an unofficial patch that a SourceFire consultant [...]

  9. [...] Phishlabs has written a bat file that can automatically handle the registry edit. You can download the necessary files here: http://www.phishlabs.com/blog/archives/122 [...]

  10. [...] you need to implement this change across a large number of machines, PhishLabs have posted some information which will make your life [...]

  11. [...] Answers Anonymous I’m not much of a sysadmin, but I know that PhishLabs has something about where in the Registry to turn this off on 9.0. In the comments, other users have suggested keys for other versions. You can find the article here: http://www.phishlabs.com/blog/archives/122 [...]
