Get The Latest Insights

By Stacy Shelley | February 21, 2009

You may have heard about a recently discovered 0-day vulnerability in Adobe Acrobat that has been used in targeted attacks. While this isn’t anything like a traditional phishing or malware attack, it could be considered a type of ‘spear’ phishing.

In case you haven’t heard the details yet, there’s a vulnerability in Adobe Acrobat Reader that allows attackers to execute arbitrary code. In real world exploits, the attackers use Acrobat javascript to fill memory with their code which when executed downloads and installs malicious files to the victim’s system. Sourcefire has revealed a suprisingly amount of detail about the vulnerability on their blog.

I say the amount of deal is surprising because very little information has come out about how to mitigate this attack. As a former IT security guy, this is extremely frustrating. Even in Adobe’s security advisory about the incident, they only information one is left with is to watch until March 11th for a patch. If you’re responsible for protecting users, there’s not much to do but hope your AntiVirus and other security products catch the attack.

While the attacks seen leverage Acrobat javascript, it’s important to note that in this particular case the actual vulnerability is not in javascript. However, because javascript is being used in real-world attacks and there have been other javascript vulnerabilities in Acrobat Reader, it makes sense to completely disable it. But what to do if you need to disable it across hundreds or thousands of machines?

PhishLabs spent some investigating which registry keys hold the javascript settings of Acrobat and found that the magic key is:

HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS

Set this to 0×0 or 0×1 to disable or enable it respectively.

We’ve put together a simple batch file which automates this for you. Click here to down it.

Note that it has only been tested on Adobe Acrobat Reader 9.0.0 Standard US on Windows XP SP3. Use at your own risk.