Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Don't launch that file Adobe Reader! - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Don't launch that file Adobe Reader!

Maybe you read my PDF + DOC malicious document diary entry, or maybe even you tested your system with my PDF + DOC test file, and maybe you wondered if you could change Adobe Reader's behavior.

Well, no more "maybes": you can. Years ago, when PDF malware was the most widespread malicious document type, disabling JavaScript in Adobe Reader was a recommendation.

But you can also prevent Adobe Reader from opening embedded files and launching the associated application. Here is the setting in the Trust Manager to do this:

And if PDF attachments are important in your organization, this setting will not prevent attachments from being saved (extracted). Only from being launched from within Adobe Reader.

I also have a video showing the effects of this setting (plus the JavaScript setting).

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
My YouTube Channel

DidierStevens

341 Posts
ISC Handler
I have disabled that setting for years without any adverse effects in my environment.

The registry settings for that (and a couple of others I change) in v11 are:

HKCU\Software\Adobe\Adobe {Acrobat | Reader}\11.0\Originals\bAllowOpenFile = 0

HKCU\Software\Adobe\Adobe {Acrobat | Reader}\11.0\JSPrefs\bEnableGlobalSecurity = 1

HKCU\Software\Adobe\Adobe {Acrobat | Reader}\11.0\JSPrefs\bEnableJS = 0
K-Dee

63 Posts
I was wondering. After some extensive searching I have not been able to find ADM or ADMX files for Adobe DC reflecting the ability to make the change discussed above via group policy.

I've seen a bunch of posts from others on the internet saying they had to manually create these registry changes to affect previous versions of Adobe, ergo Reader XI.

Seeing as Adobe Reader DC is located in HKLM\Software\Wow6432Node\Adobe\Acrobat Reader (and not HKCU\Software\Adobe\Acrobat Reader\11.0) how would one go about making these changes for an enterprise organization?
K-Dee
1 Posts
I have always had to do it "manually" with my patch server..... which was a little tougher with the settings located in HKCU. (Had to use a VBS script to iterate thru all of the user profiles)

But if those settings are now located in HKLM with DC versions and newer, then that makes it MUCH easier to push out with a REG file.
K-Dee

63 Posts
There are tons of registry settings to harden Reader (disable javascript, 3D, external docs, cloud...).

Nice read from NSA
+ Recommendations for Configuring Adobe Acrobat Reader XI in a Windows Environment
http://www.nsa.gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.pdf
Julien

10 Posts

Sign Up for Free or Log In to start participating in the conversation!