Zero Day in Adobe Acrobat and Reader Part 2

Adobe has posted a security advisory for the zero day in Adobe Acrobat and Reader that I blogged about yesterday.
They say they are

“planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow”

Last time the updates for version 7 followed along about 8-10 months later if memory serves. Their little incentive for people to upgrade. I’m surprised they haven’t sunset-ed version 7 already. I’ve looked for software support life-cycle information from Adobe and haven’t found it.
The recommended mitigation for this vulnerability is disabling JavaScript until a patch is available. I’ve never seen anyone mention what effect that might have.
Every article says to disable JavaScript in Adobe through Edit -> Preferences -> JavaScript. In an enterprise you would want to know: is there a way to disable JavaScript in Adobe programmatically (by pushing a registry entry via a login script, SMS or Group Policy)?
Using Process Monitor from Sysinternals, I see that when you disable JavaScript in the GUI it sets HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS to 0. Googling bEnableJS, I found that SANS ISC has an ADM file (used in Group Policy, for the non-Windows admin types) they posted during the last Adobe exploits back in November. It disables JavaScript for 6, 7 and 8 Acrobat and Reader.
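
One way to push the setting from a per-user logon script, as an added example that is not part of the original post or the SANS ISC ADM file: it sets the `bEnableJS` value observed above to 0 and reads it back to report the effective state. The `-Versions`, `-Force` and `-AuditOnly` parameters are hypothetical names, and the DWORD value type and the reuse of the 8.0 key layout for other versions are assumptions.

```powershell
# Added example. Run in the user's context (e.g. a logon script), because
# the setting lives under HKEY_CURRENT_USER.
param(
    # 8.0 is the version observed in the post; adding other versions assumes
    # they use the same key layout.
    [string[]]$Versions = @('8.0'),
    # Pre-create the key even if Reader has not yet written per-user settings.
    [switch]$Force,
    # Report the current state only; change nothing.
    [switch]$AuditOnly
)

$base = 'HKCU:\Software\Adobe\Acrobat Reader'

foreach ($ver in $Versions) {
    $productKey = Join-Path $base $ver
    $jsKey      = Join-Path $productKey 'JSPrefs'

    # Avoid littering the profile with keys for versions the user never ran.
    if (-not (Test-Path $productKey) -and -not $Force) {
        Write-Output "$ver : no per-user Reader key, skipped (use -Force to pre-create)"
        continue
    }

    if (-not $AuditOnly) {
        if (-not (Test-Path $jsKey)) {
            New-Item -Path $jsKey -Force | Out-Null
        }
        # Assumption: bEnableJS is stored as a REG_DWORD.
        New-ItemProperty -Path $jsKey -Name 'bEnableJS' -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }

    # Read the value back so the output reflects what is actually in the registry.
    $current = (Get-ItemProperty -Path $jsKey -Name 'bEnableJS' `
                    -ErrorAction SilentlyContinue).bEnableJS
    if ($null -eq $current) {
        Write-Output "$ver : bEnableJS not set"
    } elseif ($current -eq 0) {
        Write-Output "$ver : JavaScript disabled (bEnableJS = 0)"
    } else {
        Write-Output "$ver : JavaScript ENABLED (bEnableJS = $current)"
    }
}
```

Because the value is per-user and the user can change it back in the GUI, running the script with `-AuditOnly` at each logon gives a simple check that the mitigation is still in place.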

One Comment

  1. I’ve been using Adobe Reader Speedup for some time with success, with javascript disabled. I’ve had no problems. The only thing that Speedup disables that can be annoying is the Web component, which allows you to click hyperlinks. Unless you’re doing something fancy with Acrobat (or malicious), you probably don’t need it.
