Hi all

For a long time now I've been looking for an easy and reliable way of locking down adobe reader so that JS is disable and cannot be enabled by the user. Last time I checked, Adobe hadn't started recognizing true policies on Windows - so creating an Admin Template will only be a preference.

I thought now that they've introduced the JS Blacklist Framework, I'd finally be able to do this. But alas, it's waaaaaaay too complicated and half of it is going over my head [:-]

It seems that I can lock down JS, but only per API. But I have no idea what API's are included in Adobe Reader, and don't even know how to find out. I've done some googling, but nothing has come up so far. So, does anybody have any idea where I can get this info from ? Or failing that, the most common API's, so I can at least block JS for most scenarios

I have tried using wildcards (*) but this didn't have any effect.

Any help would be really really appreciated. Thanks in advance
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
Hi All

Well, after some more googling and a bit of tweaking of my search, I managed to find this article:

http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blacklist-framework.html

Well, at least I'm not going mad ! It seems there isn't any definite list of what should be blacklisted etc. But thankfully the link above has some really useful info on what API's should be blocked as well as some sample PDF docs you can use to check if your blacklist is working or not.

I'm planning on testing it in the next few days, so once I've tried it out, I'll post back
Answered 02/04/2010 by: y2k
Senior Yellow Belt

Please log in to comment
0
Since version 8.0 we have disabled JS in Adobe Reader. Yes this does break some functionality but we find it to be better to be a little inconvenienced than cleanup compromised workstations. The user cannot go into settings and recheck the box to enable JS either. In fact we only deploy the following plugins: Search.api, Search5.api, and SendMail.api Of course probably a better solution would be to use an alternative PDF viewer that is a little less bloated.
Answered 02/04/2010 by: joedown
Second Degree Brown Belt

Please log in to comment
0
Hi Joe

Wow, how have you done that ? With a reg entry ? In the past, I've tried moving the entry from HKCU into a policies hive, and also into HKLM, but neither were effective in disablign JS. Would you mind letting me know how you done it ?

As for configuring the JS BlackList Framework, it was quiet simple really and seems to work fine. I understood from the documentation that the user should get a prompt to enable JS just for that document, but I don't get that. I think maybe I need to configure some locations in the WhiteList for that to work perhaps.

Also, the blog points out a potentially very big "gotcha" - the reg keys and entries are case sensitive. The documentation I had from adobe said to create a REG_SZ key entry called tBlacklist - but in actual fact, it has to be caled tBlackList
Answered 02/05/2010 by: y2k
Senior Yellow Belt

Please log in to comment
0
Simple really, do not include the escript.api in your deployment. Now there are a few other plugins you will have to remove as well or your will get plugin errors when launching Adobe reader. All done in a transform of course. We've been doing this since version 9.0 without a problem. Oh, and the size of Adobes Acrobat Reader 9.3 installer is now 30Mb once you trim some of the fat.

ORIGINAL: y2k

Hi Joe

Wow, how have you done that ? With a reg entry ? In the past, I've tried moving the entry from HKCU into a policies hive, and also into HKLM, but neither were effective in disablign JS. Would you mind letting me know how you done it ?
Answered 02/09/2010 by: joedown
Second Degree Brown Belt

Please log in to comment
0
it has to be caled tBlackList.If that's true, that would indicate that Adobe are bypassing the Windows registry APIs to access the registry. It wouldn't surprise me but...really?
Answered 02/10/2010 by: VBScab
Red Belt

Please log in to comment
0
I don't follow. Please explain.

ORIGINAL: VBScab

If that's true, that would indicate that Adobe are bypassing the Windows registry APIs to access the registry. It wouldn't surprise me but...really?

Answered 02/10/2010 by: joedown
Second Degree Brown Belt

Please log in to comment
0
The registry APIs don't care about case. HKLM\Software\Whoever\WhateverProduct\ThisRegistryKey will be treated exactly the same as HKLM\sOFTWARE\wHOEVER\wHATEVERpRODUCT\tHiSrEgIsTrYkEy.

It's entirely possible that Adobe's code cares about the case of the *data* retrieved from a value but while, as I say, it wouldn't surprise me if they were using their own registry access routines, they'd have to be monumentally stupid to do so.
Answered 02/10/2010 by: VBScab
Red Belt

Please log in to comment
Answer this question or Comment on this question for clarity