
Homemade PDF Patch Beats Adobe By Two Weeks

CWmike writes "Sourcefire security researcher Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks. Grenier posted the patch on Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees. Also, PhishLabs has created a batch file that resets a Windows registry key to de-fang the hack by disabling JavaScript in Adobe Reader 9.0, giving administrators a way to automate the process."
  • Re:Feature Request (Score:3, Informative)

    by klossner ( 733867 ) on Monday February 23, 2009 @09:22PM (#26964511)
    PDF is not PostScript. It shares some concepts (such as the imaging model and a good many keywords), but it is not a programming language. It has no control constructs, for example.
  • Re:Feature Request (Score:5, Informative)

    by klossner ( 733867 ) on Monday February 23, 2009 @09:26PM (#26964537)

    Adobe did add this dialog -- but it only appears if you have disabled Javascript! (Which you can do with Edit / Preferences, no need for the registry hack.)

    Here's the exact dialog:

    ? This document contains JavaScripts. Do you want to enable JavaScripts from now on? The document may not behave correctly if they're disabled.

    [ ] Don't show this message again until this document is reopened

    [[Yes]] [[No]]

  • Re:Offensive (Score:1, Informative)

    by Anonymous Coward on Monday February 23, 2009 @10:12PM (#26964909)
    Q: How many male chauvinists does it take to change the lightbulb in the kitchen?
    A: None, let the bitch wash the dishes in the dark.
  • by Anonymous Coward on Monday February 23, 2009 @10:59PM (#26965187)

    InfoPath. Filling in forms and saving the results as a piece of XML is what it is designed to do. Advantages of InfoPath include that fields can expand to hold what the user typed in and you can easily have repeating groups. The 'filled in' XML is easily readable (fairly simple to read, really.)

    For extra credit, said XML can be automatically saved to a webservice, emailed, saved to sharepoint or whatever else.

    (Disadvantage of InfoPath is that it doesn't look quite as slick as PDF when printed, and it does have its rough edges.)

  • Re:Registry hack (Score:5, Informative)

    by initialE ( 758110 ) on Monday February 23, 2009 @11:59PM (#26965533)

    For myself I just used the REG.exe located inside the %system32% folder. In your logon script (assuming you have one), just add in the lines

    REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bConsoleOpen /t REG_DWORD /d 0 /f

    REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableGlobalSecurity /t REG_DWORD /d 1 /f

    REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f

    REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableMenuItems /t REG_DWORD /d 0 /f

    YMMV. REG.exe is not included on Windows 2000. Because this applies to the current user registry there should be no permissions issue. And make sure your path does include the system32 directory, as it does by default.
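
Added example, not part of the comment above: a PowerShell check an administrator could run to confirm that the four JSPrefs values from those REG add lines are actually in place for the current user, and to set them when they are not. The key path, value names and data come from the comment; the function name `Test-ReaderJSPrefs` and its `-Fix` switch are hypothetical.

```powershell
# Audit the Adobe Reader 9.0 JSPrefs values listed in the comment above.
# Function name and -Fix switch are hypothetical; the key path, value names
# and data are the ones in the REG add lines.
function Test-ReaderJSPrefs {
    param(
        [string]$KeyPath = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs',
        [switch]$Fix   # when set, write any missing or wrong value
    )

    # Desired state: JavaScript off, console and menu items off, global security on.
    $desired = [ordered]@{
        bConsoleOpen          = 0
        bEnableGlobalSecurity = 1
        bEnableJS             = 0
        bEnableMenuItems      = 0
    }

    $keyExists = Test-Path -LiteralPath $KeyPath
    if (-not $keyExists -and $Fix) {
        # The key is absent until Reader or a script creates it.
        New-Item -Path $KeyPath -Force | Out-Null
        $keyExists = $true
    }
    $props = if ($keyExists) { Get-ItemProperty -LiteralPath $KeyPath } else { $null }

    foreach ($name in $desired.Keys) {
        $prop    = if ($props) { $props.PSObject.Properties[$name] } else { $null }
        $current = if ($prop) { $prop.Value } else { $null }   # $null = value not set
        $ok      = ($null -ne $current) -and ($current -eq $desired[$name])

        if (-not $ok -and $Fix) {
            New-ItemProperty -Path $KeyPath -Name $name -Value $desired[$name] `
                -PropertyType DWord -Force | Out-Null
        }
        [pscustomobject]@{
            Name      = $name
            Expected  = $desired[$name]
            Found     = $current          # value seen before any fix was applied
            Compliant = $ok
            Fixed     = (-not $ok -and [bool]$Fix)
        }
    }
}

# Report only; add -Fix to enforce the values.
Test-ReaderJSPrefs | Format-Table -AutoSize
```

A value that is missing is reported as non-compliant, since nothing has pinned it for that user. Like the logon-script lines, this touches only the current user's hive, so it has to run once per user.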

  • by guruevi ( 827432 ) on Tuesday February 24, 2009 @12:19AM (#26965637)

    I like the way Apple approaches that problem in their Quartz Composer tool. Basically you have JavaScript for all types of funky validations, requests and calculations you would like to do but the 'vulnerable' classes that would allow reading/writing local files, networking or creating annoying popups have been removed.

  • Re:Offensive (Score:0, Informative)

    by Anonymous Coward on Tuesday February 24, 2009 @02:15AM (#26966301)
    Q: How many feminists does it take to change a lightbulb? A: Two. One to change the bulb and one to SUCK MY COCK.
