3

Does anyone know where Acrobat Reader stores the setting to disable JavaScript?

I'd like to centrally apply an update (through a policy, or a startup script, or a login script) on every machine on our network rather than sending everyone an email telling them to do it.

Ref: How To Geek has a way of doing this (and an explanation why) through the UI, but I want to do it centrally for 700 users.

Richard Gadsden
  • 3,696
  • 4
  • 28
  • 58
  • Generally, use RegMon/FileMon from SysInternals: it will show you what's modified when you hit the 'Apply' thing :) – kolypto Dec 17 '09 at 02:29
  • 1
    SysInternals' Regmon and Filemon have been superseded by a consolidated utility named "Process Monitor" http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx – jscott Dec 17 '09 at 13:09

3 Answers3

4

We're using Group Policy to push this preference. If you're running the Client-Side Prefs extension, you don't even need to craft an ADM, you can just push the values. Please note that you will have to edit the "9.0" to match your major version of Adobe Reader.

Credit for the keys/values from here: http://www.acrobatusers.com/forums/aucbb/viewtopic.php?id=17210

ADM:

CLASS USER
CATEGORY "Software Settings"
  CATEGORY "Adobe"
    CATEGORY "Reader"

      POLICY "bConsoleOpen"
        KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
        VALUENAME "bConsoleOpen"
          VALUEON    NUMERIC 1
          VALUEOFF  NUMERIC 0
      END POLICY

      POLICY "bEnableJS"
        KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
        VALUENAME "bEnableJS"
          VALUEON    NUMERIC 1
          VALUEOFF  NUMERIC 0
      END POLICY

      POLICY "bEnableMenuItems"
        KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
        VALUENAME "bEnableMenuItems"
          VALUEON    NUMERIC 1
          VALUEOFF  NUMERIC 0        
      END POLICY

    END CATEGORY
  END CATEGORY
END CATEGORY
jscott
  • 24,204
  • 8
  • 77
  • 99
  • Thanks. As a user setting, I'm going to do this through a login script with a .reg file, but I tried googling and failed; SF was fab today. – Richard Gadsden Dec 16 '09 at 16:05
  • Why does it seem like everyone so afraid of using group policy? This is exactly the type of thing it was built to take care of. Login scripts should be reserved for use when group policy really can't do what you need to do. – Ryan Bolger Dec 16 '09 at 16:48
  • @Ryan: If you haven't checked out Client Side Preferences yet, I'd highly recommend you do. We're looking to eliminate all our remaining logon scripts. http://support.microsoft.com/kb/943729 – jscott Dec 16 '09 at 16:55
  • @jscott: You misunderstood. I'm totally on board with GP Prefs. I was ranting at Richard's choice to use a login script and reg file instead of the perfectly valid GP based solution you gave. – Ryan Bolger Dec 16 '09 at 19:41
  • @Ryan, you're right, we don't use Client Side Preferences yet, and we should, but I have a login script in place already, and I don't have CSPs in place, so one happens faster than the other. CSPs are the better solution. – Richard Gadsden Dec 17 '09 at 17:31
3

To contribute back, here is my .reg file that I'm applying in the login script:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000
"bEnableConsoleOpen"=dword:00000000
"benableMenuItems"=dword:00000000

and here is the email that I'm sending to all users to suggest they secure their home computers:

Adobe have announced that there is currently a serious security vulnerability in Adobe Acrobat Reader. IT have already applied their recommended settings here at work so you do not need to do anything here.

If you use Adobe Reader at home, then IT would recommend that you update to the latest Acrobat Reader (download it from http://get.adobe.com/uk/reader/) and then you disable javascript in the program - you can do this by following the instructions in http://www.howtogeek.com/howto/7684/how-to-disable-javascript-in-adobe-reader-and-patch-the-latest-massive-security-hole/

If you want to know more, read on.

If you would like more details of this, or to confirm this, then Adobe's own security advisory is online at http://www.adobe.com/support/security/advisories/apsa09-07.html

IT always recommend that you should confirm any security alert you receive yourself with the official website of the company that has the problem, or with trustworthy official sources such as the US Government's CERT (www.cert.org - CERT's warning about this vulnerability is at http://www.kb.cert.org/vuls/id/508357). There are lots of fake security alerts that are intended either to "cry wolf" so people ignore real ones like this, or to induce you to buy software you don't need, or to download and install software that is harmful to your computer, so you should always check the alert yourself.

Richard Gadsden
  • 3,696
  • 4
  • 28
  • 58
  • reg add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v "bEnableJS" /t REG_DWORD /d "0" /f – jscott Dec 16 '09 at 17:03
0

I'm not much of a sysadmin, but I know that PhishLabs has something about where in the Registry to turn this off on 9.0. In the comments, other users have suggested keys for other versions. You can find the article here: http://www.phishlabs.com/blog/archives/122

As to how you can push that registry change across the domain, I do not know. If you find out, add it on!