Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and

(imported topic written by hanspjacobsen)

Has anyone found out how to create a fixlet to find out if Acrobat JavaScript is enabled?

http://www.adobe.com/support/security/advisories/apsa09-01.html

(imported comment written by hanspjacobsen)

I found out which registry setting the relevance has to check but can't figure out how to write the relevance. The Registry key is HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\x.0\JSPrefs DWORD "bEnableJS" to 0

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221 .

The problem is that x.0 represents the version of Acrobat Reader that is installed. How can I pull that information out and place it in a relevance?

(imported comment written by SystemAdmin)

Here's what I'd do... When writing your relevance you can use "of keys" to enumerate through any of the versions that are installed. So let's say you wanted to just determine if preferences weren't set at all.

Something like...

not exists key "JSPrefs" of keys of key "Software\Adobe\Acrobat Reader" of (detection of HKCU here)

Unless you want to target specific versions, in which case make it something like...

not exists key "JSPrefs" of keys whose (name of it as version <= "9.0") of key "Software\Adobe\Acrobat Reader" of (detection of HKCU here)

Of course you would also need to add in the detection if the JSPrefs was present, but bEnableJS was missing or not set to 0. Then also the same for Adobe Acrobat as well.

-Paul
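
The checks listed in the reply above (JSPrefs missing, bEnableJS missing, or bEnableJS not set to 0, for versions up to 9.0) can be verified by hand on a test machine with a short script. This is an added example, not code from the thread or from BigFix; the function name is hypothetical, and the "Adobe Acrobat" key name is an assumption (only "Acrobat Reader" is given in the thread). It reads the hive of the user who runs it.

```powershell
# Added example (not from the thread): report the Acrobat JavaScript setting
# for every installed version <= $MaxVersion in the current user's hive.
function Get-AcrobatJsState {
    param(
        # 'Acrobat Reader' is the key named in the thread; 'Adobe Acrobat' is an assumed key name.
        [string[]]$Products  = @('Acrobat Reader', 'Adobe Acrobat'),
        [version]$MaxVersion = '9.0',
        [string]$Hive        = 'HKCU:'
    )
    foreach ($product in $Products) {
        $base = "$Hive\Software\Adobe\$product"
        if (-not (Test-Path -LiteralPath $base)) { continue }

        foreach ($verKey in Get-ChildItem -LiteralPath $base) {
            # Version subkeys are named x.0 (7.0, 8.0, 9.0); skip any other subkey.
            $ver = $verKey.PSChildName -as [version]
            if ($null -eq $ver -or $ver -gt $MaxVersion) { continue }

            $jsKey = Get-Item -LiteralPath "$($verKey.PSPath)\JSPrefs" -ErrorAction SilentlyContinue
            if ($null -eq $jsKey) {
                $state = 'JSPrefs key missing'
            } else {
                $value = $jsKey.GetValue('bEnableJS')   # $null when the value does not exist
                if ($null -eq $value) { $state = 'bEnableJS missing' }
                elseif ($value -eq 0) { $state = 'disabled' }
                else                  { $state = "bEnableJS = $value" }
            }
            # One row per product/version; NeedsFix is true unless bEnableJS is exactly 0.
            [pscustomobject]@{
                Product  = $product
                Version  = $verKey.PSChildName
                State    = $state
                NeedsFix = ($state -ne 'disabled')
            }
        }
    }
}

Get-AcrobatJsState | Format-Table -AutoSize
```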


(imported comment written by hanspjacobsen)

Thanks for the reply. I'm really trying to understand this, but how can I get the variable in the registry x, which is the version of Acrobat Reader? For 9 it would be 9.0, and 8 would be 8.0, etc.

(imported comment written by SystemAdmin)

Well for that you could use either the HKCU or HKLM key. I'll use HKLM here...

For just the name of the key, it would be...

name of key of key "HKLM\Software\Adobe\Acrobat Reader" of registry

Well if you wanted to extract the whole number to the left of the ".", you could do it like this...

preceding text of substring "." of name of key of key "HKLM\Software\Adobe\Acrobat Reader" of registry

Paul

(imported comment written by hanspjacobsen)

Thanks for the help.

(imported comment written by Richard_Betts)

Here are three Fixlets to identify and remediate the issue for:

  • Acrobat Reader 7.x,
  • Acrobat Reader 8.x
  • Acrobat Reader 9.x
  • Adobe Acrobat 7.x
  • Adobe Acrobat 8.x
  • Adobe Acrobat 9.x

These are provided 'as is' and should be tested in your own environment as you would with any custom content.

"Adobe Warns of Critical Vulnerability In Acrobat, Reader"

Rename the attachment to .bes and then import via the console.

  • Expect to push out all the different versions. One single computer might have registries for different Acrobat versions.
  • You should also make it a policy to reapply if it becomes relevant again (Take Action Dialog / Execution Tab / Reapply this action check box)

o The Acrobat setting is per user, so this will ensure that when different users log on, their settings will get applied.

o Note that the default action expires in 2 days, so do extend longer as you see fit.

o Also it is possible that an end-user might use the software and re-enable JavaScript. The policy will ensure that the JavaScript setting gets disabled again.


(imported comment written by SystemAdmin)

Richard- Thank you for the offer, but I don't see any fixlets to download.

(imported comment written by Richard_Betts)

Attachment is at bottom of post.

(imported comment written by SystemAdmin)

Wow okay, I feel like a moron, but seriously I cannot find your attachment. I've looked in IE, Safari and Firefox, logged in and not, from multiple machines, but there is no attachment. I must be doing something wrong...

Here's screenshots... would someone please show me where I should be looking?

http://www.fif3.com/bigfix_forum2.jpg

http://www.fif3.com/bigfix_forum3.jpg

(imported comment written by Jim_Hansen91)

Hi Skip,

If you would like to send me an email directly, I'll send them to you. My email is jim_hansen@bigfix.com.

Regards,

Jim

(imported comment written by BenKus)

Hey Skip,

Check again... I moved your forum user group and hopefully you can see it now...

Ben

(imported comment written by SystemAdmin)

Ben Kus

Hey Skip,

Check again... I moved your forum user group and hopefully you can see it now...

Ben

Yes! I can see it now... thanks for fixing my account!