Fixlet to block new Adobe Acrobat and Reader vulnerability

(imported topic written by jfschafer)

A just-released Adobe Acrobat and Reader security flaw will allow code execution by tricking users with malicious PDF files. It’s not really patchable because it uses a default, known feature in Adobe, and it’s expected to be a very popular exploit for malware writers and thieves. (http://www.computerworld.com/s/article/9175159/Researcher_warns_of_impending_PDF_attack_wave)

Luckily there’s a workaround, but it requires adding a registry key to the clients (same key value for every version of Acrobat or Reader, but the path to the value may be different depending on the version installed). I’m new to BigFix and was hoping one of you BigFix gurus could post a custom fixlet here to help myself and, I assume, many others who don’t want to get hit with this Adobe security flaw. I’m looking for a fixlet that will add this key and value if it doesn’t exist (or change the value to 0 if it does exist). If one is posted for Adobe Reader 9, I and others could easily make ones for other versions.

Here’s what needs to be done to close the security hole while awaiting a patch:

Add the following DWORD value to:

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

Name: bAllowOpenFile

Type: REG_DWORD

Data: 0

Furthermore, an administrator can grey out the preference to keep end-users from turning this capability on, by adding the following DWORD value to: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals

Name: bSecureOpenFile

Type: REG_DWORD

Data: 1

(imported comment written by JackCoates91)

Hi jfschafer,

The Windows Registry Wizard will do that for you. Note that it’s an HKCU key, so you’ll need to run as the logged-in user; this has implications that are worth looking into. When you turn it into an action, you should limit the times that it runs.

(imported comment written by jfschafer)

Thanks Jack. I used the registry wizard and this is the relevance string it created (I added the AND (exists "C:\Program Files\Adobe\Acrobat 8.0") manually because it’s a different path for each version of Acrobat).

(name of operating system = "WinXP" OR name of operating system = "WinXP-2003") AND (NOT exists value "bAllowOpenFile" of key "HKEY_USERS\S-1-5-18\Software\Adobe\Adobe Acrobat\8.0\Originals" of native registry) AND (exists folder "C:\Program Files\Adobe\Acrobat 8.0")

My question is: will this work, since it’s not going to go in HKEY_CURRENT_USER but instead in HKEY_USERS\S-1-5-18?

Our users don’t have admin rights so I left the box unchecked for “Run the generated task as the currently logged in user”

(imported comment written by JackCoates91)

Hi jfschafer, it won’t work at that key; that’s the LocalSystem account’s HKCU. Your users shouldn’t need admin rights to write into their own HKCU. Did you test it and run into a problem?
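
The HKCU versus HKEY_USERS\S-1-5-18 point discussed above, as an added example that is not part of the original thread and is not BigFix-generated code: a PowerShell sketch that, when run elevated or as LocalSystem, writes the two workaround values into each loaded user hive rather than into LocalSystem's own hive. The function names, the SID pattern and the product/version list (taken from the two paths quoted in the thread) are assumptions to adjust for your environment.

```powershell
# Added example: apply the workaround per user from an elevated/SYSTEM context.
# Product\version subkeys are the two that appear in the thread; extend as needed.
$Products = @('Acrobat Reader\9.0', 'Adobe Acrobat\8.0')

# Values from the workaround described in the thread.
$Settings = @{ bAllowOpenFile = 0; bSecureOpenFile = 1 }

function Get-UserHiveSid {
    # Assumption: real user accounts have SIDs of the form S-1-5-21-...
    # This skips S-1-5-18 (LocalSystem), S-1-5-19/20 and the *_Classes hives.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object { $_.PSChildName }
}

function Set-AdobeOpenFileLockdown {
    param([Parameter(Mandatory)][string]$Sid)

    foreach ($product in $Products) {
        $base = "Registry::HKEY_USERS\$Sid\Software\Adobe\$product"
        # Assumption: the product key exists only for users who have run it.
        if (-not (Test-Path -LiteralPath $base)) { continue }

        $originals = "$base\Originals"
        if (-not (Test-Path -LiteralPath $originals)) {
            New-Item -Path $originals -Force | Out-Null
        }
        foreach ($name in $Settings.Keys) {
            # -Force creates the value if missing or overwrites an existing one.
            New-ItemProperty -LiteralPath $originals -Name $name `
                -PropertyType DWord -Value $Settings[$name] -Force | Out-Null
            Write-Output "${Sid}: $product\Originals\$name = $($Settings[$name])"
        }
    }
}

Get-UserHiveSid | ForEach-Object { Set-AdobeOpenFileLockdown -Sid $_ }
```

Only hives loaded under HKEY_USERS at run time (users currently logged in) are reached, so this needs to be re-run at logon or on a schedule to cover users who sign in later.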