Adobe’s implementation of Javascript in PDF documents, referred to as Acrobat JavaScript, appears to have been originally introduced based on the popularity of PDF eForms. Javascript allows for some dynamic behaviors in PDF’s, including calculations, responses to user actions, user data validation, and the integration of other dynamic capabilities.

We have previously posted instructions for users to disable JavaScript, giving them the option to enable it only when necessary. However, if you have made the decision to make this change across your enterprise or to a specific user base, this manual process is not practical. Therefore, a Group Policy Object is best to handle the task at hand.

The following is a custom ADM file

CLASS USER

CATEGORY "Adobe Reader"
     POLICY "Version 8.0 JavaScript Settings"
        KEYNAME "SOFTWARE\Adobe\Acrobat Reader\8.0\JSPrefs" 
        PART "Enable JavaScript"
            CHECKBOX
            VALUENAME "bEnableJS"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable menu items JavaScript execution privileges" 
            CHECKBOX
            VALUENAME "bEnableMenuItems"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable global object security policy"
            CHECKBOX
            VALUENAME "bEnableGlobalSecurity"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Debugger: Show console on errors and messages"
            CHECKBOX
            VALUENAME "bConsoleOpen"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
    POLICY "Version 9.0 JavaScript Settings"
        KEYNAME "SOFTWARE\Adobe\Acrobat Reader\9.0\JSPrefs" 
        PART "Enable JavaScript"
            CHECKBOX
            VALUENAME "bEnableJS"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable menu items JavaScript execution privileges" 
            CHECKBOX
            VALUENAME "bEnableMenuItems"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable global object security policy"
            CHECKBOX
            VALUENAME "bEnableGlobalSecurity"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Debugger: Show console on errors and messages"
            CHECKBOX
            VALUENAME "bConsoleOpen"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
END CATEGORY

Note: If you use the newer admx/adml for custom group policy, you can implement these settings as well. You can find the ADMX syntax guide here.

Save the custom ADM file where your GPO editor can browse to it. In Computer Configuration, Administrative Templates, right click and select Add/Remove templates. Once you add the template, if you are using XP/2003 you’ll have to ensure your filtering is setup to see “unmanaged” group policies, which are basically custom ADM entries which tattoo the registry. Under filtering, in your GPO editor, uncheck the option as shown:

gpedit

Once the ADM is added, and the filter option is cleared, you will see the configuration entries for Adobe Reader. Note in the figure there are settings for both versions 8 and 9. I had to separate these since the registry locations differ based on versions, but you can edit the ADM file to just have the version you are using.

Adobe Settings in GPO

When configuring the GPO setting, you have four options in the form of checkboxes, which mirrors the JavaScript settings in the Adobe Reader preferences pane. Here, you would choose to have the global object security policy enabled and the other three settings disabled (note that JavaScript is the first setting).

Detailed settings

With the GPO settings configured, you can link it to an organization unit (OU), a site, or a domain to deploy it. Remember that it is a user side GPO, so your user objects where the GPO is linked in AD will apply these settings.

Related Posts:

• March’s Patch Tuesday
• Press F1 for Help, pwned.
• Regular or Decaf? Tool launched to combat COFEE
• Six Bulletins in Last Patch Tuesday of 2009
• Remote SMB Exploit: Crashing Windows 7 and Server 2008

Adobe’s implementation of Javascript in PDF documents, referred to as Acrobat JavaScript, appears to have been originally introduced based on the popularity of PDF eForms. Javascript allows for some dynamic behaviors in PDF’s, including calculations, responses to user actions, user data validation, and the integration of other dynamic capabilities.

That said, for many users PDF’s are simply a mechanism for providing documents to read. Given the spate of vulnerabilities identified in Acrobat and Reader in 2009, and the likely promise of more in 2010, we are releasing by request this general instruction for disabling Javascript in Adobe Acrobat. An advisable approach, depending on your usage of these products, may be to disable Javascript and only re-enable when performing an activity with a PDF that requires Javascript be enabled, such as with an eForm.

Adobe notes that disabling Javascript mitigates against exploits identified this year that use Javascript functions to cause a memory corruption, although in some cases it would be possible to create variants that do not rely on Javascript. To disable Javascript in Adobe Reader or Acrobat: select Edit > Preferences, select the JavaScript option on the left, and uncheck the Enable Acrobat JavaScript option as shown.

Uncheck to disable Acrobat JavaScript

Related Posts:

• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• March’s Patch Tuesday
• Press F1 for Help, pwned.
• First Patch Tuesday of 2010