List of Adobe Reader API's
Hi all
For a long time now I've been looking for an easy and reliable way of locking down Adobe Reader so that JS is disabled and cannot be enabled by the user. Last time I checked, Adobe hadn't started recognizing true policies on Windows - so creating an Admin Template will only be a preference.
I thought now that they've introduced the JS Blacklist Framework, I'd finally be able to do this. But alas, it's waaaaaaay too complicated and half of it is going over my head [:-]
It seems that I can lock down JS, but only per API. But I have no idea what APIs are included in Adobe Reader, and don't even know how to find out. I've done some googling, but nothing has come up so far. So, does anybody have any idea where I can get this info from? Or failing that, the most common APIs, so I can at least block JS for most scenarios.
I have tried using wildcards (*) but this didn't have any effect.
Any help would be really really appreciated. Thanks in advance
Answers (7)
Posted by:
y2k
14 years ago
Hi All
Well, after some more googling and a bit of tweaking of my search, I managed to find this article:
http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blacklist-framework.html
Well, at least I'm not going mad! It seems there isn't any definite list of what should be blacklisted etc. But thankfully the link above has some really useful info on what APIs should be blocked as well as some sample PDF docs you can use to check if your blacklist is working or not.
I'm planning on testing it in the next few days, so once I've tried it out, I'll post back.
Posted by:
joedown
14 years ago
Since version 8.0 we have disabled JS in Adobe Reader. Yes, this does break some functionality, but we find it better to be a little inconvenienced than to clean up compromised workstations. The user cannot go into settings and recheck the box to enable JS either. In fact we only deploy the following plugins: Search.api, Search5.api, and SendMail.api. Of course, probably a better solution would be to use an alternative PDF viewer that is a little less bloated.
Posted by:
y2k
14 years ago
Hi Joe
Wow, how have you done that? With a reg entry? In the past, I've tried moving the entry from HKCU into a policies hive, and also into HKLM, but neither was effective in disabling JS. Would you mind letting me know how you did it?
As for configuring the JS BlackList Framework, it was quite simple really and seems to work fine. I understood from the documentation that the user should get a prompt to enable JS just for that document, but I don't get that. I think maybe I need to configure some locations in the WhiteList for that to work perhaps.
Also, the blog points out a potentially very big "gotcha" - the reg keys and entries are case sensitive. The documentation I had from Adobe said to create a REG_SZ key entry called tBlacklist - but in actual fact, it has to be called tBlackList.
Posted by:
joedown
14 years ago
Simple really, do not include the escript.api in your deployment. Now there are a few other plugins you will have to remove as well or you will get plugin errors when launching Adobe Reader. All done in a transform of course. We've been doing this since version 9.0 without a problem. Oh, and the size of Adobe's Acrobat Reader 9.3 installer is now 30Mb once you trim some of the fat.
ORIGINAL: y2k
Hi Joe
Wow, how have you done that? With a reg entry? In the past, I've tried moving the entry from HKCU into a policies hive, and also into HKLM, but neither was effective in disabling JS. Would you mind letting me know how you did it?
Posted by:
anonymous_9363
14 years ago
Posted by:
joedown
14 years ago
Posted by:
anonymous_9363
14 years ago
The registry APIs don't care about case. HKLM\Software\Whoever\WhateverProduct\ThisRegistryKey will be treated exactly the same as HKLM\sOFTWARE\wHOEVER\wHATEVERpRODUCT\tHiSrEgIsTrYkEy.
It's entirely possible that Adobe's code cares about the case of the *data* retrieved from a value but while, as I say, it wouldn't surprise me if they were using their own registry access routines, they'd have to be monumentally stupid to do so.
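An audit check for the two lockdown approaches discussed in this thread, added here as an example that is not from any poster or from Adobe: it reports the exact stored case of the blacklist value name (registry lookups ignore case, but the name is stored case-preserved) and whether escript.api is still deployed. The function name is hypothetical, and the registry key path and install folder are parameters because the thread does not give them.

```powershell
# Added example (not from the thread). $KeyPath and $InstallRoot must be supplied
# by the caller; the thread states neither, so nothing is hard-coded here.
function Test-ReaderJsLockdown {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,      # registry key holding the blacklist value
        [Parameter(Mandatory)] [string] $InstallRoot,  # Reader installation folder
        [string] $ExpectedName = 'tBlackList'          # exact case reported in the thread
    )

    $names = @()
    if (Test-Path -LiteralPath $KeyPath) {
        # GetValueNames() returns the names exactly as stored, case preserved.
        $names = @((Get-Item -LiteralPath $KeyPath).GetValueNames())
    }

    # -ceq compares case-sensitively; -ieq ignores case, as registry lookups do.
    $exact    = @($names | Where-Object { $_ -ceq $ExpectedName })
    $miscased = @($names | Where-Object { $_ -ieq $ExpectedName -and $_ -cne $ExpectedName })

    $data = $null
    if ($exact.Count -or $miscased.Count) {
        # Resolves under either spelling because the registry API ignores case.
        $data = (Get-Item -LiteralPath $KeyPath).GetValue($ExpectedName)
    }

    # Plugins actually present on disk; escript.api is the one joedown leaves out.
    $plugins = @(Get-ChildItem -LiteralPath $InstallRoot -Recurse -Filter '*.api' -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        ValueStoredExactCase = [bool]$exact.Count
        MiscasedNames        = $miscased
        BlacklistData        = $data
        EScriptPresent       = [bool]($plugins | Where-Object { $_ -ieq 'escript.api' })
        Plugins              = $plugins
    }
}
```

Run it with a `Registry::` or `HKLM:` provider path for `-KeyPath`; a non-empty `MiscasedNames` means the value exists but not in the case the thread says Reader expects.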
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.