Create the Logon Scripts

The registry keys that affect these security settings are under HKEY_CURRENT_USER, which means the simplest way to change them is when the user logs on. This also has the advantage of resetting the values at each logon.

The JavaScript script is based on this post in the independent Acrobat Users forum; see this Adobe document for more information. You do lose the ability to fill in PDF forms if JavaScript is disabled, but Reader prompts you to re-enable for a form (not always desirable in my opinion). The /Launch script is based on this Adobe blog post. Please read the scripts and make sure they do what you want to do; use them at your own risk.

These scripts are designed to create or change the registry keys for both Adobe Reader and Adobe Acrobat, versions 6.0 through 9.0. Yes they create more registry keys than you need, but that doesn’t hurt anything. Don’t use spaces the the file names or the Group Policy Object shown below won’t work. You can copy and paste the files below, or download them as a zip file:  Adobe_Security_Scripts.zip (646.00 bytes). (If you download, make sure you can open them without prompting, as they will be flagged as coming from the Internet.)

Disable_Adobe_Javascript.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\6.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\7.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\6.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

Disable_Adobe_Launch.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\6.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\7.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\6.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

Create the Group Policy Object

1. Copy the files above to your domain controller’s \\SysVol\domainname.local\scripts folder.
2. Create a new Group Policy Object called Adobe Security and link it to the root of the domain, or to an OU that affects all computers (assuming Adobe Reader runs on servers and clients).
3. Edit the GPO. Under User Configuration > Windows Settings > Scripts, create two Logon “scripts”. Note the use of the /s (“silent”) parameter, which makes the change without asking the user to confirm it.

   Script Name:  regedit.exe
   Script Parameters:  /s \\domainname.local\SysVol\domainname.local\scripts\Disable_Javascript.reg

   Script Name:  regedit.exe
   Script Parameters:  /s \\domainname.local\SysVol\domainname.local\scripts\Disable_Launch.reg

   

4. Test the GPO by logging on to a client machine. Open regedit and check the HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader and HKEY_CURRENT_USER\Software\Adobe\Acrobat Acrobat keys. Open Adobe Reader, go to Edit > Preferences, and check the JavaScript and TrustManager options.

The Easy Part:  Patching to 9.1.1

I applied for a license to redistribute Adobe Reader, and (woo-hoo!) my application was accepted. I feel so special! The good thing about this is that you get links and instructions about how to create a Reader installer that excludes Adobe AIR and Acrobat.com using the Adobe Customization Wizard.

Following the example in this article, I was able to include the patch to 9.1.1 by simply adding this line to the setup.ini:

PATCH=AdbeRdrUpd911_all_incr.msp

Once that was done, I had a setup package that I could run on any computer to upgrade it to Adobe Reader 9.1.1. Earlier versions were uninstalled automatically as necessary.

The Hard Part:  Getting to 9.1.3

That blissful state of affairs only lasted a couple months. Now that yet another critical vulnerability is being exploited, Adobe got back on my radar last week with the release of 9.1.3. (I had missed 9.1.2, which I later learned was a quarterly patch as opposed to a security patch.)

So, time to update 9.1.1 to 9.1.3. How hard could it be?

Plenty hard.

The main problem is that, as explained in this TechNote, Adobe does not allow you to apply a quarterly patch to Reader if the most recent patch was a security patch. That’s right:  if you keep your software up to date with security patches, you have to do a reinstall to get to the next quarterly patch, which is in turn the prerequisite for the next security patch.

The secondary problem is that quarterly patches apparently cannot be applied with the PATCH= line; they must be applied using MS installer  patching techniques. That at least seems to be the gist of this thread. I’m indebted to TTEConline, who in post #37 of that thread sent me in the right direction for the MSI install.

These rather astonishing limitations led me to what feels like a very cobbled-together approach to patching Reader. But here is what worked this time:

1. Download standard Reader 9.1 (without AIR) for Windows XP SP3 and Vista from the secret link Adobe sends you.
2. Extract with this command:
   AdbeRdr910_en_US.exe -nos_ne -nos_o"CustomAcroRead911"
3. Downloaded Reader 9.1.2 quarterly update (includes 9.1.1 security patch) and the new 9.1.3 security patch.
4. Run the following command to patch your Administrative Install Point (AIP) to 9.1.2:
   msiexec /a AcroRead.msi /p AdbeRdrUpd912_all_incr.msp
   When prompted, direct the output to the “PatchedTo912″ subdirectory, which it will create for you. Note that this modifies AcroRead.msi to be version 9.1.2.  Supposedly data1.cab is no longer needed, but I got install errors without it.  However, it’s okay to delete the AdbeRdrUpd912_all_incr.msp file now.
5. Customize AcroRead.msi using Adobe Customization Wizard. I chose to remove the desktop icon, remove all Acrobot.com access, create a silent install (prompt user if reboot necessary), and some other stuff. Save the project, which creates the transform file AcroRead.mst and updates setup.ini to call the transform.
6. Add the following line to the setup.ini [Product] section:
   PATCH=AdbeRdrUpd913_all_incr.msp

Two-Step Deployment

Congratulations, you now have a 210MB package that will install Adobe Reader 9.1.3. But wait! That only works if the previous version was not a security patch. So it works if no Adobe Reader is present, or if 9.0.0 is present, but not if 9.1.1 is present.

Here’s what I had to do to update my 9.1.1 installations:

1. In the [Product] section of setup.ini, based on the aforementioned TechNote, change the CmdLine to read
   CmdLine=TRANSFORMS="AcroRead.mst" REINSTALL=ALL REINSTALLMODE=vomus /q
2. Apply the patch to all 9.1.1 machines. With the forced REINSTALL, it is now able to go to 9.1.2. However, the 9.1.3 patch is not applied.
3. Go back and directly apply the 9.1.3 patch as a stand-alone patch to all machines. I discovered that a Zenith job can deploy the .msp file directly using a shell execute (don't forget the /quiet parameter), but if you need to test or run from a command line, here it is:
   msiexec /p AdbeRdrUpd913_all_incr.msp /quiet

Note that if, after the update to 9.1.2, you try re-running the main install without the REINSTALL parameters, it will either fail or trigger a Repair installation, but it will not apply 9.1.3. Hence the need to patch directly.

Adobe:  We Need One Installer

It's possible that I missed something here and that there is a much easier way to do this. But judging from the Adobe forum posts, lots of people are struggling with Adobe administrative installations. It shouldn't be this hard!

By the way, Adobe Updater is not an option in a security-conscious environment where users do not have administrative privileges.

It's okay if one patch requires the previous patch to be installed, but it's not okay if one patch (9.1.2) requires that the previous patch (9.1.1) not be installed to work normally. I mean, if a security patch is there, why not just automatically do whatever you need to do to apply the next patch, whether quarterly or security?

And please, allow applying multiple quarterly and security patches in one step.

In short:  give us one installer that will always bring Adobe Reader to the latest version, no matter what is or isn't installed on a machine. And don't make it an all-day task to create the installer.

C'mon Adobe, add some intelligence to your patch mechanisms!