Hey, did you hear that there is a new vulnerability in Acrobat Reader?
Really? I'm shocked. No, wait, I'm being sarcastic. There is a new vulnerability in Acrobat Reader every day. I'm starting to really want to hurt the people who wrote that software. I guess I'll just have to set the killbit for the Acrobat Plugin.
That only works for Internet Explorer. Killbits only work for ActiveX.
Damn it! I'll think of something. Hmm, it looks like there is a Registry key that we can deploy via GPO that will keep Acrobat Reader from launching in a web page. At least that way a malicious web page can't use this vulnerability to take over a computer without running a PDF file on purpose.
That only works in Internet Explorer.
What? Why?!
Chrome and Firefox use the NPAPI plug-in. For those browsers the PDF will still launch, it will just launch outside the browser.
Son of a ***! Well, on the bright side, we have been upgrading to Windows 7 64-bit, so we have ASLR enabled.
This vulnerability bypasses ASLR because Adobe disabled it in their DLL.
I'm starting to feel the need to go smash something. Let me think. Okay, so Chrome has support for enterprise management GPOs. We can block the Reader plug-in on our network and just tell people to use the Google Docs extension.
What about Firefox?
I'm sure there must be a way to manage Firefox.
Of course there is. Just write a script that edits the userprefs.js file.
It sounds a little kludgy, but I can do that.
But Firefox recommends against it.
Son of a motherless goat! It's time for the nuclear option. I'm going to set a Deny All ACL on the plug-in's DLL file.
If you do that, then the next time you try to apply a patch for Acrobat, it will probably fail, and you'll waste time troubleshooting it.
That's fine with me. By the time that becomes a problem I will have turned in my resignation.