Earlier this month, the computers I’m responsible for were being hit hard by the XP Internet Security 2010 FakeAV that I posted about previously. A few computers each day would get infected. A lot of it was caused by the users veering off to visit non-work-related sites. I was already deploying the latest Java and Adobe Flash through Group Policy to all of my computers but I had only deployed Adobe Reader to recently provisioned machines. After the ad-delivered malware was wreaking havoc on my network and all the infected machines I dealt with were found to be running an out-of-date Adobe Reader, I deployed Adobe Reader 9.3.1 (made using this method) to all of my computers. Interestingly enough, the infections dropped down from several each day to zero. Of course, I had not deployed Adobe Reader to all of the computers for a reason and it didn’t exactly go off without a hitch, but I’d rather deal with those problems than the malware cleanups.
C|NET wrote a story about malware being delivered via website ads on Monday. This is a topic I’ve been closely following since late January when the problem was rumored to be going around, but I wasn’t able to corroborate it with my own limited research. Avast had a blog article up in February that explained how Javascript code embedded in malicious ads tried to launch attacks using exploits in Adobe Reader/Adobe Acrobat. The results seems more than coincidental. It also seems to allay the possibility that the malware campaign might have subsided or people only visited work-related websites and more like the updated Adobe Reader foiled the infection attempts from my experience.
I used the Adobe Customization Wizard to configure the install to make Adobe Acrobat the default viewer if it was installed. One of the problems I ran into after deploying Adobe Reader 9.3.1 was that those computers with older versions wouldn’t quite uninstall cleanly. In those situations, the computer wouldn’t know what application it was supposed to use in order to open a PDF. Thus my users would try to open a PDF in their browser and would receive this error:
“The Adobe Acrobat/Reader that is running cannot be used to view PDF files in a web browser. Adobe Acrobat/Reader version 8 or 9 is required. Please exit and try again.”
Users with (deployed) Adobe Acrobat had no problems opening PDFs and those that didn’t have a previous version on their computer also didn’t have a problem. I found the solution to this problem to be Solution 2 in Adobe’s Knowledge Base article on the error. Even with that information, I didn’t have a great way to install the fix across hundreds of computers. I made this batch script to add the necessary registry key:
IF NOT EXIST "C:program filesadobeAcrobat 9.0AcrobatAcrobat.exe" REG ADD HKCRSoftwareAdobeAcrobatExe /ve /t REG_SZ /d ""C:Program FilesAdobeReader 9.0ReaderAcroRd32.exe"" /f
I then used Windows Installer Wrapper Wizard to wrap the batch script into this .msi file and deployed it along with the Adobe Reader group policy. After any computer receiving this error message restarted, they were able to open PDFs just fine. To use: Download the batch script and the .msi file and put them in the same directory. Then deploy the .msi file like normal through a group policy.
A couple of weeks have gone by and there has not been a single infection across our hundreds of computers. I guess the moral of the story is, keep your Adobe Reader/Acrobat, Flash, and Java up to date to avoid infections. I believe the saying goes, “An ounce of prevention is worth a pound of cure.”