Set Protected View in Adobe Reader to Mitigate Zero Day Vulnerability

We’ve all heard about the Adobe Zero Day vulnerability in Acrobat and Reader. Adobe has released this document describing which changes are needed to force protected view in Adobe Reader. While we wait for Adobe to release the patch, we decided to follow their instructions on mitigating this vulnerability.

Force protected view

We’ve incorporated these steps into a single PDQ Deploy package. This package is available in our Package Library. In PDQ Deploy, select Package Library from the left pane. In the search field type “protected” and you’ll see the entry. (If you don’t see the entry, be certain that you are running PDQ Deploy 2.1 or greater and then hit F5 in your library to refresh.)

Download the free mode version of PDQ Deploy here

The Ugly Details

If you look at section 2.2.3 of the Adobe document (mentioned above) you will find what we are looking for. One registry value to rule them all. You can enable this via a GPO, but I will discuss using PDQ Deploy to push this change out to your affected computers immediately. Also, for purposes of this article I am only addressing Adobe Reader 11. The vulnerability affects Adobe Acrobat 10 and Reader 9, 10 and 11. I chose Reader 11 because it is the most recent release and also due to time constraints.

After you install PDQ Deploy, go to your Package Library node. Select the package called “Force Protected View for Adobe Reader 11”. Now, most of the packages you see do require a subscription. I took it upon myself to make this one available without a subscription (at least for the time being).

This package is very simple. It only calls a small batch file. When you deploy this package to target computers it will run this batch file which will, quite simply, check to see if Adobe Reader 11 has been installed and then add/modify the necessary registry value as described in the Adobe file mentioned above. 

Select the downloaded package (it’s under the Package folder in PDQ Deploy) and hit the Deploy… button. Select your target computers. You can manually enter the names of the computers or you can import the targets from PDQ Inventory, Active Directory, Spiceworks, etc.

If a target computer does NOT have Adobe Reader 11 then the package will fail with Error Code 2. 
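For readers who want to see what such a script involves, here is an added PowerShell example (not the batch file in the PDQ package, and not code from Adobe). It assumes the Reader 11 install key and the iProtectedView lockdown value as named in Adobe's published preference documentation; this page does not list them, so check them against section 2.2.3 of the Adobe document before use.

```powershell
# Added example: not the batch file shipped in the PDQ Deploy package.
# Assumptions (not stated on this page): the two registry paths and the value
# name iProtectedView follow Adobe's published Reader preference documentation.
# Requires PowerShell 3.0+ / .NET 4 and an elevated session.
$installPath = 'SOFTWARE\Adobe\Acrobat Reader\11.0\InstallPath'
$lockdown    = 'SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown'
$valueName   = 'iProtectedView'
$allFiles    = 2   # 0 = off, 1 = potentially unsafe locations, 2 = all files

# Reader 11 is a 32-bit application. Opening the 32-bit registry view explicitly
# makes the same paths work on 32-bit and 64-bit Windows (Wow6432Node).
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry32)

$exitCode = 0
$installed = $hklm.OpenSubKey($installPath)

if ($null -eq $installed) {
    # Mirror the package behaviour described above: exit code 2 when Reader 11 is absent.
    Write-Output 'Adobe Reader 11 not found; nothing changed.'
    $exitCode = 2
}
else {
    $installed.Close()

    # CreateSubKey opens the key if it exists and creates it otherwise.
    $key = $hklm.CreateSubKey($lockdown)
    $before = $key.GetValue($valueName)
    $key.SetValue($valueName, $allFiles, [Microsoft.Win32.RegistryValueKind]::DWord)

    # Read the value back so the deployment log shows the result, not the intent.
    $after = $key.GetValue($valueName)
    $key.Close()

    if ($null -eq $before) { $before = '(not set)' }
    if ($after -eq $allFiles) {
        Write-Output "$valueName changed from $before to $after (Protected View forced for all files)."
    }
    else {
        Write-Output "$valueName is $after after write; expected $allFiles."
        $exitCode = 1
    }
}

$hklm.Close()
exit $exitCode
```

Because the value is written under the Policies hive, users cannot switch the setting back in Reader's preferences; removing the value restores their control once the patched version is deployed.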

Deploy Status

If you want a quick refresher on how you can deploy via PDQ Deploy, check out our YouTube videos.