Update: I have since reposted this article with new registry keys that make configuring the Adobe updater a lot easier. Check it out at http://www.grouppolicy.biz/2010/06/updated-how-to-make-adobe-reader-more-secure-using-group-policy/
Recently there have been a number of critical security issues that have been associated with Adobe Reader (see below).
To see a complete list of current updates for Adobe Reader (all current versions) on Windows go to http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
This has left IT administrators with a bit of a nightmare as to how to keep Reader secure, as Adobe don’t have wonderful tools such as Group Policy, Windows Update, WSUS and SCCM to manage their patch deployment.
To disable this option, edit a Group Policy Object (GPO) that is targeted at the user accounts. Once you have opened the GPO in the Group Policy Management Editor, go to User Configuration > Preferences > Windows Settings > Registry, then go to Action > All Tasks > Add and configure a new Registry setting (as per image below).
The key to update is:
Key: HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs
Value: bEnableJS (REG_DWORD)
Data: 0 (zero)
Note: If you don’t want this option to be turned off again once a user has re-enabled it, then tick the “Apply once and do not reapply” option in the “Common” tab (see image 3). This will change the registry key only once, making it more of a default setting than an enforced one.
Image 3. Apply once and do not reapply
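To confirm that the preference item actually landed, and to spot users who have switched the setting back on after an "Apply once" deployment, the value can be read back in the user's context. The script below is an added example and not part of the original article; the function name Get-ReaderJsState is hypothetical, and scanning every version subkey (rather than only 9.0) is a generalisation of the key shown above.

```powershell
# Added example: audit the bEnableJS value for the current user.
# The "9.0\JSPrefs" path and the bEnableJS value name come from the article;
# enumerating all version subkeys is an assumption made for this sketch.
$ReaderRoot = 'HKCU:\Software\Adobe\Acrobat Reader'

function Get-ReaderJsState {
    param([string]$Root = $ReaderRoot)

    if (-not (Test-Path -LiteralPath $Root)) {
        return @()   # no Reader settings exist for this user yet
    }

    foreach ($versionKey in Get-ChildItem -LiteralPath $Root) {
        $prefs = Join-Path $Root (Join-Path $versionKey.PSChildName 'JSPrefs')
        $value = $null
        if (Test-Path -LiteralPath $prefs) {
            $item  = Get-ItemProperty -LiteralPath $prefs -Name 'bEnableJS' -ErrorAction SilentlyContinue
            $value = $item.bEnableJS
        }

        # 0 is the value the GPO preference item writes; anything else,
        # or no value at all, means the setting is not in the hardened state.
        $state = if ($null -eq $value) { 'NotConfigured' } elseif ($value -eq 0) { 'Disabled' } else { 'Enabled' }

        [pscustomobject]@{
            User    = $env:USERNAME
            Version = $versionKey.PSChildName
            Value   = $value
            State   = $state
        }
    }
}

$results = @(Get-ReaderJsState)
$results | Format-Table -AutoSize

# Exit 1 when any version key is not explicitly set to 0, so the script can
# feed a logon script or monitoring agent; exit 0 otherwise.
if ($results | Where-Object { $_.State -ne 'Disabled' }) { exit 1 } else { exit 0 }
```

Because the key lives under HKCU, the script has to run as the user being checked, for example from a logon script.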
Configuring Automatic Update for Adobe Reader
Adobe has also added an “Automatically install updates” feature (see image 4) with the release of Adobe Reader 9.2.0. However, at the time of writing the new version, Adobe Reader 9.3.0, is out and for some reason it is not automatically updating. So maybe there is a little more work to go here for Adobe.
Image 4. Adobe Reader Updater Preferences
If you do want to experiment with configuring this option via group policy then you need to run the following command on the computer in the context of the system account.
"C:\Program Files\Common Files\Adobe\ARM\1.0\ReaderUpdater.exe" /ArmPrefs /MODE:3
Note: You need to use “Program Files (x86)” if you are running a 64-bit version of Windows.
You can do this by using the “New Immediate Task” option under Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks in the Group Policy Management Editor.
So good luck with securing Adobe Reader in your organisation, as it’s certainly a front that IT administrators need to focus more upon. As McAfee Labs have said, “Adobe product exploitation will likely surpass that of Microsoft Office applications in 2010.”