SOFTWARE PATCH VENDOR Adobe has been issued an ultimatum by insecurity software company Sophos. Conjuring the spirit of Dirty Harry, Sophos principal virus researcher Vanja Svajcer asks Adobe to disable JavaScript and make his day.
Svajcer blogs that most malicious payloads that cause security vulnerabilities in "booby-trapped" PDFs are created using JavaScript code.
"The common thread in most, if not all, Adobe exploits is the requirement for JavaScript as exploits will work correctly only if JavaScript is enabled," said Svajcer.
"This is why we recommend all users disable JavaScript in Adobe Acrobat and Reader."
Svajcer goes one further and reckons it's time for Adobe to run an entire security reboot.
"It may be a good time for Adobe to go through a security push to overhaul the approach to building in security to their products."
That JavaScript has become public enemy number one is no fault of Adobe. It has been targeted by the hackerati because most Web 2.0 browsers support it. While everyone uses it, Adobe is taking the flak because most people can't operate online without sometimes using an Adobe product that uses JavaScript. It's the economics of popularity.
However, Adobe has JavaScript turned on by default in its PDF software products but has also asked punters to disable JavaScript to prevent zero-day PDF attacks, so it has shot itself in the foot.
We reported last week that Adobe published out of cycle patches to plug more critical vulnerabilities in its Reader and Acrobat products. µ