The Inquirer-Home

Sophos wants Javascript disabled in Adobe products

Go ahead Adobe, make my day
Thu Jul 01 2010, 13:00

SOFTWARE PATCH VENDOR Adobe has been issued an ultimatum by insecurity software company Sophos. Conjuring the spirit of Dirty Harry, Sophos principal virus researcher Vanja Svajcer asks Adobe to disable Javascript and make his day.

Svajcer blogs that most malicious payloads that cause security vulnerabilities in "booby-trapped" PDFs are created using Javascript code.

"The common thread in most, if not all, Adobe exploits is the requirement for JavaScript as exploits will work correctly only if JavaScript is enabled," said Svajcer.

"This is why we recommend all users disable JavaScript in Adobe Acrobat and Reader."

Svajcer goes one further and reckons it's time for Adobe to run an entire security reboot.

"It may be a good time for Adobe to go through a security push to overhaul the approach to building in security to their products."

That Javascript has become public enemy number one is no fault of Adobe. It has been targeted by the hackerati because most Web 2.0 browsers support it. While everyone uses it, Adobe is taking the flak because most people can't operate online without sometimes using an Adobe product that uses Javascript. It's the economics of popularity.

However, Adobe has Javascript turned on by default in its PDF software products but has also asked punters to disable Javascript to prevent zero-day PDF attacks, so it has shot itself in the foot.

We reported last week that Adobe published out of cycle patches to plug more critical vulnerabilities in its Reader and Acrobat products. µ

 
