SOFTWARE PATCH VENDOR Adobe has been issued an ultimatum by insecurity software company Sophos. Conjuring the spirit of Dirty Harry, Sophos principal virus researcher Vanja Svajcer asks Adobe to disable Javascript and make his day.
Svajcer blogs that most of the malicious payloads in "booby-trapped" PDFs that trigger security vulnerabilities are written in Javascript code.
"The common thread in most, if not all, Adobe exploits is the requirement for JavaScript as exploits will work correctly only if JavaScript is enabled," said Svajcer.
"This is why we recommend all users disable JavaScript in Adobe Acrobat and Reader."
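As an added example (not from Sophos, Adobe or the article), the check below shows how a defender can triage PDFs for the JavaScript-bearing content Svajcer is describing: it scans a file for the PDF name tokens that carry or auto-trigger active content (/JavaScript, /JS, /OpenAction, /AA, /Launch) and decodes the #xx hex escapes that PDF names allow, so a name written as /J#61vaScript is still recognised. The two sample documents are constructed inline for the example; the suspicious-name list and the classification labels are this example's own choices, not anything the page or Adobe defines.

```python
import re

# Name tokens that introduce or auto-fire active content in a PDF.
# Constructed list for this example; not an official Adobe or Sophos list.
SUSPICIOUS_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch"}

# A PDF name starts with '/' and runs until whitespace or a delimiter.
# '#' is allowed inside the token because names may hex-escape characters.
NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}%]+)")


def decode_pdf_name(raw: str) -> str:
    """Decode #xx hex escapes in a PDF name, e.g. 'J#61vaScript' -> 'JavaScript'."""
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count suspicious name tokens in the raw (uncompressed) bytes of a PDF.

    Limitation: names inside FlateDecode or other compressed object streams
    are not visible to this scan; a full triage tool must inflate streams first.
    """
    counts = {}
    for match in NAME_TOKEN.finditer(data):
        name = decode_pdf_name(match.group(1).decode("latin-1"))
        if name in SUSPICIOUS_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


def classify(counts: dict) -> str:
    """Turn token counts into a coarse triage label (labels are this example's own)."""
    has_js = bool(counts.get("JavaScript") or counts.get("JS"))
    auto_trigger = bool(counts.get("OpenAction") or counts.get("AA"))
    if has_js and auto_trigger:
        return "javascript-on-open"      # script wired to run when the file opens
    if has_js:
        return "javascript-present"      # script exists but needs a user action
    if auto_trigger or counts.get("Launch"):
        return "active-content"          # no JS, but auto actions or launch entries
    return "no-active-content"


def scan_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify(scan_pdf_bytes(fh.read()))


# Constructed sample: a minimal PDF whose catalog fires a JavaScript action on open,
# with the action name hex-escaped the way evasive samples sometimes write it.
SAMPLE_ACTIVE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /#4Aava#53cript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same skeleton with no active content at all.
SAMPLE_PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("active", SAMPLE_ACTIVE_PDF), ("plain", SAMPLE_PLAIN_PDF)):
        counts = scan_pdf_bytes(sample)
        print(label, counts, classify(counts))
```

The hex-escape decoding is the part worth keeping: a scan that only greps for the literal string "/JavaScript" misses a file that spells the same name as /#4Aava#53cript, which the PDF reader treats identically. The scan is a triage heuristic, not a verdict; a document that legitimately uses form scripting will also be flagged, which is the same trade-off Svajcer's advice to disable JavaScript makes.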
Svajcer goes one further and reckons it's time for Adobe to run an entire security reboot.
"It may be a good time for Adobe to go through a security push to overhaul the approach to building in security to their products."
That Javascript has become public enemy number one is no fault of Adobe. It has been targeted by the hackerati because most Web 2.0 browsers support it. While everyone uses it, Adobe is taking the flak because most people can't operate online without sometimes using an Adobe product that relies on Javascript. It's the economics of popularity.
However, Adobe has Javascript turned on by default in its PDF software products while also asking punters to disable Javascript to prevent zero-day PDF attacks, so it has shot itself in the foot.
We reported last week that Adobe published out-of-cycle patches to plug more critical vulnerabilities in its Reader and Acrobat products.
Removing javascript everywhere would be the "death nail" in a lot of sites, from large commercial sites to small one-man blogs. The one-man blogs that chug away on Google Adsense revenue wouldn't work (Adsense works on Javascript), and larger sites (such as the Inquirer) rely on ad serving, which uses Javascript tags. Clients are being ever more demanding of what they want from their advertising, and whereas even 5 years ago you could get away with a static ad, clients want video and funky rich media stuff, and if you as a site say no, another site will say yes.
Unless alternative "non javascript" technologies become the norm, publishers will have no option but to carry on, potentially blocking users who choose to have javascript disabled (which some sites do already).
Get rid of it entirely, I say. For now, stop it with NoScript whenever possible. I know that those who derive income from annoying me with javascript "features" will be apoplectic, but client-side processing has always been a stupid idea for a start, *can't* be made *trustworthy*, enables malware attacks and facilitates tracking. Javascript is *never* necessary. Just show me static ads, and concoct your web pages to have buttons that pass info for processing at *your* end.