Comments on: Adobe: Wake Up & Smell the Javascript
http://www.welivesecurity.com/2009/04/28/adobe-wake-up-smell-the-javascript/
News, Views, and Insight from the ESET Security Community
Mon, 03 Feb 2014 08:49:00 +0000

By: Ahmed Ghanem http://www.welivesecurity.com/2009/04/28/adobe-wake-up-smell-the-javascript/#comment-1742 Sat, 02 May 2009 12:07:02 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-1742
Yes, I actually see your point, I guess Adobe and Microsoft are all alike, I wonder if it’d take Adobe that much time to patch this vulnerability as it took Microsoft to begin considering to patch Autorun, really annoying though when you know you’re safer using another product and so…

I really like the Eset Threat Center blog, it keeps me always updated with most wide-spread threats, keep up the good work here guys :D

By: David Harley http://www.welivesecurity.com/2009/04/28/adobe-wake-up-smell-the-javascript/#comment-1741 Sat, 02 May 2009 08:39:07 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-1741
Hi, Ahmed. What I meant by “have no use for” was that I create PDFs for a number of different purposes, and PDF/A wouldn’t suit them all, while the export process involves taking several steps that I’d rather not be bothered with. I can certainly see that for some people, changing the defaults for “Create PDF” would make sense. In which case, if you then received a PDF that triggered a prompt, that might actually be a useful indicator of danger, if the message wasn’t so misleading (i.e. didn’t tell you that there are scripts present when there aren’t). Depending on how many other people made the same choice.

I suppose my real gripe is that the quick and simple format isn’t… This is actually starting to annoy me so much that I’m considering reading the manual. ;-)

By: Ahmed Ghanem http://www.welivesecurity.com/2009/04/28/adobe-wake-up-smell-the-javascript/#comment-1740 Sat, 02 May 2009 06:48:52 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-1740
David: well I don’t see any use exporting my documents as PDFs using 1.6 or 1.7 specifications, if I don’t need javascript or encryption, and the message doesn’t show mainly because javascript is prohibited in PDF/A files so I’d recommend anyone to convert his documents to the PDF/A for a while till this vulnerability gets patched, and I’m not excluding switching to another product as well.

By: David Harley http://www.welivesecurity.com/2009/04/28/adobe-wake-up-smell-the-javascript/#comment-1739 Thu, 30 Apr 2009 18:37:15 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-1739
@Sean: yes, I’ve seen similar approaches suggested elsewhere. I should try it, in my copious free time. Thanks.

@Ahmed: thanks. I’d forgotten PDF/A, as I have no use for it, generally.

@Kim: thanks. You’re absolutely right: that’s the primary use for it. I’d still suggest turning it off when you’re not generating forms, if you can stand the nag messages. Incidentally, I read today on a mailing list that if you keep it disabled on such a form, you’ll get the message every time you access a field, not just when you open the document. I haven’t tried it.

By: Kirn Gill http://www.welivesecurity.com/2009/04/28/adobe-wake-up-smell-the-javascript/#comment-1738 Wed, 29 Apr 2009 20:49:40 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-1738
The point of JavaScript in PDF files was to generate “smart forms”, that could include sanity checks against the data entered into the form. This would be useful for tax forms, while still maintaining the 1:1 electronic analogue with paper documents.

By: Ahmed ghanem http://www.welivesecurity.com/2009/04/28/adobe-wake-up-smell-the-javascript/#comment-1737 Wed, 29 Apr 2009 12:15:52 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-1737
Well it was a year ago when I began considering alternatives to Adobe, and I’m already using some other product [won’t mention the name as it’d be considered publication] and it’s not Foxit Reader as its text rendering is awful.

Anyway regarding your note about the vulnerability and the message that shows up, it doesn’t occur with all PDFs, well at least not with the ones that are created according to the PDF/A specification.

By: Sean http://www.welivesecurity.com/2009/04/28/adobe-wake-up-smell-the-javascript/#comment-1736 Tue, 28 Apr 2009 15:18:39 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-1736
To avoid this stupid warning, I used a GPO and Policy Maker to disable javascript in PDF companywide. I’ve got Adobe Reader currently on the THREE STRIKES. Last issue was strike one, two more and it’s gone.

Remember when the advantage to PDF was that it just displayed a page like you intended for it to look in print?

If I wanted javascript, I would release my documents as web pages.
