Adobe, Make My Day Too….

Marketing hate it when I refer to competitor blogs, but Sophos' Vanja Svajcer, while discussing Adobe's accelerated security update (good move, guys!), makes a point that's worth three hearty cheers and a quote.

If nothing else, JavaScript should be disabled by default in Adobe Reader.

Go on Adobe, make my day.

Yesssssss!!!!

Though I'd settle for a slightly shorter step towards sanity.

Adobe, when I disable JavaScript, STOP SILENTLY RE-ENABLING IT WHEN YOU UPDATE (yes, I realize that this is because it's restoring defaults, so it's practically the same point: the point is that a sane update takes customizations into account).

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Author David Harley, ESET

  • Leo Davidson

    Adobe Reader's Javascript setting remained off for me after I installed the latest update and rebooted. I don't know why it would be different for me.
    (I used its update checker, rather than downloading the installer, but that can't be the difference as Adobe still have the old 9.3.0 installer — missing multiple security updates and full of vulnerabilities — on their website. As usual, you can only get a fully-patched Adobe Reader by installing it and then *manually* updating it (and then rebooting an extra time). Adobe's attitude to security is shameful. They can't even be bothered updating a file on a website, and it's not like Adobe Reader verifies that it's up-to-date when you install it. Adobe are pathetic.)
    Going back to Javascript in Adobe Reader: It shouldn't be off by default; it shouldn't even exist.
    Same with Flash-in-PDF and video-in-PDF. (What are Adobe doing, looking for all the things famous for security flaws — PDF, Javascript, Flash, video — and combining them, unnaturally, into a single product nobody actually wants?)
    PDF is a great format for storing pieces of paper but it perplexes me why anyone would put anything interactive into a PDF and I've yet to encounter anyone doing so (which supports the case that these security-risky features are esoteric and should not be enabled by default, if included at all). If you expect people to view a document on a computer screen, PDF is a stupid format to use. (Documents aimed at computer screens suffer from page breaks, headers, footers, stupid sized fonts, excessive margins, poor scrolling, zoom and selection mechanics… the list goes on.)
    Oh well… At least Adobe are releasing security updates more frequently now. Much better than when their idea of a fast response was waiting three months. And at least they took the fix I made for their 64-bit preview handler and integrated it into their installer (albeit in a half-wrong way, and still not fixing the thumbnail support like I also did for them). They've definitely got some serious problems in their management and/or development teams, though.

Copyright © 2014 ESET, All Rights Reserved.