Adobe: Lessons Not Learned

One of my all-time favorite quotes is "Those who cannot remember the past are condemned to repeat it." George Santayana said this in The Life of Reason or The Phases of Human Progress: Reason in Common Sense 284 (2nd ed., Charles Scribner’s Sons, New York, New York 1924) (originally published 1905 Charles Scribner’s Sons) (appears in chapter XII, "Flux and Constancy in Human Nature") if is to be believed :)

Winston Churchill is credited with a derivative of it that says “Those that fail to learn from history, are doomed to repeat it.” Either way, Adobe seems to not be able to remember the past or learn from it.

The addition of JavaScript to Acrobat vastly increased the attack surface of Acrobat documents. Microsoft learned about the power of macros many years ago and effectively disabled macros in Word, unless a user deliberately turns them on. Adobe, on the other hand, enables JavaScript, arguably as powerful as macros, and does not notify the user of the vastly increased vulnerability they have just been exposed to.

When a user disables JavaScript and opens a PDF with JavaScript in it, they are prompted to allow it to run, and there is a check box to always allow it to run. The option should conspicuously indicate that this is the option of least security.
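A way to check whether a PDF carries JavaScript or an automatic action before it is opened, as an added example that is not part of the original post and not an Adobe or ESET tool. It counts the PDF dictionary keys /JS, /JavaScript, /OpenAction and /AA, undoing #xx escapes in names and inflating Flate-compressed streams; the sample fragments are constructed, and encrypted files or other stream filters are not handled.

```python
import re
import zlib

# PDF dictionary keys that mark embedded script or automatic actions.
KEYS = (b"JS", b"JavaScript", b"OpenAction", b"AA")
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def decode_name(raw: bytes) -> bytes:
    """Undo #xx hex escapes, so /J#61vaScript is read as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def scan_pdf(data: bytes) -> dict:
    """Count script-related keys in the raw bytes and in inflated streams."""
    chunks = [data]
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes before endstream
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # stream is not Flate-compressed
    counts = dict.fromkeys(KEYS, 0)
    for chunk in chunks:
        for m in NAME_RE.finditer(chunk):
            name = decode_name(m.group(1))
            if name in counts:
                counts[name] += 1
    return {k.decode(): v for k, v in counts.items()}

def contains_javascript(data: bytes) -> bool:
    counts = scan_pdf(data)
    return counts["JS"] > 0 or counts["JavaScript"] > 0

# Constructed sample fragments (not complete, renderable PDFs).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\n"
                   b"endobj\n3 0 obj\n<< /S /J#61vaScript /JS (app.alert(1);) >>\n"
                   b"endobj\n")
SAMPLE_COMPRESSED = (b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\n"
                     b"stream\n"
                     + zlib.compress(b"<< /S /JavaScript /JS (app.alert(1);) >>")
                     + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, sample in [("plain", SAMPLE_PLAIN), ("scripted", SAMPLE_SCRIPTED),
                          ("compressed", SAMPLE_COMPRESSED)]:
        print(label, scan_pdf(sample))
```

A nonzero /OpenAction or /AA count alongside /JS means the script can be triggered when the document is opened or a page is viewed, which is the case that matters for mail and web gateways.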

Microsoft recently announced that they will disable autorun on USB devices for Windows 7, Vista, and XP. Autorun is yet another autoinfect mechanism, much like JavaScript in PDF. As Microsoft improves security, Adobe plods along, failing to learn the lessons of the macro virus.

At one time Acrobat was the secure alternative to Word. Today it is not the case at all.

Randy Abrams
Director of Technical Education

Author , ESET
