Security commentators claim that Adobe should disable JavaScript in Adobe Reader

News by Dan Raywood

Adobe has been praised for its more frequent patching, but requests have been made for it to disable JavaScript by default in Adobe Reader.

Adobe has been praised for its more frequent patching but requests have been made for it to disable JavaScript by default in Adobe Reader.

Sophos principal virus researcher Vanja Svajcer praised Adobe, claiming that it was ‘obvious' that Adobe was doing more to address vulnerabilities found in its product, especially since it rolled out patches two weeks ahead of schedule earlier this week.

However he claimed that Adobe should disable JavaScript by default in its Reader software, as the main vulnerability that was patched affected Adobe Flash and the main vehicle for delivering malicious payloads were PDF files.

He said: “A booby-trapped PDF file would contain a Flash animation which would trigger the vulnerability, JavaScript code which would be used to create memory layout to allow the exploit to successfully launch shellcode and ultimately, an encrypted executable payload which would deliver the final functionality.

“This exploit is more complex than the usual exploits we have become used to in the last few years and it may mark a new trend in the direction of writing exploits and shellcode.”

He also commented that the high number of patched vulnerabilities indicates that it may be a good time for Adobe to go through a security push to overhaul the approach to building in security to their products.

“Microsoft already went through a similar exercise and the result shows as the vulnerabilities are getting more difficult to discover and exploit. If nothing else, JavaScript should be disabled by default in Adobe Reader,” he said.

The request was echoed by David Harley, director of malware intelligence at ESET, who claimed that Svajcer made a point ‘that's worth three hearty cheers and a quote'.

He said: “Adobe, when I disable JavaScript, stop silently re-enabling it when you update (yes, I realise that this is because it's restoring defaults, so it's practically the same point: the point is that a sane update takes customisations into account).”

One person commenting on Harley's post said that JavaScript should not be off by default in Adobe Reader; it shouldn't even exist.

They said: “PDF is a great format for storing pieces of paper but it perplexes me why anyone would put anything interactive into a PDF and I am yet to encounter anyone doing so (which supports the case that these security-risky features are esoteric and should not be enabled by default, if included at all).

“If you expect people to view a document on a computer screen, PDF is a stupid format to use. (Documents aimed at computer screens suffer from page breaks, headers, footers, stupid sized fonts, excessive margins, poor scrolling, zoom and selection mechanics… the list goes on.)”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews