Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Security Chief Defends JavaScript Support

Posted by timothy on from the oh-it's-gotta-have-javascript dept.

Trailrunner7 writes "Despite the fact that the majority of [PDF-related] malware exploits use JavaScript to trigger an attack in Adobe's PDF Reader product, the company says it's impossible to completely remove JavaScript support without causing major compatibility problems. In a Q&A on Threatpost, Adobe security chief Brad Arkin says the removal of JavaScript support is a non-starter because it's an integral part of how users do form submissions. '"Anytime you're working with a PDF where you're entering information, JavaScript is used to do things like verify that the date you entered is the right format. If you're entering a phone number for a certain country it'll verify that you've got the right number of digits. When you click 'submit' on the form it'll go to the right place. All of this stuff has JavaScript behind the scenes making it work and it's difficult to remove without causing problems," Arkin explained.'"

15 of 216 comments (clear)

  1. Easy but far too simple solution by richdun · · Score: 5, Insightful

    Why not let PDFs only display documents, and rely on web forms for submitting information? No? Too simple?

    I personally have hated PDF forms for some - as a Mac user, having an OS with great PDF support built-in, but still having to use Adobe's products to use their non-standard (or newly made standard) forms implementation is a headache.

    1. Re:Easy but far too simple solution by fuzzyfuzzyfungus · · Score: 5, Insightful

      Your "solution" is only a solution if your business isn't peddling PDF software(not to mention the really expensive backendware that you have to buy from Adobe if you want to "enable your enterprise PDF form workflow" or whatever).

      There are well behaved, and standardized, subsets of PDF that are just fine. They know their place, they are a perfectly competent and pretty well supported way of slinging around documents that have to look a certain way. Outside of that, though, is the nightmare realm where Adobe just keeps cramming use cases into PDF, because PDF is what they own. Javascript, embedded Flash video, it's just a matter of time before they announce an alliance with VMware, to "Enable users to deploy entire Rich Enterprise Solution Stacks" just by emailing PDFs full of x86 virtual machines, complete with embedded video documentation, to one another...

    2. Re:Easy but far too simple solution by nametaken · · Score: 2, Insightful

      Correct. This whole problem stems from this awful idea that PDF should be more than what made it popular. Its purpose is to make sure a document looks the same for everyone, regardless of a person's installed fonts or default margins, etc.

      In a struggle to monetize the PDF format and maintain relevance Adobe keeps adding all kinds of bullshit feature bloat that doesn't catch on, BECAUSE WE DON'T WANT IT. Take form submission. How many PDF forms have you seen in the wild? I haven't seen more than two in the last ten years. Adobe isn't about to give this up though. They've committed to these BS features, they're not going away now regardless of how irrelevant or dangerous they are.

      Look into a good alternative reader. Adobe is not a customer-centric company. It never has been.

    3. Re:Easy but far too simple solution by Anonymous Coward · · Score: 1, Insightful

      Javascript, embedded Flash video, it's just a matter of time before they announce an alliance with VMware, to "Enable users to deploy entire Rich Enterprise Solution Stacks" just by emailing PDFs full of x86 virtual machines, complete with embedded video documentation, to one another...

      where is the mod for +1 "Run Screaming Into The Night"?

    4. Re:Easy but far too simple solution by nitroscen · · Score: 2, Insightful

      You should really read the posts you are replying to before bashing them. The guy was just saying it won't solve the problem. He didn't say it 'has had no impact'. He was simply stating that the solution to this problem requires some action on Adobe's part... just like how the solution to most security problems you bring up require some action on Microsoft's part.

  2. Tea and pramwiches by daeley · · Score: 5, Insightful

    "Anytime you're working with a baby pram where you're, say, also carrying diapers, our chainsaw is used to do things like verify that the Pampers fit on that little shelf underneath. If you're carrying some groceries as well, the chainsaw verifies that you don't try to fit too much on there. When you push the pram, the chainsaw makes sure you push it to the right place. All of this stuff has the chainsaw behind the scenes making it work and it's difficult to remove without causing problems," Arkin explained.

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.
  3. Simple answer by just_another_sean · · Score: 3, Insightful

    White listed docs/publishers are the only ones allowed to run JavaScript. White listing
    should be as easy as pushing a "Trust this document" or "Trust this publisher" button.

    Will it/can it be abused? Sure, but it's better then running script by default without
    user consent.

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  4. No, not a good idea at all by Nomen+Publicus · · Score: 2, Insightful

    Why does a product called "Reader" have to process user input?

  5. Re:Simple solution by fuzzyfuzzyfungus · · Score: 2, Insightful

    You can turn off javascript in Acrobat Reader.

    Every time you load a document with Javascript, you'll be warned that it may not display properly, and asked if you'd like to turn javascript back on.

    If you agree, the "on" setting sticks for subsequent documents, until you go into the menu and turn it off again.

    Can't you just taste adobe's eagerness to have you turn off javascript?

  6. Re:Why not html forms? by jbolden · · Score: 2, Insightful

    PDF is a ubiquitous format for which allows for paper like documents which requires only free software. What other format comes close.

    HTML = not remotely paper like
    forms -> typeset: not ubiquitous

    etc...

  7. PDF Javascript vs WWW Javascript by gehrehmee · · Score: 2, Insightful

    We have Javascript in web browsers, and it's rare to see vulnerabilities this rare.

    What's the difference? Is Adobe just not sandboxing Javascript code properly? I've never really used Adobe's products for this... but what's to stop them from just using an established javascript implementation like that used in Firefox or Webkit?

    --
    "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
  8. Re:Security Not the *Only* Consideration by plover · · Score: 2, Insightful

    It's obvious from this discussion that his *only* consideration is shareholder value.

    His job is to make sure that PDFs remain relevant. Adding plugins, or anything that makes people depend on PDFs, is their primary goal. Turning off features (such as disabling JavaScript) would reduce that primary goal.

    Security is valued only as long as it keeps people from complaining. He'll talk about security for hours, but in the end he has to justify whatever decisions the board told him to justify. He'd be much more effective as a security chief if he were truly autonomous, as a CxO is supposed to be.

    --
    John
  9. Re:Why not html forms? by Volante3192 · · Score: 3, Insightful

    Except HTML is dependent on margin size, available fonts, interpretation by the browser, too many tiny variables that could cause problems. Most code monkeys can't even check if their stuff works in the browser they use. Binary files like doc can be interpreted wrong if opened in a different program or even version of the same program.

    The one thing PDF does well, extremely well, is keep the document the same across platforms. (Better than other options at least.) Use the right tool for the right job: if you need a form to look the same regardless of where it ends up, your best bet is a PDF.

  10. Re:Maybe it's just me by mandark1967 · · Score: 2, Insightful

    I think you read a little too much into my post. The application is called Adobe Acrobat Reader, but the quotes from the Adobe rep talk about all sorts of crap that 90% of the users at home do not need, or likely even want. As has been suggested in another post above, they need to make Acrobat Reader do one thing. Read PDFs.

    I, personally, do not need the capability of filling out forms nor do I need to submit and route forms. I just need to read a motherboard manual to see some jumper pin-outs and the like. In order to accomplish these types of tasks, I use Sumatra PDF reader.

    Removing that java scripting functionality from Reader and putting it into something else, like Adobe's Forms Manager makes sense from a security standpoint as well as a marketing standpoint. If they want to charge a premium for the capability of filling out forms and the like, let them. There are companies/people willing to pay extra for that set of features. It also allows them to make Reader more secure by removing the major attack vector from Reader that is exploited today, seemingly by any script kiddie.

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
  11. Yeah, right by Locke2005 · · Score: 2, Insightful

    All of this stuff has JavaScript behind the scenes making it work and it's difficult to remove without causing problems," Arkin explained. Translation: "We designed the products with a flawed security model to begin with and fixing that now would cause applications built on them that depend on defects in the security model in order to operate to no longer work."

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.