Slashdot Mirror


Adobe Security Chief Defends JavaScript Support

Trailrunner7 writes "Despite the fact that the majority of [PDF-related] malware exploits use JavaScript to trigger an attack in Adobe's PDF Reader product, the company says it's impossible to completely remove JavaScript support without causing major compatibility problems. In a Q&A on Threatpost, Adobe security chief Brad Arkin says the removal of JavaScript support is a non-starter because it's an integral part of how users do form submissions. '"Anytime you're working with a PDF where you're entering information, JavaScript is used to do things like verify that the date you entered is the right format. If you're entering a phone number for a certain country it'll verify that you've got the right number of digits. When you click 'submit' on the form it'll go to the right place. All of this stuff has JavaScript behind the scenes making it work and it's difficult to remove without causing problems," Arkin explained.'"

4 of 216 comments

  1. Simple solution by loganljb · Score: 3, Interesting

    Well, gee -- how about creating the equivalent of noscript for Adobe, then? That way, the user can decide for themselves if they want to run scripts in what they THOUGHT was just a formatted text document.

  2. Re:PDF forms? DIE! by Qzukk · Score: 3, Interesting

    The only thing I learned when we used PDF forms a few years ago was ... don't do it. Just no. Really, don't.

    PDF forms with javascript for web submission? I agree.

    In reality though, a lot of crap (especially government crap) still has to be done on paper, and until HTML+CSS gets to the point where I can reliably reproduce a form on paper, PDF is the best option, ahead of Word documents with 50,000 underscores that wordwrap when someone tries to write in them.

    That, or find someone with a typewriter.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  3. Re:Easy but far too simple solution by pmontra · Score: 3, Interesting

    Simply switching one user to another safer reader won't solve this security problem because most people use Adobe's one. Disabling JavaScript by default in Adobe Reader would. People that for some reason have to use PDF forms will enable it or will be told how to by their IT department. By the way, I'm using evince on Linux to read PDF. I discovered now that it supports forms but apparently it doesn't have JavaScript. I'm probably safe.

  4. Re:Maybe it's just me by Jeng · Score: 3, Interesting

    To summarize. Perfection is the enemy of the good.

    --
    Don't know something? Look it up. Still don't know? Then ask.