Slashdot Mirror


Adobe Security Chief Defends JavaScript Support

Trailrunner7 writes "Despite the fact that the majority of [PDF-related] malware exploits use JavaScript to trigger an attack in Adobe's PDF Reader product, the company says it's impossible to completely remove JavaScript support without causing major compatibility problems. In a Q&A on Threatpost, Adobe security chief Brad Arkin says the removal of JavaScript support is a non-starter because it's an integral part of how users do form submissions. '"Anytime you're working with a PDF where you're entering information, JavaScript is used to do things like verify that the date you entered is the right format. If you're entering a phone number for a certain country it'll verify that you've got the right number of digits. When you click 'submit' on the form it'll go to the right place. All of this stuff has JavaScript behind the scenes making it work and it's difficult to remove without causing problems," Arkin explained.'"

14 of 216 comments

  1. Easy but far too simple solution by richdun · Score: 5, Insightful

    Why not let PDFs only display documents, and rely on web forms for submitting information? No? Too simple?

    I personally have hated PDF forms for some - as a Mac user, having an OS with great PDF support built-in, but still having to use Adobe's products to use their non-standard (or newly made standard) forms implementation is a headache.

    1. Re:Easy but far too simple solution by fuzzyfuzzyfungus · Score: 5, Insightful

      Your "solution" is only a solution if your business isn't peddling PDF software(not to mention the really expensive backendware that you have to buy from Adobe if you want to "enable your enterprise PDF form workflow" or whatever).

      There are well behaved, and standardized, subsets of PDF that are just fine. They know their place, they are a perfectly competent and pretty well supported way of slinging around documents that have to look a certain way. Outside of that, though, is the nightmare realm where Adobe just keeps cramming use cases into PDF, because PDF is what they own. Javascript, embedded Flash video, it's just a matter of time before they announce an alliance with VMware, to "Enable users to deploy entire Rich Enterprise Solution Stacks" just by emailing PDFs full of x86 virtual machines, complete with embedded video documentation, to one another...

    2. Re:Easy but far too simple solution by pmontra · Score: 3, Interesting

      Simply switching one user to another safer reader won't solve this security problem because most people use Adobe's one. Disabling JavaScript by default in Adobe Reader would. People that for some reason have to use PDF forms will enable it or will be told how to by their IT department. By the way, I'm using evince on Linux to read PDF. I discovered now that it supports forms but apparently it doesn't have JavaScript. I'm probably safe.

    3. Re:Easy but far too simple solution by clone53421 · Score: 3, Funny

      Dreamweaver?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

    4. Re:Easy but far too simple solution by toleraen · Score: 4, Informative

      L O L

      All NIST tracked vulnerabilities for Foxit in the last two years have been of the "open a bad PDF and get infected" variety. How is Foxit any better, other than executing infected PDFs faster?

    5. Re:Easy but far too simple solution by mad.frog · Score: 3, Funny

      ...and that's how Emacs stayed its original, trim self.

  2. Simple solution by loganljb · Score: 3, Interesting

    Well, gee -- how about creating the equivalent of noscript for Adobe, then? That way, the user can decide for themselves if they want to run scripts in what they THOUGHT was just a formatted text document.
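
    The summary says most PDF malware needs JavaScript to fire, and the comment above asks for a way to know before opening whether a "formatted text document" carries script at all. The following is an added example, not code from the page, from Adobe or from any PDF tool: a small triage scanner in Python that counts the PDF name tokens that matter for this (/JavaScript, /JS, the auto-run actions /OpenAction and /AA, /Launch, and /ObjStm), after resolving the `#xx` hex escapes that PDF name syntax allows and that obfuscated samples use to hide `/JavaScript` as `/J#61vaScript`. The two sample PDFs are constructed inline for the demonstration. Function and constant names (`scan_pdf`, `has_script`, `SUSPECT_NAMES`) are this example's own choices.

```python
import re
import sys
from collections import Counter

# Names whose presence makes a PDF worth a second look before opening it.
# /JavaScript and /JS carry script; /OpenAction and /AA run actions
# automatically (on open, on page change, on form events); /Launch runs an
# external program; /ObjStm means objects may be hidden inside a compressed
# object stream, so a zero count for the others is not conclusive.
SUSPECT_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/ObjStm")

# A PDF name token: a slash followed by regular characters, ended by
# whitespace or a delimiter. '#xx' inside the token is a hex escape.
NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}%]*)")


def decode_name(raw: bytes) -> str:
    """Resolve '#xx' escapes so b'J#61vaScript' compares equal to '/JavaScript'."""
    def unhex(m):
        return bytes([int(m.group(1), 16)])
    return "/" + re.sub(rb"#([0-9A-Fa-f]{2})", unhex, raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count suspect name tokens in raw PDF bytes (a triage check, not a parser:
    names inside Flate-compressed streams or object streams are not visible)."""
    counts = Counter()
    for m in NAME_TOKEN.finditer(data):
        name = decode_name(m.group(1))
        if name in SUSPECT_NAMES:
            counts[name] += 1
    return {n: counts.get(n, 0) for n in SUSPECT_NAMES}


def has_script(report: dict) -> bool:
    """True when the document declares JavaScript anywhere."""
    return report["/JavaScript"] > 0 or report["/JS"] > 0


# Constructed sample (not a real-world file): a minimal PDF whose catalog
# runs JavaScript on open, with the action name hex-escaped the way
# obfuscated samples often are.
SCRIPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R>>endobj\n"
    b"4 0 obj<</S/J#61vaScript/JS(app.alert('hello');)>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)

# Constructed sample: the same skeleton with no actions and no script.
PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)


def scan_file(path: str) -> dict:
    with open(path, "rb") as f:
        return scan_pdf(f.read())


if __name__ == "__main__":
    # Usage: python scan.py file.pdf ...   (no args scans the built-in samples)
    targets = sys.argv[1:]
    reports = ([(p, scan_file(p)) for p in targets] if targets
               else [("SCRIPTED_PDF", scan_pdf(SCRIPTED_PDF)),
                     ("PLAIN_PDF", scan_pdf(PLAIN_PDF))])
    for label, rep in reports:
        verdict = "SCRIPT" if has_script(rep) else "no script seen"
        print(f"{label}: {verdict} {rep}")
```

    The point of decoding names before comparing is that a plain `grep /JavaScript` is defeated by `/J#61vaScript` or `/#4A#53`, which Reader treats as identical. The check is deliberately one-sided: a hit means the file declares script or an auto-run action and deserves a sandboxed or JavaScript-disabled viewer; a miss only means nothing was visible outside compressed streams.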

  3. Tea and pramwiches by daeley · Score: 5, Insightful

    "Anytime you're working with a baby pram where you're, say, also carrying diapers, our chainsaw is used to do things like verify that the Pampers fit on that little shelf underneath. If you're carrying some groceries as well, the chainsaw verifies that you don't try to fit too much on there. When you push the pram, the chainsaw makes sure you push it to the right place. All of this stuff has the chainsaw behind the scenes making it work and it's difficult to remove without causing problems," Arkin explained.

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.

  4. Simple answer by just_another_sean · Score: 3, Insightful

    White listed docs/publishers are the only ones allowed to run JavaScript. White listing should be as easy as pushing a "Trust this document" or "Trust this publisher" button.

    Will it/can it be abused? Sure, but it's better than running script by default without user consent.

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal

  5. CS4 Scripting too by 0100010001010011 · Score: 5, Informative

    I didn't know this until recently, but you can script most of Adobe's CS products (Photoshop, etc.) with JavaScript.

    It's cross platform. The same scripts work on my Mac as they do on a Windows machine.

    I already know it, the syntax isn't something foreign, and there are a ton of websites out there for JavaScript support.

    It makes stuff like making panoramas and HDR panoramas awesome.

  6. Re:PDF forms? DIE! by Qzukk · Score: 3, Interesting

    The only thing I learned when we used PDF forms a few years ago was ... don't do it. Just no. Really, don't.

    PDF forms with javascript for web submission? I agree.

    In reality though, a lot of crap (especially government crap) still has to be done on paper, and until HTML+CSS gets to the point where I can reliably reproduce a form on paper, PDF is the best option, ahead of Word documents with 50,000 underscores that wordwrap when someone tries to write in them.

    That, or find someone with a typewriter.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.

  7. Re:Why not html forms? by Volante3192 · Score: 3, Insightful

    Except HTML is dependent on margin size, available fonts, interpretation by the browser, too many tiny variables that could cause problems. Most code monkeys can't even check if their stuff works in the browser they use. Binary files like doc can be interpreted wrong if opened in a different program or even version of the same program.

    The one thing PDF does well, extremely well, is keep the document the same across platforms. (Better than other options at least.) Use the right tool for the right job: if you need a form to look the same regardless of where it ends up, your best bet is a PDF.

  8. Re:Maybe it's just me by Jeng · Score: 3, Interesting

    To summarize. Perfection is the enemy of the good.

    --
    Don't know something? Look it up. Still don't know? Then ask.

  9. Re:How difficult is it to remove Adobe Reader? by Skuld-Chan · Score: 3, Informative

    (speaking as someone who has worked quite a great deal with implementing Acrobat forms...)

    End users don't need this stuff (it would be cool if IRS tax forms were intelligent, but that would cut into the profits of a lot of tax prep companies). A lot of enterprises however use this stuff. I would agree it's not the best solution in every case, but one thing it was used for frequently was a front end for some other system where they previously printed out, faxed in a paper form and then transcribed it by hand into some mainframe CRM app - well, with Acrobat forms you can cut out a lot of those steps - keep the familiar forms, and keep training costs down to boot.

    Livecycle forms is just a development environment like anything else (SAP/Datatel etc) - and if you are used to it - great, if not - use something else.

    I do know - for end users, being able to type into a form they previously wrote on was helpful because they knew where everything was and how the form worked. That certainly cut down training time, and calls to help desks.

    And no - no other PDF viewer (even Foxit) is compliant enough to actually work within this workflow - it's either Reader 8/9 or nothing.