Skip to main content

Adobe urged to disable Javascript

IT insecurity outfit Sophos, has urged Adobe to begin disabling JavaScript in its products by default. The suggestion comes following the most recent security update for Adobe Acrobat and Reader which fixed a serious vulnerability that relies on JavaScript code.

The vulnerability – named CVE-2010-1297 – involved a 'booby-trapped' PDF file which would contain a Flash animation and relied on JavaScript for the exploit to work. The latest hole is more complex than those previously found, potentially marking a new trend in the development of Adobe exploits.

“The common thread in most, if not all, Adobe exploits is the requirement for JavaScript – as exploits will work correctly only if JavaScript is enabled,” said Vanja Svajcer principal virus researcher at Sophos on his bog. “This is why we recommend all users disable JavaScript in Adobe Acrobat and Reader.”

“The company’s regular security updates show that Adobe is now doing more to address vulnerabilities, but the high number of patched vulnerabilities indicate that it may be a good time for Adobe to overhaul its approach to building security into its products,” continued Svajcer. “If nothing else, JavaScript should be disabled by default in Adobe Reader.”

Sophos recommends that all users disable JavaScript in Adobe Acrobat and Reader and demonstrates how to do this here.