Educause Security Discussion mailing list archives
Re: Disable Adobe Reader javascript?
From: Theodore Pham <telamon () CMU EDU>
Date: Wed, 29 Apr 2009 13:35:29 -0400
I'm not saying that disabling Javascript in Adobe Reader/Acrobat is a bad idea, but the client experience with it turned off can be extremely annoying for your end users.

When we looked into this during the last Adobe zero-day, we found that a number of our departments had fill-in PDF forms that used Javascript for validation. With Javascript disabled, of course the validation didn't work, but the really annoying thing was that Adobe Reader prompted the user to re-enable Javascript for EVERY field in the PDF file. So if there were 15 fields, it would ask 15 times upon opening the file.

So even if you push the HKCU registry entries to disable Javascript, chances are a user who deals with these types of fill-in PDF forms will just re-enable it...

Ted Pham
Information Security Office
Carnegie Mellon University

Eric C. Lukens wrote:
I have never run into a PDF file that needed javascript either. Be careful, if users do encounter a PDF file using JS, they'll likely be prompted to turn JS back on.

If desired, I have a HKCU registry file that can be imported (via whatever login scripting technique you use) to disable JS and a Group Policy template (adm) to do the same. Just email me and I'll send them to you.

-Eric

-------- Original Message --------
Subject: [SECURITY] Disable Adobe Reader javascript?
From: Gary Flynn <flynngn () JMU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 4/29/09 11:11 AM

Anyone ever heard of problems after disabling javascript in Adobe Reader or know of it commonly being used?

We're considering pushing it as policy to managed workstations due to the frequency of security defects discovered and exploited in Adobe Reader. Two zero days since the beginning of the year.

I've had it disabled for over a year and I've never had a known problem. Or maybe I just missed out seeing the dancing bears without knowing it.

http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html

--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434