Educause Security Discussion mailing list archives

Re: Disable Adobe Reader javascript?


From: Theodore Pham <telamon () CMU EDU>
Date: Wed, 29 Apr 2009 13:35:29 -0400

I'm not saying that disabling Javascript in Adobe Reader/Acrobat is a
bad idea, but the client experience with it turned off can be extremely
annoying for your end users.

When we looked into this during the last Adobe zero-day, we found that a
number of our departments had fill-in PDF forms that used Javascript for
validation.  With Javascript disabled, of course the validation didn't
work, but the really annoying thing was that Adobe Reader prompted the
user to re-enable Javascript for EVERY field in the PDF file.  So if
there were 15 fields, it would ask 15 times upon opening the file.

So even if you push the HKCU registry entries to disable Javascript,
chances are a user who deals with these types of fill-in PDF forms will
just re-enable it...

Ted Pham
Information Security Office
Carnegie Mellon University

Eric C. Lukens wrote:

I have never run into a PDF file that needed javascript either.  Be
careful, if users do encounter a PDF file using JS, they'll likely be
prompted to turn JS back on.  If desired, I have a HKCU registry file
that can be imported (via whatever login scripting technique you use)
to disable JS and a Group Policy template (adm) to do the same.  Just
email me and I'll send them to you.

-Eric

-------- Original Message --------
Subject: [SECURITY] Disable Adobe Reader javascript?
From: Gary Flynn <flynngn () JMU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 4/29/09 11:11 AM

Anyone ever heard of problems after disabling javascript
in Adobe Reader or know of it commonly being used?
We're considering pushing it as policy to managed
workstations due to the frequency of security defects
discovered and exploited in Adobe Reader. Two zero
days since the beginning of the year.

I've had it disabled for over a year and I've never
had a known problem. Or maybe I just missed out seeing
the dancing bears without knowing it.

http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html



--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434



