
Businesses struggling with Adobe PDF security advice

Written by Ryan Naraine, Contributor

Adobe has set a May 12 date for the delivery of patches to cover a critical zero-day vulnerability in its Adobe Reader 9.1 and Acrobat 9.1 software products.

An official security advisory from Adobe confirms the severity of the vulnerability and reiterates its advice that users turn off JavaScript in Reader and Acrobat as a temporary measure to avoid code execution attacks. However, customers have started to grumble that Adobe's mitigation is difficult to implement and, even worse, useless in corporate environments.

[ SEE: Exploit posted for brand-new Adobe PDF zero-day ]

Erik Cabetas, security officer at a New York City-based e-commerce company, does not mince words:

This does not work, it does NOT disable JavaScript. It merely prompts the user with a vague dialog box stating that there is something they can't see because JavaScript is disabled. Guess what? Most users click to allow JavaScript!

Here's the image the end user sees:

[Image: adobealert.png, the Adobe Reader dialog that prompts the user to enable JavaScript]

[ SEE: Adobe: Turn off JavaScript in PDF Reader ]

In an e-mail, Cabetas said he wrote a script to "disable" JavaScript across his entire company, only to have an employee ask "if I should click yes when opening this PDF from a friend".

The rest of the users of course didn't even mention it to me, they all just click yes because they're conditioned to at security prompts.

These concerns were echoed by several enterprise IT administrators who are becoming increasingly frustrated by an increase in zero-day vulnerabilities -- and patches -- in Adobe's products.

ESET's Randy Abrams brings up another issue regarding Adobe and vulnerabilities:

The addition of JavaScript to Acrobat vastly increased the attack surface of Acrobat documents. Microsoft learned about the power of macros many years ago and effectively disabled macros in Word, unless a user deliberately turns them on. Adobe, on the other hand, enables JavaScript, arguably as powerful as macros, and does not notify the user of the vastly increased vulnerability they have just been exposed to.

When a user disables JavaScript and opens a PDF with JavaScript in it they are prompted to allow it to run and there is a check box to always allow it to run. The option should conspicuously indicate that this is the option of least security.
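What Adobe's advice and the prompt Cabetas and Abrams describe come down to on a Windows machine, as an added example that is neither Adobe's instructions nor Cabetas's script: Reader 9.x (9.1 included) stores the per-user JavaScript preference as a DWORD named bEnableJS under HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs, with 0 meaning off, and a user who clicks "yes" on the prompt or ticks the always-allow box turns the preference back on (assumed here to be recorded in that same value). The script below sets the preference, adds a machine-wide policy value (bDisableJavaScript under FeatureLockDown, which Adobe documents for later Reader versions and is assumed here to apply; check Adobe's preference reference for the version you deploy), and reports the effective state so the drift Cabetas ran into can be detected:

```powershell
# Added example, not Adobe's advisory text or Cabetas's script.
# Assumptions: Adobe Reader 9.x on Windows; 9.1 uses the "9.0" registry branch.
#   HKCU ...\9.0\JSPrefs\bEnableJS                   per-user preference, 1 = on, 0 = off
#   HKLM ...\9.0\FeatureLockDown\bDisableJavaScript  policy value documented by Adobe for
#   later Reader versions; assumed here to apply, verify for the version you deploy.
$Version = '9.0'
$UserKey = "HKCU:\Software\Adobe\Acrobat Reader\$Version\JSPrefs"
$LockKey = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$Version\FeatureLockDown"

function Disable-ReaderJavaScript {
    # The per-user toggle is what Adobe's advisory asks for. It is only a preference:
    # the "enable JavaScript?" prompt switches it back on as soon as a user clicks yes.
    if (-not (Test-Path $UserKey)) { New-Item -Path $UserKey -Force | Out-Null }
    Set-ItemProperty -Path $UserKey -Name 'bEnableJS' -Type DWord -Value 0

    # The policy value lives under HKLM, so this half needs an elevated session
    # (deploy via GPO or a startup script rather than the user's login script).
    if (-not (Test-Path $LockKey)) { New-Item -Path $LockKey -Force | Out-Null }
    Set-ItemProperty -Path $LockKey -Name 'bDisableJavaScript' -Type DWord -Value 1
}

function Get-ReaderJavaScriptState {
    # Audit helper: run it after deployment and again later. A bEnableJS that has gone
    # back to 1 with no policy lock is a user who clicked through the prompt.
    $pref = Get-ItemProperty -Path $UserKey -Name 'bEnableJS' -ErrorAction SilentlyContinue
    $lock = Get-ItemProperty -Path $LockKey -Name 'bDisableJavaScript' -ErrorAction SilentlyContinue
    $locked  = [bool]($lock -and $lock.bDisableJavaScript -eq 1)
    $enabled = if ($pref) { $pref.bEnableJS -ne 0 } else { $true }   # Reader's default is on

    $effective = 'ENABLED'
    if ($locked) { $effective = 'disabled, user cannot re-enable' }
    elseif (-not $enabled) { $effective = 'disabled, but one click on the prompt re-enables it' }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        User      = $env:USERNAME
        bEnableJS = if ($pref) { $pref.bEnableJS } else { 'unset (defaults to enabled)' }
        Locked    = $locked
        Effective = $effective
    }
}

Disable-ReaderJavaScript
Get-ReaderJavaScriptState | Format-List
```

The preference half runs as the user and only reaches the user who is logged in, which is why a login script alone leaves everyone else untouched; the policy half needs administrative rights. Get-ReaderJavaScriptState needs nothing beyond read access, so it can be scheduled on its own to report which machines have slipped back to "ENABLED" or to "one click re-enables it".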

As always, if you think Adobe exposes your computer system(s) to increased risk, consider using an alternative product.
