Comments on: Adobe: Wake Up & Smell the Javascript http://blog.eset.com/2009/04/28/adobe-wake-up-smell-the-javascript Fri, 25 May 2012 00:29:30 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Ahmed Ghanem http://blog.eset.com/2009/04/28/adobe-wake-up-smell-the-javascript/comment-page-1#comment-45488 Ahmed Ghanem Sat, 02 May 2009 12:07:02 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-45488 Yes, I actually see your point, I guess Adobe and Microsoft are all alike, I wonder if it'd take Adobe that much time to patch this vulnerability as it took Microsoft to begin considering to patch Autorun, really annoying though when you know you're safer using another product and so..... I really like the Eset Threat Center blog, it keeps me always updated with most wide-spread threats, keep up the good work here guys :D Yes, I actually see your point, I guess Adobe and Microsoft are all alike, I wonder if it’d take Adobe that much time to patch this vulnerability as it took Microsoft to begin considering to patch Autorun, really annoying though when you know you’re safer using another product and so…..

I really like the Eset Threat Center blog, it keeps me always updated with most wide-spread threats, keep up the good work here guys :D

]]> By: David Harley http://blog.eset.com/2009/04/28/adobe-wake-up-smell-the-javascript/comment-page-1#comment-45458 David Harley Sat, 02 May 2009 08:39:07 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-45458 Hi, Ahmed. What I meant by "have no use for" was that I create PDFs for a number of different purposes, and PDF/A wouldn't suit them all, while the export process involves taking several steps that I'd rather not be bothered with. I can certainly see that for some people, changing the defaults for "Create PDF" would make sense. In which case, if you then received a PDF that triggered a prompt, that might actually be a useful indicator of danger, if the message wasn't so misleading (i.e. didn't tell you that there are scripts present when there aren't). Deoending on how many other people made the same choice. I suppose my real gripe is that the quick and simple format isn't... This is actually starting to annoy me so much that I'm considering reading the manual. ;-) Hi, Ahmed. What I meant by “have no use for” was that I create PDFs for a number of different purposes, and PDF/A wouldn’t suit them all, while the export process involves taking several steps that I’d rather not be bothered with. I can certainly see that for some people, changing the defaults for “Create PDF” would make sense. In which case, if you then received a PDF that triggered a prompt, that might actually be a useful indicator of danger, if the message wasn’t so misleading (i.e. didn’t tell you that there are scripts present when there aren’t). Deoending on how many other people made the same choice.

I suppose my real gripe is that the quick and simple format isn’t… This is actually starting to annoy me so much that I’m considering reading the manual. ;-)

]]> By: Ahmed Ghanem http://blog.eset.com/2009/04/28/adobe-wake-up-smell-the-javascript/comment-page-1#comment-45405 Ahmed Ghanem Sat, 02 May 2009 06:48:52 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-45405 David : well I don't see any use exporting my documents as PDFs using 1.6 or 1.7 specifications, if I don't need javascript or encryption, and the message doesn't show mainly because javascript is prohibited in PDF/A files so I'd recommend anyone to convert his documents to the PDF/A for a while till this vulnerability gets patched, and I'm not excluding switching to another product as well. David : well I don’t see any use exporting my documents as PDFs using 1.6 or 1.7 specifications, if I don’t need javascript or encryption, and the message doesn’t show mainly because javascript is prohibited in PDF/A files so I’d recommend anyone to convert his documents to the PDF/A for a while till this vulnerability gets patched, and I’m not excluding switching to another product as well.

]]> By: David Harley http://blog.eset.com/2009/04/28/adobe-wake-up-smell-the-javascript/comment-page-1#comment-45219 David Harley Thu, 30 Apr 2009 18:37:15 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-45219 @Sean: yes, I've seen similar approaches suggested elsewhere. I should try it, in my copious free time. Thanks. @Ahmed: thanks. I'd forgotten PDF/A, as I have no use for it, generally. @Kim: thanks. You're absolutely right: that's the primary use for it. I'd still suggest turning it off when you're not generating forms, if you can stand the nag messages. Incidentally, I read today on a mailing list that if you keep it disabled on such a form, you'll get the message every time you access a field, not just when you open the document. I haven't tried it. @Sean: yes, I’ve seen similar approaches suggested elsewhere. I should try it, in my copious free time. Thanks.

@Ahmed: thanks. I’d forgotten PDF/A, as I have no use for it, generally.

@Kim: thanks. You’re absolutely right: that’s the primary use for it. I’d still suggest turning it off when you’re not generating forms, if you can stand the nag messages. Incidentally, I read today on a mailing list that if you keep it disabled on such a form, you’ll get the message every time you access a field, not just when you open the document. I haven’t tried it.

]]> By: Kirn Gill http://blog.eset.com/2009/04/28/adobe-wake-up-smell-the-javascript/comment-page-1#comment-45127 Kirn Gill Wed, 29 Apr 2009 20:49:40 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-45127 The point of JavaScript in PDF files was to generate "smart forms", that could include sanity checks against the data entered into the form. This would be useful for tax forms, while still maintaining the 1:1 electronic analogue with paper documents. The point of JavaScript in PDF files was to generate “smart forms”, that could include sanity checks against the data entered into the form. This would be useful for tax forms, while still maintaining the 1:1 electronic analogue with paper documents.

]]> By: Ahmed ghanem http://blog.eset.com/2009/04/28/adobe-wake-up-smell-the-javascript/comment-page-1#comment-45081 Ahmed ghanem Wed, 29 Apr 2009 12:15:52 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-45081 Well it was a year ago when I began considering alternatives to Adobe, and I'm already using some other product and it's not foxit reader as its text rendering is awful. Anyway regarding your note about the vulnerability and the message that shows up, it doesn't occur with all PDFs, well at least not with the ones that are created according to the PDF/A specification. Well it was a year ago when I began considering alternatives to Adobe, and I’m already using some other product and it’s not foxit reader as its text rendering is awful.

Anyway regarding your note about the vulnerability and the message that shows up, it doesn’t occur with all PDFs, well at least not with the ones that are created according to the PDF/A specification.

]]> By: Sean http://blog.eset.com/2009/04/28/adobe-wake-up-smell-the-javascript/comment-page-1#comment-44983 Sean Tue, 28 Apr 2009 15:18:39 +0000 http://www.eset.com/threat-center/blog/?p=1016#comment-44983 To avoid this stupid warning, I used a GPO and Policy Maker to disable javascript in PDF companywide. I've got Adobe Reader currently on the THREE STRIKES. Last issue was strike one, two more and it's gone. Remember when the advantage to PDF was that it just displayed a page like you intended for it to look in print? If I wanted javascript, I would release my documents as web pages. To avoid this stupid warning, I used a GPO and Policy Maker to disable javascript in PDF companywide. I’ve got Adobe Reader currently on the THREE STRIKES. Last issue was strike one, two more and it’s gone.

Remember when the advantage to PDF was that it just displayed a page like you intended for it to look in print?

If I wanted javascript, I would release my documents as web pages.

]]>