Adobe has once again confirmed that a JavaScript flaw can lead to malicious code execution on a system running its Acrobat or Reader software. According to a blog posting from the company, all versions of Acrobat and Acrobat Reader, on every platform (Linux, Windows, or Mac), are vulnerable to exploitation.
YAPE: Yet another PDF exploit discovered in the wild. (Image: Adobe)
“All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue,” Adobe said. Its advice, while waiting for a patch to be delivered, is to disable JavaScript as a stopgap measure.
Commenting on the issue, Graham Cluley of Sophos said: “Why most people would ever need JavaScript support inside their PDF readers is another matter entirely... Seems to me like a timebomb that was always waiting to explode. In my view it would be safer if a wider variety of PDF readers were in use, rather than the vast majority of computer users all relying on Adobe.”
While switching to an alternative reader has its benefits, it is not always the best solution. Research firms such as Secunia have shown in the past that alternative readers are just as vulnerable to attack as Adobe’s products; the only difference is that they are lower-profile and rarely targeted widely by criminals. Obscurity is never a sound security measure. The better solution, some experts say, is to remove JavaScript, since in most cases it simply isn’t needed in the PDF format.
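Following on from the point that JavaScript is rarely needed in PDFs, here is an added example (not code from the article, Adobe, or any reader vendor) of a small defender-side check: a Python scanner that reports whether a PDF carries /JavaScript, /JS or automatic-action names, undoing the #xx name escaping that PDF syntax allows and inflating FlateDecode streams so names tucked inside object streams are not missed. The three sample documents are constructed fixtures, not real-world files. The scanner is a triage heuristic (it does not handle encrypted files or stream filters other than Flate); its practical use is to find out how many of the PDFs an organisation actually handles use JavaScript at all before deciding whether disabling it costs anything.

```python
import re
import zlib

# PDF name objects may escape any byte as #xx (e.g. /Java#53cript is /JavaScript),
# which trivially hides the name from a naive substring search. Undo that first.
_NAME_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Body of every stream object; FlateDecode streams are inflated so that names
# living inside object streams are scanned as well as the raw file bytes.
_STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Names that mark script content or automatic actions in a PDF.
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def normalize_names(data: bytes) -> bytes:
    """Replace #xx escapes inside name objects with the literal byte."""
    return _NAME_HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every stream that zlib can inflate."""
    chunks = []
    for match in _STREAM_BODY.finditer(data):
        try:
            chunks.append(zlib.decompress(match.group(1)))
        except zlib.error:
            # Uncompressed or differently encoded stream: its raw bytes are
            # already part of the scanned file, so just skip inflation.
            continue
    return b"\n".join(chunks)


def find_pdf_script_indicators(data: bytes) -> dict:
    """Count each indicator name in the raw file plus its inflated streams."""
    text = normalize_names(data + b"\n" + inflate_streams(data))
    counts = {}
    for name in INDICATORS:
        # Whole-token match so that /JS does not count inside a longer name.
        pattern = re.escape(name) + rb"(?![0-9A-Za-z_])"
        counts[name.decode()] = len(re.findall(pattern, text))
    return counts


def contains_javascript(data: bytes) -> bool:
    """True when the document carries a JavaScript action or script body."""
    counts = find_pdf_script_indicators(data)
    return counts["/JavaScript"] > 0 or counts["/JS"] > 0


# Constructed fixtures (not real samples): a benign two-object PDF, one whose
# OpenAction points at a JavaScript action with a hex-escaped /S name, and one
# that hides the same action inside a (simplified) FlateDecode object stream.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
_hidden = zlib.compress(b"3 0 obj << /S /JavaScript /JS (app.alert('hidden')) >> endobj")
COMPRESSED_PDF = (
    b"%PDF-1.5\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    + b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_hidden)).encode()
    + b" >>\nstream\n" + _hidden + b"\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("escaped", JS_PDF), ("compressed", COMPRESSED_PDF)):
        print(label, contains_javascript(pdf), find_pdf_script_indicators(pdf))
```

Run over a directory of real documents, a zero count for /JavaScript and /JS across the board is the evidence that disabling JavaScript in the reader (Adobe’s own stopgap advice) breaks nothing; a non-zero count on a file that has no business carrying scripts is a reason to quarantine it for closer inspection.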
“Over the last several months going back to last year, we've started reading about Adobe's ill-fated attempt to insert JavaScript into Acrobat tools - and it begs the question – why?” wrote Rafal Los, an independent security consultant working out of Chicago.
“JavaScript interpreters have notoriously been... buggy... to say the least and there is a lot of damage that Adobe could be doing here without really considering the consequences. It's irresponsible to randomly add functionality to a file format and rendering engine without first considering the serious consequences… Did Adobe think about the millions of users who use Acrobat to read/write PDF files every day? Of course you and I would hope so... but we can't assume.”
Los ends his post with a question: “Was JavaScript added because developers and designers demanded it? Or was it simply another example of a vendor throwing in cool functionality to lure developers to use their product?”
An interesting point, and one Adobe should address unless it wants to risk losing its home-user customer base (businesses will likely continue to use Adobe, since Acrobat is at the heart of Adobe’s business model).
However, because JavaScript issues can affect Adobe’s business customers as well, perhaps it should just start shipping Acrobat or Reader with JavaScript disabled by default, if not removed completely.
Patches for the newest Adobe vulnerability are due in the near future, the company says, but it has not given a timeline for their release.
Want regular updates from The Tech Herald? Follow us on Twitter.