These forums are now Read Only. If you have an Acrobat question, ask questions and get help from one of our experts.

JavaScript and Security Issues

Forum Index > Forms: LiveCycle Designer > JavaScript and Security Issues
2009-12-16 04:14:45
R_Boyd
Registered: Nov 1 2007
Posts: 151

[url=http://www.scmagazineuk.com/zero-day-vulnerability-in-adobe-reader-and-acrobat-already-seeing-exploits/article/159618/]Zero-day vulnerability in Adobe Reader and Acrobat already seeing exploits[/url]

[url=http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214]Full details from Shadow Server blog[/url]

[url=http://www.adobe.com/support/security/advisories/apsa09-07.php]Security Advisory for Adobe Reader and Acrobat[/url]

This has serious implications for the success of Adobe forms in my workplace. The issue is that the IT service providers are seriously looking at disabling the ability to use JavaScript in Reader. This would render all the dynamic forms, that we have been developing, static and without validation. It would remove all of the selling points for using Adobe forms.

Obviously when confronted with a choice between compromised forms and exposure to malware it's not difficult to guess which is seen as the priority.

What are your feelings on the matter? Is this a cause for concern or do you think the impact has been exaggerated? What steps can we take as developers to deal with this issue? Whilst a lot of the calculations used in LCD forms can be replicated using FormCalc it cannot match the flexibility of JavaScript when it comes to producing dynamic effects.

Top
2009-12-16 08:44:00
#1
jonom
Registered: Jan 31 2008
Posts: 133
I'm sure Adobe will get it patched soon.

If you are using your own PDFs or PDFs from a reliable source I don't see a real concern, but I'm not a security expert.

The thing is, for this to work you have to get a malformed PDF from someone/somewhere. If you are using a lot of forms I'd say it would be better to block PDFs from an external source (if the source is not trusted) until they have been vetted than lose all the interactivity and efficiency savings in your forms.

There are still a lot of scripting vulnerabilities in browsers...will your IT department disable Javascript in PDF but still allow it in browsers?

I would also look around the net and see how other folks are handling it - a lot of governments are starting to rely on PDF forms heavily. Again, it comes down to where those PDFs come from.
Top
2009-12-16 08:50:38
#2
jonom
Registered: Jan 31 2008
Posts: 133
I'll also note that in the security bulletin from Adobe there is a way for enterprise users to blacklist certain javascript code.

And if you are running a version of Windows with DEP that it would seem you are safe.
Top