Security firm Sophos has urged Adobe to disable JavaScript by default in its PDF products, Adobe Reader and Adobe Acrobat.

Sophos believes that Adobe needs to 'overhaul its approach to building security in its products' and could start by ensuring that users decide if JavaScript is enabled.

"The common thread in most, if not all, Adobe exploits is the requirement for JavaScript – as exploits will work correctly only if JavaScript is enabled," said Vanja Svajcer, principal virus researcher at Sophos.

"This is why we recommend all users disable JavaScript in Adobe Acrobat and Reader."

Doing more

"The company's regular security updates show that Adobe is now doing more to address vulnerabilities, but the high number of patched vulnerabilities indicates that it may be a good time for Adobe to overhaul its approach to building security into its products," continued Svajcer.

"If nothing else, JavaScript should be disabled by default in Adobe Reader."

It certainly isn't the first time that Adobe has been criticised, but the company has at least fixed the latest flaw, something which Sophos acknowledges.

"The vulnerability – named CVE-2010-1297 – involved a booby-trapped PDF file which would contain a Flash animation and relied on JavaScript for the exploit to work," explained the security experts.

"The exploit is more complex than previous Adobe exploits, potentially marking a new trend in the development of Adobe exploits."