Sophos urges Adobe to disable JavaScript

Adobe - security flaws still cropping up

Security firm Sophos has urged Adobe to disable JavaScript by default in its PDF products, Adobe Reader and Adobe Acrobat.

Sophos believes that Adobe needs to 'overhaul its approach to building security in its products' and could start by ensuring that users decide if JavaScript is enabled.

"The common thread in most, if not all, Adobe exploits is the requirement for JavaScript – as exploits will work correctly only if JavaScript is enabled," said Vanja Svajcer, principal virus researcher at Sophos.

"This is why we recommend all users disable JavaScript in Adobe Acrobat and Reader."

Doing more

"The company's regular security updates show that Adobe is now doing more to address vulnerabilities, but the high number of patched vulnerabilities indicates that it may be a good time for Adobe to overhaul its approach to building security into its products," continued Svajcer.

"If nothing else, JavaScript should be disabled by default in Adobe Reader."

It certainly isn't the first time that Adobe has been criticised, but the company has at least fixed the latest flaw, something which Sophos acknowledges.

"The vulnerability – named CVE-2010-1297 – involved a booby-trapped PDF file which would contain a Flash animation and relied on JavaScript for the exploit to work," explained the security experts.

"The exploit is more complex than previous Adobe exploits, potentially marking a new trend in the development of Adobe exploits."

Patrick Goss
