Friday, February 20, 2009 by Pascal Meunier in General
I'm flabbergasted to see Adobe release an advisory for a critical issue, using everything (BID & a "Vulnerability identifier") but a CVE identifier. I'm not surprised either that JavaScript support in Acrobat was involved in making its exploitation possible. Once again security folks tell people to "turn off JavaScript". It once seemed plausible to do in browsers, but these days even Purdue University makes it mandatory to enable JavaScript, as the tools we rely on for teaching (e.g., Blackboard) and other official Purdue pages don't work properly without JavaScript. Even the help system (!) doesn't work because the help link that could be just an HTML tag is actually implemented in JavaScript (and they also use the referrer tag to mitigate CSRF attacks, so no disabling that either). How long will it be before PDF documents can't be read without enabling JavaScript?
Comments
I’m always amused by the “turn off javascript” guidance when almost all of the exploits don’t need it. Sure, there are a few nasty privacy violation things that can only be done with it on, but telling people to turn off JS is like telling them to only run “Trusted” software… whatever that means.
Note that Adobe has been using CVE identifiers in their advisories since 2005.
In this case, Adobe asked for a CVE identifier approximately 24 hours before they published. Since a zero-day exploit prompted the advisory, they likely thought it was better to publish than to wait for a response from me.
CVE is not set up well for rapid response, although we are working on it, and I try to handle reservation requests quickly.
Thank you Steve for pointing out the circumstances and Adobe’s track record. It would make sense to cut a few corners to issue an urgently needed advisory.
Thanks for all the work that you do.
Enabling JavaScript can cause vital privacy violations. But as you said, without it many things aren’t possible too!
Andy,
Most of the *browser* exploits need JavaScript. Turning off JavaScript does make browsing the web much safer. As time goes on, it becomes more difficult to do so as more functionality is lost. However, a lot of that functionality is also not for your benefit. JavaScript is a huge headache because it makes the browser lack transparency, purity, obedience and loyalty (cf. “Software Properties and Behaviors”, http://homes.cerias.purdue.edu/~pmeunier/aboutme/poster52D-07F(Meunier).pdf).