CERIAS - Center for Education and Research in Information Assurance and Security

Skip Navigation
Purdue University - Discovery Park
Center for Education and Research in Information Assurance and Security

Bad JavaScript, no CVE for you!

I'm flabbergasted to see Adobe release an advisory for a critical issue, using everything (BID & a "Vulnerability identifier") but a CVE identifier. I'm not surprised either that JavaScript support in Acrobat was involved in making its exploitation possible. Once again security folks tell people to "turn off JavaScript". It once seemed plausible to do in browsers, but these days even Purdue University makes it mandatory to enable JavaScript, as the tools we rely on for teaching (e.g., Blackboard) and other official Purdue pages don't work properly without JavaScript. Even the help system (!) doesn't work because the help link that could be just an HTML tag is actually implemented in JavaScript (and they also use the referrer tag to mitigate CSRF attacks, so no disabling that either). How long will it be before PDF documents can't be read without enabling JavaScript?


Posted by Andy Steingruebl
on Friday, February 20, 2009 at 02:35 PM

I’m always amused by the “turn off javascript” guidance when almost all of the exploits don’t need it.  Sure there a few nasty privacy violation things that can only be done with it on, but telling people to turn off JS is like telling them to only run “Trusted” software… whatever that means.

Posted by Steve Christey, CVE Editor
on Sunday, February 22, 2009 at 12:03 PM

Note that Adobe has been using CVE identifiers in their advisories since 2005.

In this case, Adobe asked for a CVE identifier aproximately 24 hours before they published.  Since a zero-day exploit prompted the advisory, they likely thought it was better to publish than to wait for a response from me.

CVE is not set up well for rapid response, although we are working on it, and I try to handle reservation requests quickly.

Posted by Pascal Meunier
on Sunday, February 22, 2009 at 06:42 PM

Thank you Steve for pointing out the circumstances and Adobe’s track record.  It would make sense to cut a few corners to issue an urgently needed advisory. 
Thanks for all the work that you do.

Posted by Shane
on Wednesday, July 8, 2009 at 11:16 AM

Enabling Javascripts can cause vital privacy Violations. But as you said without it many things aren’t possible too!

Posted by Pascal Meunier
on Friday, July 10, 2009 at 09:06 AM

Most of the *browser* exploits need JavaScript.  Turning off JavaScript does make browsing the web much safer.  As time goes on, it becomes more difficult to do so as more functionality is lost.  However, a lot of that functionality is also not for your benefit.  JavaScript is a huge headache because it makes the browser lack transparency, purity, obedience and loyalty (c.f. “Software Properties and Behaviors”, http://homes.cerias.purdue.edu/~pmeunier/aboutme/poster52D-07F(Meunier).pdf)

Leave a comment

Commenting is not available in this section entry.