View Poll Results: Do we really need JS functionality in PDFs?

Voters
4. You may not vote on this poll
  • Yes

    0 0%
  • No

    1 25.00%
  • At least disable them by default

    3 75.00%
  • Who cares?

    0 0%
Results 1 to 7 of 7

Thread: Disable JS in PDFs with a GPO

  1. #1
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187

    Disable JS in PDFs with a GPO

    Hey folks, I am sure you are all aware of the rising problems with malicious PDFs. Most of them make use of JS within the PDF. I came across an article that walks you through disabling javascript in PDFs using group policy.

    http://praetorianprefect.com/archive...he-enterprise/
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  2. #2
    Senior Member wolfman1984's Avatar
    Join Date
    Aug 2007
    Location
    fangtastic.org
    Posts
    191
    The Wolfman is very excited to bring this article to his work tomorrow. I was not aware GPO could disable Java in Acrobat. Very cool indeed.

    This PDF exploit has been bothering us for a while now....

    Thanks Westin
    I AM... THE WOLFMAN!!
    The Wolfman's Homepage: http://www.fangtastic.org
    Do you dig the Wolfman?? Sign his Ghoulbook or listen to him Howl

  3. #3
    Senior Member
    Join Date
    Jul 2001
    Posts
    420
    The real question here is why does Adobe require it be turned on for all documents if you view a document with js. Why can't I enable it only for the current document?
    If you spend more on coffee than on IT security, you will be hacked. What\'s more, you deserve to be hacked.
    -- former White House cybersecurity adviser Richard Clarke

  4. #4
    Junior Member xqus's Avatar
    Join Date
    Apr 2006
    Posts
    15
    They should do like Microsoft does with macros in office documents. Ask the user if he want to enable JS for the document he is opening.
    -xqus
    -"I don't need no stinking spel checkre!"

  5. #5
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Despite Danger, Adobe Says JavaScript Support Important
    ~~
    In a Q&A (listen to podcast) with Threatpost editors Dennis Fisher and Ryan Naraine, Adobe security chief Brad Arkin says the removal of JavaScript support is a non-starter because it's an integral part of how users do form submissions.
    "Anytime you’re working with a PDF where you’re entering information, JavaScript is used to do things like verify that the date you entered is the right format. If you’re entering a phone number for a certain country it’ll verify that you’ve got the right number of digits. When you click “submit” on the form it’ll go to the right place. All of this stuff has JavaScript behind the scenes making it work and it's difficult to remove without causing problems," Arkin explained.

    http://threatpost.com/en_us/blogs/de...s+Most+Popular

    I am not sure that the pros outweigh the cons...
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  6. #6
    Senior Member wolfman1984's Avatar
    Join Date
    Aug 2007
    Location
    fangtastic.org
    Posts
    191
    I don't know about you guys and your work, but it turns out a lot of companies here in Canada do require javascript scripting in Adobe Reader.

    The Wolfman was in meetings all day regarding this PDF issue, and the developers were quite clear that javascript is required for the majority of their custom forms.

    Who would have thought....

    And why are we still concerned about this PDF issue and not Aurora?
    I AM... THE WOLFMAN!!
    The Wolfman's Homepage: http://www.fangtastic.org
    Do you dig the Wolfman?? Sign his Ghoulbook or listen to him Howl

  7. #7
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Quote Originally Posted by wolfman1984 View Post
    I don't know about you guys and your work, but it turns out a lot of companies here in Canada do require javascript scripting in Adobe Reader.

    The Wolfman was in meetings all day regarding this PDF issue, and the developers were quite clear that javascript is required for the majority of their custom forms.

    Who would have thought....

    And why are we still concerned about this PDF issue and not Aurora?
    Heh. I work at a school. Haven't had any complaints yet. As far as Aurora, MS is supposedly going to come out with an emergency patch this Friday. ??
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

Similar Threads

  1. Securing 2000 Pro
    By akachuckie in forum The Security Tutorials Forum
    Replies: 8
    Last Post: February 24th, 2005, 01:47 AM
  2. Network Security made easy?
    By Tiger Shark in forum Microsoft Security Discussions
    Replies: 5
    Last Post: January 14th, 2005, 08:47 PM
  3. Playing with Windows
    By gizmofreak in forum AntiOnline's General Chit Chat
    Replies: 2
    Last Post: December 7th, 2003, 06:43 PM
  4. Secure Windows (All Versions)
    By spools.exe in forum Microsoft Security Discussions
    Replies: 3
    Last Post: October 4th, 2003, 11:54 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •