Ditching JavaScript will fix Adobe security flaws

While Adobe has pushed out much-needed security updates, Sophos is warning that the company has ignored the main threat to security: it needs to disable JavaScript by default.

The latest security update fixed a major vulnerability in Acrobat and Reader whose exploit relied on JavaScript code to execute. It was found in a “booby-trapped” PDF file which contained a Flash animation and relied on the JavaScript for the exploit to work – and it was way more complex than previous Adobe exploits, perhaps marking the beginning of a trend if nothing’s done about it.

In a guest blog, Vanja Svajcer, principal virus researcher at Sophos, says that the most common thread with Adobe exploits is the requirement for JavaScript. They tend to only work if it’s enabled, so Sophos is urging users in the interim to disable it in Adobe Acrobat and Reader.

Although Adobe is doing much more than previously to keep on top of vulnerabilities and exploits, the fact that so many have been patched suggests, says Sophos, that Adobe needs to take a sideways look at its products. Disabling JavaScript by default would be just the ticket.
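For defenders who want to spot the kind of file described above, here is an added example (not code from Sophos or Adobe): a small Python triage that flags PDFs carrying both JavaScript and embedded Flash by looking for the PDF name keys /JS, /JavaScript and /RichMedia, including hex-escaped spellings. The function names, verdict labels and sample bytes are constructed for illustration, and keys hidden inside compressed object streams are not seen.

```python
import re
import sys

# PDF name keys to look for (from the PDF specification).
SCRIPT_KEYS = {"JS", "JavaScript"}      # JavaScript actions
FLASH_KEYS = {"RichMedia"}              # rich-media (Flash) annotations
AUTORUN_KEYS = {"OpenAction", "AA"}     # actions fired without a click

NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise(name: bytes) -> str:
    """Decode #XX escapes so that /J#61vaScript is read as JavaScript."""
    raw = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name)
    return raw.decode("latin-1")


def triage(data: bytes) -> dict:
    """Report which risky keys appear in the uncompressed part of a PDF."""
    names = {normalise(n) for n in NAME_RE.findall(data)}
    script = bool(names & SCRIPT_KEYS)
    flash = bool(names & FLASH_KEYS)
    if script and flash:
        verdict = "javascript+flash"   # the combination the article describes
    elif script:
        verdict = "javascript"
    else:
        verdict = "no-script-keys"     # not proof of safety: streams unparsed
    return {"script": script, "flash": flash,
            "autorun": bool(names & AUTORUN_KEYS), "verdict": verdict}


# Constructed fragments for illustration, not real samples.
SAMPLE_SUSPECT = (b"%PDF-1.7\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
                  b"2 0 obj<</S/J#61vaScript/JS 3 0 R>>endobj\n"
                  b"4 0 obj<</Subtype/RichMedia>>endobj\n")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it with one or more PDF paths as arguments; a "javascript+flash" verdict marks a file for closer inspection in a sandboxed viewer with JavaScript disabled.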