IT security and data protection firm, Sophos, has urged software provider Adobe to begin disabling JavaScript in its products by default. This comes following the most recent security update for Adobe Acrobat and Reader which fixed a serious vulnerability that relies on JavaScript code.

The vulnerability – named CVE-2010-1297 – involved a booby-trapped PDF file which would contain a Flash animation and relied on JavaScript for the exploit to work. The exploit is more complex than previous Adobe exploits, potentially marking a new trend in the development of Adobe exploits.

“The common thread in most, if not all, Adobe exploits is the requirement for JavaScript , as exploits will work correctly only if JavaScript is enabled,” said Vanja Svajcer Principal Virus Researcher at Sophos. “This is why we recommend all users disable JavaScript in Adobe Acrobat and Reader.”

“The company’s regular security updates show that Adobe is now doing more to address vulnerabilities, but the high number of patched vulnerabilities indicate that it may be a good time for Adobe to overhaul its approach to building security into its products,” continued Svajcer. “If nothing else, JavaScript should be disabled by default in Adobe Reader.”

Sophos recommends that all users disable JavaScript in Adobe Acrobat and Reader by default, more details of how to do this can be found on the SophosLabs Blog here:

Tags: , ,