Adobe Security Chief Defends JavaScript Support
Trailrunner7 writes "Despite the fact that the majority of [PDF-related] malware exploits use JavaScript to trigger an attack in Adobe's PDF Reader product, the company says it's impossible to completely remove JavaScript support without causing major compatibility problems. In a Q&A on Threatpost, Adobe security chief Brad Arkin says the removal of JavaScript support is a non-starter because it's an integral part of how users do form submissions. '"Anytime you're working with a PDF where you're entering information, JavaScript is used to do things like verify that the date you entered is the right format. If you're entering a phone number for a certain country it'll verify that you've got the right number of digits. When you click 'submit' on the form it'll go to the right place. All of this stuff has JavaScript behind the scenes making it work and it's difficult to remove without causing problems," Arkin explained.'"
Simple solution (Score:3, Interesting)
Re:PDF forms? DIE! (Score:4, Interesting)
The only thing I learned when we used PDF forms a few years ago was ... don't do it. Just no. Really, don't.
PDF forms with javascript for web submission? I agree.
In reality though, a lot of crap (especially government crap) still has to be done on paper, and until HTML+CSS gets to the point where I can reliably reproduce a form on paper, PDF is the best option, ahead of Word documents with 50,000 underscores that wordwrap when someone tries to write in them.
That, or find someone with a typewriter.
Re:Easy but far too simple solution (Score:4, Interesting)
Re:Maybe it's just me (Score:4, Interesting)
To summarize. Perfection is the enemy of the good.
Re:How difficult is it to remove Adobe Reader? (Score:3, Interesting)
What are you talking about? PDF is an excellent format for printed media; I look up data sheets online all the time, which are in PDF format.
The problem is Adobe's crappy reader software. Don't use it; there's far better ones out there like Okular and Evince.
Re:Easy but far too simple solution (Score:3, Interesting)
PDF forms are used when the form needs to be printed in a very specific format, or at least needs to exactly emulate their paper counterparts. e.g., tax forms, standardized contracts, employee waivers, etc. Even with stylesheets set up properly, printing out HTML is always an adventure.
So if an employee needs to, say, update their tax information, they can fill out the form online and submit it (securely) back to the employer. Then the employer can print it out themselves, file it, or whatever. Beats mailing around paper or having someone come into the main office.
Re:Keep your JS but... (Score:3, Interesting)
Not to mention, when I shut it off under Preferences - KEEP IT OFF. If it's off in preferences, it helpfully reminds the user that it's off and offers to re-enable it via the prompt. What the hell is Adobe thinking?
While I'm at it, how about updates to the reader that aren't 40-150 megabytes big or an updater that actually works? Right now, sane people should be considering Reader a very serious security vulnerability and migrating off the platform. Adobe has shown nothing but contempt for even basic security.
I'll tell you what Adobe is thinking: if they trimmed down their PDF reader to only do what it needs to, and stopped trying to bloat it up with all kinds of crap that almost no one wants, then they would have a product that no one would want to pay for, because there's plenty of free/cheap alternatives that are better for doing the things that most people do with PDFs. Adobe is a big, public corporation with shareholders to please, and that means that they need higher and higher quarterly profits. Part of achieving that is adding everything including the kitchen sink into Acrobat/PDF to get other dumb corporations to buy their overpriced tools and use them.
Remember, you, some guy on the internet that only uses Adobe's reader and not their content-production tools, are NOT their customer. They don't care if you don't like that their reader is 150MB, because you're not their target market. Their target is some dumb company, or better yet the government, that wants to use their expensive tools to make fancy PDFs, which then require you to download their 150MB reader to use these PDFs in order to file your taxes or work with the DMV.
This is a case study in how Free software many times works much better than corporate-produced for-profit software: for many applications, there comes a time when it's pretty much "done", and no one really wants any more features added. For Free/OSS software, this isn't a problem: the application is mature, and just goes into maintenance mode, and the authors move on to something else unless a bug comes up, or maybe they want to update the UI a little, or whatever. For corporations, this is unbearable: a mature application means no steady stream of new customers, so they need to keep adding crap ("bloat") into it to get people to "upgrade" to the latest version, which they can charge more for. They need to do this so they can have continuously increasing revenues.
Re:Easy but far too simple solution (Score:2, Interesting)
Of course they have profit expectation. But Acrobat is more of a sideline business for Adobe and it always has been. Acrobat will likely continue being a standard bearer, to be sure, but I have personally witnessed at least 5 different enterprises in the past few years cut their number of Acrobat licenses. IT management has realized that Acrobat simply isn't necessary for every employee that must generate PDFs and that there are plenty of alternative tools with either a zero cost or very cheap licensing -- there's at least one shareware tool I can think of in use at Ford Motor Co. and Xerox has a tool included with their DocuCenter workgroup/enterprise-class multifunction devices (printer/fax/scan/email) for generating PDFs as well. Tools like this are deemed "good enough" for most purposes.
Why don't you try working in an actual corporate IT environment before you go spouting off.
Re:How difficult is it to remove Adobe Reader? (Score:3, Interesting)
Why PDF vs HTML forms? You don't have to be connected to the internet. Forms can be saved partially completed and be finished later (with Reader Extensions which allow saving, among other things, with Reader).
Do you need a signature with that form? HTML fails. With PDF you can print the form out, sign it and send it in - with 2d barcode technology that form can be scanned in on the receiving end and all data retrieved electronically.
Why Javascript or any other scripting ability (there's also FormCalc in PDF)? Besides error checking, math and other obvious things - interactivity. I can have the form adapt as it is filled in. Clicked a checkbox that says you're not married and don't have kids? You won't see those kinds of questions later on in the form.
This only scratches the surface - with the full suite of LiveCycle server technology you can do some pretty amazing stuff.
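The thread turns on PDFs that carry JavaScript, whether for form validation or for exploits. As an added example (not part of the original discussion or any Adobe tool), here is a byte-level triage check that reports whether a PDF declares script or automatic actions at all. The sample documents are constructed, and the function names `scan_pdf` and `triage` are hypothetical.

```python
import re

# PDF name tokens that signal script, auto-run actions, forms, or object
# streams (which can hide other objects from a byte-level scan).
WATCHED = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/AcroForm", "/ObjStm")

# A name is "/" followed by any run of non-delimiter, non-whitespace bytes.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes in a name so /J#61vaScript compares as /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def scan_pdf(data: bytes) -> dict:
    """Count occurrences of each watched name in the raw file bytes."""
    counts = {name: 0 for name in WATCHED}
    for match in _NAME.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts

def triage(data: bytes) -> str:
    counts = scan_pdf(data)
    if counts["/JS"] or counts["/JavaScript"]:
        return "script"
    if counts["/ObjStm"]:
        # Objects inside compressed streams are invisible to this scan,
        # so the absence of /JS proves nothing here.
        return "inconclusive"
    return "no-script"

# Constructed fragments, not real documents.
SAMPLE_FORM = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /AcroForm 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /J#61vaScript /JS (validateDate\(\);) >> endobj
"""
SAMPLE_STATIC = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
"""
SAMPLE_OBJSTM = rb"""%PDF-1.5
5 0 obj << /Type /ObjStm /N 3 /First 20 /Length 40 >> stream
...
endstream endobj
"""

if __name__ == "__main__":
    for label, doc in (("form", SAMPLE_FORM), ("static", SAMPLE_STATIC),
                       ("objstm", SAMPLE_OBJSTM)):
        print(label, triage(doc), scan_pdf(doc))
```

A "script" verdict only says the file declares JavaScript, which a legitimate form also does; it is a routing signal for which documents deserve a stricter viewer policy or closer inspection.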