All your javascript are belong to us

Hurrah!

Reg key for GPO

HKEY_CURRENT_USER>Software>Adobe>Acrobat Reader>Yourversionnumberhere>JSPrefs

Change the bEnableJS DWORD value to 0

or even better, the following link has an ADM file:

http://isc.sans.org/diary.html?date=2008-11-11

Java

Damn, that reminds me - I keep forgetting to disable Java in Acrobat because I keep forgetting the idiots at Adobe did something as moronic as embedding a programming language in a document viewer program.

I'll patiently ask if someone can give me a sane reason why Acrobat should have Java scripting functionality? No seriously, I'm genuinely interested to know - I've probably overlooked something obvious.

Did Acrobat reader ever work?

Apart from the security issues, how does Acrobat Reader manage to go through major revisions without removing bugs which have been around for years?

I've lost count of the number of times Acrobat dies when trying to view pdfs using integrated browser (Firefox) support. There ought to be a script for killing all acroread32 processes and then reloading a page - it's something I have to do on an almost daily basis.

March 11th?

And later for older versions?

Gee, thanks Adobe, it's not like we weren't pissed off enough that we can't run Acrobat 9 already:

http://www.adobe.com/go/kb404597

Yup, a major bug that *completely* stops Acrobat 9 from being usable on *any* computer in our network, and Adobe have been sitting on it for FOUR MONTHS.

That'll be PDF's blocked at the firewall then.

Re: Try Foxit

I'll second the "try Foxit" motion. I stumbled into it, like many handy things, via Stumbleupon when it was keeping me awake one night with the "just one more click" syndrome. It's hard to argue against it when Adobe's Reader takes up over 200mb space (why?!), takes aeons to open a PDF document and requires updates once or twice a month. I'd also be curious to know why they allow scripts in a document viewer....

@Java

"I'll patiently ask if someone can give me a sane reason why Acrobat should have Java scripting functionality? No seriously, I'm genuinely interested to know - I've probably overlooked something obvious."

Indeed. PDF means Postscript. Postscript already _is_ a general programming language.

Now, why have Javascript/Ecmascript (not Java!) in addition? Probably because if you want to attract someone who can do "scripts" it's more likely that he will be attracted to Ecmascripting than Postscripting. Can anyone write Postscript anyway?

Isn't it time...

that Adobe Reader went back to the basics of rendering PDFs? Or at least have a click box that enables such a mode and nothing else?

It is now such a nasty piece of bloatware, performing like a snail with a fricking wheel clamp, that I only use it if Foxit doesn't work properly.

There are even tools to make Reader faster (by disabling all the very-rarely used plugins). If somebody has written a tool it is because a lot of people want it. Adobe should take note.

Postscript

I once saw a Julia Set (often mis-identified as Mandlebrot) program written in PostScript. Send it to the printer, and wait for hours for it to spit out the page!

Why is javascript on by default ?

Does adobe think its microsoft?

I have never, ever, asked for javascript to be turned on in acrobat reader, and there is absolutely NO reason why most people should need scripts in any PDF document.

Therefore it could, and SHOULD, have been turned off by default at installation time.

@Jave AC

I assume Adobe thought JavaScript was needed in PDFs the same way Microshaft thought it was necessary in help files. Of course now once I secure my machines none of the MS help works anymore because they relied on really lax security settings to make their stupid chm help system work. Dumkopfs.

@Thomas K.

I have Acrobat 9 and it does have an option to disable javascript it is the seventh or eighth item on the index after you open preferences just did it my self before posting this.

XPS is an alternative

I now standardized on XPS format. I think many will do the same after Windows7 will take over. It does not have any active code by design, signing it digitally is easy, and as it is part of Windows starting from Vista (can be installed on XP also from MS site), security updates will arrive via standard update channel. Goodbye, PDF.

11th March

Hellfire ! All the hard work has been done to identify the vulnerability and its machanism. Coding up the fix is the EASY part once you know where the problem lies. So why won't it be ready until March 11th ? Tech savvy users can disable Javascript manually but most home users will be unaware of this and still be vulnerable until the patch appears.

Adobe Bloatware

Are Adobe trying to emulate M$ with their bloatware? At least we can do something about it.

As mentioned above Foxit is the way to go.