Should JavaScript be Disabled in Adobe Acrobat by Default?

Last week Thursday, February 19 Adobe released an advisory notifying its users of a critical vulnerability in Adobe Reader and Adobe Acrobat version 9 and earlier. The vulnerability can be used by an attacker to take control of the affected system.  Targeted exploits have been reported by a number of security companies (Symantec, McAfee) and the US-CERT has covered the vulnerability in Security Alert TA09-051A. In our QualysGuard product we detect the flaw as a zero day vulnerability – Id: 116234 Adobe Acrobat and Adobe Reader Buffer Overflow (APSA09-01).
 
Adobe expects to release a patch by March, 11th. In the interim, one can disable JavaScript within Adobe Reader as a work-around.
 
This is not the first time that the JavaScript component of Adobe Acrobat has been the subject of a vulnerability advisory. In fact there were multiple occurrences in 2008,  in November  Acrobat 8 had a JavaScript vulnerability, as well as in June and in May of 2008.
 
I have been running without JavaScript in my Adobe Reader for months and I have not noticed any adverse effects in my typical office oriented usage. Should this be the default behavior for Acrobat? In my opinion this is now becoming a best practice security setting, that should only be relaxed based on end-user needs.

To help IT administrators in verifying this configuration setting,  we are providing a check within our Policy Compliance product – "Adobe Reader JavaScript shall be disabled"

References:

• February 2009 Adobe Advisory
• US CERT Security Alert
• Phishlabs Analysis