Should JavaScript be Disabled in Adobe Acrobat by Default?

Wolfgang Kandek

Last updated on: September 7, 2020

Last week Thursday, February 19 Adobe released an advisory notifying its users of a critical vulnerability in Adobe Reader and Adobe Acrobat version 9 and earlier. The vulnerability can be used by an attacker to take control of the affected system.  Targeted exploits have been reported by a number of security companies (Symantec, McAfee) and the US-CERT has covered the vulnerability in Security Alert TA09-051A. In our QualysGuard product we detect the flaw as a zero day vulnerability – Id: 116234 Adobe Acrobat and Adobe Reader Buffer Overflow (APSA09-01).
Adobe expects to release a patch by March, 11th. In the interim, one can disable JavaScript within Adobe Reader as a work-around.
This is not the first time that the JavaScript component of Adobe Acrobat has been the subject of a vulnerability advisory. In fact there were multiple occurrences in 2008,  in November  Acrobat 8 had a JavaScript vulnerability, as well as in June and in May of 2008.
I have been running without JavaScript in my Adobe Reader for months and I have not noticed any adverse effects in my typical office oriented usage. Should this be the default behavior for Acrobat? In my opinion this is now becoming a best practice security setting, that should only be relaxed based on end-user needs.

To help IT administrators in verifying this configuration setting,  we are providing a check within our Policy Compliance product – "Adobe Reader JavaScript shall be disabled"


Share your Comments


Your email address will not be published. Required fields are marked *