Sunday, April 24, 2005

Adobe just couldn't help themselves

Adobe Acrobat Reader now processes covert JavaScript bugs in PDF files. Lovely. I always thought PDFs were nice, safe, "passive" data; now I learn they're "active", a potential vector for bugs and viruses. What possessed Adobe to embed JavaScript in PDFs, and to allow that JavaScript to be automatically processed on opening a PDF, and to give that JavaScript access to the network by default? It's like the Greatest Hits of Microsoft Office Design Mistakes, the tribute album by Adobe.

(Note: the link above points to a third-party software vendor's implementation of PDF bugs, but Adobe created the JavaScript embedding feature that enables this surveillance. And, as this article points out, Adobe sells Policy Server, which essentially implements PDF surveillance on steroids, for a higher price.)

For the time being, you can disable JavaScript in the preferences, but it's enabled by default, which means, of course, that the vast majority of users will remain vulnerable.

I hereby propose the First Law of Proprietary Software: As the version number approaches infinity, the probability that the vendor's interests diverge from those of the user converges to one. Or, in other words: eventually, all proprietary software screws the user, somehow.
