digg

Facebook Connect Join Digg About

Once Again JavaScript is the Problem

blog.washingtonpost.com The latest example of this trend is a flaw revealed late last month in most versions of Adobe Reader -- the ubiquitous program useful for viewing PDF documents. The trouble, once again, is with Javascript.

Who dugg this? Made popular Jan 5, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

46 Comments

show profanity settings
expand all
  • falcon707, on 10/12/2007, -1/+56Actually, the trouble is with Adobe Reader.
  • saysaknow, on 10/12/2007, -7/+44http://www.foxitsoftware.com/products/
  • TomFrost, on 10/12/2007, -1/+37I love it when people blame their programming flaws on the method used to exploit them. There's nothing wrong with Javascript security.. there's everything wrong with not limiting its access in your program.
  • dragonmantank, on 10/12/2007, -4/+23Yeah, but the headline "Once Again Javascript is the Problem" sounds much more edgy.
  • BladeMelbourne, on 10/12/2007, -8/+23Avoid Adobe bloatware - use Foxit for PDFs.
    http://www.foxitsoftware.com/pdf/rd_intro.php
  • cwcentral, on 10/12/2007, -1/+9As usual, javascript used as a scapegoat.

    The problem is the paradigm of the plugin--since mst plugins like Acrobat require OS access (to drivers, etc...). Just evolve Firefox/IE & merge the plugins and be done with this problem.
  • jon1012, on 10/12/2007, -1/+9Seriously, have you ever used (I mean coded with) javascript ? Javascript is a very good language and is not to blame for coding errors in some plugins...

    Java != Javascript ! Java is a compiled language used with the java virtual machine (that can be used as a plugin in your browser), where javascript is an interpreted language that sits directly in your browser, not in a plugin...
  • Wootery, on 10/12/2007, -0/+6"it's ok"

    Have you ever _used_ Acrobat Reader?
    It has the remarkable ability (feature?) to crash not only Firefox, but your whole system.
    There is little software further from "ok" than Acrobat Reader.
  • rideagain, on 10/12/2007, -0/+5actually the real problem is the adobe reader plugin telling Firefox to interpret the javascript. There may be other plugins with the same problem.
  • inactive, on 10/12/2007, -0/+3I feel so computer savvy having switched to Foxit already.
  • Wootery, on 10/12/2007, -1/+4So not only do you copy BladeMelbourne's comment from 9 minutes earlier, you do so twice.

    You deserve to be buried.
  • Nanobe, on 10/12/2007, -0/+3JavaScript is just a language for accessing and manipulating the implementation's object model. If Adobe Reader has security flaws in its object model, that isn't JavaScript's fault. JavaScript really can't do anything interesting without the implementation giving it the ability to. Blame the implementation, not the language.
  • jdowdell, on 10/12/2007, -1/+3For what it's worth, the JavaScript in question is just passed through a plugin (in this case, Adobe Reader) to browsers which then execute it in the incorrect domain.

    Not all plugins accept viewing instructions in URLs, and not all can ask browsers to process JavaScript, but Adobe Reader is not the only one in either category. Many browsers are able to recognize where such JavaScript actually comes from.

    Keeping current on your internet software is the best way to guard against exploits as they arise.

    jd/adobe
  • Blandyman, on 10/12/2007, -1/+3royal:

    Adobe bought Macromedia, so I guess

    Adobe += Macromedia

    would be much more appropriate. Besides... Macromedia never had a PDF reading application, so your statement was complete nonsense.
  • nadcraker, on 10/12/2007, -0/+2I think alexpigment was refering to the SNL skit "Nick Burns your computer guy." He was talking about AOL in that skit to a co-worker. "It's ok, except it doesn't understand javascript! Pfftt." Classic skit if your a geek, it's very true to life, especially in 1999.
  • superpixel, on 10/12/2007, -1/+2I blame javascript for the mess my life has become. Curse you javascript!
    I thought crack was the problem?
  • Robotsu, on 10/12/2007, -1/+2Either this is just more sensationalistic *****, or we should really, really feel bad for the public who is served not at all by "journalists" with about as good a grip on the facts as the average digg member has on a boob!

    But seriously, let's take a look at his opening statement, which couldn't be more broad: "It seems like almost every week now we learn about a security threat that is linked to ill-conceived "features" built into widely used software applications."

    No *****! You're telling us that in software applications there are bugs. Okay, and furthermore, you posit that they were not intentionally created bugs. LIKE, YOU'RE BLOWING MY ***** MIND, MAN! You mean that they were not intentionally created bugs, but that they were byproducts of a rational attempt to bring a user more features??! Insanity! **NEWSFLASH FROM THE WASHINGTON POST: SOFTWARE THAT MEANS WELL MIGHT STILL HAVE BUGS!**
  • evildeadman, on 10/12/2007, -0/+1The doc format doesn't have to be dominated by Adobe, even though they created the format. There are great alternatives to Adobe reader, as mentioned in the posts above. Besides, I'd rather receive one PDF of a 400 page document than 400 TIFF images. It's just a more logical way to view documents without being able to directly edit their content.
  • Atomic1fire, on 10/12/2007, -0/+1sorry but that name is true
    digitallysick enough to not know anything about formats
  • Wootery, on 10/12/2007, -2/+3BladeMelbourne posted that 33 minutes before you.

    digggers, go for the red button.
  • floppydisk, on 10/11/2007, -0/+0Surely HTML etc. are more logical ways to display documents without being directly able to edit their content than an application that gobbles all the resources on your machine and occasionally hangs the browser indefinitely (I admit I'm impatient when the whole computer hangs).
    IMO HTML etc. are more portable as most o/s's have a browser and the latest version of adobe acrobat reader needs a monster download before you can read the "portable" documents.
    I guess I agree with villium's sentiment although I've never been exposed to some of the language before...
    Can I add flash to the list of non-portable "portable" applications?
    It's my hope that open source and open standards will eventually force these products to shrink in bloatedness and become dynamic enough to plan for things such as 64-bit computing (flash) or fade away.
  • alexpigment, on 10/12/2007, -2/+2it's ok, but it can't run javascript
  • damonlab, on 10/12/2007, -1/+1I tried the proof of concept on two systems. Adobe Acrobat 6 (not sure of the patch level) was indeed affected. Adobe Reader 7.0.7 sprang up a big warning and asked if I wanted to open the website.
  • WretchedXS, on 10/12/2007, -0/+0It's extremely unfortunate that the 2 languages (Java and JavaScript) have such similar names. While the syntax in both is similar, they really are completely different beasts (as jon1012) explains above. Please bury this incredibly moronic statment (posted by "digitallysick"). Oh, and I suggest you change your nickname to "digitallyinept".
  • ear1grey, on 10/12/2007, -2/+2Buried it as inaccurate, the problem is not JS.
  • moronpatrol, on 10/12/2007, -1/+0i dont know what this is about. Just wanted to say adobe reader sucks ass no matter what the platform.freezes, resource hog, locks up the comptuter untill you kill it. Removed it from my work xp, at home had it on my macbook for about 5 minutes before i realized it sucked on there too. Man what crap...its like that symantec junk...
  • washcapsfan37, on 10/12/2007, -2/+1Totally inaccurate. This is just some psuedo-techie wanna-be from the Washington Post spurting out FUD. He makes it sound like every browser is at risk if you visit a URL. This is a very targeted attack caused by a specific flaw in Adobe Reader which only allows JS to improperly display the address domain. When in doubt, never click on links from emails or trust strange pop-ups. Open a new window and type in the URL yourself.
  • offwhite, on 10/12/2007, -4/+2Is this really just Firefox interpreting the anchor portion of the tag after the PDF document is loaded? Would this be possible with another document format? I would love to blame Adobe. The Acrobat Reader is a piece of garbage and I use Foxit instead, but I think the real problem is how Firefox handles the Url. Afterall, it does not happen in IE6 or IE7. You cannot blame Adobe or Javascript.
  • tomarocco, on 10/12/2007, -3/+1xpdf...nuf sed.
  • inactive, on 10/12/2007, -2/+0I disabled javascript in adobe reader, and now it nags me ***** to turn it one when I exit the app.
  • GliTCH82, on 10/12/2007, -5/+3Ah, JavaScript. Use it wisely and it works wonders for your site or app, but if you start applying it liberally like it's no one's business it will come right back and bite you in the ass.
  • villium, on 10/12/2007, -4/+1Ill be blunt, ***** adobe acrobat and acrobat reader. How they swindled the world into accepting yet another ***** way to display text is beyond me. I wish everyone would just refuse to use PDF's and send Adobe an email telling them to shove it up their ass.
    Have a nice day.
  • tcpaulh, on 10/12/2007, -5/+0yup, crap submission. Yawn
  • inactive, on 10/12/2007, -7/+2Macromedia > Adobe
  • darkfate, on 10/12/2007, -12/+7Foxit FTW! Adobe Reader 8 looks nice, but it's just bloat.
  • inactive, on 10/12/2007, -9/+3Nah, more likely it's because it's 6 pm EST on a friday.
    people are heading home, to a bar, etc...but i'm stuck here still doing work and posting on digg :(

    Only us workaholics, you west coasters, and internationals are still around.
  • Pas3n7, on 10/12/2007, -10/+3OMGWTFROFLMAO:

    You forgot nerds with no lives, and I for one, am offended at the omission.
  • DelMonte, on 10/12/2007, -15/+8Ok then you were right, my comment was annoying, so digg me down! I'm aiming at having the most negative diggs ever!!!
  • Mutiny32, on 10/12/2007, -10/+2See you working suckers later!

    Oh wait. I'm at work.
  • wkndplaya, on 10/12/2007, -9/+0pfft down with abobe reader just use foxit :D
  • inactive, on 10/12/2007, -10/+1foxit is the way to go. Adobe tries to shove yahoo tool bar down your throat, and its "constant" updates, and add ons which arent needed. Javascript is evil, and i hate java, it just crashes everything most of the time
  • falcon707, on 10/12/2007, -18/+6Wow! Nobody cares.
  • DelMonte, on 10/12/2007, -14/+1I'm not complaining, I just never seen a digg count so low for a front page story.

    And since "nobody cares", your comment was useless falcon707, except maybe for your own ego...
  • rclay, on 10/12/2007, -19/+3For Windows, skip the Adobe bloatware and use Foxit reader at http://www.foxitsoftware.com/ .
  • rclay, on 10/12/2007, -20/+2For Windows, skip the Adobe bloatware and use Foxit reader at http://www.foxitsoftware.com/ .
  • DelMonte, on 10/12/2007, -29/+2Wow, 32 diggs... no comments, and it's on the front page!

    Edit: oops, now there's two comments :)

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...

© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.