Re: Adobe Security Vulnerability and G.G applications Lipkin, Stuart 25 Feb 2009 21:08 EST

Thanks Bob,

As always I appreciate your advice.   This is what I thought but different from what the Grants.gov helpdesk told me.  They say that turning off JavaScript will not cause any issues - which I didn't think was accurate.

I completely understand the issues involved in using 3rd party software.  My concern is that there is no guidance from Grants.gov on their website addressing this issue.  I have no problem with them using Adobe, but I do have issues with them not addressing these type of issues as they arise.  They have said that they are working closely with Adobe and if they are working as closely as they say, I would expect information on the impact of these type of issues to be posted promptly on the website.

There may be nothing we can do, but since Adobe is saying it is possible to mitigate the issue by turning off JavaScript, I think Grants.gov needs to address how doing that might impact the grants community.

Thanks again for the help.

Stu

________________________________________
From: Research Administration List [xxxxxx@hrinet.org] On Behalf Of Bob Beattie [xxxxxx@UMICH.EDU]
Sent: Wednesday, February 25, 2009 5:02 PM
To: xxxxxx@hrinet.org
Subject: Re: [RESADM-L] Adobe Security Vulnerability and G.G applications

This is a serious problem, and one that will occur when an agency is
dependent on a commercial system.  You must wait on them for a patch
if problems develop.   If you turn off Java Script, you cannot do
Adobe Forms.
Our IT people say to keep the Java Script and use caution when using
web sites.   Or turn off the Java Script and only use it when doing
G.g work.

See this
Computerworld article: "Hackers exploit unpatched Adobe Reader bug"
http://www.computerworld.com/action/article.do?
command=viewArticleBasic&articleId=9128278&intsrc=hm_list

and this
Adobe security bulletin: "Buffer overflow issue in versions 9.0 and
earlier of Adobe Reader and Acrobat"
http://www.adobe.com/support/security/advisories/apsa09-01.html

Bob
------------------------------
Robert Beattie
University of Michigan
xxxxxx@umich.edu   (734) 936-1283

On Feb 25, 2009, at 4:42 PM, Lipkin, Stuart wrote:

Hi All,

Maybe someone out there already knows the answer to this question -
so I thought I would post it here.  I didn't see any information on
the Grants.gov website - but I might have missed it.

Adobe has recently issues a security warning (http://www.adobe.com/
support/security/advisories/apsa09-01.html) for their product and
announced that they are planning a patch for it in mid-March.  One of
the suggested workarounds is to disable javascript in the product.
While Adobe says this will not mitigate the problem completely, but
is suggested as a temporary workaround.

I've received some questions about this from our users.  If people
decided to turn off JavaScript would this adversely impact their
ability to successfully complete G.G Adobe packages?

Thanks

Stu

This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information.  If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).

======================================================================
 Instructions on how to use the RESADM-L Mailing List, including
 subscription information and a web-searchable archive, are available
 via our web site at http://www.hrinet.org (click on "Listserv Lists")
======================================================================

======================================================================
 Instructions on how to use the RESADM-L Mailing List, including
 subscription information and a web-searchable archive, are available
 via our web site at http://www.hrinet.org (click on "Listserv Lists")
======================================================================

======================================================================
 Instructions on how to use the RESADM-L Mailing List, including
 subscription information and a web-searchable archive, are available
 via our web site at http://www.hrinet.org (click on "Listserv Lists")
======================================================================