Re: Adobe Security Vulnerability and G.G applications Lipkin, Stuart 25 Feb 2009 21:08 EST
Thanks Bob, As always I appreciate your advice. This is what I thought but different from what the Grants.gov helpdesk told me. They say that turning off JavaScript will not cause any issues - which I didn't think was accurate. I completely understand the issues involved in using 3rd party software. My concern is that there is no guidance from Grants.gov on their website addressing this issue. I have no problem with them using Adobe, but I do have issues with them not addressing these type of issues as they arise. They have said that they are working closely with Adobe and if they are working as closely as they say, I would expect information on the impact of these type of issues to be posted promptly on the website. There may be nothing we can do, but since Adobe is saying it is possible to mitigate the issue by turning off JavaScript, I think Grants.gov needs to address how doing that might impact the grants community. Thanks again for the help. Stu ________________________________________ From: Research Administration List [xxxxxx@hrinet.org] On Behalf Of Bob Beattie [xxxxxx@UMICH.EDU] Sent: Wednesday, February 25, 2009 5:02 PM To: xxxxxx@hrinet.org Subject: Re: [RESADM-L] Adobe Security Vulnerability and G.G applications This is a serious problem, and one that will occur when an agency is dependent on a commercial system. You must wait on them for a patch if problems develop. If you turn off Java Script, you cannot do Adobe Forms. Our IT people say to keep the Java Script and use caution when using web sites. Or turn off the Java Script and only use it when doing G.g work. See this Computerworld article: "Hackers exploit unpatched Adobe Reader bug" http://www.computerworld.com/action/article.do? command=viewArticleBasic&articleId=9128278&intsrc=hm_list and this Adobe security bulletin: "Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat" http://www.adobe.com/support/security/advisories/apsa09-01.html Bob ------------------------------ Robert Beattie University of Michigan xxxxxx@umich.edu (734) 936-1283 On Feb 25, 2009, at 4:42 PM, Lipkin, Stuart wrote: Hi All, Maybe someone out there already knows the answer to this question - so I thought I would post it here. I didn't see any information on the Grants.gov website - but I might have missed it. Adobe has recently issues a security warning (http://www.adobe.com/ support/security/advisories/apsa09-01.html) for their product and announced that they are planning a patch for it in mid-March. One of the suggested workarounds is to disable javascript in the product. While Adobe says this will not mitigate the problem completely, but is suggested as a temporary workaround. I've received some questions about this from our users. If people decided to turn off JavaScript would this adversely impact their ability to successfully complete G.G Adobe packages? Thanks Stu This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments). ====================================================================== Instructions on how to use the RESADM-L Mailing List, including subscription information and a web-searchable archive, are available via our web site at http://www.hrinet.org (click on "Listserv Lists") ====================================================================== ====================================================================== Instructions on how to use the RESADM-L Mailing List, including subscription information and a web-searchable archive, are available via our web site at http://www.hrinet.org (click on "Listserv Lists") ====================================================================== ====================================================================== Instructions on how to use the RESADM-L Mailing List, including subscription information and a web-searchable archive, are available via our web site at http://www.hrinet.org (click on "Listserv Lists") ======================================================================