Re: Adobe Security Vulnerability and G.G applications Tom Drinane 26 Feb 2009 11:32 EST

A few of us have notified G.g help desk.  I did so at about noon on
Tuesday, 2/24, and as yet no response other than the auto-response
receipt notice.

I also contacted our technical people, and have not heard anything
specific.  I am suggesting people turn off JavaScript.  If you try to
open a G.g package you will get a notice that the document uses
JavaScript, & if you click OK Java will be turned on.  User then has to
remember to turn Java back off when they are done.  I am recommending
this because people (including myself) open all kinds of PDFs, and you
have no way of knowing which one will cause trouble.

Bob - It's not just commercial products, but products with wide adoption
by the user community that are a problem.  Their size makes them a
likely target for ne'er-do-wells, as well as for having their flaws
documented & publicized.

Lipkin, Stuart wrote:
> Thanks Bob,
>
> As always I appreciate your advice.   This is what I thought but different from what the Grants.gov helpdesk told me.  They say that turning off JavaScript will not cause any issues - which I didn't think was accurate.
>
> I completely understand the issues involved in using 3rd party software.  My concern is that there is no guidance from Grants.gov on their website addressing this issue.  I have no problem with them using Adobe, but I do have issues with them not addressing these types of issues as they arise.  They have said that they are working closely with Adobe and if they are working as closely as they say, I would expect information on the impact of these types of issues to be posted promptly on the website.
>
> There may be nothing we can do, but since Adobe is saying it is possible to mitigate the issue by turning off JavaScript, I think Grants.gov needs to address how doing that might impact the grants community.
>
> Thanks again for the help.
>
> Stu
>
>
> ________________________________________
> From: Research Administration List [xxxxxx@hrinet.org] On Behalf Of Bob Beattie [xxxxxx@UMICH.EDU]
> Sent: Wednesday, February 25, 2009 5:02 PM
> To: xxxxxx@hrinet.org
> Subject: Re: [RESADM-L] Adobe Security Vulnerability and G.G applications
>
> This is a serious problem, and one that will occur when an agency is
> dependent on a commercial system.  You must wait on them for a patch
> if problems develop.   If you turn off JavaScript, you cannot do
> Adobe Forms.
> Our IT people say to keep the JavaScript and use caution when using
> web sites.   Or turn off the JavaScript and only use it when doing
> G.g work.
>
> See this
> Computerworld article: "Hackers exploit unpatched Adobe Reader bug"
> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128278&intsrc=hm_list
>
> and this
> Adobe security bulletin: "Buffer overflow issue in versions 9.0 and
> earlier of Adobe Reader and Acrobat"
> http://www.adobe.com/support/security/advisories/apsa09-01.html
>
>
> Bob
> ------------------------------
> Robert Beattie
> University of Michigan
> xxxxxx@umich.edu   (734) 936-1283
>
> On Feb 25, 2009, at 4:42 PM, Lipkin, Stuart wrote:
>
> Hi All,
>
> Maybe someone out there already knows the answer to this question -
> so I thought I would post it here.  I didn't see any information on
> the Grants.gov website - but I might have missed it.
>
> Adobe has recently issued a security warning
> (http://www.adobe.com/support/security/advisories/apsa09-01.html)
> for their product and announced that they are planning a patch for it
> in mid-March.  One of the suggested workarounds is to disable
> JavaScript in the product.  While Adobe says this will not mitigate
> the problem completely, it is suggested as a temporary workaround.
>
> I've received some questions about this from our users.  If people
> decided to turn off JavaScript would this adversely impact their
> ability to successfully complete G.G Adobe packages?
>
> Thanks
>
> Stu
>
> ======================================================================
>   Instructions on how to use the RESADM-L Mailing List, including
>   subscription information and a web-searchable archive, are available
>   via our web site at http://www.hrinet.org (click on "Listserv Lists")
> ======================================================================

--
Tom Drinane
8 Douglas Ridge
Norwich, VT  05055

802-356-7843 (M)
802-649-5525 (H)
603-646-3008 (W)