Re: Adobe Security Vulnerability and G.G applications Tom Drinane 26 Feb 2009 16:14 EST

I just think the relative merits of having a commercial vendor fix a
problem vs. having a government agency (or its contracted resources) or
an open source community fix a problem do not necessarily stack up in
the non-commercial favor.  It is far from certain that a Grants.gov web
application would be free of conflicts with other web applications.

Bob Beattie wrote:
> Tom, thanks again for the good comments.  What I meant by relying on a
> commercial product was as a contrast to a self-supported program,  I
> think of FastLane as an example.  No problem with needing the vendor
> to fix problems, at its leisure; or dealing with updates when the
> local IT administrators do not want to install them, or they
> conflict with other software.  Our
> Medical School IT people would not install one of the Adobe versions
> along the way because it did not get along with the Patient Care
> software.
>
> Should Grants.gov be web based using its own software?  What are the
> advantages of using a commercial software vs the problems?
>
> Bob
> ------------------------------
> Robert Beattie
>
>
> On Feb 26, 2009, at 11:32 AM, Tom Drinane wrote:
>
> A few of us have notified G.g help desk.  I did so at about noon on
> Tuesday, 2/24, and as yet no response other than the auto-response
> receipt notice.
>
> I also contacted our technical people, and have not heard anything
> specific.  I am suggesting people turn off JavaScript.  If you try to
> open a G.g package you will get a notice that the document uses
> JavaScript, & if you click OK Java will be turned on.  User then has
> to remember to turn Java back off when they are done.  I am
> recommending this because people (including myself) open all kinds of
> PDFs, and you have no way of knowing which one will cause trouble.
>
> Bob - It's not just commercial products, but products with wide
> adoption by the user community that are a problem.  Their size makes
> them a likely target for ne'er-do-wells, as well as for having their
> flaws documented & publicized.
>
> Lipkin, Stuart wrote:
>> Thanks Bob,
>>
>> As always I appreciate your advice.   This is what I thought but
>> different from what the Grants.gov helpdesk told me.  They say that
>> turning off JavaScript will not cause any issues - which I didn't
>> think was accurate.
>>
>> I completely understand the issues involved in using 3rd party
>> software.  My concern is that there is no guidance from Grants.gov on
>> their website addressing this issue.  I have no problem with them
>> using Adobe, but I do have issues with them not addressing these types
>> of issues as they arise.  They have said that they are working
>> closely with Adobe and if they are working as closely as they say, I
>> would expect information on the impact of these types of issues to be
>> posted promptly on the website.
>> There may be nothing we can do, but since Adobe is saying it is
>> possible to mitigate the issue by turning off JavaScript, I think
>> Grants.gov needs to address how doing that might impact the grants
>> community.
>>
>> Thanks again for the help.
>>
>> Stu
>>
>>
>> ________________________________________
>> From: Research Administration List [xxxxxx@hrinet.org] On Behalf Of
>> Bob Beattie [xxxxxx@UMICH.EDU]
>> Sent: Wednesday, February 25, 2009 5:02 PM
>> To: xxxxxx@hrinet.org
>> Subject: Re: [RESADM-L] Adobe Security Vulnerability and G.G
>> applications
>>
>> This is a serious problem, and one that will occur when an agency is
>> dependent on a commercial system.  You must wait on them for a patch
>> if problems develop.   If you turn off Java Script, you cannot do
>> Adobe Forms.
>> Our IT people say to keep the Java Script and use caution when using
>> web sites.   Or turn off the Java Script and only use it when doing
>> G.g work.
>>
>> See this
>> Computerworld article: "Hackers exploit unpatched Adobe Reader bug"
>> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128278&intsrc=hm_list
>>
>> and this
>> Adobe security bulletin: "Buffer overflow issue in versions 9.0 and
>> earlier of Adobe Reader and Acrobat"
>> http://www.adobe.com/support/security/advisories/apsa09-01.html
>>
>>
>> Bob
>> ------------------------------
>> Robert Beattie
>> University of Michigan
>> xxxxxx@umich.edu   (734) 936-1283
>>
>> On Feb 25, 2009, at 4:42 PM, Lipkin, Stuart wrote:
>>
>> Hi All,
>>
>> Maybe someone out there already knows the answer to this question -
>> so I thought I would post it here.  I didn't see any information on
>> the Grants.gov website - but I might have missed it.
>>
>> Adobe has recently issued a security warning
>> (http://www.adobe.com/support/security/advisories/apsa09-01.html) for
>> their product and announced that they are planning a patch for it in
>> mid-March.  One of the suggested workarounds is to disable JavaScript
>> in the product.  While Adobe says this will not mitigate the problem
>> completely, it is suggested as a temporary workaround.
>>
>> I've received some questions about this from our users.  If people
>> decided to turn off JavaScript would this adversely impact their
>> ability to successfully complete G.G Adobe packages?
>>
>> Thanks
>>
>> Stu
>>
>>
>> ======================================================================
>>   Instructions on how to use the RESADM-L Mailing List, including
>>   subscription information and a web-searchable archive, are available
>>   via our web site at http://www.hrinet.org (click on "Listserv Lists")
>> ======================================================================
>>
>>
>

--
Tom Drinane
8 Douglas Ridge
Norwich, VT  05055

802-356-7843 (M)
802-649-5525 (H)
603-646-3008 (W)
