Re: Adobe Security Vulnerability and G.G applications Tom Drinane 26 Feb 2009 16:14 EST
I just think the relative merits of having a commercial vendor fix a problem vs. having a government agency (or its contracted resources) or an open source community fix a problem do not necessarily stack up in the non-commercial favor. It is far from certain that a Grants.gov web application would be free of conflicts with other web applications. Bob Beattie wrote: > Tom, thanks again for the good comments. What I meant by relying on a > commercial product was as a contrast to a self-supported program, I > think of FastLane as an example. No problem with needing the vendor > to fix problems, at its leisure; or dealing with up dates when the > local IT administrators do not > want to install them, or they conflict with other software. Our > Medical School IT people would not install one of the Adobe versions > along the way because it did not get along with the Patient Care > software. > > Should Grants.gov be web based using its own software? What are the > advantages of using a commercial software vs the problems? > > Bob > ------------------------------ > Robert Beattie > > > On Feb 26, 2009, at 11:32 AM, Tom Drinane wrote: > > A few of us have notified G.g help desk. I did so at about noon on > Tuesday, 2/24, and as yet no response other than the auto-response > receipt notice. > > I also contacted our technical people, and have not heard anything > specific. I am suggesting people turn off JavaScript. If you try to > open a G.g package you will get a notice that the document uses > JavaScript, & if you click OK Java will be turned on. User then has > to remember to turn Java back off when they are done. I am > recommending this because people (including myself) open all kinds of > PDFs, and you have no way of knowing which one will cause trouble. > > Bob - It's not just commercial products, but products with wide > adoption by the user community that are a problem. Their size makes > them a likely target for ne'er-do-wells, as well as for having their > flaws documented & publicized. > > Lipkin, Stuart wrote: >> Thanks Bob, >> >> As always I appreciate your advice. This is what I thought but >> different from what the Grants.gov helpdesk told me. They say that >> turning off JavaScript will not cause any issues - which I didn't >> think was accurate. >> >> I completely understand the issues involved in using 3rd party >> software. My concern is that there is no guidance from Grants.gov on >> their website addressing this issue. I have no problem with them >> using Adobe, but I do have issues with them not addressing these type >> of issues as they arise. They have said that they are working >> closely with Adobe and if they are working as closely as they say, I >> would expect information on the impact of these type of issues to be >> posted promptly on the website. >> There may be nothing we can do, but since Adobe is saying it is >> possible to mitigate the issue by turning off JavaScript, I think >> Grants.gov needs to address how doing that might impact the grants >> community. >> >> Thanks again for the help. >> >> Stu >> >> >> ________________________________________ >> From: Research Administration List [xxxxxx@hrinet.org] On Behalf Of >> Bob Beattie [xxxxxx@UMICH.EDU] >> Sent: Wednesday, February 25, 2009 5:02 PM >> To: xxxxxx@hrinet.org >> Subject: Re: [RESADM-L] Adobe Security Vulnerability and G.G >> applications >> >> This is a serious problem, and one that will occur when an agency is >> dependent on a commercial system. You must wait on them for a patch >> if problems develop. If you turn off Java Script, you cannot do >> Adobe Forms. >> Our IT people say to keep the Java Script and use caution when using >> web sites. Or turn off the Java Script and only use it when doing >> G.g work. >> >> See this >> Computerworld article: "Hackers exploit unpatched Adobe Reader bug" >> http://www.computerworld.com/action/article.do? >> command=viewArticleBasic&articleId=9128278&intsrc=hm_list >> >> and this >> Adobe security bulletin: "Buffer overflow issue in versions 9.0 and >> earlier of Adobe Reader and Acrobat" >> http://www.adobe.com/support/security/advisories/apsa09-01.html >> >> >> Bob >> ------------------------------ >> Robert Beattie >> University of Michigan >> xxxxxx@umich.edu (734) 936-1283 >> >> On Feb 25, 2009, at 4:42 PM, Lipkin, Stuart wrote: >> >> Hi All, >> >> Maybe someone out there already knows the answer to this question - >> so I thought I would post it here. I didn't see any information on >> the Grants.gov website - but I might have missed it. >> >> Adobe has recently issues a security warning (http://www.adobe.com/ >> support/security/advisories/apsa09-01.html) for their product and >> announced that they are planning a patch for it in mid-March. One of >> the suggested workarounds is to disable javascript in the product. >> While Adobe says this will not mitigate the problem completely, but >> is suggested as a temporary workaround. >> >> I've received some questions about this from our users. If people >> decided to turn off JavaScript would this adversely impact their >> ability to successfully complete G.G Adobe packages? >> >> Thanks >> >> Stu >> >> This e-mail message (including any attachments) is for the sole use of >> the intended recipient(s) and may contain confidential and privileged >> information. If the reader of this message is not the intended >> recipient, you are hereby notified that any dissemination, distribution >> or copying of this message (including any attachments) is strictly >> prohibited. >> >> If you have received this message in error, please contact >> the sender by reply e-mail message and destroy all copies of the >> original message (including attachments). >> >> >> ====================================================================== >> Instructions on how to use the RESADM-L Mailing List, including >> subscription information and a web-searchable archive, are available >> via our web site at http://www.hrinet.org (click on "Listserv Lists") >> ====================================================================== >> >> >> ====================================================================== >> Instructions on how to use the RESADM-L Mailing List, including >> subscription information and a web-searchable archive, are available >> via our web site at http://www.hrinet.org (click on "Listserv Lists") >> ====================================================================== >> >> >> ====================================================================== >> Instructions on how to use the RESADM-L Mailing List, including >> subscription information and a web-searchable archive, are available >> via our web site at http://www.hrinet.org (click on "Listserv Lists") >> ====================================================================== >> >> >> > -- Tom Drinane 8 Douglas Ridge Norwich, VT 05055 802-356-7843 (M) 802-649-5525 (H) 603-646-3008 (W) ====================================================================== Instructions on how to use the RESADM-L Mailing List, including subscription information and a web-searchable archive, are available via our web site at http://www.hrinet.org (click on "Listserv Lists") ======================================================================