Critical Vulnerability In Adobe Reader

timothy posted more than 5 years ago | from the see-attachment dept.

Security 160

An anonymous reader writes "Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions using Adobe's Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader."

160 comments

For the uninformed: (5, Informative)

Joe Snipe (224958) | more than 5 years ago | (#25650075)

Foxit [foxitsoftware.com] FTW

Re:For the uninformed: (2, Insightful)

BrennanM3 (1397275) | more than 5 years ago | (#25650141)

That might work on some or most files, but there still is no replacement for Acrobat.

Re:For the uninformed: (5, Informative)

Zonk (troll) (1026140) | more than 5 years ago | (#25650307)

That might work on some or most files, but there still is no replacement for Acrobat.

True, but we're getting closer. OpenOffice 3 now has a PDF Import [openoffice.org] extension, and of course for Windows there's PDFCreator [sourceforge.net] (Gnome/KDE and OS X natively support printing to PDF).

Re:For the uninformed: (1)

onitzuka (1303967) | more than 5 years ago | (#25650519)

OpenOffice has had the ability to export to PDF since OpenOffice 2.x.

Re:For the uninformed: (5, Funny)

Anonymous Coward | more than 5 years ago | (#25651029)

I know you're trying to look smart but export and import aren't the same thing.

Re:For the uninformed: (5, Insightful)

JustinOpinion (1246824) | more than 5 years ago | (#25650383)

Perhaps, but you can have multiple PDF readers installed. And in terms of security, it's usually best to use the simplest application that will work.

So basically you could use FoxIt or Sumatra PDF to open most PDFs. And then for the rare one that uses some advanced stuff, you can fire up Acrobat. The fact is that most of the stuff that Acrobat supports that other PDF readers don't involves some kind of scripting. And really you shouldn't be running any scripts (even those that are, in principle, sandboxed) unless you have reason to trust them.

So a sensible strategy would seem to be that you open 99% of PDFs with a simpler reader, and only use Acrobat on the few that really need it, and only if the source of the PDF is trustworthy in your estimation.

(Yeah, I know... it's a bit of a pain to have multiple programs that do the same thing. In principle you "shouldn't have to" in the sense that your PDF reader should be secure. But in reality it seems like a reasonable precaution.)

Re:For the uninformed: (3, Insightful)

spud603 (832173) | more than 5 years ago | (#25651067)

This is exactly what I do in Mac OS X. Virtually always, I just open the PDF with Preview.app (part of the basic OS distribution). On the rare occasion that it won't open or is a form or something, I'll right-click>open with>Acrobat.app. Not much of a pain.
I think it makes good sense to have a different app depending on what you need done. For instance, reading articles in PDF in Preview or Acrobat is a pain, and I'll use Skim.app [sourceforge.net] for those.

Re:For the uninformed: (3, Insightful)

SleepingWaterBear (1152169) | more than 5 years ago | (#25651379)

The real solution is to open 100% of PDFs in a simpler reader, and refuse to tolerate PDFs that require scripting.

Really, there's no good reason for a document viewer to have the bloat of Acrobat, and we shouldn't encourage Adobe by doing what they want.

Scripting is useful, but.... (2, Informative)

Anonymous Coward | more than 5 years ago | (#25653759)

Scripting is great, as it allows you to generate dynamic content, perform validation, etc. It enables better PDF presentations and forms and cute little tools. In short, javascript benefits PDF in the same ways it benefits (X)HTML.

However, like macro languages in word processors & like javascript in webbrowsers, scripting in PDF viewers needs to be hardened against unintended consequences.

"No javascript in PDF" is a very poor solution. Few people disable javascript in their browsers. Even the fairly paranoid will just run "noscript" & will then decide (for themselves and on a case-by-case basis) when scripting is desired and trustworthy.

Re:For the uninformed: (3, Informative)

bcrowell (177657) | more than 5 years ago | (#25650739)

That might work on some or most files, but there still is no replacement for Acrobat.

Huh? I create PDFs all the time, and don't own a copy of Acrobat. I use pdftex and inkscape, but there's scads of other software that can do it, e.g., Scribus if you want GUI desktop publishing. This is all on linux, but there's tons of PDF-creating software on Windows as well.

Re:For the uninformed: (1)

Ephemeriis (315124) | more than 5 years ago | (#25650905)

That might work on some or most files, but there still is no replacement for Acrobat.

Depends on what you need Acrobat for...

If all you want to do is view a PDF, you certainly don't need Adobe Reader (which is what the story talks about). There are plenty of perfectly good alternatives out there, and Foxit is one of them.

If you want to create a PDF, you frequently don't actually need Adobe. We've got tons of clients who basically just want to email a simple word/text/whatever document to someone with relative certainty that they'll be able to open it, view it, and print it - but not make changes. These clients are often under the impression that the only software that can possibly do what they want is Adobe. In fact, Foxit and PDFCreator often do what they need.

Sure, if you're looking to embed all sorts of flashy graphics and movies and stuff... Make an editable form... Embed keywords or something... Adobe is the way to go. But for basic stuff, why bother?

Re:For the uninformed: (1)

the_womble (580291) | more than 5 years ago | (#25650923)

That might work on some or most files, but there still is no replacement for Acrobat.

I have had one PDF file so far this year that failed to open in KPDF - and I have not tested if that opens in Acrobat either.

I have never used Foxit, but there are certainly perfectly good, reliable, PDF readers other than Acrobat.

This may not be true if you need a particular feature that is only implemented by Acrobat, for most people the alternatives are as good or better.

Re:For the uninformed: (4, Informative)

Ethanol-fueled (1125189) | more than 5 years ago | (#25650151)

Hey, that's my line. By the way,

While investigating the feasibility of exploiting a vulnerability previously disclosed in Foxit Reader (CVE-2008-1104), a CoreLabs researcher found that Adobe Reader was affected by the same bug.

Foxit users: don't panic. Though Foxit Reader v2.3 build 2825 is vulnerable, 2.3 builds 2912 and later are patched. Build 3309 is the current version available for download.

...with the privileges of a user running the Adobe Reader application.

Which strongly implies that those affected will be Windows users with Administrator access.

Re:For the uninformed: (4, Insightful)

nine-times (778537) | more than 5 years ago | (#25650299)

...with the privileges of a user running the Adobe Reader application.

Which strongly implies that those affected will be Windows users with Administrator access.

It seems fair to worry even if you aren't running as admin. If a trojan PDF can run arbitrary code with privileges of the user running Adobe Reader, that's still enough to screw with that user's documents even if the user isn't an admin.

Re:For the uninformed: (1)

Spit (23158) | more than 5 years ago | (#25653799)

The unprivileged exploit has access to launch further exploits against other system vulnerabilities, which do give privilege.

Re:For the uninformed: (3, Informative)

initdeep (1073290) | more than 5 years ago | (#25651219)

if you rtfa, you would note that the current build of adobe reader isn't vulnerable either.

Re:For the uninformed: (0)

Anonymous Coward | more than 5 years ago | (#25654495)

So my options are to get pwnt by a cracker or get pwnt by Adobe? I'll take my chances with the cracker.

What about old non-bloated Acrobats? (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#25651317)

I stayed on version 5.0.5 because all of the later versions were bloated. Does this vulnerability affect those? I didn't see a way to enable/disable Acrobat JavaScript like on newer versions. Does that mean that that version didn't support JavaScript?

Re:For the uninformed: (0)

Anonymous Coward | more than 5 years ago | (#25653367)

True. Of course, if they're using Vista, (and haven't turned off UAC - you leave that on right?) the privileges will not include Admin access.

The dodgy code will have to bring up a UAC prompt and convince the user to accept it. Other than that it's only the user's files affected - the same as any other OS....

- "Please open a terminal window and type 'su '" works just as well.... the only difference is the education of the user.

</STIRRING-SLASHDOT>

Re:For the uninformed: (5, Informative)

JustinOpinion (1246824) | more than 5 years ago | (#25650193)

Another option for PDF reading on Windows is Sumatra PDF [kowalczyk.info] (if you prefer open-source).

Re:For the uninformed: (3, Informative)

Anonymous Coward | more than 5 years ago | (#25650577)

I knew some guy would chime in recommending Foxit, but I'm surprised and glad to see a recommendation for Sumatra.

Foxit is suffering from its own feature-creep and bloat-up issues (on a much smaller scale than Adobe's software, but still), so Sumatra is really what I _think_ everyone who chimes in with "Foxit" really means to recommend. It accurately renders PDFs. THAT'S IT.

Re:For the uninformed: (1)

Joe Snipe (224958) | more than 5 years ago | (#25651023)

I wasn't familiar with Sumatra until you posted, and I have now installed and will give it a run. Thanks for the recommendation!

Re:For the uninformed: (0)

Anonymous Coward | more than 5 years ago | (#25650431)

Last time someone here suggested Foxit here I installed it and saw a nag, minibanner or some other promotion. Can't remember the specifics but Foxit lasted about 5 seconds.

Same deal with Acrobat reader. It nagged me with stupid promotions to download Acrobat Professional from pirate bay, which I eventually gave in to.

Re:For the uninformed: (2, Informative)

IngeniousCognomen (1318383) | more than 5 years ago | (#25650479)

Sure, Foxit is fine as far as it goes, but it runs slower than Adobe Reader on my PC. Plus Adobe lets me save as text, where Foxit expects me to pay for that functionality.

Re:For the uninformed: (5, Funny)

internerdj (1319281) | more than 5 years ago | (#25650589)

Slower than Adobe Reader? What does it do, steal all the cycles from neighboring computers as well?

Re:For the uninformed: (1)

Tubal-Cain (1289912) | more than 5 years ago | (#25651265)

Are the Adobe SpeedLaunch apps running in the background? That is the only way I can imagine the 200MB Adobe Reader 9 launching faster than Foxit.

Re:For the uninformed: (1, Redundant)

Thaelon (250687) | more than 5 years ago | (#25651603)

Foxit FTL.

Sumatra PDF Viewer [kowalczyk.info] FTW.

Foxit is about as bloated and irritating as Acrobat Reader was in version 5.0 (which was much better, but still terrible).

Sumatra is to Foxit as Foxit is to Adobe Acrobat Reader.

I realize being a .info site makes it very suspicious, but if you don't trust me or it, Google it yourself [google.com]

Re:For the uninformed: (1)

5865 (104259) | more than 5 years ago | (#25653475)

Sumatra PDF did a good job porting the freaking ass slow rendering experience from Linux to Windows. Have you even tried Foxit before you bash it?

Quick test: Load a hundred pages+ PDF and drag the scroll bar across the pages. You should expect Foxit to keep up with your maniacal scrolling followed by Adobe's sub second lag and Sumatra's "Please wait - Rendering...."

But if you mean Foxit under Linux, it's noticeably slow. Just like all the other PDF viewers for Linux.

Re:For the uninformed: (0)

Anonymous Coward | more than 5 years ago | (#25651975)

Ghostscript for the win. It reads PDF files, too, after all.

Structural Issues (2, Funny)

Anonymous Coward | more than 5 years ago | (#25650111)

Critical Vulnerability In Adobe

You see, if you mix too much water into the mixture before it hardens, it is brittle and your dwelling will collapse on you ...

Re:Structural Issues (0)

Anonymous Coward | more than 5 years ago | (#25650253)

I don't understand your building analogy. Please use a software architecture instead.

Re:Structural Issues (1)

azgard (461476) | more than 5 years ago | (#25650829)

In terms of software architecture, it's like mixing of too much Turing completeness into this particular DSL.

Re:Structural Issues (0)

Anonymous Coward | more than 5 years ago | (#25652953)

Nonono, we use car analogy here.

Symptoms you've been attacked (3, Insightful)

Anonymous Coward | more than 5 years ago | (#25650145)

Adobe Reader is very slow to load and freezes your browser. Yes, it's very difficult to tell.

Single-purpose tools are good (5, Insightful)

davidwr (791652) | more than 5 years ago | (#25650159)

Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

If not, it should.

Re:Single-purpose tools are good (5, Insightful)

Roland Piquepaille (780675) | more than 5 years ago | (#25650385)

Your remark leads to the general question: what business does a document viewer have trying to execute embedded Javascript scripts? A PDF file is essentially a PostScript file, so its content is supposed to be interpreted as a page description and nothing more.

This is reminiscent of Microsoft's "executable" .DOC files that were used to spread viruses around years ago. This is what you get when you try to make a tool too clever for its own good.

Re:Single-purpose tools are good (3, Informative)

liquidpele (663430) | more than 5 years ago | (#25651891)

We use javascript in the PDF for forms the clients can type entries into and then print. Basically, if they enter certain values in one part, it will not let them fill out other parts or set other parts to certain values to make the form actually make sense for us. Very handy.

Re:Single-purpose tools are good (4, Interesting)

Thundersnatch (671481) | more than 5 years ago | (#25652509)

Sure, JavaScript is pointless in a PDF viewer and should be disabled, but it is worth noting that PostScript itself is a programming language. It has conditionals, functions, loops, etc. I myself once hand-coded a PostScript program to draw a high-res graph of a particular function for a class back in college. This 1K file basically owned the imagesetter in the print lab for about 45 minutes while it rendered at 1200 dpi.

If I recall correctly, there were even a couple of postscript exploits back in the 1990s that could "brick" Apple LaserWriters.

Re:Single-purpose tools are good (2, Informative)

erikdalen (99500) | more than 5 years ago | (#25652969)

Postscript is a stack based programming language. PDF was afaik originally designed to be a simpler format for just describing page layout. But then they've extended it to be able to include javascript for programming and embedding videos, flash and all sorts of stuff (sounds like HTML...).

http://en.wikipedia.org/wiki/PostScript [wikipedia.org]

Re:Single-purpose tools are good (1)

Rary (566291) | more than 5 years ago | (#25650459)

Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

If not, it should.

Agreed. And the same goes for every other application primarily designed to read documents (images, media files, whatever).

On the one hand, I find some of the functionality that is being embedded in various document types useful, but on the other hand I find it ridiculous that data can attack us.

Re:Single-purpose tools are good (2, Interesting)

zalas (682627) | more than 5 years ago | (#25650461)

They've already developed a lite version of their PDF renderer for their Digital Editions product, so they really should just distribute the renderer in that as a standalone product or something.

Re:Single-purpose tools are good (1)

jmulvey (233344) | more than 5 years ago | (#25650715)

"they really should just distribute the renderer in that as a standalone product or something."

Yes. Because we should soon expect the renderer installer alone to consume an entire 4 GB DVD. Adobe Acrobat is the pinnacle of bloatware. No wonder vulnerabilities like these are discovered. It must be easy to poke holes in the 17 gajillion lines of code it takes Adobe to render text.

Re:Single-purpose tools are good (5, Informative)

bcrowell (177657) | more than 5 years ago | (#25650539)

Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

Even if the js-related security bugs are fixed, it's still a privacy issue, because js in a pdf file can be used to track who's reading a particular document.

Personally, when I see that a piece of software has a long history of security problems, I take that as my cue to remove it from my system. I don't really care that they keep fixing the bugs. The fact that it has this history demonstrates that the software wasn't written with the correct attention to security, and it's likely to have more such problems in the future.

If you're running Linux, xpdf starts up extremely fast, and that's why I use it as my pdf plugin in Firefox. If you want something a little more modern, try evince.

People have posted saying that on Windows, you should switch to Foxit, but the article says that the security flaw was found first in Foxit, and only later in Adobe Reader. I actually tried to get the science division at the community college where I teach to switch to putting Foxit on machines in the student labs as the default pdf plugin. However, when the faculty were testing it, they found that it was not correctly displaying some of the pdfs they were using.

Re:Single-purpose tools are good (0, Troll)

HTH NE1 (675604) | more than 5 years ago | (#25650983)

To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

Under Edit : Preferences I just have General, Comments, Full Screen, and Weblink.

Help : About Acrobat Reader says it's Acrobat Reader 5.0, x86 linux 5.0.10 Nov 8 2004 13:14:17.

Re:Single-purpose tools are good (1)

bcrowell (177657) | more than 5 years ago | (#25651759)

it's Acrobat Reader 5.0, x86 linux 5.0.10 Nov 8 2004 13:14:17.
You're running an extremely old version. The current version is 9.

Re:Single-purpose tools are good (1)

HTH NE1 (675604) | more than 5 years ago | (#25653279)

it's Acrobat Reader 5.0, x86 linux 5.0.10 Nov 8 2004 13:14:17.
You're running an extremely old version. The current version is 9.

You think that's old? You should look up xemacs 19.13. Also, the installed mozilla version:

% /usr/lib/mozilla-1.2.1/mozilla-bin --version
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225, build 2003022516

I can't even run Firefox 3 on my work system. I have to run it on the only Linux machine here that can, displaying to my screen, and even then it keeps spitting out Gdk- and Gtk-CRITICAL assertion errors.

Re:Single-purpose tools are good (0)

Anonymous Coward | more than 5 years ago | (#25653693)

maybe they should give sumatra pdf a go instead http://blog.kowalczyk.info/software/sumatrapdf/

Re:Single-purpose tools are good (1)

nine-times (778537) | more than 5 years ago | (#25650543)

And it should also be the default mode, IMO.

But I guess I never got the memo that explained why Acrobat Reader was doing anything more than reading plain/static PDFs in the first place. Didn't they do something in new versions to allow Flash and movies, or something?

The only reason I use PDFs is when I want to make a document with a very controlled layout, both in print and on a display, without any expectation of editing. Honestly I'm willing to pay money to Adobe to get Acrobat if it's going to help me do that in a way that's proven, robust, and configurable. I can also understand the desire for things like comments and digital signatures, but anything much more than that and I feel like it's just shoehorning extra bloat in the form of features that relatively few people will use, probably at the expense of security and possibly at the expense of sanity.

Which again... (4, Insightful)

slapout (93640) | more than 5 years ago | (#25650505)

...begs the question "Why Does Adobe Reader Need Javascript"??

Re:Which again... (4, Informative)

andrewd18 (989408) | more than 5 years ago | (#25650709)

I create PDF order forms for my company that our salesmen e-mail to customers; these javascript-enabled PDF order forms dynamically enable or disable options as the user customizes an order. For example, if the user picks option A, sub-options A1 -> A5 are automatically enabled, while B1 -> B5 are disabled. And that's why you might want javascript in a PDF.

Re:Which again... (5, Insightful)

Anonymous Coward | more than 5 years ago | (#25651489)

You are part of the problem.

An alternative? (1)

ArchieBunker (132337) | more than 5 years ago | (#25651945)

Can you suggest an alternative for creating and using interactive forms?

Re:An alternative? (1)

slimjim8094 (941042) | more than 5 years ago | (#25652917)

How about not a display format? PDF is PostScript without the logic...

Just use a website if that's what you want your form to act like.

Re:Which again... (1)

TrekkieTechie (1265532) | more than 5 years ago | (#25650745)

Because there's really no more efficient way of introducing security exploits which necessitate expensive upgrades to the latest version.

I'm sorry, did I say 'expensive'? I meant 'profitable' -- Freud strikes again!

Re:Which again... (0)

Anonymous Coward | more than 5 years ago | (#25650777)

for the same reason why God needs a starship

Re:Which again... (2, Interesting)

TimeTraveler1884 (832874) | more than 5 years ago | (#25650835)

"Why Does Adobe Reader Need Javascript"??

I've written scripts for Adobe Acrobat Professional to interleave PDFs of scans from my single-duplex, automatic document feeder scanner. Can you believe that there are companies out there that charge $100 or so to do the same task with a plugin? Took me 15 min to write it in JavaScript myself.

As far as Reader though, I've seen some web-fill state tax forms that use Javascript for field validation.

Re:Which again... (1)

betterunixthanunix (980855) | more than 5 years ago | (#25651261)

ghostscript for the win. I can do this in even less time using ghostscript and reasonably advanced shell. The best part is not having to pay for Acrobat pro.

Re:Which again... (0)

Anonymous Coward | more than 5 years ago | (#25650973)

Hence the source of a simple solution ... I disable it, along with a bunch of other plugins that are useless to me.

One of the followup replies notes that Javascript is useful to embed logic in forms. That's great, and a justifiable use. It makes sense.

So, if I ever do encounter one of those forms rather than a plain document, I'll temporarily re-enable it. (Hasn't happened yet)

The real question is, why is Javascript turned on by default when most documents don't need it?

Re:Which again... (5, Informative)

Nimey (114278) | more than 5 years ago | (#25651595)

It raises the question, godsdamnit. Here's what "begging the question" actually means:

http://en.wikipedia.org/wiki/Begging_the_question [wikipedia.org]

Re:Which again... (1)

stemcel (1074448) | more than 5 years ago | (#25652375)

I twitch almost every time I see "begs the question" but I've given up on saying anything. I applaud your enthusiasm :D

Go team!

Re:Which again... (2, Interesting)

ZERO1ZERO (948669) | more than 5 years ago | (#25652955)

Yeah. I noticed that. I understand when not to use 'begging/begs the question' when meaning 'raises the question'. But I have read that wiki page before, and I just read it again, but it still makes no sense to me. Can someone please explain in plain English when one *would* use the phrase begging the question?

"That begs the question" is an appropriate reply when a circular argument is used within one syllogism. That is, when the deduction contains a proposition that assumes the very thing the argument aims to prove; in essence, the proposition is used to prove itself, a tactic which in its simplest form is not very persuasive.

I mean, what the fuck?

Re:Which again... (0)

Anonymous Coward | more than 5 years ago | (#25653511)

Assume Adobe would not suck. They would not deliver a buggy, intrusive and horribly bloated software as a document reader. Software without bloat and bugs is good. Therefore Adobe does not suck.

That begs the question.

Re:Which again... (1)

Nimey (114278) | more than 5 years ago | (#25653721)

Another way of putting it is "circular logic". You start off by making an assumption, then use logic to prove that assumption, which is vacuous because you didn't prove it, you instead used circular logic.

Re:Which again... (0)

Anonymous Coward | more than 5 years ago | (#25654117)

even when i couldn't see your reply, somehow i knew what it would say.

You can have it, hackers (4, Funny)

Sneftel (15416) | more than 5 years ago | (#25650511)

Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader.

The main privileges being the privilege of waiting thirty seconds to view text, followed closely by the privilege of a crashed web browser.

Re:You can have it, hackers (1)

QuantumG (50515) | more than 5 years ago | (#25650853)

hehe, people used to say that about the overflow in the default php install for apache. "oh, you can only get access to the 'anonymous' account on the web server". There's always a dozen different local exploits you can use to escalate from these accounts. And that's on a platform which actually takes security seriously.

Re:You can have it, hackers (1)

Sneftel (15416) | more than 5 years ago | (#25651063)

Er, yes, I got that. And there's no need for escalation, as the user most likely has pretty good system privileges, not to mention access to all his own documents.

'twas a joke, you see.

Re:You can have it, hackers (1)

QuantumG (50515) | more than 5 years ago | (#25651307)

A lot of people sandbox Acrobat Reader on Linux and IE7 does it too I think.

Oh, and I meant the 'nobody' account. Wow, it has been years.

Re:You can have it, hackers (1)

jonaskoelker (922170) | more than 5 years ago | (#25651941)

Or >90% usage of mem and swap. Happens to my office mate's box. She is not happy, but she managed to run top on it once to identify the culprit. I think she's switching to kpdf [she doesn't like the ubuntu orange].

Out of curiosity... (1)

vishbar (862440) | more than 5 years ago | (#25650557)

Why in the world does Adobe Acrobat include a Javascript engine in the first place? Why add a structured programming language to a document? HTML is different since it's being used as a new platform for applications...but a PDF file? Maybe I'm missing something. Have any of you ever used Javascript in a PDF document (other than when you're trying to access a remote machine)?

Re:Out of curiosity... (0)

Anonymous Coward | more than 5 years ago | (#25650611)

PDF supports forms among other things, and javascript can be used in the same way it is used in HTML.

Re:Out of curiosity... (1)

avandesande (143899) | more than 5 years ago | (#25650977)

But why? It would have been a great and ubiquitous tool if it had stuck with being a wrapper for postscript- anything else 'extra' that acrobat does is done better some other way.

Re:Out of curiosity... (2)

Randle_Revar (229304) | more than 5 years ago | (#25652333)

I guess after they took Turing-completeness out of PS to make PDF, they wished they hadn't, and somehow thought JS was better than PS.

Re:Out of curiosity... (1)

janwedekind (778872) | more than 5 years ago | (#25652583)

Don't know why they included it. However I've seen PDF documents with buttons and forms. There's even a style file for pdflatex called pdfanim [uni-bremen.de] which allows you to do animations with Javascript in your PDF document. However I noted that it behaves slightly differently under GNU/Linux and Microsoft Windows.

Adobe 8.1.2 is old (0)

Anonymous Coward | more than 5 years ago | (#25650719)

This version is from February of this year and there have been numerous releases since, including version 9 - which are not vulnerable.

Yep. (1)

Shade of Pyrrhus (992978) | more than 5 years ago | (#25650865)

This was discussed previously [slashdot.org], as well - the difference is that a specific vulnerability has been found at this point.

As usual, take precautions to ensure you're not automatically opening PDFs in your browser - Save by default instead, so you can scan it and actually make the decision to open it yourself.
For Firefox users:

Tools->Options->Applications. Change actions for PDFs to Save.
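The "save first, then scan before opening" habit in the comment above can begin with a static check for script and auto-run markers in the saved file. The following is an added example, not part of the original thread: it counts the PDF name tokens `/JS`, `/JavaScript`, `/OpenAction` and `/AA`, undoing `#xx` name escapes and looking inside Flate-compressed streams. The function names and the three sample documents are constructed for illustration, and the check is a coarse filter that does not inspect encrypted files or other stream filters.

```python
import re
import zlib

# Name tokens for embedded script (/JS, /JavaScript) and for actions that
# fire without a click (/OpenAction, /AA = additional actions).
SUSPECT_NAMES = ("/JS", "/JavaScript", "/OpenAction", "/AA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name is "/" followed by anything except whitespace and delimiters.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    plain = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def inflate_streams(data: bytes):
    """Yield the contents of every stream that inflates as zlib data."""
    for match in _STREAM.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'.
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate-encoded (image data, other filters, ...)


def count_names(data: bytes) -> dict:
    """Count suspect names in the raw file and in its inflated streams."""
    counts = dict.fromkeys(SUSPECT_NAMES, 0)
    for blob in [data, *inflate_streams(data)]:
        for match in _NAME.finditer(blob):
            name = decode_name(match.group(0))
            if name in counts:
                counts[name] += 1
    return counts


def triage(data: bytes):
    """Return (verdict, counts) for one saved file."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("no PDF header found")
    counts = count_names(data)
    script = counts["/JS"] + counts["/JavaScript"]
    autorun = counts["/OpenAction"] + counts["/AA"]
    if script and autorun:
        verdict = "script-autorun"  # script plus a trigger that needs no click
    elif script:
        verdict = "script"          # e.g. form validation; open with JS disabled
    else:
        verdict = "no-script"
    return verdict, counts


# --- constructed sample documents (minimal fragments, not real files) ---
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

OBFUSCATED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\n"
    b"endobj\n3 0 obj\n<< /S /J#61vaScript /JS (var total = 1 + 1;) >>\n"
    b"endobj\n%%EOF\n"
)

_packed = zlib.compress(b"<< /S /JavaScript /JS (var total = 1 + 1;) >>")
HIDDEN = (
    b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_packed)).encode()
    + b" >>\nstream\n" + _packed + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("obfuscated", OBFUSCATED), ("hidden", HIDDEN)):
        print(label, *triage(doc))
```

Because the scan does not parse string literals, a name-like token inside ordinary text is also counted, so a hit means "open with JavaScript disabled or in a simpler reader", not "malicious".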

Just disable javascript (0)

Anonymous Coward | more than 5 years ago | (#25651259)

That's what I did from the start. The thing is, Acrobat doesn't seem to like that, because it prompts me to enable it, twice, every time I open a document. It's pathetic, really.

Noscript (1)

glop (181086) | more than 5 years ago | (#25651467)

Hey,

I can't believe nobody mentioned that noscript prompts you before showing a PDF file.

It can be tedious but it's useful apparently.

How soon we forget best practices (3, Informative)

richrumble (988398) | more than 5 years ago | (#25651687)

98% of virii/malware etc need ADMIN to succeed... and very few applications on windows, save a very small percentage actually need admin. The User Group is good enough for the wife/kids and my sales staff, lowers TCO even for M$. We don't use installed AV clients, we scan remotely nightly, run proxy+av along with snort, no issues. Users can use runas http://xinn.org/RunasVBS.html [xinn.org] if need be, but they probably won't need to. Anti-Admin VS Anti-Virus, and AA wins! http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html [blogspot.com] -rich

Re:How soon we forget best practices (1)

Joe The Dragon (967727) | more than 5 years ago | (#25652007)

No live AV scanning there is stuff out there that does not need admin to take over the system.

Just wait for your kids to play games with DRM, auto updating, online play, mods and more that needs admin to work.

Re:How soon we forget best practices (1)

richrumble (988398) | more than 5 years ago | (#25652343)

Not much, BHO's like Vundo(virus) only work against IE, we don't use IE. There is very little. I've got 2000+ users who are never infected, again no IE. -rich

Is this hole cross platform compatible? (2, Insightful)

Biff Stu (654099) | more than 5 years ago | (#25651869)

Adobe is one of the best when it comes to cross-platform compatibility and the hole is based on Javascript...

And yes, I did RTFA.

So what? (0)

Anonymous Coward | more than 5 years ago | (#25652481)

Who runs this app as root anyway?

Adobe is taking the piss (0)

Anonymous Coward | more than 5 years ago | (#25653575)

I know this has either already been said, or will never be seen, both due to Slashdot's advanced "post in the first 30 seconds or no one will ever read your shit" moderation system but PDF exploits are starting to take the piss. It seems that every month there's a new PDF exploit in the wild and if my virus checker throws up a blocked object while I'm surfing 9 times out of 10 it's a PDF.

I wonder how many people have been rootkitted by a PDF exploit while surfing the net only to proclaim "OMGWTF windows / IE sucks balls" Adobe needs to pull its fucking finger out, and I need to install an OSS PDF reader.
