
Homemade PDF Patch Beats Adobe By Two Weeks

kdawson posted more than 5 years ago | from the p-d-q dept.

Security 238

CWmike writes "Sourcefire security researcher Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks. Grenier posted the patch on Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees. Also, PhishLabs has created a batch file that resets a Windows registry key to de-fang the hack by disabling JavaScript in Adobe Reader 9.0, giving administrators a way to automate the process."


238 comments

Patch (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26964329)

Yeah, but it's not for Linux :(

Offensive (2, Funny)

Feminist-Mom (816033) | more than 5 years ago | (#26964351)

From the article:

"This thing is so simple to use that you're grandmother could patch it."

As a 49 yo grandmother, C programmer and feminist, I find this offensive.

Re:Offensive (2, Funny)

Anonymous Coward | more than 5 years ago | (#26964391)

Thank you for letting the Slashdot community know what you find offensive... is this because you think it's interesting, or because you have no friends to talk with?

Re:Offensive (5, Funny)

Anonymous Coward | more than 5 years ago | (#26964521)

I'll go for the secret third option, "because she's a feminist". Letting the world know what they find offensive is practically the feminists' national sport. Rather, it would be if they had their own country. And by God, I wish they did.

Re:Offensive (5, Funny)

Anonymous Coward | more than 5 years ago | (#26964727)

Q: How many feminists does it take to change a lightbulb?
A: That is NOT funny.

Re:Offensive (0)

Anonymous Coward | more than 5 years ago | (#26964831)

Q: How many lightbulbs does it take to turn on a feminist?
A: That is truly funny!

Re:Offensive (1, Informative)

Anonymous Coward | more than 5 years ago | (#26964909)

Q: How many male chauvinists does it take to change the lightbulb in the kitchen?
A: None, let the bitch wash the dishes in the dark.

Re:Offensive (1, Funny)

Anonymous Coward | more than 5 years ago | (#26965021)

Q: How many feminists does it take to change a lightbulb?
A: Trick question, feminists can't change anything.

Re:Offensive (2, Funny)

electrosoccertux (874415) | more than 5 years ago | (#26965227)

Unrelated to the feminist jokes, but related to lightbulbs:

Q: How many psychiatrists does it take to change a lightbulb?
A: Only one, but the lightbulb has to want to change.

Re:Offensive (1)

hack slash (1064002) | more than 5 years ago | (#26965615)

Q: How many Vietnam vets does it take to change a lightbulb?
A: You don't know because you weren't there man!

Re:Offensive (5, Funny)

JorDan Clock (664877) | more than 5 years ago | (#26965077)

Q: How many feminists does it take to change a lightbulb?

A: Four. One to change the lightbulb, three to form a support group.

But really, it's a trick question because feminists can't change anything.

Re:Offensive (0, Insightful)

Anonymous Coward | more than 5 years ago | (#26964871)

Look, I've been a programmer for a lot of years and I'm sick and tired of this sexist crap. I could probably program most slashdot readers under the table, and yet at work I get treated like an idiot. IT articles treat women, especially older ones, like idiots. Enough already. People should be willing to step back and recognize the contributions that women in computer science have made.

F.M.

Re:Offensive (1, Funny)

Anonymous Coward | more than 5 years ago | (#26965413)

So to paraphrase....That is NOT funny!

Re:Offensive (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26965593)

Go bake us some cookies, you old hag.

Re:Offensive (1, Flamebait)

thebigbadme (194140) | more than 5 years ago | (#26965481)

Letting the world know what they find offensive is practically the feminists' national sport. Rather, it would be if they had their own country.

I'm a feminist, and am offended by this claim
(I am a feminist, but am going for funny with this...)

I think the feeling of entitlement that often leads to the bitching comes from something besides the ism/ist in question... at least I attribute it to a sense of entitlement. and by that I don't mean that anyone is not particularly entitled t... ah what's the use

Re:Offensive (2, Insightful)

TriezGamer (861238) | more than 5 years ago | (#26964559)

Your grandchildren are not likely to be browsing Slashdot. Furthermore, taking offense to something that is very clearly tongue-in-cheek is not befitting of someone of your age.

Re:Offensive (0)

Anonymous Coward | more than 5 years ago | (#26964633)

Grandma Nazi...

Re:Offensive (2, Funny)

bane2571 (1024309) | more than 5 years ago | (#26964673)

So, you're saying your grandmother couldn't install the patch? Or are you trying to imply that your 13 year old or younger grandchildren are nerdy enough to read slashdot?

Re:Offensive (5, Funny)

Anonymous Coward | more than 5 years ago | (#26964687)

Yeah, you're right. It's terrible when people use an apostrophe when they mean "your".

Re:Offensive (0, Troll)

zippthorne (748122) | more than 5 years ago | (#26965429)

That is .. awfully young to be both a grandmother and a feminist. Assuming you're telling the truth, though, don't you think it's a little self serving for a woman to be a feminist? I mean, I'm sure Louis XVI was a royalist, but is it really a virtue?

Registry hack (5, Interesting)

coulbc (149394) | more than 5 years ago | (#26964343)

We figured that one out in about five minutes. Wrote a quick group policy file and moved on to the next problem.

Re:Registry hack (1)

teridon (139550) | more than 5 years ago | (#26964747)

What do you mean "group policy file"? Did you deploy via script or ADM file or what?

Share :)

I tried making a quick ADM file based on some ADMs I found here:
http://blog.stealthpuppy.com/deployment/deploying-adobe-reader-9-for-windows [stealthpuppy.com]

But apparently I didn't do it correctly, because JS was still on after I applied my setting.

Re:Registry hack (4, Informative)

initialE (758110) | more than 5 years ago | (#26965533)

For myself I just used REG.exe, located inside the %system32% folder. In your logon script (assuming you have one), just add in the lines

REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bConsoleOpen /t REG_DWORD /d 0 /f

REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableGlobalSecurity /t REG_DWORD /d 1 /f

REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f

REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableMenuItems /t REG_DWORD /d 0 /f

YMMV. REG.exe is not included on Windows 2000. Because this applies to the current user registry there should be no permissions issue. And make sure your path does include the system32 directory, as it does by default.
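The same four values can be audited and set from a PowerShell logon script, which lets you verify the result instead of blindly writing it. This is an added example, not the commenter's script or the PhishLabs batch file mentioned in the summary; it assumes the JSPrefs key path and value names quoted in the comment above, and that the script runs as the user whose Reader settings should change.

```powershell
# Added example (not from the original comment): audit and harden Adobe Reader 9.0
# JavaScript settings for the current user, using the JSPrefs key quoted above.
# Assumes the same key path and value names as the comment; runs per user, so it
# fits a logon script without needing elevation.

$JsPrefs = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs'

# Desired hardened state, mirroring the four REG add lines in the comment.
$Desired = @{
    bEnableJS             = 0   # master switch: JavaScript off
    bEnableGlobalSecurity = 1   # keep the global-object security policy on
    bConsoleOpen          = 0   # do not open the JavaScript console
    bEnableMenuItems      = 0   # no JavaScript-driven menu items
}

function Get-ReaderJsState {
    # Returns a hashtable of the current values (missing values reported as $null)
    # plus JsEnabled, derived the way Reader treats bEnableJS: absent or non-zero
    # means JavaScript runs.
    $state = @{}
    if (-not (Test-Path $JsPrefs)) {
        foreach ($name in $Desired.Keys) { $state[$name] = $null }
        $state.JsEnabled = $true   # key absent => Reader falls back to its default, JS on
        return $state
    }
    $props = Get-ItemProperty -Path $JsPrefs
    foreach ($name in $Desired.Keys) {
        $state[$name] = $props.$name   # $null if the value does not exist yet
    }
    $state.JsEnabled = ($null -eq $state.bEnableJS) -or ($state.bEnableJS -ne 0)
    return $state
}

function Set-ReaderJsDisabled {
    # Idempotent: creates the key if needed, writes each DWORD, then re-reads to verify.
    if (-not (Test-Path $JsPrefs)) {
        New-Item -Path $JsPrefs -Force | Out-Null
    }
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $JsPrefs -Name $name -Value $Desired[$name] -Type DWord
    }
    $after = Get-ReaderJsState
    $drift = @($Desired.Keys | Where-Object { $after[$_] -ne $Desired[$_] })
    if ($drift.Count -gt 0) {
        throw "Verification failed for: $($drift -join ', ')"
    }
    return $after
}

# Usage: report the current state first, then harden only if JavaScript is still on.
$before = Get-ReaderJsState
Write-Host ("Reader 9.0 JavaScript enabled for {0}: {1}" -f $env:USERNAME, $before.JsEnabled)
if ($before.JsEnabled) {
    $result = Set-ReaderJsDisabled
    Write-Host "Hardened; bEnableJS is now $($result.bEnableJS)"
}
```

Run Get-ReaderJsState on its own to inventory which users still have JavaScript on before rolling the change out.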

Open source "more secure" than closed source? (2)

commodore64_love (1445365) | more than 5 years ago | (#26965363)

So is this "user supplied" PDF fix an example of how Open Source is More Secure than Closed Source?

OSS users supplied a fix in less than a day, whereas a closed source programmer in some cubicle somewhere will take weeks to do the same. Maybe this would be a fine example to present to the UK Parliament and U.S. Congress, in order to convince them that open source is the best path to follow.

Hot Coffee (-1, Offtopic)

bluefoxlucid (723572) | more than 5 years ago | (#26964347)

We should add a small "hooks" patch into some cool PC game and then use those hooks to add a complete Hot Coffee mod like in GTA, except with all brand new content. Maybe a Sims 2 mod that shows them bangin' doggy style to make babies.

But does it run on linux? (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#26964365)

> applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees.

Oh. Apparently not.

Feature Request (5, Insightful)

ewhac (5844) | more than 5 years ago | (#26964393)

Since Adobe seems to (incorrectly) think JavaScript inside PDFs is a great idea, how about adding this feature:

When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"

This is the cheesy but mostly effective stopgap solution Microsoft adopted when Word became an infection vector for macro viruses. Unless Microsoft got a patent on it, I don't see any reason why Adobe couldn't also use the same approach.

Schwab

Re:Feature Request (5, Insightful)

tkdrg (1484293) | more than 5 years ago | (#26964479)

When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"

Do you think that the average user will read anything before clicking "Yes"?

Re:Feature Request (3, Funny)

MMC Monster (602931) | more than 5 years ago | (#26964653)

How about: "Do you want to prevent the execution of possibly malicious code in this .PDF file?" [Yes][No].

If they select No, the next dialog is: "Fine. I've just opened all the ports on the computer, deleted the last 10 documents you opened up, and loaded up a couple trojans. Are you sure you want to run the executable code in this PDF file now?" [Yes][No].

This way, the user won't be taught to always select the same confirmation box all the time.

Re:Feature Request (4, Insightful)

Mr. Roadkill (731328) | more than 5 years ago | (#26964721)

Do you think that the average user will read anything before clicking "Yes"?

...of course they won't, which is why you turn it around to "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to block execution of this code? [Yes][No, I like to live dangerously]".

Re:Feature Request (0)

barzok (26681) | more than 5 years ago | (#26965051)

And then you get thousands of calls from people screaming "but I clicked Yes, why doesn't it work? Yes means 'make it work'!"

Re:Feature Request (3, Interesting)

Aragorn DeLunar (311860) | more than 5 years ago | (#26965527)

And this is why we need to get away from labeling dialog box buttons "Yes", "No", "Cancel", etc. We can label them anything we want, so why not be descriptive? Try "Safe", "Unsafe", "Really Stupid", "Don't click this -- ever!"

The same applies to the save dialogs. I like how OO.org 3.0 handles the "Do you want to save?" dialog when closing the program: The buttons are labeled "Save", "Discard", and "Cancel". Of course, "Cancel" could be better described as "Return to Program."

Please define "Average User" (-1, Redundant)

bogaboga (793279) | more than 5 years ago | (#26964779)

Yes, define "Average User" because when we are talking about this user and Linux, [Linux] zealots mod us down as if this user is of no consequence when it comes to computer use.

What do we see now? What we see is you talking about the "Average User". Is it only windows that has the "Average User?"

Re:Feature Request (1)

BSAtHome (455370) | more than 5 years ago | (#26964489)

Agreed, why would one want another programming language embedded in a programming language? Postscript already can do all you would want. It is a bit hairy programming, but it can be done (see f.x. http://www.physics.uq.edu.au/people/foster/postscript.html [uq.edu.au]). The best way to mitigate security issues with embedded code is to eliminate the execution. That is, until someone writes a javascript interpreter in postscript.

Re:Feature Request (2, Informative)

klossner (733867) | more than 5 years ago | (#26964511)

PDF is not PostScript. It shares some concepts (such as the imaging model and a good many keywords), but it is not a programming language. It has no control constructs, for example.

Re:Feature Request (3, Interesting)

Anonymous Coward | more than 5 years ago | (#26964525)

I'm going to have to disagree...

Allowing some scripting in a document is great. For example, I'm writing a math textbook [wordpress.com]. If PDF-javascript had a FOSS implementation, I'd use it to make interactive quizzes and questions in it. Sadly, while LaTeX has a package to do this, there is no support.

Before someone goes and says that I shouldn't be using a PDF in this case, please think. I'm writing a large textbook with lots of graphics. I want it to be in a single file so that it's easily available to the technically illiterate. For that matter, my working draft (not the one on the website) uses PDF attach to include the TeX source and the GFDL.

In conclusion, it's my opinion that having a PDF scripting language as long as it can't, you know, do anything but modify that one file. The problem is that Adobe seems to be trying to include the kitchen sink...

paper is calm (0)

Anonymous Coward | more than 5 years ago | (#26964825)

Allowing some scripting in a document is great.

No, it isn't:

Paper is calm.

It looked for a while that paper could be augmented, calmly, with hypertext, which allowed cross-referencing, something paper wasn't very good at. But look at a typical corporate web-page now, it appears to be in a state of constant alarm, like a Vietnam veteran running knife in hand, screaming, through the University Library.

[...] Saying that your wordprocessor is more like paper because it contains a white rectangle on which symbols appear is ridiculous. Buttons appear from nowhere with bizarre brightly lit symbols on them, menus, status bars all kinds of things demanding to be pressed, pulled down, popped up, selected, and activated. This isn't calm paper, it's like walking up to a piece of paper and having to use it via the controls of a VCR-timer-from-hell.

[...] In any application there should be the minimum of interaction required to get a job done.

http://www.dcs.qmul.ac.uk/~andrew/paperiscalm.txt

Re:paper is calm (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26965001)

In terms of, as this essay calls it, calmness, I think the most important thing isn't whether there are interactive and moving qualities but whether they exist in such a way that someone who doesn't want to use them doesn't have to and isn't affected. For example, it isn't problematic if a diagram moves to illustrate a point when clicked on, just that it wasn't distracting (or illustrated as best it could without moving) beforehand. Similarly, it wouldn't be a problem if a quiz in a textbook could check/show answers as long as it didn't do anything obnoxious that bothers a reader who doesn't want to use that feature.

IMHO, of course.

Re:Feature Request (4, Informative)

klossner (733867) | more than 5 years ago | (#26964537)

Adobe did add this dialog -- but it only appears if you have disabled Javascript! (Which you can do with Edit / Preferences, no need for the registry hack.)

Here's the exact dialog:

? This document contains JavaScripts. Do you want to enable JavaScripts from now on? The document may not behave correctly if they're disabled.

[ ] Don't show this message again until this document is reopened

[[Yes]] [[No]]

Re:Feature Request (1)

DiegoBravo (324012) | more than 5 years ago | (#26965475)

The language used by most software in those situations is a big culprit:

> The document may not behave correctly if they're disabled.

Should say:

"the document may not have the author's expected appearance, but your computer will be safe from viruses"

Re:Feature Request (0)

Anonymous Coward | more than 5 years ago | (#26965515)

Yes...I love running around to 50 desktops, opening AR 9, opening preferences, and disabling javascript.

What a waste of a day. Thanks for the registry fix.

Lurene Grenier to Adobe (1)

inthedump (1484859) | more than 5 years ago | (#26964411)

Lurene Grenier to Adobe: Pay up! We solved your issue.

Reply: Adobe to Lurene Grenier (4, Funny)

Lead Butthead (321013) | more than 5 years ago | (#26964455)

Lurene Grenier to Adobe: Pay up! We solved your issue.

Adobe to Lurene Grenier: You decompiled Acrobat in some way to create this fix, in violation of the click-through license and DMCA (not to mention making us look incompetent.) We're suing you and we're going to make sure your government puts you away in a pound-you-in-the-ass prison for a long long time.

Re:Reply: Adobe to Lurene Grenier (0)

Anonymous Coward | more than 5 years ago | (#26965209)

yeah, and Samir Ackbarnaminijabob says you're a very BAD person!

JavaScript?! (5, Insightful)

Anonymous Coward | more than 5 years ago | (#26964415)

Seriously, JavaScript? In a PDF file? Why would you do that?

Re:JavaScript?! (1)

eihab (823648) | more than 5 years ago | (#26964699)

Seriously, JavaScript? In a PDF file? Why would you do that?

I believe Adobe Version Cue's PDF review system is one of the applications that uses it.

The idea is that any PDF file posted to Adobe Bridge (design files repository, think SVN-lite) can have a web review process.

An administrator logs to the web interface and starts a review process which sends links to the reviewers. Once a reviewer logs in, they can download a copy of the PDF and start commenting on it and marking it up. When they're finished Acrobat sends only the comments back to the server instead of re-uploading the entire PDF again.

That last piece (uploading comments back) appears to happen using JavaScript inside the PDF copy that the reviewer downloads.

Is it the best way to do this? Maybe not, but that's one thing I can think of that uses JavaScript inside PDFs.

Re:JavaScript?! (0)

Anonymous Coward | more than 5 years ago | (#26965155)

You've confused Bridge with Version Cue, and Version Cue with Acrobat reviews. Just sayin'

Re:JavaScript?! (1)

eihab (823648) | more than 5 years ago | (#26965319)

You've confused Bridge with Version Cue, and Version Cue with Acrobat reviews. Just sayin'

You are absolutely right, thanks for catching that!

Re:JavaScript?! (5, Insightful)

TheRealMindChild (743925) | more than 5 years ago | (#26964713)

PDF seems to be the poster child for "How to abuse a format in a way that is contrary to its nature". Clients send us PDF's FORMS now... that they want us TO EDIT! Not print out, hand write on, and perhaps fax back... but EDIT IT, like it is a Word Processor document. Explaining to these people why this is an abomination is like telling a hooker not to sleep with the guy with sores all over his body... it falls on deaf ears, and makes baby Jesus cry.

Re:JavaScript?! (4, Funny)

Penguinshit (591885) | more than 5 years ago | (#26964933)

I actually used JavaScript in PDF to create interactive forms for the corporate intranet. It was pretty because I could use Photoshop to create the underlying image.

Then I quit drinking and realized Excel with tweaked permissions was far better suited to the task. It wasn't as smooth looking but it was easier for my staff to update.

what's wrong with forms? (4, Insightful)

Main Gauche (881147) | more than 5 years ago | (#26965015)

Pardon my ignorance, but exactly what other format should one use if one wants to use forms?

In my place of work, a large group of individuals each needs to fill out an annual form. It contains some short-answer questions, and a few that require a few paragraphs to answer. In the past, they have used... wait for it... Word. Yes, I was forced to boot up Word once a year, to fill out this form. You should see the completely disastrous document that results.

For that reason, I always wished our administrators would have figured out pdf forms. You don't "edit" them, as you say; you fill them in. While there are many complaints to make about Adobe, I don't see the problem with pdf forms. Am I missing something?

Re:what's wrong with forms? (3, Insightful)

Korin43 (881732) | more than 5 years ago | (#26965127)

HTML? Just point them to a page on the corporate intranet, they put in their login, profit?

Re:what's wrong with forms? (1)

Lehk228 (705449) | more than 5 years ago | (#26965181)

if it's for electronic storage and retrieval, use plain text.

if it's getting printed out then hand filled, use PDF, if it's getting filled out on the computer then printed use wordpad

Re:what's wrong with forms? (1)

Dare nMc (468959) | more than 5 years ago | (#26965273)

, if it's getting filled out on the computer then printed use wordpad

If you haven't modified the text of a form HR sent out for you to print, sign, fax, i.e. removing the "not" from "I will not browse porn at work," then you need to turn in your geek card. PDF file that lets you fill in name, address, etc digitally. Print, and sign without an easily modified format begging for touch-up.

Re:what's wrong with forms? (1, Informative)

Anonymous Coward | more than 5 years ago | (#26965187)

InfoPath. Filling in forms and saving the results as a piece of XML is what it is designed for. Advantages of InfoPath include that fields can expand to hold what the user typed in and you can easily have repeating groups. The 'filled in' XML is easily readable (fairly simple to read, really.)

For extra credit, said XML can be automatically saved to a webservice, emailed, saved to sharepoint or whatever else.

(Disadvantage of InfoPath is that it doesn't look quite as slick as PDF when printed, and it does have its rough edges.)

JavaScript in PDF a Bad Idea (2, Insightful)

Anonymous Coward | more than 5 years ago | (#26964485)

JavaScript in PDFs is, and always has been, a bad idea. I started disabling it years ago when it first showed up, and am continually frustrated that it is present, let alone enabled by default. How many PDF exploits have relied on JavaScript? I haven't been counting, but it sure seems like most of the vulnerabilities are either through JavaScript or made much easier to exploit by its presence.

Someone is doubtless going to say that JavaScript is critical to PDFs as a helper for filling in forms. OK, whatever, but perhaps that particular job isn't one that a PDF should be doing.

PDFs started out as a portable means to deliver any arbitrary document to someone else with fair assurance that it would look pretty much identical to both parties. Now Adobe seems to be trying to turn it into some kind of interactive content delivery platform (substitute your own buzzwords) or something. That's not a path I'd like to tread.

Here's how you turn out a patch *real* fast. (5, Insightful)

fm6 (162816) | more than 5 years ago | (#26964497)

You skip all testing. Just the sort of thing I want to install in my system.

Re:Here's how you turn out a patch *real* fast. (5, Insightful)

AngryNick (891056) | more than 5 years ago | (#26964833)

Here's another way to do it... dump Adobe's bloated reader (if you can get it uninstalled) and pick up Foxit [foxitsoftware.com]. I find it much more useful and a lot faster to load.

Re:Here's how you turn out a patch *real* fast. (3, Insightful)

Kaboom13 (235759) | more than 5 years ago | (#26965105)

Just make sure you don't let it install that obnoxious ask.com browser bar (in IE and Firefox). I made the mistake of including it in a slipstreamed xp disk and the silent installer took all defaults (browser bar and all).

Where's the Acrobat 7 Re-Activation patch? (0)

Anonymous Coward | more than 5 years ago | (#26964499)

Where is the F'ing 3rd party Acrobat 7 Pro "you need to reactivate" patch?
I upgraded my hard drive last week and since then my legit copy of Acrobat 7 Pro has been in re-activate Hell.
The office Adobe 7 patch has been as useless as tits on a bull!

I am thinking of applying a 3rd party patch I found on someplace called PirateBay. Seems to include the whole CS4 Master Suite.
Well I am sure Adobe'll have these DRM issues worked out. Won't want to make pirating a better experience than buying their product.

Wow (5, Funny)

ClosedSource (238333) | more than 5 years ago | (#26964501)

You mean an individual who doesn't have a business to protect or any customers is able to come up with an un-QA'd version faster than the company that produced the product. Amazing!

Patch? (2, Interesting)

noidentity (188756) | more than 5 years ago | (#26964585)

So this patch basically does the equivalent of a user going into the program's settings and disabling the JavaScript execution checkbox? Hmmm, I don't want to post this anonymously, so I'll apply one of my homebrew patches to uncheck the "Post Anonymously" checkbox. Wow, I'm l33t!

Articles reading the future? (4, Funny)

Facegarden (967477) | more than 5 years ago | (#26964587)

What I find more interesting is how slashdot is now able to tell the future!
The article boldly claims that something released yesterday has arrived two weeks before the official patch. Now, I know it's possible that the two weeks was taken from Adobe's projected patch fix date, but projections and fact are still different, and journalistic integrity requires a writer in this situation to indicate directly that this two weeks is not actually fact, as we couldn't know that yet. The headline is an outright lie, as far as I can tell, as it relies on future events being a certain way.

Can we not have articles started with lies on slashdot from now on? Maybe keep the lies towards the end?
-Taylor

Re:Articles reading the future? (1)

gardyloo (512791) | more than 5 years ago | (#26964669)

[...] journalistic integrity requires a writer in this situation [...]

Hahahahaha... *gasp* wait, wait, .... HAHAHAHAHAHHAHA!

Re:Articles reading the future? (0)

Anonymous Coward | more than 5 years ago | (#26964947)

Imma cockslap you so hard right now. What if Adobe provided an ETA to the patch? HUH? WHAT NOW?

An eye for an eye. Snark for snark.

If you click on the link in the summary to the old Slashdot article, you'll see this...
"Adobe is calling the flaw "critical" and says a patch for Reader 9 and Acrobat 9 will be released by March 11."

And then if you go to that last article and click on the article link, you'll find "Adobe called the flaw "critical," its most severe rating, and said it will release a patch for Reader 9 and Acrobat 9 by March 11."

No, I did not have to RTFA. Skimming is a valuable skill.

COCKSLAPPED!

Re:Articles reading the future? (0)

Anonymous Coward | more than 5 years ago | (#26965293)

Goddamnit, Slashdot! In the PREVIOUS Slashdot article, they already mentioned Adobe was going to release the patch on March 11th, or something like that.

It's kind of funny. You accuse the editors of sucking this time, but THEY JUST OWNED YOU.

Mod parent down.

There's a simple reason for that. (5, Insightful)

thePowerOfGrayskull (905905) | more than 5 years ago | (#26964603)

As anyone who has developed complex software with a large installed userbase can attest to, you /cannot/ simply slap together a fix and push it out to millions of people.

Even the simplest one line code change requires extensive (if targeted) testing when you operate on that scale - the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.

Re:There's a simple reason for that. (1)

OFnow (1098151) | more than 5 years ago | (#26964709)

In large companies there is a tendency to ignore the departure of the real experts in a product and have no one left who knows it well enough to respond quickly & correctly to bugs. In this case it seems more like a different bad corporate decision though (letting a pdf embed another language). Wait. Maybe I really do want to embed my C code in a pdf? Adobe! Feature! Profit!

Re:There's a simple reason for that. (1)

Malc (1751) | more than 5 years ago | (#26964761)

And to prove the point, you have a mistake in your two line comment!

Re:There's a simple reason for that. (3, Insightful)

AngryNick (891056) | more than 5 years ago | (#26964991)

- the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.

Do you really believe that? I appreciate the need for caution and measured risk taking before releasing new code, but taking _weeks_ to test a reg hack/kill switch just tells me that a company isn't taking their defects very seriously. I'd be much more forgiving of a company that screwed up a patch than one that sat on it until it was too late.

Re:There's a simple reason for that. (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26965589)

I'd be much more forgiving of a company that screwed up a patch than one that sat on it until it was too late.

Oh? Well, when Adobe/Microsoft/whoever next put out a patch that breaks something critical to your company's usage of the product, causing hundreds/thousands of complaints to you, pissed off superiors, and potentially a loss of revenue, however small, I'll be sure to point you to your former comment.

Or not, it's pretty obvious you aren't actually responsible for a network of any size that people actually have to use and have reliability expectations of.

and the score... (0)

Anonymous Coward | more than 5 years ago | (#26964639)

open source: 1
proprietary software: 0

well that is if this patch is open source

why even use adobe reader? (1)

ncohafmuta (577957) | more than 5 years ago | (#26964649)

Any smart admin with the freedom and capabilities shouldn't even be deploying Adobe Reader. We can get into the details, but basically Adobe's reader is too bloated with unneeded features and memory usage problems to be useful, even on today's computers. People should be running something like Foxit's reader instead.

It's been Two Weeks since you made the patch ... (5, Funny)

Anonymous Coward | more than 5 years ago | (#26964659)

Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability ... beating Adobe Systems Inc. to the punch by more than two weeks.

What the fuck Adobe? What did you do for those extra two weeks?

it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees.

Oh ... I guess you were trying to make it work on all systems, and checking to make sure that it didn't royally fuck up the user's computer, or introduce another, potentially more serious vulnerability.

Really? (4, Funny)

tool462 (677306) | more than 5 years ago | (#26964679)

"caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees."

My boss will be pleased. I can push all my releases up at LEAST two weeks earlier now by adding this caveat on to all of my code. Thanks, Geritol.

Why doesn't anyone think javascript is useful? (4, Interesting)

UtucXul (658400) | more than 5 years ago | (#26964745)

I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files. I realize that there is a danger in allowing executable content in files (and it is arguable whether or not the danger is worth it) but I do not understand why so many people don't seem to understand that there are at least possible benefits to it.

I used to make slides for talks using LaTeX. There are great ways to include animations directly in the pdf that use javascript. I always had far less trouble getting my animations to play than other people at conferences I went to because acrobat reader was all I needed and it is nearly always there. And for the record, the animations were things I really needed since they showed output from simulations.

I've also seen lots of forms that do some math or validation. How do people think that happens?

Again, I think we need to be very careful about executable code but that doesn't mean there are no possible good uses for it.

Re:Why doesn't anyone think javascript is useful? (3, Insightful)

Tikkun (992269) | more than 5 years ago | (#26964881)

I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files.

Please read the 10 immutable laws of security [microsoft.com]. The one you're looking for is the first one on the list:

"If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

Re:Why doesn't anyone think javascript is useful? (0)

Anonymous Coward | more than 5 years ago | (#26965049)

Depends on the definition of a "program". In the context used in the MS article, it means executable code run by the OS, not by a limited interpreter.

Re:Why doesn't anyone think javascript is useful? (4, Funny)

XnavxeMiyyep (782119) | more than 5 years ago | (#26965617)

I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files.
...
There are great ways to include animations directly in the pdf that use javascript.

Hmm.... I think I see a connection here.

Re:Why doesn't anyone think javascript is useful? (2, Informative)

guruevi (827432) | more than 5 years ago | (#26965637)

I like the way Apple approaches that problem in their Quartz Composer tool. Basically you have JavaScript for all types of funky validations, requests and calculations you would like to do but the 'vulnerable' classes that would allow reading/writing local files, networking or creating annoying popups have been removed.

3rd-Party security fixes (1)

kuwan (443684) | more than 5 years ago | (#26964803)

Yes, because we should all get our security patches from unknown 3rd-Party sources. Sounds like a plan for success to me.

BTW, I've got this great IE patch, it makes the Internet 10x faster!

A better patch... (3, Insightful)

Kazoo the Clown (644526) | more than 5 years ago | (#26964815)

My patch for Adobe is to uninstall Reader and use Foxit instead. I thank those on Slashdot who alerted me to its existence, as I have longed for a viable alternative to Adobe crapware for ages. It was constantly popping up windows where I would click "don't show me this again" about issues that were relevant to Adobe but not to me, and it never seemed to remember the setting once I checked it. Worst-designed junk I've ever seen. I've since found that Foxit is considerably faster as well.

Good riddance.

Enabling DEP for Acrobat Reader (1)

Branka96 (628759) | more than 5 years ago | (#26964827)

According to this Symantec blog [securityfocus.com], turning on DEP for Acrobat Reader prevents this type of attack.
If you run Windows, I would recommend you run with "DEP for all programs and services" with no exceptions.

Use 3rd party PDF readers. (1)

Neanderthal Ninny (1153369) | more than 5 years ago | (#26964841)

Why not use 3rd party viewers like CutePDF or Preview? Again, these patches only fix part of the issue, so you are still vulnerable to the more dangerous part of the bug.

So, in that phrase using "de-fang": (1)

davidsyes (765062) | more than 5 years ago | (#26965233)

"to de-fang the hack by disabling JavaScript"

I began to wonder if it will become the new "defangto" or new-fangled way of disabling features and bugs of software...

So does anyone... (1)

hairyfeet (841228) | more than 5 years ago | (#26965299)

Does anyone have a clue if the reg fix will work on Foxit? Or is Foxit vulnerable? Because myself and most of my customers have been avoiding the bloat that is Adobe PDF reader for a while now, and while Foxit is great, usually anything that can infect Adobe works on Foxit too. So, anybody know?
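The two mitigations this thread keeps coming back to are system-wide DEP (Branka96's post above) and the registry toggle that turns off Reader's JavaScript (the "reg fix" asked about here). The script below is an added example, not from this thread, PhishLabs or Adobe: it audits both settings on a Windows box and applies them with -Fix. It assumes Adobe Reader 9.0 and the per-user preference HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS (Adobe's documented JavaScript switch, 0 = off); it says nothing about Foxit, which keeps its own settings.

```powershell
<#
  Added mitigation audit (not the thread's, PhishLabs' or Adobe's code).
  Assumes Windows with Adobe Reader 9.0; the JSPrefs\bEnableJS value is
  Adobe's documented per-user JavaScript preference (0 = disabled).
  Run elevated if you pass -Fix, because bcdedit is a boot setting.
#>
param([switch]$Fix)

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows components only),
# 3 = OptOut (every program except an exception list).
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os  = Get-WmiObject -Class Win32_OperatingSystem
$dep = [int]$os.DataExecutionPrevention_SupportPolicy
"DEP policy           : $($depNames[$dep]) ($dep)"
"Hardware NX available: $($os.DataExecutionPrevention_Available)"
if ($dep -ne 1) {
    # Reader is only covered by AlwaysOn, or by OptOut with no exception
    # for AcroRd32.exe; OptIn (the desktop default) leaves it unprotected.
    "  -> Reader is not guaranteed DEP coverage under this policy."
    if ($Fix) {
        & bcdedit.exe /set nx AlwaysOn    # takes effect after a reboot
    }
}

# Reader's JavaScript switch. A missing value means Reader's default,
# which is JavaScript enabled, so treat "absent" the same as "on".
$jsKey = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs'
$jsVal = $null
if (Test-Path $jsKey) {
    $jsVal = (Get-ItemProperty -Path $jsKey -Name bEnableJS `
              -ErrorAction SilentlyContinue).bEnableJS
}
$jsOn = ($null -eq $jsVal) -or ($jsVal -ne 0)
"Reader 9.0 JavaScript: $(if ($jsOn) { 'ENABLED' } else { 'disabled' })"
if ($jsOn -and $Fix) {
    if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey -Force | Out-Null }
    Set-ItemProperty -Path $jsKey -Name bEnableJS -Value 0 -Type DWord
    "  -> bEnableJS set to 0 for this user (restart Reader to apply)."
}
```

The key lives under HKCU, so the JavaScript part must run in each user's context (a logon script, for example); the DEP part is machine-wide.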

Happened before - BEWARE (0)

Anonymous Coward | more than 5 years ago | (#26965559)

This has happened before. Not with Acrobat, and I don't remember the details (it was about 19 years ago). I think it was eEye Digital Security - though that may be wrong. The company went around providing third party patches for vulns that other researchers identified. Eventually, the company included a backdoor in their patch. Shortly thereafter, the company disappeared.

Be careful when you apply third party patches: you're extending your chain of trust. Normally, you have to trust the original company to do things right, and not backdoor your environment. If you use a binary patch from a third party, you're assuming that the third party (a) gets it completely right, quite possibly without the source and (b) doesn't create another vuln. What do you know about this third party? Why should you trust them?
