Adobe Confirms PDF Zero-Day, Says Kill JavaScript

timothy posted more than 5 years ago | from the kpdf-has-better-panning-anyhow dept.

Security 211

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"

Ditch Acrobat... (4, Informative)

nweaver (113078) | more than 5 years ago | (#27763009)

Adobe is really slow about security patches on Acrobat. This is just the latest.

It's the reason why Mikko Hypponen of F-Secure says you should ditch Acrobat and use something else [slashdot.org].

Re:Ditch Acrobat... (2, Insightful)

TommydCat (791543) | more than 5 years ago | (#27763107)

Yeah... like if I'm offered the choices

1. Disable javascript and kill the web
2. Uninstall Adobe_who_evidently_can't_code_their_way_out_of_a_wet_paper_bag crap

Why would I choose the former? Even if I do that I'm sure they'll have another exploit by next Wednesday that wouldn't be defanged by disabling a scripting language, looking at their track record [google.com] ..

Color me tired of this much more so than surprised..

Re:Ditch Acrobat... (4, Informative)

Fatalis (892735) | more than 5 years ago | (#27763157)

It's about disabling JS in Acrobat itself, not in general. For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.

Re:Ditch Acrobat... (4, Insightful)

TommydCat (791543) | more than 5 years ago | (#27763211)

Ok, color me surprised then... Thank you for the clarification.

I think I'll step out and take a walk to muse about why companies writing mission-specific utilities throw in the kitchen sink-type bloat and wonder why they couldn't see their ship coming in over the Sea of Vulnerabilities...

Re:Ditch Acrobat... (3, Funny)

Gordo_1 (256312) | more than 5 years ago | (#27764009)

Bloated? I don't think one should describe what Adobe has done to Acrobat Reader simply as "Bloat". I suggest redefining the term as a verb with a tip of the hat to the new masters, as in "you silly hack, you've adobed your software!"

After getting fed up with Reader in the wake of the Feb. 19th PDF remote exploit notice (http://www.adobe.com/support/security/advisories/apsa09-01.html/ [adobe.com] ) I decided to install FoxIt (I know, proprietary, not open source goodness)... But anyway, when I went to uninstall Adobe Reader, Windows claimed it to be taking up 221MB on my hard drive. 221 Megabytes! For a document reader!?

After installing FoxIt, Windows claims that it takes up only 7.15MB, which I corroborated by checking the size of the install directory. For the life of me, I can't figure out what exactly it is that Adobe Reader does that FoxIt doesn't. They're functionally identical so far as I can tell. So what in god's name is Adobe doing with that extra 200 megabytes of disk space?

Re:Ditch Acrobat... (2, Insightful)

an unsound mind (1419599) | more than 5 years ago | (#27764111)

Precisely that bloat functionality.

Advanced forms handling, embedded content, Adobe javascript, et cetera.

Things most people never need and things that would use Microsoft Word if Adobe had never offered the functionality.

You won't run into them too often outside giant bureaucratic systems where some boss thought using PDFs for forms was a great idea.

Re:Ditch Acrobat... (4, Insightful)

hairyfeet (841228) | more than 5 years ago | (#27764107)

Because like ActiveX Adobe wanted to make Acrobat a "rich web app" or whatever buzzword bingo they have for net apps this week, and forgot that adding that equals really big malware hole you can drive a truck through? Everybody wants to position their app to take a piece of the net, just look at how Netscape killed their lead by piling all these apps together and making Communicator instead of sticking with the already well known Navigator and concentrating on making it better.

These companies don't see that we often simply want a simple app to do a simple job fast, cleanly, and with minimum bloat. Instead they try piling in the kitchen sink hoping that one of the bazillion functions they pile in there might make it the "must have" for "the next generation" or again whatever buzzword bingo you choose. Just look at all the crap Nero has piled into what was once a clean and easy burning app. That is why for myself, my customers, and my family I routinely install Foxit Reader [wikipedia.org] which simply renders PDFs quickly, with minimum fuss, updates itself by default, and is very light on resources and doesn't try to run 24/7 like Adobe. Unlike Adobe Foxit hasn't tried to add the kitchen sink. It just renders PDFs fast. Give me that over app bloat any day.

Re:Ditch Acrobat... (0)

Anonymous Coward | more than 5 years ago | (#27763333)

Mod parent up... You do not disable javascript in your browser, only within the Adobe applications themselves.

Re:Ditch Acrobat... (5, Interesting)

wiredlogic (135348) | more than 5 years ago | (#27763703)

For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.

Which is ironic since PDF was originally designed to be a reduced, non-Turing complete version of Postscript partly for the safety of a restricted interpreter.

disabling js will not save you (5, Informative)

Deanalator (806515) | more than 5 years ago | (#27763905)

Check out the stuff Immunity is selling.
http://www.immunityinc.com/ceu-index.shtml [immunityinc.com]

They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.

Also notice that immunity also has exploits for things like foxit reader, so switching your favorite pdf reader every week isn't going to save you either.

The main problem here is that parsing pdf is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web based solution to view pdfs until adobe creates a lighter, more secure version of reader that contains nothing but the necessary plug-ins.
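A defender-side triage sketch for the two features this comment names, embedded JavaScript and JBIG2 streams in PDF files. It is an added example, not part of the original thread; the function names, the verdict policy and the sample bytes are constructed for illustration.

```python
import re
from collections import Counter

# PDF name token: "/" followed by regular characters; "#xx" is a hex escape
# (PDF 1.2+), so /Java#53cript and /JavaScript are the same name.
NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

SCRIPT = {b"JS", b"JavaScript"}    # embedded script actions
AUTORUN = {b"OpenAction", b"AA"}   # actions fired without a click
JBIG2 = {b"JBIG2Decode"}           # image filter; no script involved
OPAQUE = {b"ObjStm"}               # compressed object streams hide names
WATCHED = SCRIPT | AUTORUN | JBIG2 | OPAQUE


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Count watched names in the raw bytes of one file."""
    counts, obfuscated = Counter(), set()
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in WATCHED:
            counts[name.decode("ascii")] += 1
            if raw != name:  # a watched name was written with hex escapes
                obfuscated.add(name.decode("ascii"))
    return {
        "is_pdf": b"%PDF-" in data[:1024],
        "counts": dict(counts),
        "obfuscated": sorted(obfuscated),
    }


def triage(data: bytes) -> str:
    """Hypothetical mail-gateway policy built on scan_pdf()."""
    result = scan_pdf(data)
    if not result["is_pdf"]:
        return "not-pdf"
    seen = {name.encode("ascii") for name in result["counts"]}
    if result["obfuscated"] or (seen & SCRIPT and seen & AUTORUN):
        return "quarantine"  # script that runs on open, or disguised names
    if seen & (SCRIPT | JBIG2 | OPAQUE):
        return "review"      # risky feature present, or objects not visible
    return "pass"


# Constructed sample: a minimal document with no actions or image filters.
SAMPLE_PLAIN = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: an open action pointing at a script action whose type
# name is hex-escaped, plus an image object that uses the JBIG2 filter.
SAMPLE_SCRIPTED = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /Java#53cript /JS (constructed placeholder) >>\nendobj\n"
    b"4 0 obj\n<< /Subtype /Image /Filter /JBIG2Decode /Length 0 >>\n"
    b"stream\n\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("scripted", SAMPLE_SCRIPTED)):
        print(label, triage(blob), scan_pdf(blob)["counts"])
```

A raw byte scan like this cannot see names inside compressed or encrypted objects and can match by chance inside binary stream data, so it works as a first filter ahead of a full parser, not as a verdict on its own.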

Re:Ditch Acrobat... (0)

Anonymous Coward | more than 5 years ago | (#27764171)

As decisions go, Javascript inside PDF has to be one of the most boneheaded in history.

Re:Ditch Acrobat... (0)

Anonymous Coward | more than 5 years ago | (#27763941)

The summary made it pretty obvious it's talking about Javascript within Acrobat. Nice attempt at first-post karma whoring though, you even crammed a useless link in there!

Re:Ditch Acrobat... (2, Informative)

Anonymous Coward | more than 5 years ago | (#27763539)

According to Secunia disabling Javascript does not mitigate the risk. Old news?

http://secunia.com/blog/44/ [secunia.com]

Re:Ditch Acrobat... (1)

InsertWittyNameHere (1438813) | more than 5 years ago | (#27763567)

Anyone know if this affects Bluebeam PDF Revu?

Re:Ditch Acrobat... (0)

Anonymous Coward | more than 5 years ago | (#27763899)

I'm personally becoming quite tired of the "Oh, we implemented a 'bad programming language' into our design, so you should ditch it."

If the answer to the exploit was, "Javascript is at fault because of its standard" then the answer to your problem is to remove Javascript.

If the answer to your problem is "Adobe f'd up and practiced coding without thinking.. AGAIN" -- Then Javascript should be left the hell alone. Seriously, what'd Javascript ever do to Adobe? Enable their own bad programmers to make bad decisions that get them bad publicity? Sounds like Adobe's fault to me :P

Re:Ditch Acrobat... (4, Funny)

OakDragon (885217) | more than 5 years ago | (#27764071)

Adobe is really slow about security patches on Acrobat.

Have you updated the Adobe Updater? Perhaps what we need is an updater to update the Adobe Updater.

Re:Ditch Acrobat... (0)

Anonymous Coward | more than 5 years ago | (#27764217)

I hate adobe, and I hate how wannabe "web developers" use it for the most bloated web sites I have ever seen.

Inevitable post recommending Foxit Reader (0, Redundant)

Nimey (114278) | more than 5 years ago | (#27763031)

because you knew that was coming.

Re:Inevitable post recommending Foxit Reader (1, Interesting)

MozeeToby (1163751) | more than 5 years ago | (#27763217)

How about just get rid of PDFs in general? I mean, how many times have you opened up a page and said to yourself "Sweet, it's a PDF, now I can...". I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.

I suppose there must be a place for them, but it seems to me they're mostly used by people too lazy to create a page with the information they want to display, and instead just put a link to the PDF they sent to their printer, often from a years out of date brochure or flier.

Re:Inevitable post recommending Foxit Reader (5, Informative)

Rude Turnip (49495) | more than 5 years ago | (#27763321)

The printing industry is heavily dependent upon PDF files in their workflow. PDF attachment via email has basically replaced the fax machine in any professional industry. The format offers everyone a standard format that will look exactly the same everywhere. And, I can create a single PDF from multiple source documents (spreadsheets & word processor docs).

Re:Inevitable post recommending Foxit Reader (5, Insightful)

nine-times (778537) | more than 5 years ago | (#27763437)

I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.

Set up formatting and layout for your document in a way that should display the same way when you transfer the file to another computer, and have it also look the same when you print it out. I mean, that's really what PDF is for, and it's very good for that purpose. Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.

PDF is given a bad name by the slow, bloated application that most people view them on (Adobe Reader). It's not really ideal to treat them like web pages, but most of the dread you feel when you have to click on a link to a PDF is really more the fault of the reader than the format. If you have a good PDF viewer, they aren't slow to load and won't crash your browser.

Re:Inevitable post recommending Foxit Reader (-1)

Anonymous Coward | more than 5 years ago | (#27763805)

PDF is given a bad name because it's a horrible binary format that was secret and proprietary until last year (after people had wasted years reverse engineering it). Hey Adobe ever heard of XML?

Re:Inevitable post recommending Foxit Reader (3, Interesting)

Your.Master (1088569) | more than 5 years ago | (#27764027)

pdf came out in 1993. XML became a W3C standard in 1998 (working draft in 1996).

So, frankly, they hadn't and have an excellent excuse for not having heard of it. Besides which, you have to consider the hardware and software limitations of 1993 and compare the problems that human-readable formatting solves compared to the problems PDF is intended to solve. PostScript, font, and raster graphics embedding are not especially served by this compared to costs that were significant at the time.

Re:Inevitable post recommending Foxit Reader (1)

Bill, Shooter of Bul (629286) | more than 5 years ago | (#27763989)

Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.

RTF, No. HTML, yes. Or would you not consider Google App's spreadsheet to be complex? Images can be embedded in cdata tags. It's not easy or really recommended, but possible.

Re:Inevitable post recommending Foxit Reader (3, Insightful)

nine-times (778537) | more than 5 years ago | (#27764173)

Images can be embedded in cdata tags. It's not easy or really recommended, but possible.

Yeah, I don't know if this helps, but my original sentence was intended to be read, "Neither HTML nor RTF can really* even (do complex layouts with embedded images) in a single file. [* Disclaimer: by 'really' I mean in any way that is sensible and well-supported.]"

Ok, so I don't know if that's exceptionally clear anyway, but I gave it a shot. The point is, yes, you can do very complex layouts in HTML, but lots of things require extensive HTML/CSS knowledge to do properly and in a cross-platform manner, and maybe even weird and complex hacks. You can't simply take your Word document with a complex layout and do "save as HTML" and get a good HTML file that maintains that layout.

Beyond that, except for dropping the image into the HTML in base64 (which... well... I wouldn't advocate doing that under most circumstances) including images will require separate files which will then have to be passed along with the HTML and kept in the same relative path, or else you'll lose the images. And then there's the issue of fonts, which newer browsers are only beginning to address with web fonts.

So really, if you want to pass along a single file while maintaining complex layout very accurately, and you don't particularly want the file to be easy to edit, then PDF is a good choice for that purpose. I can't think of another format that's anywhere nearly as good for that purpose.

Re:Inevitable post recommending Foxit Reader (2, Insightful)

Tubal-Cain (1289912) | more than 5 years ago | (#27763995)

If you have a good PDF viewer, they aren't slow to load and won't crash your browser.

If you don't use a reader with a browser plugin, a PDF is just as likely to crash your browser as a zip file.

Re:Inevitable post recommending Foxit Reader (1)

Jamie's Nightmare (1410247) | more than 5 years ago | (#27763677)

I suppose there must be a place for them

If you had a job you could download and print tax forms.

Re:Inevitable post recommending Foxit Reader (1)

Kugrian (886993) | more than 5 years ago | (#27763757)

I run along them all the time just in general information gathering.

I'd love for them to be in a freer format, but at the same time, I love that they are in a format I can read on my computer.

Re:Inevitable post recommending Foxit Reader (3, Informative)

Fatalis (892735) | more than 5 years ago | (#27763275)

I read a lot of PDF files, mostly books and the like, and I recently switched back to Adobe Reader from Foxit, after using it for years. I don't see any difference speed-wise on my machine, it behaves slightly better, looks much better, and it's still proprietary, closed software anyway. With Foxit, its browser plugin used to be unstable with Firefox for whatever reason too. Adobe's plugin seems to work better. As far as I'm concerned about security, I've turned off JS support in Adobe Reader. This seems to prevent many exploits, and takes away no useful functionality, as far as I'm aware. Even if someone managed to perform an exploit that didn't depend on JS, I'd still be protected by Firefox not running with administrative privileges. All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.

Re:Inevitable post recommending Foxit Reader (4, Insightful)

thePowerOfGrayskull (905905) | more than 5 years ago | (#27763347)

All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.

And without additional cost to you, that delivery includes a 60MB runtime footprint and two or three always-running updater applications!

No problem for Macs, really (0, Insightful)

Anonymous Coward | more than 5 years ago | (#27763033)

What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.

All Adobe software is so overbloated that if you compare them with Microsoft, they're the lightweight ones.

Re:No problem for Macs, really (4, Informative)

1729 (581437) | more than 5 years ago | (#27763149)

What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.

I had to install it to e-file my state taxes. The fill-in tax forms had a lot of behind-the-scenes scripting (javascript, I assume) and only worked with the Adobe browser plugin.

Re:No problem for Macs, really (1)

SpottedKuh (855161) | more than 5 years ago | (#27764085)

The fill-in tax forms had a lot of behind-the-scenes scripting (javascript, I assume) and only worked with the Adobe browser plugin.

I can second this: I've encountered fill-in forms that just didn't play nicely with Preview.app.

Another issue is that the full-screen presentation mode in Acrobat works much more nicely for, e.g., giving PDF presentations compiled in LaTeX. It works with clickers for advancing slides.

Re:No problem for Macs, really (1)

0racle (667029) | more than 5 years ago | (#27763165)

The problems also affect Acrobat proper.

Re:No problem for Macs, really (1)

jabithew (1340853) | more than 5 years ago | (#27764293)

In all seriousness, does anyone know if these zero-day exploits affect Preview? 1729's post implies that they wouldn't, but I'm curious.

Disable JavaScript (0, Redundant)

icebike (68054) | more than 5 years ago | (#27763035)

Or install any of the other PDF readers available and remove the spyware/call-home laden Adobe Reader once and for all.

Good idea... (1, Funny)

idontgno (624372) | more than 5 years ago | (#27763087)

kill Javascript.

And while you're at it, deep-six the rest of that Web 2.0 crap.

Just not on my lawn, you crazy kids!

Y'know... (5, Insightful)

Mr. DOS (1276020) | more than 5 years ago | (#27763121)

...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.

It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.

      --- Mr. DOS

Re:Y'know... (2, Insightful)

Anonymous Coward | more than 5 years ago | (#27763357)

The average user immediately presses 'accept' or 'ok' on any prompt that comes up when they open a file without reading the message or thinking about what it means. Adding this requirement is just annoying for users and does absolutely nothing.

What I would like to see is a way to deploy Reader to client PCs with JavaScript disabled through a configuration file or command line flag. It is not realistic to expect users to go to preferences and disable JavaScript on an application that is used to view documents.

Re:Y'know... (1)

denis-The-menace (471988) | more than 5 years ago | (#27763643)

I'm told we can kill JavaScript because our "IntraNet" (cringes) uses PDFs with JavaScript!

Adobe could also implement Zones or something like it but that idea didn't work too well in IE.

If Adobe can put sound and videos in PDFs, why not security? They can't say it's because it would stop things from working, they already have DRM built-in to PDF.

Re:Y'know... (0)

Anonymous Coward | more than 5 years ago | (#27763747)

...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.

It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.

      --- Mr. DOS

It might as well BE on by default. I'm always getting prompted to enable macros in documents that *I CREATED* that aren't even supposed to HAVE macros in them. After a while, you just click "yes" because the message mostly doesn't mean anything and you have to get on with your work.

Re:Y'know... (1, Informative)

Anonymous Coward | more than 5 years ago | (#27764095)

Sounds like some of your standard template files (eg. normal.dot) have macros in them.

If you don't know what the macros are for and believe they should not exist, you should be clicking "no" and then getting back to work.

Can we always kill javascript? (4, Insightful)

nine-times (778537) | more than 5 years ago | (#27763175)

Sorry, I know I'm beating a dead horse and risking karma-whore status, but do we really need a scripting language in PDFs at all? I mean, yes, sorry, I know that there are probably people out there who need that, but I'd wager the gross majority don't.

What most of us need (or at least what I need) PDF for is to have a portable format that's open, widely supported, and can give me pixel-perfect output regardless of the platform or what fonts you have installed. I don't need scripting, flash, embedded movies, or anything else of the sort. Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app? Because I want to view PDFs, but I have no interest in the associated security risks or bloat from throwing the kitchen sink into PDF functionality.

Re:Can we always kill javascript? (2, Funny)

doi (584455) | more than 5 years ago | (#27763239)

You mean like TEX?

Re:Can we always kill javascript? (4, Interesting)

characterZer0 (138196) | more than 5 years ago | (#27763265)

Programmatically clone a page to the end of the document.

Calculate and fill fields based on the value entered into other fields.

Update reference data from the web.

There are good uses.

Re:Can we always kill javascript? (1)

avandesande (143899) | more than 5 years ago | (#27763659)

All of these things seem pointless with 'always on' internet connectivity. Why not just go back to the provider for a new version?

These architectural considerations for reader are so 1999.

Re:Can we always kill javascript? (5, Insightful)

iamhigh (1252742) | more than 5 years ago | (#27763823)

And there are far better solutions than a PDF *display* application to accommodate all of those. Have an application that does that and spits out the PDF. That was the point of the OP; we don't need Adobe to be a be-all-end-all for computer programming. We simply need it to display data.

Re:Can we always kill javascript? (2, Interesting)

PhxBlue (562201) | more than 5 years ago | (#27763993)

Programmatically clone a page to the end of the document.

I'm not familiar with what you're talking about, here -- can you point me to an example? Also, when would you need to do this?

Calculate and fill fields based on the value entered into other fields.

PDF doesn't need to be a spreadsheet.

Update reference data from the web.

Seems like HTML/XML/Javascript would be a better solution to that, don't you think?

Re:Can we always kill javascript? (1)

mcrbids (148650) | more than 5 years ago | (#27763281)

Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app?

No, we can't.

Because it's an open format, if Adobe doesn't "innovate" on it and stay king-of-the-hill, they will lose market share to other products that will embed movies and such. Adobe has to continue to innovate or they risk losing their status as the big cheese, and they make lots of money with Acrobat professional.

Yeah, it sucks. I like PDFs to be... PDFs - print-ready documents. But as soon as there's a checkbox that says "embed videos into PDF documents" that somebody else has that Adobe Reader doesn't, Adobe is screwed, and they know that.

Of course, we won't talk about the checkbox that says "doesn't take a blue moon to load"...

Re:Can we always kill javascript? (1)

smoker2 (750216) | more than 5 years ago | (#27763969)

Name those apps ....

Re:Can we always kill javascript? (2, Funny)

jeffb (2.718) (1189693) | more than 5 years ago | (#27763289)

Oh, fine. Next you'll be telling me that you don't want moving parts in your books. Well, maybe you can explain to my little boy why Mr. Giraffe won't wake up when we open that page in Happy Fun at the Pop-Up Zoo!, or why Baby Roo won't peek out of Mama Roo's pouch any more.

Besides, we've already learned to skip the page with Mr. Angry Monkey.

Re:Can we always kill javascript? (1)

Lord Ender (156273) | more than 5 years ago | (#27763503)

No, actually, Adobe can't do that. If they want to deploy software to the masses, they need to either make it part of Reader or make it part of Flash. Anything else is bound to fail.

Re:Can we always kill javascript? (3, Interesting)

colfer (619105) | more than 5 years ago | (#27763535)

The US Postal Service click-n-ship requires you turn on that JS crap in Acrobat. Once you click "yes", Acrobat leaves it on unless you go disable it again, each time. Vendors like the USPS need to get a clue.

Re:Can we always kill javascript? (1)

Chabil Ha' (875116) | more than 5 years ago | (#27763875)

Well, it's only following an evolution in documents. Pretty soon, a document reader/creator becomes 'feature complete' in respect to fulfilling those functions, so firms start adding features that enable documents to become, in effect, working applications. End users find them to be terribly effective in what they want as far as functionality goes, but you get with it the standard fare of problems of layering a development environment on the foundations of something that was never intended to be that.

creeping featuritis (3, Insightful)

wiggles (30088) | more than 5 years ago | (#27763201)

Why the hell do we need javascript in a document reader in the first place? Acrobat is not a web browser, and I fail to see any situation that justifies a scripting language that has nothing to do with static documents. I suppose it could be useful for some fill-in forms, but that's about it.

Seems like a solution in search of a problem to me.

Re:creeping featuritis (1)

CastrTroy (595695) | more than 5 years ago | (#27763965)

Not that I think we need JS in acrobat either, but I bet someone said the exact same thing as you when someone told them about the idea of putting Javascript in web browsers.

Disabling Javascript is standard (-1)

Nick Ives (317) | more than 5 years ago | (#27763213)

I'd have thought most people who post here would be savvy enough to have NoScript [noscript.net] installed. I appreciate that stuff like this is a pain for anyone who has to lock down Windows boxen in a company but that's what web filtering proxies are for, no?

Regular users have no hope but unfortunately that's been the case on so many fronts for so long that one extra Acrobat vulnerability isn't going to make things much worse.

Re:Disabling Javascript is standard (4, Insightful)

OverlordQ (264228) | more than 5 years ago | (#27763267)

And yet another person misses the point. It's not talking about JavaScript in your browser, it's talking about JavaScript in the Reader software. I guess it's a given that somebody with the uid of 317 didn't RTFA ;)

Re:Disabling Javascript is standard (4, Informative)

RobBebop (947356) | more than 5 years ago | (#27763317)

Quite so... I didn't even realize that PDF's could run Java scripts...

But now I've got a new hoop to jump through when I update a new computer:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit>Preferences
  3. Select the JavaScript Category
  4. Uncheck the 'Enable Acrobat JavaScript' option
  5. Click OK

Simple as that!

Re:Disabling Javascript is standard (1)

colfer (619105) | more than 5 years ago | (#27763661)

Any document that wants JS will prompt you, and if you breeze by with a "yes", then JS is now on for all documents, until you go disable it again. If you say "no", then your document may not even open. PDF's are great for so many things, scale wonderfully, etc. This feature bloat just ruins it.

Acrobat has had buffer-overflow vulnerabilities even with JS turned off, due to some nonsense about Windows prefetching the meta info or something.

Re:Disabling Javascript is standard (1)

DiegoBravo (324012) | more than 5 years ago | (#27763893)

> and if you breeze by with a "yes"

Not to disagree with you, but ... did you ever see any "standard user" answering "NO" when a popup appears implying that a "YES" is just needed to do the intended work? "What the hell could be that f**k javascript thing? I just want to read the damn document"....

Re:Disabling Javascript is standard (1)

Fnord666 (889225) | more than 5 years ago | (#27763959)

But now I've got a new hoop to jump through when I update a new computer:

Here is a link [acrobatusers.com] to an article discussing the registry keys needed to turn off javascript in Reader. Scripting this should help automate your new machine build without any added human intervention.

Re:Disabling Javascript is standard (1)

Burkin (1534829) | more than 5 years ago | (#27763291)

I'd have thought most people who post here would be savvy enough to have NoScript installed.

They are talking about disabling JavaScript in Adobe Reader, not in your web browser.

Re:Disabling Javascript is standard (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27763303)

Disabling javascript entirely is a retarded concept because javascript is a wonderful tool that makes web pages much more dynamic and useable. How about a noscript specifically for PDF's? That would make sense.

Re:Disabling Javascript is standard (2, Informative)

Etherized (1038092) | more than 5 years ago | (#27763329)

This issue is in Acrobat's own javascript implementation. Acrobat itself runs javascript code that's embedded in PDFs, so the browser doesn't have anything to do with it.

Noscript will do nothing to help you here, and your post brings to mind the old adage - a false sense of security can be worse than no security at all.

Why do PDF readers need Javascript? (5, Funny)

serutan (259622) | more than 5 years ago | (#27763225)

Having never handled PDF documents except to read them, I wasn't even aware they could contain Javascript. I don't understand why they need to. Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

Re:Why do PDF readers need Javascript? (5, Funny)

Red Flayer (890720) | more than 5 years ago | (#27763453)

Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

That didn't sound so bad. Until I thought about stack overflow vulnerabilities.

Re:Why do PDF readers need Javascript? (2, Funny)

PotatoFarmer (1250696) | more than 5 years ago | (#27763519)

You'll be fine unless there's a buffer overflow. Though I suppose remote execution would be a problem if you're in the shower and some jackass decides to flush an output stream.

Re:Why do PDF readers need Javascript? (0)

Anonymous Coward | more than 5 years ago | (#27763737)

One reason for the Javascript is when making a pdf form. Although not perfect, you can do quite a lot if you know Java. I just started making forms for my users and love the scripting ability.

Re:Why do PDF readers need Javascript? (3, Funny)

RobBebop (947356) | more than 5 years ago | (#27763793)

Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

Woah now! Don't let the cat out of the bag too early. Considering how far toilets have come over the century, you'll be happy with a little Javascript injection turning your toilet into a Spam Zombie.

Let's review:

  1. Toilet 0.0: A bush. Possible attack vectors include bee stings and bear claws.
  2. Toilet 1.0: A hole in the ground. Insects and burrowing creatures stung and bit you when you dug your hole too close to them.
  3. Toilet 2.0: The community toilet. Walls give you privacy, but god awful smells make it painful to use.
  4. Toilet 3.0: The Flush Toilet. Don't put too much in or it overflows.
  5. Toilet 4.0: The Autoflush Toilet. Same as previous, but multiple flushes each time you try to wipe yourself.
  6. Toilet 5.0: (coming soon) Internet Integrated Diagnostics Toilet. Javascript vulnerabilities and toxic Chinese workmanship.

Re:Why do PDF readers need Javascript? (0)

Anonymous Coward | more than 5 years ago | (#27763801)

Haven't you heard? JavaScript is the new email. The next step? JavaScript support in an email client written in JavaScript.

Re:Why do PDF readers need Javascript? (1)

b4dc0d3r (1268512) | more than 5 years ago | (#27764265)

Here at the office, we have auto-flushers.

They usually wait until you adjust a little and then power-flush a gallon of water in a bidet-like fountain, then when you leave spray you again. Inevitably, every toilet will be, shall we say, visibly un-flushed upon entering the rest room, so you have to pre-flush using the manual black button.

Now, despite the obvious bugs, it has to have some sort of logic in there. I was going to reply saying "no, you're an idiot", but in preparing my response I decided that with any faulty junk software, the answer is to fix it in the next layer, and if you don't have another layer add one. Web formats database output, JS fixes web output.... Adobe makes a portable document and makes it dynamic, far from permanent.

So my point is, unless every one of us speaks up at that meeting where your manager says the client has requested for us to implement JS in a toilet, and says we absolutely will not do it and will quit if required to do so, and actually follow through on that, it is inevitable.

And finally to summarize, it is inevitable.

Kill Adobe reader, not java script (3, Insightful)

140Mandak262Jamuna (970587) | more than 5 years ago | (#27763233)

Start using Foxit or some such pdf reader. Everybody and his brother wants to be a browser. Why the hell did Adobe add javascript and the ability to open internet connections and hypertext links inside a PDF reader?

Re:Kill Adobe reader, not java script (1)

itzfritz (822208) | more than 5 years ago | (#27763355)

The problem is that none of the other commercial readers work as well as Adobe's. Of the three (IMO) main required features of a commercial pdf app (pdf create/edit; in-browser viewing; virtual pdf printer), only Adobe does all three of them well. I am currently using Foxit for the first two, and PDFCreator for the third, and I am not pleased.

Re:Kill Adobe reader, not java script (2, Informative)

keeegan (1526067) | more than 5 years ago | (#27763483)

Not much better than pdfcreator, but we use this at my work: http://www.primopdf.com/ [primopdf.com]

Re:Kill Adobe reader, not java script (1)

Thaelon (250687) | more than 5 years ago | (#27763937)

Sumatra is to Foxit what Foxit is to Adobe Acrobat Reader.

Re:Kill Adobe reader, not java script (1)

simp (25997) | more than 5 years ago | (#27764115)

Sumatra is a bit too lightweight. The version I tried did not remember the window size and position in between sessions and had some weird problems with the search box.

But the general idea is very good. It just needs that little bit more polishing of the rough edges.

JavaScript? (1)

owlstead (636356) | more than 5 years ago | (#27763287)

We don't need JavaScript in a PDF viewer, at least not for normal purposes. The problem is that Adobe keeps putting additional functionality in the reader. Functionality that I don't need 99% of the time. It's hard enough to create a secure document viewer that's able to do font rendering and vector graphics and such. Let's focus on that and use another viewer for forms and such. Heck, create a PDF viewer first where I can normally select and copy text.

BTW, this is how I currently use PDF documents. I use a small PDF viewer that does almost nothing but show/zoom and select for documents from the internet. I turn to Adobe if and only if I receive complicated PDFs from a known source. Oh, and OpenOffice writer if I want to make my own simple PDFs or when I make comments on a document/webpage or PDF.

Re:JavaScript? (0)

Anonymous Coward | more than 5 years ago | (#27763839)

If the PDF doesn't have selectable text, it was created as an image, and not an actual text based document. Using pdfwriter as opposed to distiller causes this issue.

Okular instead (2, Informative)

CajunArson (465943) | more than 5 years ago | (#27763297)

Okular rocks, and it apparently can run on Windows [kde.org] as well.
My only feature upgrade request would be to have the underlying PDF engine allow for saving of annotations back to the PDF files... I want a digital highlighter pen.

Mac? (3, Insightful)

dingen (958134) | more than 5 years ago | (#27763299)

There's an Adobe PDF reader for the Mac? Seriously? Who on Earth would install that monster on a platform with native PDF-support?

Adobe Reader has more holes than swiss cheese (4, Insightful)

Manip (656104) | more than 5 years ago | (#27763309)

Adobe seriously needs to get its act together. Adobe Reader is in the top 5 most exploited applications and we have a new "highly serious" bug getting released every month or so.

It is slow, it is huge, and it is full of bugs... And it is entirely unjustified for an application designed to read a single file format!

Re:Adobe Reader has more holes than swiss cheese (1)

keeegan (1526067) | more than 5 years ago | (#27763545)

Especially since it's designed by a company of designers designing software for other designers.

This is a Zero-Day? (0, Offtopic)

mmkkbb (816035) | more than 5 years ago | (#27763365)

I've had Adobe Reader 9.1 installed for a few weeks. What gives?

Re:This is a Zero-Day? (4, Informative)

Red Flayer (890720) | more than 5 years ago | (#27763511)

Perhaps you are confused as to what a zero-day exploit is. It means there were exploits in the wild prior to Adobe being aware of the vulnerability.

Re:This is a Zero-Day? (1)

mmkkbb (816035) | more than 5 years ago | (#27764011)

Indeed I am (or was).

Xpdf. (0)

Anonymous Coward | more than 5 years ago | (#27763377)

'Nuff said.

PDF Forms under Linux (2, Interesting)

mysteryvortex (854738) | more than 5 years ago | (#27763561)

I needed to fill out a PDF form, (was not allowed to do it by hand) but couldn't find anything under Linux besides acrobat which would do this. I tried xpdf, evince, and GhostView. Google was of no help. I had to resort to actual Acrobat (not on my computer) which at the time had *unpatched* vulnerabilities! Any alternatives would be welcome.

Re:PDF Forms under Linux (1, Informative)

Anonymous Coward | more than 5 years ago | (#27763679)

Try again. Recent versions of evince allow you to enter data in fill out forms. I have been told Okular does this as well, but haven't personally tried it.

Re:PDF Forms under Linux (0)

Anonymous Coward | more than 5 years ago | (#27764137)

Okular can do PDF forms. I used it to fill out my state income tax form. It uses Qt widgets for the text boxes, but it works.

Re:PDF Forms under Linux (1)

CajunArson (465943) | more than 5 years ago | (#27764297)

Okular allows for you to fill in forms, and even save the form data in the PDF itself, putting it one step ahead of the free Adobe reader.

Disabling Javascript won't mitigate the risk still (3, Insightful)

biddly718 (1382689) | more than 5 years ago | (#27763591)

According to Secunia disabling Javascript does not mitigate the risk. Old news? http://secunia.com/blog/44/ [secunia.com]

Incessant Acrobat JavaScript nagging (4, Interesting)

Allen Varney (449382) | more than 5 years ago | (#27763887)

It's fine that Adobe recommends disabling JavaScript in Acrobat, but it would be nice if, once you disable JavaScript, Acrobat didn't thereupon constantly nag you to re-enable it "from now on for all documents" every time you open a .PDF. "It looks like you've disabled JavaScript! Can we please turn it back on forever, you poor ignorant dimwitted user you?"

Sumatra (5, Informative)

Tubal-Cain (1289912) | more than 5 years ago | (#27763915)

To provide a break from all the Foxit endorsements: Sumatra is open source, works well and is smaller than Foxit. Also, it is a stand-alone executable, not an installer. Now I just need to figure out how to set Continuous scrolling as default...

Already ran into this... (1, Informative)

Anonymous Coward | more than 5 years ago | (#27764067)

Fortunately Avira caught the trojan (first time this piece of shit reported something that wasn't a false positive). But I was on a site and, I think it came in through one of the advertisement banners, but suddenly I notice my web browser stopped temporarily and the system slowed down a bit. I noticed AcroRd32.exe had spawned in the processes list. About 30 seconds later it finds TR/Crypt.XPACK.Gen [trojan] in C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\DCF18OEB\xrun[1].tmp and C:\WINDOWS\system32\rn.tmp. At least I fucking hope the trojan was blocked, if it already wrote a .tmp file to system32 I'd hate to think something got installed that slipped past the AV's notice.

But yeah, this definitely came through a .PDF file that somehow piggybacked on a web banner because there was some randomly-named pdf file in Acrobat Reader's file history list when I checked. I promptly disabled JavaScript and disabled the Acrobat Reader plugin. But, you know, why did Firefox allow a web banner to run a .pdf file? Isn't this browser supposed to be secure? I'm using FireFox because I got sick of Internet Explorer pulling this exact same shit on me -- letting rogue sites run whatever code they wish on my computer. So I'm going to be looking for a new browser but I have a feeling all of them, even Opera and Chrome and whatever, they all are probably badly written like this.

The virus information sites don't really say much what this specific trojan does. Is it a key logger?

One amusing aspect of this is.... (0)

Anonymous Coward | more than 5 years ago | (#27764081)

The USPTO requires that you use Acrobat reader to fill out forms for patent filing. Those forms all require javascript. No javascript, and you cannot file. They are typically 1-2 months behind allowing updated "secure" versions of Acrobat to file, compounding the issue. Patent IP firms can find themselves vulnerable for 2 times the necessary amount of time. uspto link [uspto.gov]

I 3 OO.o + Foxit (1)

tunapez (1161697) | more than 5 years ago | (#27764121)

That is all.

Re:I (Heart) OO.o + Foxit (1)

tunapez (1161697) | more than 5 years ago | (#27764151)

OOps, the cone fell off my heart... I loooooove OO.o + Foxit

Precisely why I use Preview on OSX (2, Informative)

rinoid (451982) | more than 5 years ago | (#27764155)

I never launch Acrobat Reader, and only rarely Acrobat Professional thanks to the simplicity and speed of Preview.app.

I remove the acrobat plug-in (manually from /Library/Internet Plug-Ins/ since Adobe BORKED their installers to a complete nightmare level) -- I'd just as soon download the PDF or view it in window if I'm in a webkit browser.

Finally, all PDFs are associated with Preview and not Acrobat.

Executable... (1)

GenP (686381) | more than 5 years ago | (#27764201)

So, uh, why are documents executable in the first place?