Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Adobe Warns of Reader, Acrobat Attack

timothy posted more than 4 years ago | from the gnome's-reader's-pretty-good-y'know dept.

Security 195

itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."

cancel ×

195 comments

Anyone still has JavaScript enabled? (5, Funny)

Anonymous Coward | more than 4 years ago | (#30445214)

I thought after so many vulnerabilities everyone had turned that off in Reader...

Re:Anyone still has JavaScript enabled? (4, Interesting)

jasonwc (939262) | more than 4 years ago | (#30445554)

I agree. These security vulnerabilities appear to be a weekly occurrence. Anyone that hasn't disabled Javascript in Reader/Acrobat at this point either doesn't care about the numerous vulnerabilities or doesn't understand the risks involved.

The bigger question is why Adobe doesn't just disable Javascript by default. I have never used a PDF that required Javascript and I've dealt with a number of user-fillable forms. So, what exactly is Javascript being used for? I know that it has some use. However, it seems that the security risk is far greater than any potential benefit of the "feature".

Re:Anyone still has JavaScript enabled? (0, Redundant)

sexconker (1179573) | more than 4 years ago | (#30446012)

I agree. These security vulnerabilities appear to be a weekly occurrence. Anyone that hasn't disabled Javascript in Reader/Acrobat at this point either doesn't care about the numerous vulnerabilities or doesn't understand the risks involved.

I agree. These security vulnerabilities appear to be a daily occurrence. Anyone that hasn't disabled Javascript, Acrobat/Adobe Reader, Flash, Quicktime, Java, etc. at this point either doesn't care about the numerous vulnerabilities or doesn't understand the risks involved.

Re:Anyone still has JavaScript enabled? (1)

Zumbs (1241138) | more than 4 years ago | (#30446298)

So, what exactly is Javascript being used for? I know that it has some use. However, it seems that the security risk is far greater than any potential benefit of the "feature".

DRM, I've heard. Another reason for having it would likely be that Adobe needs to be ahead of the competition, for example by supporting multimedia content. There are, after all, a lot of very good pdf readers/writers (and editors?) out there.

Re:Anyone still has JavaScript enabled? (3, Interesting)

wkk2 (808881) | more than 4 years ago | (#30446322)

JavaScript in PDFs has always been trouble. I use forms that auto complete, add columns, etc. A compromise might be a default of prompt before running scripts with a recommend/default of "no". I'd always click "no" unless I trusted the source. Since that would marginalize the product it will probably never happen. I wish I had never upgraded from 4.

Re:Anyone still has JavaScript enabled? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30446434)

We tested turning it off. It broke some important applications that use Reader as part of a workflow. There isn't any money in the foreseeable future to replace / rewrite these applications so Javascript is still on in Reader. This type of stuff is also what keeps us from going to alternate PDF readers. That plus the ability to digitally sign and several other things. Often (unfortunately) large companies find ways to use these things that make use of features that home users or smaller businesses find useless or bloat, etc. Heck, even our SOX compliance app uses this and it also breaks with Javascript off.

Re:Anyone still has JavaScript enabled? (5, Insightful)

jasonwc (939262) | more than 4 years ago | (#30446600)

Somewhat ironic, isn't it? If you want to use Adobe's security features (digital signing/encryption) and 3rd party software to achieve SOX compliance - you must accept security vulnerabilities from Acrobat/Reader itself.

Re:Anyone still has JavaScript enabled? (1)

IgnacioB (687913) | more than 4 years ago | (#30446628)

A variety of corporate applications including Adobe Forms use it.

Re:Anyone still has JavaScript enabled? (2, Interesting)

digitalhermit (113459) | more than 4 years ago | (#30446782)

It's easy enough to disable, but everytime a doc gets loaded with embedded JS, the reader will prompt to enable it with a message saying something like "the document may not display correctly" without it enabled. Clicking the "yes" will then re-enable it. The problem with this approach is that we get so many warnings that people may automatically start enabling JS accidentally.

Re:Anyone still has JavaScript enabled? (1)

jasonwc (939262) | more than 4 years ago | (#30446884)

Based on the numerous JS vulnerabilities, the default should be "No". A message should warn about the security vulnerabilities of running the document and tell the user only to enable JS (temporarily) if they trust the source of the document. However, it should also mention that if JS is disabled, it may not display correctly.

The fact is that Adobe simply doesn't care about the vulnerabilities. They have responded slowly or not at all to the issue.

Re:Anyone still has JavaScript enabled? (0)

Anonymous Coward | more than 4 years ago | (#30445616)

Are you kidding? After vulnerabilities showed up? I had it turned off or completely disabled (as in: most of the relevant plugins removed) back at version 6 or so, before any of the known vulnerabilities. It was a flaw waiting to be exploited, it was useless for 99% of PDFs out there, and it was one of many things making newer versions of Reader slower and slower to load. Good riddance.

Re:Anyone still has JavaScript enabled? (0)

Anonymous Coward | more than 4 years ago | (#30445768)

I thought after so many vulnerabilities everyone had turned that off in Reader...

I thought after so many vulnerabilities, everyone* had been turned off of Reader.

( * for values of "everyone" composed entirely of Slashdotters.)

Re:Anyone still has JavaScript enabled? (1)

Idiomatick (976696) | more than 4 years ago | (#30446124)

I am surprised anyone that comes to /. uses adobe reader anymore. Bloated to an almost impressive level and filled with security holes.

Re:Anyone still has JavaScript enabled? (2, Insightful)

maxume (22995) | more than 4 years ago | (#30446258)

And then someone who is paying you money sends you a pdf and expects you to make comments using Adobe's proprietary comment system.

Re:Anyone still has JavaScript enabled? (1)

psycho12345 (1134609) | more than 4 years ago | (#30446754)

Then use Reader inside a VM or otherwise a throw away OS. Seems like a fairly secure* sandbox for such vulnerable applications. *Yes a VM itself can be exploited and broken out of, but that is way harder then the swiss cheese of Adobe Reader.

Re:Anyone still has JavaScript enabled? (1)

maxume (22995) | more than 4 years ago | (#30446832)

I just have javascript turned off, the vast majority of exploits use it.

Really... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30445218)

Why on earth do you need JavaScript in a PDF?

Re:Really... (1)

ArchieBunker (132337) | more than 4 years ago | (#30445336)

Interactive forms. Forms that change options and check parameters when entered, etc etc.

Re:Really... (0)

Anonymous Coward | more than 4 years ago | (#30445516)

Since they already program the Reader software, then why even use JavaScript to handle interactive form input? Program their own handler. Using third party products to "be lazy" just open up those security holes.

Re:Really... (1)

ByOhTek (1181381) | more than 4 years ago | (#30445702)

using existing tools can also reduce bugs - if a tool has been around long enough.

Are you sure this isn't an in-house fudge-up of Javascript?

Re:Really... (1)

cheesybagel (670288) | more than 4 years ago | (#30446342)

AFAIK Adobe Acrobat Reader uses the Mozilla SpiderMonkey [wikipedia.org] Javascript engine.

Re:Really... (0)

Anonymous Coward | more than 4 years ago | (#30445980)

My understanding is that PDFs have their own language, but nobody bothered to learn it, so they added JS ability to the spec and now people actually (occasionally) do use it.

I agree however, I don't see the need for more than just something like mathxml.

Re:Really... (1)

camperdave (969942) | more than 4 years ago | (#30446132)

Since they already program the Reader software, then why even use JavaScript to handle interactive form input? Program their own handler.

On the other hand, why write your own handler for interactive forms input when the OS can provide that service to you (presumably with much greater security, much less coding errors, desktop theme consistency, and other benefits)?

Re:Really... (3, Insightful)

Monkeedude1212 (1560403) | more than 4 years ago | (#30445522)

To send an email after filling out a form and clicking sumbit in a PDF.

Honestly - It's not really like the Adobe reader has the vulnerability, its just javascript in general. I mean it's not great that the reader will execute the code just by opening the file - but now that you know it does that, is it really the readers fault? Isn't the user executing the code as if he were clicking a button now?

Re:Really... (1)

clone53421 (1310749) | more than 4 years ago | (#30445916)

It's not really like the Adobe reader has the vulnerability, its just javascript in general.

Citation?

According to TFS, this is specific to Adobe Reader, and it’s an actual bug, not just “executing the code”.

Re:Really... (1)

Lumpy (12016) | more than 4 years ago | (#30445646)

to do useless fancy web2.0 crap. it really is not needed. We disabled it automatically across the company.

Re:Really... (1)

amicusNYCL (1538833) | more than 4 years ago | (#30446414)

to do useless fancy web2.0 crap.

Yeah, like form validation. Who needs useless fancy web 2.0 crap like form validation? I say we should all trust the user's input. Users never make mistakes.

Re:Really... (1)

kbielefe (606566) | more than 4 years ago | (#30446064)

It's more useful than you might think. I've personally used it for two purposes:

  • For a food diary, I put in my current weight and it calculated my daily caloric needs and calories burned for different intensities of exercise.
  • For roleplaying game character sheets, there are a ton of fields that are dependent on other fields. Javascript lets you enter your dexterity score, for example, and your dexterity mod, defenses, and dex-based skills are all updated accordingly.

Re:Really... (0)

Anonymous Coward | more than 4 years ago | (#30446142)

Would have thought that a spreadsheet would be the better application to use for that.

Re:Really... (1)

StuartHankins (1020819) | more than 4 years ago | (#30446580)

Using a PDF means you don't have to worry about spreadsheet versions. A spreadsheet app is also substantially larger than a PDF reader. Not everyone even has spreadsheet software installed on their computer.

Re:Really... (1)

Abreu (173023) | more than 4 years ago | (#30446178)

For roleplaying game character sheets, there are a ton of fields that are dependent on other fields. Javascript lets you enter your dexterity score, for example, and your dexterity mod, defenses, and dex-based skills are all updated accordingly.

That sounds like a nice sheet. Could you post a link to it?

Re:Really... (3, Insightful)

kbielefe (606566) | more than 4 years ago | (#30446388)

Not that I don't trust myself, but this is really not the time to solicit javascript-enabled pdfs from strangers.

Re:Really... (1)

TheCycoONE (913189) | more than 4 years ago | (#30446436)

Any other time and it would be off-topic

Re:Really... (1)

clone53421 (1310749) | more than 4 years ago | (#30446518)

For roleplaying game character sheets, there are a ton of fields that are dependent on other fields. Javascript lets you enter your dexterity score, for example, and your dexterity mod, defenses, and dex-based skills are all updated accordingly.

I’m just echoing what the other guy said, really, but I created a helluva Excel spreadsheet that did that for Runescape. Why on earth would you use a PDF?

Heck... I could probably even make it import the player data from the hiscores website, but I didn’t ever bother trying.

Look at the Acrobat Reader credits. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30445228)

Look at the names in the credits in the Acrobat Reader about dialog. Notice that many of them are clearly from an area well noted for the poor quality of the software developed by its off-shore software development industry.

If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.

Re:Look at the Acrobat Reader credits. (3, Insightful)

Dunbal (464142) | more than 4 years ago | (#30445850)

If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.

      Yes because it's ok to buy something and not to bother making sure you're getting your money's worth.

      Responsibility lies with management for not implementing some sort of quality control - ESPECIALLY when dealing with offshore outfits. It's called due diligence. But since a lot of managers only care about their paycheck and not the brand's reputation, etc., well, this crap happens. If the board are too busy figuring out how much to pay themselves on top of that, well, that's the corporate world in a nutshell.

Re:Look at the Acrobat Reader credits. (1)

BrokenHalo (565198) | more than 4 years ago | (#30446160)

If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.

Nevertheless, the Adobe reader still (I'm sorry to say) does a noticeably better job of rendering PDFs than any of the FOSS alternatives I've tried on Linux. Especially if the PDF includes much in the way of text scanned at too low a DPI setting.

Javascript Again (4, Informative)

Anonymous Coward | more than 4 years ago | (#30445236)

If you have to use Reader, ALWAYS disable Javascript. It always seems like that's was these exploits use. Or use one of the many PDF reader alternatives.

Re:Javascript Again (1)

Hurricane78 (562437) | more than 4 years ago | (#30446034)

With PDF being an open standard, and there being tons of free lightweight readers out there, there is really no excuse to use the Acrobat Reader.

Re:Javascript Again (2, Insightful)

gad_zuki! (70830) | more than 4 years ago | (#30446136)

What bothers me about this is that once its disabled it just prompts you to enable it once it senses a JS PDF. The end user, if he or she has rights (and they do at home), just clicks another OK box instead of being forced to go into preferences and turn it back on. Once thats clicked it runs the JS and the exploit. Its ridiculous its even on by default, let alone this UI stupidity.

The next version of Acrobat should just have it off by default. Force people to turn it on. Chances are 99.9% of users have no legitimate reason for a JS PDF.

How many bad code offsets has Adobe bought? (1)

GungaDan (195739) | more than 4 years ago | (#30445244)

This shit happens every other week now.

Does it run Linux? (2, Interesting)

filesiteguy (695431) | more than 4 years ago | (#30445264)

Normally that would be my first response as a joke, but I begin to wonder if Adobe could affect anything that is not root-level (or admin level).

Adobe still used why? (1)

Killer Orca (1373645) | more than 4 years ago | (#30445278)

Why is Reader being used in large-scale deployments? It's freeware-ish and gets no more support from Adobe than many of the other free pdf reader alternatives out there would get. I have Reader installed at my work without having Writer or Photoshop either.

Re:Adobe still used why? (1)

Krneki (1192201) | more than 4 years ago | (#30445326)

Sheer lack of mental motivation to change what you use.

Nothing new.

Well, maybe some Adobe fan will tell you that some obscure functionality is missing from Foxit Reader.

Re:Adobe still used why? (1)

compro01 (777531) | more than 4 years ago | (#30445538)

Well, maybe some Adobe fan will tell you that some obscure functionality is missing from Foxit Reader.

Certainly there is missing functionality. This article points out one such instance of missing functionality.

Re:Adobe still used why? (2, Interesting)

COMON$ (806135) | more than 4 years ago | (#30445660)

I would love a good alternative personally. All my users do is read the PDFs and we use PDFCreator for merging documents. I just havent found one that seems to be solid enough for the enterprise push. Any recommendations from people who have made the switch? I am getting tired of patching every 5 minutes.

Re:Adobe still used why? (1)

betterunixthanunix (980855) | more than 4 years ago | (#30445708)

XPDF and Ghostscript.

Re:Adobe still used why? (1)

COMON$ (806135) | more than 4 years ago | (#30445778)

Have you used those on a network, eg in an office environment where it has stood the test of time?

Re:Adobe still used why? (1)

betterunixthanunix (980855) | more than 4 years ago | (#30446164)

Yes.

Re:Adobe still used why? (1)

COMON$ (806135) | more than 4 years ago | (#30446352)

any pros or cons vs foxit?

Re:Adobe still used why? (1)

haruchai (17472) | more than 4 years ago | (#30446772)

On Windows? Foxit Reader or PDF Xchange viewer ( http://www.docu-track.com/ [docu-track.com] ). Unlike Acrobat Reader, both have tabbed interfaces, can remember which docs were open and reopen them automatically.

I think PDF Xchange also will track where you were in each opened document and will take you right
back to the page you were reading when reopened.

Re:Adobe still used why? (1)

StuartHankins (1020819) | more than 4 years ago | (#30446618)

Cost -- the full product is hundreds of dollars -- and brand recognition, which is important to PHB's.

Preferences? (1)

vrmlguy (120854) | more than 4 years ago | (#30445282)

This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window.

I've used Reader forever, and I never even noticed that there was a preferences dialog. There's 26 sub-dialogs, each with one or two dozen options, and (checking a few at random) I see several that look worthy of more investigation. Anyone know of any recommendations of where I should start?

Re:Preferences? (4, Funny)

Killer Orca (1373645) | more than 4 years ago | (#30445312)

Wherever it says 'Uninstall'

Re:Preferences? (2, Insightful)

ByOhTek (1181381) | more than 4 years ago | (#30445748)

or Here [foxitsoftware.com]

Both are good places to start. You can end at the other.

Although, Foxit has added the Ass - err, Ask toolbar, which sucks. Fortunately you can not agree to the toolbar's terms, and it won't install (but Foxit will still install)

Re:Preferences? (1)

Zumbs (1241138) | more than 4 years ago | (#30446454)

In W7 I had a problem where installing Foxit while Adobe were present would cause W7 to regularly forget the existence of the pdf extension, forcing the user to choose the program to use when trying to open a pdf. The fix were to uninstall Adobe and reinstall Foxit.

Acrobat attack. (5, Funny)

NoYob (1630681) | more than 4 years ago | (#30445306)

They're horrible. You have guys flipping and attacking you with their feet while standing on their hands. You have two other guys with one sitting on the other's shoulders while they punch down on you. You try to fight back and they just do backflips away or jump and balance on some pole way above your head.

Yikes! I hate acrobat attacks!

Dear Adobe: (0)

Anonymous Coward | more than 4 years ago | (#30445368)

Either fix your javascript holes or disable it till you do.
Sincerely, A.C.

Dear Anonymous Coward: (0)

Anonymous Coward | more than 4 years ago | (#30445652)

No.

Sincerely, Adobe

BUT WAIT!!!! (1, Interesting)

Monkeedude1212 (1560403) | more than 4 years ago | (#30445380)

No one uses Adobe Reader for anything other than business PDF's.

Seriously, The launch time for a PDF off the web is too large for me to bother. First it's gotta download that 7 Meg file, then Adobe's gotta kick start, and then it doesn't let me highlight anything to keep me from copying and pasting.

Seriously - I have only ever seen PDF's used at work and at school, and anywhere else they exist usually aren't worth the bother.

So who are the people taking advantage of these vulnerabilities?

Re:BUT WAIT!!!! (3, Interesting)

betterunixthanunix (980855) | more than 4 years ago | (#30445570)

Acrobat and Reader are bloated. Try something a little lighter like XPDF or Okular.

Re:BUT WAIT!!!! (1)

Sir_Lewk (967686) | more than 4 years ago | (#30446240)

I second Okular, it does this wicked thing where while dragging a document to scroll, the mouse cursor wraps from the top of the screen to the bottom (or vice-versa). It seems odd when you hear about it, but once you use it you'll swear by it.

Re:BUT WAIT!!!! (0)

Anonymous Coward | more than 4 years ago | (#30445576)

A large number of journal articles are pdfs, seriously!

Re:BUT WAIT!!!! (1)

Krneki (1192201) | more than 4 years ago | (#30445688)

Your problem is not PDF, but your PDF reader.

Change it, you will see how fast it can be with a proper application.

Oh, and it's not only the reader, everything from Adobe is as slow as humanly possible.

Re:BUT WAIT!!!! (1)

maxume (22995) | more than 4 years ago | (#30446058)

Reader 9 isn't really all that sluggish, and opposed to the alternatives, it actually has nice on-screen rendering (both the final product, and the initial presentation of that product, the others either have shit font support, need time to pre-render or tear all over the place...).

Re:BUT WAIT!!!! (2, Interesting)

jasonwc (939262) | more than 4 years ago | (#30445700)

Half of my readings in Law School are scanned documents/books in PDF format. Many of the documents are 25-40 MB in size and several hundred pages. I find that PDFs actually load very quickly - much faster than a similarly sized Word or Open Office document, and easier to read. Of course, you can use any PDF reader and not just Adobe Reader/Acrobat.

On my Core 2 Duo and Core i7 systems, I can open PDFs pretty much instantaneously (less than 0.5 seconds). The only delay is the download. Thankfully, this is one area where Comcast's 25 Mbit "Speedboost" actually comes in handy. At school, being able to download at 100 Mbit/sec makes the files load even faster. The only issue is that Adobe Reader sometimes stalls and I have to try again. However, I find the Adobe reader plugin to generally work better than the alternatives, and I like the full screen reader. I've used Foxit for the tab support but I prefer Reader for its menu layout simplicity when I don't need many documents open.

Re:BUT WAIT!!!! (1)

farlukar (225243) | more than 4 years ago | (#30445792)

First it's gotta download that 7 Meg file, then Adobe's gotta kick start, and then it doesn't let me highlight anything to keep me from copying and pasting.

how to not use reader inside a browser [mozilla.org]

And re:slow & bloated; just go to the plugin directory and delete anything you have no need for (ie. most of it). Voilà, fast-booting, non-bloated adobe reader.

imnsho, anything xpdf-based is way slower than acrobat in page-rendering, and generally not clever enough to search ligatured words.

Re:BUT WAIT!!!! (1)

maxume (22995) | more than 4 years ago | (#30446002)

They infect ad networks, automatically launching reader, and their exploit.

Re:BUT WAIT!!!! (1)

StuartHankins (1020819) | more than 4 years ago | (#30446662)

How else do you get portable documentation if you don't use PDF? There's no other format that can do what it can do, period.

Why javascript in a pdf reader? (3, Interesting)

140Mandak262Jamuna (970587) | more than 4 years ago | (#30445386)

It is high time people stop using any pdf reader that uses javascript or opens external links or does anything other than simply render the document on screen. Editable pdf, where one can fill in the fields etc must be a separate application, not plugged into the browser. I feel safe with NoScript controlling FireFox. Hope someone comes up with a good general purpose sandboxer that will sandbox every plug-in.

Re:Why javascript in a pdf reader? (1)

StuartHankins (1020819) | more than 4 years ago | (#30446700)

As others have mentioned, many businesses use the JavaScript features for field validation, action buttons, loading content from a remote DB, etc.

I'd say this has been around a while (0)

Anonymous Coward | more than 4 years ago | (#30445388)

I got a variation of worm on my machine, being dropped into a .bak file in the adobe directory. I was running 7.0 (somehow, I neglected to ever upgrade). I have since upgraded to 9.2, however, an alternative application seems like a good idea now.

Limit permissions and seek alternatives? (2, Informative)

oDDmON oUT (231200) | more than 4 years ago | (#30445472)

Seems like deja vu, since this has issue cropped up before [sans.org] , what with everything from Adobe wanting to install (at least on Mac and Windows) with system level privileges and enable javascript by default. [Tell me again, how is javascript a desirable feature for this file type?]

Which makes it a good idea to use alternatives like Preview, and Skim [sourceforge.net] (for OS X), as well as Foxit Reader [foxitsoftware.com] for Windows.

It's not like there's a paucity of options to get away from Adobe's bloatware, no matter what OS you're running.

Don't cross streams (3, Insightful)

Gothmolly (148874) | more than 4 years ago | (#30445520)

Separate your programs from your data, and your documents from your interactive media.

seen it, I think (2, Informative)

1u3hr (530656) | more than 4 years ago | (#30445560)

I was browsing a soft porn site and suddenlty Acrobat launched, then crashed. So it looks like someone really is trying to use this. Since I use Acrobat 4, I think I'm safe from this. (I need a full version of Acrobat for DTP, and version 4 does the job, and quite quickly. If I need to open a later version file I use FoxIt.)

Re:seen it, I think (3, Informative)

StuartHankins (1020819) | more than 4 years ago | (#30446780)

Sounds like you need NoScript and AdBlock.

And this is why... (1)

Nerdposeur (910128) | more than 4 years ago | (#30445568)

a DOCUMENT READER shouldn't be interpreting javascript.

Seriously. Web pages are interactive. Documents are meant to be read and maybe filled out. The only reason we need PDF is for stuff that needs to look the same on every screen and print out the way it looks. We don't need Javascript in them.

Re:And this is why... (0)

Anonymous Coward | more than 4 years ago | (#30445696)

Turn off javascript in your browser then. As that is what a browser was originally designed for.

Re:And this is why... (1)

StuartHankins (1020819) | more than 4 years ago | (#30446810)

As has been discussed countless times in this thread already, turn off JavaScript if you don't need it. The rest of us use it for business purposes.

Adobe 5.x... (0, Redundant)

geekmux (1040042) | more than 4 years ago | (#30445578)

...was the last good Reader version, with the installer weighing in at a whopping 6MB. After that, feature creep turned it into insane bloatware. I'm willing to bet that 99.9% of PDFs out there are 5.x "compliant" and do not need these newer "features" we never really asked for in the first place.

Hey Adobe, are you listening? How about you give us JUST a Reader? I would say call it Reader Light, but you would probably get sued by many a beer company...

Re:Adobe 5.x... (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#30445642)

Adobe Acrobat 5.x was still kind of bloated. Even on machines nowadays it'll still take a few seconds to boot up - with that annoying little splash screen of some guy prancing about with a few office complexes in the background.

I've never used just the 5.x reader before, where would you even GET that...

Re:Adobe 5.x... (0)

Anonymous Coward | more than 4 years ago | (#30446444)

http://www.oldversion.com/

They go all the way back to 1.0 for DOS

Re:Adobe 5.x... (1)

jasonwc (939262) | more than 4 years ago | (#30446494)

A few seconds? On a modern machine I can load a 100 page scanned PDF in Adobe Acrobat in under 0.5 seconds (perceptibly instant with Aero) with Acrobat 9.0.2 on a Core 2 Duo/Core i7. Are you using a slow machine?

Re:Adobe 5.x... (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#30446820)

On a Core 2 Duo, 1 Gig RAM on an XP, 20 page PDF takes on average 4 to 5 seconds to load. This is just the full install of Adobe Acrobat 5.0

Re:Adobe 5.x... (1)

StuartHankins (1020819) | more than 4 years ago | (#30446868)

Agreed. I went from 5 to 9 and wow what a shock. Although I have to admit the last patch helped tremendously (it was suffering from really poor load times).

And, Adobe, get rid of that stupid FNPLicensingService.exe spyware that tries to run constantly in the background. I detest the idea of not being trusted when I *PAID* for the damn software!

Maybe limitations are a good thing? (1)

SteveHeadroom (13143) | more than 4 years ago | (#30445868)

Do we really need to make everything dynamic and interactive? Why do documents need scripting support? Why do emails need scripting support? We're blurring the line between documents and applications and security is suffering as a result. Are the benefits really worth it?

YOU KFAIL IT (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30446060)

lead developers they're gone Came Before play1nG to there are only

Help, how do you disable version check on startup? (0, Offtopic)

British (51765) | more than 4 years ago | (#30446066)

Yesterday morning, my system started up saying a new version of Acrobat reader was available. HOWEVER, reader_Sl.exe couldn't be found on my reader dir, plus I had it disabled in msconfig in the Startup tab.

How the hell did this thing startup? Adobe doesn't seem to make it easy to disable any pre-loader app on startup. Why does every software company insist on jamming this crap on everyone's system?

I would love to see Symnatec, etc list this as malware. After all, same symptoms(drains system resources), and was added w/o user consent, nor is it easy to remove.

Re:Help, how do you disable version check on start (1)

daveime (1253762) | more than 4 years ago | (#30446522)

I would love to see Symnatec, etc list this as malware

I would love to see Symantec listed as malware ... have you seen how difficult it is to actually uninstall that thing (completely), and what a piece of spamming shit it turns into once your free trial is over ?

darn (1)

thelonious (233200) | more than 4 years ago | (#30446110)

I hate when acrobats attack. They're so freaking limber!

Adobe Acrobat (1)

eples (239989) | more than 4 years ago | (#30446228)

Isn't it high time that Adobe got its act together with this thing? Javascript attacks, the whole non-redacted-data text redaction "feature" that recently bit the TSA - I mean REALLY.

Come on Adobe, you can do better.

Re:Adobe Acrobat (1)

amicusNYCL (1538833) | more than 4 years ago | (#30446558)

the whole non-redacted-data text redaction "feature"

I'm not sure if text redaction is a feature, they just drew a bunch of black rectangles over the text and them someone pointed out that that doesn't actually make the text go away, it's just under the rectangle.

Screw Acrobat, Adobe needs to fix Flash. Flash CS4 is the worst software I've ever used (I've been using Flash since Flash 5, now we're on Flash 10 and they still haven't fixed the major bugs).

What about brower plugins? (1)

thelonious (233200) | more than 4 years ago | (#30446260)

I loaded a pdf in firefox and didn't see any options within the plugin menus for disabling javascript. Anyone know what to do with the plugins? I haven't used the stand alone reader in a while.

Re:What about brower plugins? (1)

clone53421 (1310749) | more than 4 years ago | (#30446668)

Anyone know what to do with the plugins? I haven't used the stand alone reader in a while.

No. I haven’t used the in-browser plugin in a while.

Precisely because of this sort of exploit.

Any PDF file a website tells my browser to open will get saved to my desktop. If I expected to be downloading a PDF, I open it. If not, it gets deleted.

Why need to view PDFs inline in the browser anyway (1)

AC-x (735297) | more than 4 years ago | (#30446396)

After being bitten by a PDF vulnerability before (I run as a normal user account so it didn't completely own my box and was fairly easy to clean up) I disabled the PDF plugin in Firefox. Now if I try to view a PDF I get an open/download request for the file rather than just opening automatically.

This way a site can't open any PDF files without me knowing.

It seems Adobe PDF reader is fast becoming the new IE in terms of web security.

n00b question (1)

mapkinase (958129) | more than 4 years ago | (#30446710)

Why does PDF reader need JavaScript support?

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...