
Foxit One-Ups Adobe In Blocking PDF Attack Tactics

kdawson posted more than 3 years ago | from the can't-fox-us dept.

Security

CWmike writes "Foxit Software, the developer of a rival PDF viewer to Adobe's vulnerability-plagued Reader, released an update on Tuesday that blocks some attacks with a 'safe mode' that's switched on by default. Foxit Reader 3.3 for Windows' 'Trust Manager' blocks all external commands that may be tucked into a PDF document. 'The Foxit Reader 3.3 enables users to allow or deny unauthorized actions and data transmission, including URL connection, attachment PDF actions, and JavaScript functions,' the update's accompanying text explains. Last week, several security companies warned of a major malware campaign that tried to dupe users into opening rigged PDFs that exploited an unpatched design flaw in the PDF format, one attackers could use to infect users of Adobe's and Foxit's software. That flaw in the PDF specification's '/Launch' function was disclosed in late March by Belgian security researcher Didier Stevens, who demonstrated how he could abuse the feature to run malware embedded in a PDF document. He also reported he had figured out how to change Adobe Reader's warning to enhance the scam."


112 comments

patent it (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32091940)

then watch adobe squirm like the lousy bitches they are.

If Foxit Can Do It ... (5, Funny)

WrongSizeGlass (838941) | more than 3 years ago | (#32091968)

... then surely Adobe can do it. It's probably because Foxit is bigger and able to reassign resources better than Adobe ... oh wait ... how did Foxit beat Adobe on this fix?

Re:If Foxit Can Do It ... (0, Flamebait)

Anonymous Coward | more than 3 years ago | (#32091986)

Based on the credits, Acrobat Reader is mainly written by Adobe's Indian development team. Now, if you've ever worked with developers based in India, you'd know that they aren't very good. In fact, they're usually pretty fucking lousy. It explains not only the many bugs and security flaws with their PDF viewer, but also their inability to get them fixed in a timely manner.

Re:If Foxit Can Do It ... (0, Flamebait)

xous (1009057) | more than 3 years ago | (#32092086)

This explains why I avoid Abobe * like the plague.

Re:If Foxit Can Do It ... (1)

Anonymous Coward | more than 3 years ago | (#32092288)

This explains why I avoid Abobe * like the plague.

Me too. He [google.com] has a wicked strong uppercut. Thankfully, he doesn't pay attention when he's on a conveyor belt whose end leads to a bottomless pit.

Re:If Foxit Can Do It ... (1)

geminidomino (614729) | more than 3 years ago | (#32092338)

This explains why I avoid Abobe * like the plague.

Me too. He [google.com] has a wicked strong uppercut. Thankfully, he doesn't pay attention when he's on a conveyor belt whose end leads to a bottomless pit.

Who the hell designs a conveyor belt that leads into a bottomless pit, anyway? Seriously, someone needs to examine the CPE seal on those plans....

Re:If Foxit Can Do It ... (0)

Anonymous Coward | more than 3 years ago | (#32092166)

Acrobat reader may be shit (ok, it is shit!), but unlike the rest of adobe's line, at least the UI isn't Flash. Yet. Or maybe it is; I stopped using it a couple years ago.

Point is, Adobe sucks dick while Acrobat tosses salad.

Re:If Foxit Can Do It ... (3, Interesting)

Low Ranked Craig (1327799) | more than 3 years ago | (#32092354)

I don't think it's so much that they are lousy, I think it's that most companies simply send over source code and a spec and expect a working product back. We code review all changes and over 70% of fixes/enhancements from the Indian dev team were rejected on the first go, as compared to less than 20% for the team in California. Of course since the VP of engineering is originally from India and the outsourcing is his baby, the program is "doing really well".

Re:If Foxit Can Do It ... (3, Interesting)

PPalmgren (1009823) | more than 3 years ago | (#32091988)

Foxit has something to gain from this. For a long time, Adobe only had money to lose by spending anything on their dominant reader that you *had* to use. It appears they haven't lost that mindset.

Re:If Foxit Can Do It ... (2, Interesting)

lpq (583377) | more than 3 years ago | (#32094080)

Adobe has the mindset of a monopolist. In their markets they often are. Their support is shoddy to non-existent and their innovation is down. A few years back, to cement their position with their graphics tools as dominant (Photoshop et al.), they started requiring those wishing to develop plug-ins to adopt exclusive licensing with Adobe, where Adobe could halt sales of their plug-in with any other competing product if it was determined that it out-performed Adobe's product. Most plugin developers don't bother with image editing products outside of Photoshop now.

Their licensing mechanism sucks... they sold me a bill of goods about functionality, regarding products in their Creative Suite 4 package. I bought 3 of them separately -- turns out that their tool that ties all of them together, 'Bridge', will only enable suite color management if it detects a package license; it won't enable separately bought pieces to work together. It only took me 3 months to get them to admit it was a broken conditional in their license processing in "Bridge" -- they then proceeded to issue me a new license -- for another single copy of Photoshop. When I said that wasn't acceptable -- it had to be for all the products I'd purchased (because that's what the documentation says will work), they said I'd have to talk to customer service and would move it back there (I'd gone from customer service to technical, and then back again, and then technical and now again to C.S.). That was about a month ago and I haven't heard from them since. Unfortunately I've been too tied up with other more pressing issues to worry about their broken licensing model.

But basically their support sucks -- they have some whiz-bang products that do great things, but pray you don't need technical support.

Their technical support people are way in over their heads (at least the ones I dealt with).

Re:If Foxit Can Do It ... (1)

Skuld-Chan (302449) | more than 3 years ago | (#32092864)

how did Foxit beat Adobe on this fix

They didn't have to test it against 25+ different languages and 30+ different platforms (yes, you read that right - think about every single version of Windows (server versions, both x86/x64), Mac OS X, Linux and Solaris).

Re:If Foxit Can Do It ... (3, Insightful)

Hurricane78 (562437) | more than 3 years ago | (#32093096)

But since the average amount of registry entries is around 100,000 and the average amount of files is around what, 50,000? (Not even counting different versions and different configuration file entries), wouldn’t that mean

230 * 100,000 * 50,000 = 150 trillion "different platforms" or 25 * 150 trillion = 3,75 quadrillion different configurations? ;)

Or is it just, that when you make not really different setups count (like languages, which are not part of the code to test in such multilingual apps, or not actually different versions of Windows or Linux), that you can come up with whatever insane number you want? ;)

Re:If Foxit Can Do It ... (2, Interesting)

RealGrouchy (943109) | more than 3 years ago | (#32093550)

Indeed, one of my mac users was sent a PDF that had been marked up with Foxit by a volunteer. The markup only shows in Foxit reader, which is only available on Windows. A complete waste of the volunteer's time.

- RG>

Re:If Foxit Can Do It ... (1)

kenwd0elq (985465) | more than 3 years ago | (#32094096)

Only SHOWS, or only PRINTS? By default Adobe Reader does not PRINT the markups, even though it DISPLAYS them. In your PDF printing dialog, be sure to select to print both text and markups and annotations.

Re:If Foxit Can Do It ... (1)

RealGrouchy (943109) | more than 3 years ago | (#32094214)

Foxit's markup does not appear in Preview on OS X, nor did it appear in Adobe Acrobat Pro 8 or 9. My colleague was entirely unable to read the markup made to the PDF in Foxit (which kind of defeats the purpose of a published standard format).

- RG>

Re:If Foxit Can Do It ... (1)

ZosX (517789) | more than 3 years ago | (#32094282)

That's too bad. I had a printing project that required me to place two pages on a certain fixed page size. You think something like this would be trivial to do with acrobat, but NOOOOOOO the only way to do it is to have it resize the pages to fit the overall page. I wanted the pages to stay to a fixed size. This was impossible with acrobat and there were hundreds of pages, so laying them all down in illustrator was out of the question. I downloaded foxit and it had way better print options than adobe. I don't know about annotations displaying, but every pdf I've put in it looks fine as far as I can tell. It might not do what you need it to do, but it was nice to have some sort of alternative that gave me different options that happened to be the ones I need and shame on adobe for giving a total lack of output options on something that is designed to be print friendly.

Re:If Foxit Can Do It ... (1)

jhoegl (638955) | more than 3 years ago | (#32093536)

Security over Functionality... Foxit took the road they felt their users needed.
You can make your minds up why Adobe didn't come up with this, or if they even tried.

Evince (1)

WarJolt (990309) | more than 3 years ago | (#32091976)

I think you're all asking the same question I am. Is evince susceptible?

Re:Evince (1)

mirix (1649853) | more than 3 years ago | (#32092546)

I've been using okular lately (uh.. ex-kpdf).

I'm not sure if they fixed it, but evince had a bug where it wouldn't anti-alias on B&W stuff, which led to major eye-bleeding when reading non OCR'd scans. Hence the switch.

This was on debian (squeeze), not sure if it was limited to their package, or if it is/was all evince of that build. Guess I could try compiling the latest version and see what happens. But I've gotten used to okular in the meantime, I think I prefer it now.

I'm assuming the linux ones aren't vulnerable, as, big assumption, even if they had the same flaws as acrobat, the exploits probably rely on windows hooks as well... so...

Re:Evince (1)

mirix (1649853) | more than 3 years ago | (#32092632)

Actually, now that I think about it, maybe the bug was with poppler? I think they both use it though. Not sure now.

Re:Evince (1)

Upsilonish (1250840) | more than 3 years ago | (#32093804)

I think it is poppler, because that still happens in evince and some other readers I tried (I just found out it was a bug a couple of days ago, rather than just low res scans). I was going to try okular, but I didn't want to install 150MB or so of kde libs. xpdf seems to work better, but has an ugly ui.

Hey! This thing has code! Were you expecting that? (4, Insightful)

LostCluster (625375) | more than 3 years ago | (#32091998)

They used to say there was no way an image file or text doc could spread a computer virus... then buffer overruns were discovered in image handlers, and Microsoft added VBA macros that basically had the full power of Visual Basic at its disposal to Office, and away it went!

Now, I make my living writing Visual Basic, so there's no way I want to see VBA going away. Still, there needs to be some safety to prevent a VBA macro from using unknowing users' computers to flood the Internet with useless traffic... and the solution is pretty simple: If an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file, and would like the code to be enabled. If the user declined, macros won't run but users can see the static content in the file.

So.. that's the solution being employed here. They're effectively saying "Hey, this PDF is using network functionality, do you trust it to do that?" That should shut off the threat vector while still allowing the functionality to be used in trustworthy situations... why isn't this something in Adobe's official reader yet?

Re:Hey! This thing has code! Were you expecting th (4, Insightful)

just_another_sean (919159) | more than 3 years ago | (#32092090)

The only problem with all that is that most users just shrug and say, um, sure -> OK.
IMHO, for corporate use anyway, Foxit should add some way to leave the default "don't let
it run" enabled and prevent users from turning it off. Just to give us poor, overworked
sysadmins a way to prevent non-root/non-Administrator user "Just click OK" (TM) syndrome.

I believe MS does provide a way to handle the VBA situation you described but it's been
a while so not 100% sure

Re:Hey! This thing has code! Were you expecting th (1)

RESPAWN (153636) | more than 3 years ago | (#32092212)

You've hit the nail on the head here. One of my users received a particularly well crafted email from "me" today asking her to download a patch for Adobe products. It even included what looked to be a forwarded conversation from our CEO. Had she not come to me asking a question about the instructions, she could very well have infected her machine. Nevermind that the link was to a .to domain. Typical users don't look for warning signs like that.

Re:Hey! This thing has code! Were you expecting th (2, Funny)

Anonymous Coward | more than 3 years ago | (#32092530)

Ar
e you sure that some of your mac hines aren't alr
eady
in fect
ed?

Re:Hey! This thing has code! Were you expecting th (1)

LostCluster (625375) | more than 3 years ago | (#32092832)

And that's a save for the "Um, you're doing something odd here... are you sure?" system. That extra dialog box most likely prompted the question to you, which saved the day. Yeah, the IT admin might want the control to just assume the user clicked "No!"... but I don't know the number of times where the IT guys have locked out the custom code I was paid by them to develop because it tripped a "changed .exe" flag. Yes, I'm the developer and you own the software... yes, I think we can trust that changed .exe file for this one time and for as long as I'm here. What, the guy who oversees both of us hasn't told you they hired me? :)

Re:Hey! This thing has code! Were you expecting th (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32092920)

One idea is with Acrobat itself. If there is a need to run code or fill a PDF form, the PDF should be signed. Verisign isn't perfect, but in general, if their cert says that a PDF came from a company, it did, and if there is an exploit, fingers can definitely be pointed in that direction.

At the minimum, unsigned PDFs should not be allowed to run scripts. If the user wants to run scripts, he or she will need to explicitly turn the functionality on.

Voila. Problem taken care of. Companies can have their interactive forms, and the mischief makers are locked out. Of course, there is the issue about a mischief-maker getting a Verisign cert, but that is more of the fault of the CA.

Re:Hey! This thing has code! Were you expecting th (1, Interesting)

Anonymous Coward | more than 3 years ago | (#32092140)

It...won't work. Users are stupid. Not the programmers. The users.

Do you trust the source of this? "Sure, I trust Chuck not to forward me a virus" Of course, they never think that chuck is forwarding Anna K nekkid pics from Bob, who got it from Albert, who got it from Zed, who got it from Debby...

And of course, they'd never contemplate it might not actually be Chuck that sent it, but a virus Chuck opened up and scanned his inbox or address books. And that's just using issues that hit the streets over a decade ago.

No, nobody would *ever* innovate with malware, and actually do something like reply all to current emails to make them context sensitive in a current thread chain.

"Great point $SENDER, but there's a minor flaw. It's a bit hard to explain--but I've got it in this attachment... $CARBONCOPYLIST, can you confirm?"

Or run a multi-stage attack... or spoof an administrator saying to apply something... or host an e-card as shadyporn.cum, please click in the link and login with your AOL userid to continue...

No...users are the problem, and any amount of warnings you do will invariably result in one of two behaviors:
    1) they will be told by IT to hit "ignore" once, and they will hit ignore FOREVER MORE.
    2) they will be told it's dangerous by their nephew, and ignore it no matter what. If IT tells them to hit it "just once" they will either
            a] lie and not actually hit it, but say they did
            b] goto 1)

Bottom line--all people between keyboard and chair known as "users" are fucking incapable of exercising any judgement, discretion, or common sense.

Yeah, I'm in IT for a living. And my attitude isn't the problem. If you're incensed by this--you are.

Re:Hey! This thing has code! Were you expecting th (0)

Anonymous Coward | more than 3 years ago | (#32092964)

Pity this is so. If users were smarter, we wouldn't need smug nimrods like you in IT. Downsizing FTW! What amuses me is that you're actually complaining about the only thing that's keeping you employed.

Re:Hey! This thing has code! Were you expecting th (0)

Anonymous Coward | more than 3 years ago | (#32093476)

Yeah, I'm in IT for a living. And my attitude isn't the problem. If you're incensed by this--you are.

Actually I was in IT for 14 years. I left IT last summer to go into the medical field. I didn't leave because of all the crappy hardware and software manufacturers. I didn't leave because of the stupid end users or inept management or outsourcing or any of the other crap that gets complained about. I left IT because so many of my coworkers were arrogant socially inept morons who were a pain in the ass to be around.

Re:Hey! This thing has code! Were you expecting th (0)

Anonymous Coward | more than 3 years ago | (#32092162)

Now, I make my living writing Visual Basic, so there's no way I want to see VBA going away. Still, there needs to be some safety to prevent a VBA macro from using unknowing users' computers to flood the Internet with useless traffic... and the solution is pretty simple: If an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file, and would like the code to be enabled.

VB coders are going to be the first to the wall when the revolution comes!

If the user declined, macros won't run but users can see the static content in the file.

So.. that's the solution being employed here. They're effectively saying "Hey, this PDF is using network functionality, do you trust it to do that?" That should shut off the threat vector while still allowing the functionality to be used in trustworthy situations... why isn't this something in Adobe's official reader yet?

I don't think they care about Acrobat Reader anymore at all; too busy rolling in money from sales of Photoshop Crashing Edition 5, InDesign etc. Your solution is, amazingly, a pop-up like ActiveX, UAC, and similar innovations, which I think has been demonstrated does not work well on end-users. Confirm/deny reads like 'click here to be able to read the damn thing', the rest is blah blah blah do you trust your cat not to eat you at night. It's approximately as annoying as default deny, the sane approach. Bonus points if your accept/deny has an always accept option but not an always deny option.

You should set fire to your VBA bookshelf and buy HCI / UX books instead.

Re:Hey! This thing has code! Were you expecting th (2, Funny)

ProdigyPuNk (614140) | more than 3 years ago | (#32092172)

I'm almost done with a "Database Design and Development" course at college. Turns out the course entirely relies on MS Access (not exactly what I had in mind when signing up). Anyway, in the later part of the course macros/VBA were embedded in the example files, and one of the first instructions in the book was always "Enable the contents" - but the book never bothered mentioning why the warning was there and what the purpose was. I'm sure at least half of my computer science major peers would click OK without thought.

Re:Hey! This thing has code! Were you expecting th (1)

LostCluster (625375) | more than 3 years ago | (#32092704)

Yeah, there should be some sort of "You can trust us, we're your textbook author and we included VBA macros in order to..." note somewhere in the book near the first introduction. Then again, if they were using VBA to prevent copying by students and not telling them about it, then that textbook should be burned.

Re:Hey! This thing has code! Were you expecting th (1)

jonwil (467024) | more than 3 years ago | (#32093530)

The VBA macros were probably being used to actually implement the example. I have seen far too many people (including academics) who think using Access to design a full database UI is a good idea.

Re:Hey! This thing has code! Were you expecting th (2, Funny)

sznupi (719324) | more than 3 years ago | (#32092382)

Now, I make my living writing Visual Basic...

And you freely admit it here?... ;)

Re:Hey! This thing has code! Were you expecting th (1)

noidentity (188756) | more than 3 years ago | (#32092498)

If an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file, and would like the code to be enabled. If the user declined, macros won't run but users can see the static content in the file.

But that fails when everyone wants to start using this functionality, and a user has to constantly click allow. Regardless, how are end-users going to know what all this means? They just want to view the document. I think the failure is in even allowing executable code in a document. The point was a common format that could be viewed/printed from any machine. That's fine, let's stick with that. I really see no hope, because everyone wants every damn file format to be everything. Web pages, Flash apps, whatever, they want each one to have all the same features.

Re:Hey! This thing has code! Were you expecting th (1)

LostCluster (625375) | more than 3 years ago | (#32092664)

Everybody on Windows uses .exe functionality... and this kind of thing is the basis for allowing or disallowing network connections from suspect applications. It's a last line of defense against newly discovered threats, and works well in combination with Anti-virus which can stop known threats, but has no way of knowing about today's new threat.

Re:Hey! This thing has code! Were you expecting th (3, Insightful)

Anonymous Coward | more than 3 years ago | (#32092680)

There simply should not be active content in a PDF. PDF means "portable document format", not "program-distribution file". I believe the sane specification is called PDF/A (A for "archive"): No external references, no active content (no scripting, no video, no audio, no actions), no encryption, no blocking print or copy. PDF readers should have a simple preferences toggle: [x] restrict to PDF/A subset.
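The /Launch action from the story, the URL/attachment/JavaScript categories that Foxit's Trust Manager gates, and the "restrict to PDF/A subset" toggle proposed in this comment all reduce to one question: does the file contain anything beyond static content? As an added example that is not part of this thread or any vendor's code, the Python scanner below answers that question over raw PDF bytes; the feature list and the three sample files are constructed here for illustration, and a production check would additionally parse cross-reference tables and object streams properly instead of pattern-matching.

```python
import re
import zlib
from collections import Counter
from typing import Dict, Iterator

# Features that take a PDF beyond a static document. /Launch is the action
# Didier Stevens abused; /URI, /SubmitForm, /GoToR, /EmbeddedFile and the
# JavaScript names cover the categories Foxit's Trust Manager gates (URL
# connections, attachments, JavaScript). The rest are outside PDF/A as well.
# The list itself is this example's choice, not any vendor's policy.
ACTIVE_FEATURES: Dict[bytes, str] = {
    b"/Launch": "external program launch (/Launch action)",
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "embedded JavaScript (inline /JS)",
    b"/URI": "external URL connection",
    b"/SubmitForm": "form submission to a URL",
    b"/GoToR": "remote file reference",
    b"/EmbeddedFile": "file attachment",
    b"/RichMedia": "embedded multimedia",
    b"/Encrypt": "encryption",
}

# A PDF name runs from '/' up to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s/<>\[\]\(\)\{\}%]+")
# Stream bodies; the lookbehind keeps 'endstream' from starting a false match.
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_MAX_INFLATE = 4 * 1024 * 1024  # bound decompression so a bomb cannot stall triage


def _decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated /#4Caunch compares equal to /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def _inflated_streams(data: bytes) -> Iterator[bytes]:
    """Yield the inflated body of every FlateDecode stream that decompresses."""
    for m in _STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1), _MAX_INFLATE)
        except zlib.error:
            continue  # not zlib data (image, font, other filter): skip it


def scan_pdf(data: bytes, inflate: bool = True) -> Dict[str, int]:
    """Count active-content features in raw PDF bytes.

    Names are matched after escape decoding, in the raw file and, when
    inflate=True, inside deflated streams (object streams hide most of a
    modern PDF's dictionaries there). This is triage, not a full parser:
    names inside strings or comments count too, so treat hits as leads.
    """
    found: Counter = Counter()
    chunks = [data]
    if inflate:
        chunks.extend(_inflated_streams(data))
    for chunk in chunks:
        for m in _NAME_RE.finditer(chunk):
            name = _decode_name(m.group(0))
            if name in ACTIVE_FEATURES:
                found[ACTIVE_FEATURES[name]] += 1
    return dict(found)


def allowed_under_static_policy(data: bytes) -> bool:
    """Default-deny gate: the file passes only if no active feature is present."""
    return not scan_pdf(data)


# Constructed samples (not real malware): a plain document, one whose
# OpenAction is a /Launch written with a hex-escaped name, and one whose
# JavaScript action sits inside a deflated object stream.
SAMPLE_STATIC_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_LAUNCH_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /#4Caunch /F (example.exe) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
_OBJSTM_BODY = zlib.compress(b"4 0 << /S /JavaScript /JS (app.alert(1)) >>")
SAMPLE_OBJSTM_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_OBJSTM_BODY)).encode() + b" >>\nstream\n"
    + _OBJSTM_BODY + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in [("static", SAMPLE_STATIC_PDF), ("launch", SAMPLE_LAUNCH_PDF),
                       ("objstm", SAMPLE_OBJSTM_PDF)]:
        verdict = "allowed" if allowed_under_static_policy(pdf) else "blocked"
        print(f"{label}: {verdict} {scan_pdf(pdf)}")
```

Running the module shows the static sample passing, the hex-escaped /Launch being caught after name decoding, and the JavaScript action being found only when the deflated stream is inflated, which is why a signature that looks at raw bytes alone is not enough.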

Re:Hey! This thing has code! Were you expecting th (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#32093240)

PDF/A is indeed the sane specification (though it has a few friends for slightly different purposes; but offering similar levels of standardness and sanity).

Trouble is, though, Adobe has very little incentive to stick to that (if some customer demands it, they obviously have an incentive to be able to emit sane PDF/A; but not much to stop there). Since the core, sane, bits of PDF are a royalty free standard, and Reader is free as in beer, Adobe only makes money if people buy the expensive versions of Acrobat, or heroically expensive "enterprise document workflow solutions" and so forth. Thus there are two pernicious forces at work: 1. If Adobe's de-facto PDF "standard" didn't keep sprouting tentacles of various sorts, it would be easier for competing products to reach parity, or "almost as good but a lot cheaper" status, and erode Adobe's profits. 2. Because Adobe's bread-and-butter involves worming their way into various horrible and convoluted enterprise document/form scenarios, their customers probably give them a lot of weird (and, outside of the customer's specific context, basically terrible) feature requests. "But if we could just embed Flash videos, we could consolidate the new-hire training module with the document compliance tracking system..." "Hey, could we work-in client-side input validation, and HTTP GET? It sure would save us a lot of time collecting the surveys that people fill out; but neglect to email back..", etc, etc.

Re:Hey! This thing has code! Were you expecting th (1)

klui (457783) | more than 3 years ago | (#32094086)

Or if you rename the file to a .pdfa or something like that, the reader will not enable "active" content.

Re:Hey! This thing has code! Were you expecting th (2, Insightful)

Vellmont (569020) | more than 3 years ago | (#32093058)


Still, there needs to be some safety to prevent a VBA macro from using unknowing users' computers to flood the Internet with useless traffic

Yes, it's called a sandbox. Let the VBA code run in a very limited environment, specifically don't let it access the filesystem or the internet. What's so hard about that?

and the solution is pretty simple: If an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file

You've never actually watched people other than computer experts use a computer, have you? If you had you'd realize they ignore those long, boring, cryptic messages unknowing programmers such as yourself put up in front of them. They don't care, and they just want to get their work done. By relying on this approach that "the user will know what to do in this situation!" (when in fact they have no idea and are just confused) you've trained people to simply click through these messages in hopes that the program will work anyway (which sometimes it does).


So.. that's the solution being employed here. They're effectively saying "Hey, this PDF is using network functionality, do you trust it to do that?"

What the hell happened to the approach of my document just being a damn document, and not having to try to have all these whizz-bang features of accessing the internet? The fill-in forms are neat and useful, but that doesn't require anything but a sandbox. Putting a scripting language in a format people commonly exchange is just stupid, and will only lead to more security problems. The shit adobe has pulled off has led me to stop trusting reader entirely, and just use alternative PDF readers in hopes they're not programmed by idiots who just want to add more gold plating and whizz-bang features to an application that was essentially "done" about 10 years ago.

Re:Hey! This thing has code! Were you expecting th (1)

Zadaz (950521) | more than 3 years ago | (#32093674)

...why isn't this something in Adobe's official reader yet?

Because most people have no idea that there can be threats inside of PDFs and this kind of pop-up would only alert them that there could be a danger. Who wants that kind of publicity?

Re:Hey! This thing has code! Were you expecting th (1)

jhol13 (1087781) | more than 3 years ago | (#32093774)

NO!

The solution is not to give choice of "run" / "don't run at all" where "run" means "run with full privileges - bloody hell, let's give administrator while we are at it!".

Why, after who knows how many years of Java, can't there be a sandbox?

Re:Hey! This thing has code! Were you expecting th (1)

LostCluster (625375) | more than 3 years ago | (#32093990)

You don't keep your private info in a sandbox, and some programs need your private info in order to do what they're designed to do.

Re:Hey! This thing has code! Were you expecting th (0)

Anonymous Coward | more than 3 years ago | (#32093938)

the solution is pretty simple: If an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file, and would like the code to be enabled.

Come on dude, you should know better than this. Your average end user is going to click Yes to anything that pops up, especially when all they want to do is see the document they just opened.

The real solution is to not give documents the functionality of applications but I guess it's too late for that.

Re:Hey! This thing has code! Were you expecting th (1)

virgilp (1774784) | more than 3 years ago | (#32094636)

You see, the issue is that Adobe's reader ALREADY HAS this protection. It always did! Try reading the "researcher's" (notice the quotes) so-called attack, use a version of Adobe Reader however old, and see how it works - guess what, you get a warning telling you that the PDF is trying to execute code and you should only allow it in case you trust it.

Read the report people, this is a non-issue where Adobe's name was only mentioned because it is fashionable to bash Adobe for whatever "security" issues (saying Foxit had a security issue - because it did! - would not have been news; but put Adobe too in the press release - now you have something that people will read! ).

everybody (0, Troll)

ihxo (16767) | more than 3 years ago | (#32092062)

Everybody and their mom one-ups Adobe.
They are usually the last to do anything right.

Why wasn't this implemented from day one? (5, Insightful)

ProdigyPuNk (614140) | more than 3 years ago | (#32092120)

Is this really a "feature" that should be celebrated? This should have been implemented since the beginning. If you're making a PDF reader, and the PDF spec has an "execute" functionality, shouldn't everyone developing these programs have seen the spec and realized what this could do?

Re:Why wasn't this implemented from day one? (2, Interesting)

noidentity (188756) | more than 3 years ago | (#32092452)

There's always someone who comes along and says "it'd be useful if you could do this", be it "execute code embedded in a PDF" or "not have to remember or enter an annoying PIN code number when using the ATM". Never mind that the costs of adding this outweigh the benefit, so it gets added. And at some point, someone creates a new, just-a-freakin'-reader, and the cycle begins anew. Depressing.

Re:Why wasn't this implemented from day one? (1)

Knackered (311164) | more than 3 years ago | (#32092514)

It was implemented from day 1. Version 1.0 of PDF didn't have any ability to launch programs. Then, around day 1000, Adobe decided to turn it into a "platform" instead of a document format, and introduced this sort of problem.

Sort of... (2)

ProdigyPuNk (614140) | more than 3 years ago | (#32092206)

"It doesn't disable JavaScript entirely," Xiong said. "It only partially disables JavaScript."

That line really bothers me. How many times before have ways been found around things like SQL sanitization procedures? Why not block ALL javascript unless it's explicitly enabled? I can't believe that they would let that go.

Re:Sort of... (2, Informative)

Shados (741919) | more than 3 years ago | (#32092316)

That line really bothers me. How many times before have ways been found around things like SQL sanitization procedures?

-Extremely few-, if you're talking about correct SQL management. The only one that comes to mind among serious RDBMSs (DB2, Sybase, SQL Server, Oracle, Postgres...) was a datatype exploit in Oracle that only worked locally, AND was more theoretical than anything.

Parameterized queries (the only good way of handling "SQL sanitization") are virtually flawless. Now, if you're talking about string escaping, as is very popular on PHP/MySQL stacks...well, yeah, that's Swiss cheese, dangerous, and bad practice (and unfortunately extremely popular).
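The contrast Shados draws between parameterized queries and hand-rolled escaping, as an added example that is not part of the thread: Python with the standard sqlite3 module, a constructed three-row users table, and a constructed tampered input for a numeric id field. It shows why quote-doubling holds up in one context and falls over in another, while the parameterized query needs no such care.

```python
"""Parameterized queries versus hand-rolled string escaping, on SQLite."""
import sqlite3


def fresh_db() -> sqlite3.Connection:
    # Constructed sample data: three accounts; a lookup should return one.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "admin"), (2, "bob", "staff"), (3, "carol", "staff")])
    return con


def escape_literal(value: str) -> str:
    """The kind of ad-hoc escaping the comment calls Swiss cheese: it doubles
    single quotes, which is all many home-grown helpers ever did."""
    return value.replace("'", "''")


def lookup_by_name_escaped(con, name: str) -> list:
    # Escaping does defend this one context, a single-quoted string literal...
    sql = "SELECT name FROM users WHERE name = '" + escape_literal(name) + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_by_id_escaped(con, user_id: str) -> list:
    # ...but the same helper is useless where the value is not quoted: there
    # is no quote in the input to escape, so the query's structure is rewritten.
    sql = "SELECT name FROM users WHERE id = " + escape_literal(user_id)
    return [row[0] for row in con.execute(sql)]


def lookup_by_id_param(con, user_id: str) -> list:
    # Parameterized: the value travels separately from the statement and can
    # never change its structure. A non-numeric string matches no INTEGER id.
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in con.execute(sql, (user_id,))]


def demo() -> dict:
    con = fresh_db()
    tampered = "1 OR 1=1"  # constructed hostile input for an id field
    return {
        "escaped_name": lookup_by_name_escaped(con, "alice"),
        "escaped_id_tampered": lookup_by_id_escaped(con, tampered),
        "param_id_tampered": lookup_by_id_param(con, tampered),
        "param_id_honest": lookup_by_id_param(con, "1"),
    }
```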

Re:Sort of... (1)

lennier (44736) | more than 3 years ago | (#32093418)

Now, if you're talking about string escaping, as is very popular on PHP/MySQL stacks...well, yeah, that's Swiss cheese, dangerous, and bad practice (and unfortunately extremely popular)

So why is the obvious Wrong Way To Do It so popular? Or perhaps more to the point, why is the Right Way To Do It apparently so off-putting to developers that it doesn't get used? And is there a Better Right Way To Do It?

Re:Sort of... (1)

Shados (741919) | more than 3 years ago | (#32093772)

Misinformation and historical reasons. Urban legends, pretty much. And the fact that the technology on which a lot of people learnt to program didn't support it for a long time (even though everything else did).

Nothing more, really.

Re:Sort of... (1)

jhol13 (1087781) | more than 3 years ago | (#32093806)

Because there are a huge number of JavaScript methods that cannot, if properly written, cause any problems.
Why not allow only them?

Adobe is down down down (4, Informative)

rcastro0 (241450) | more than 3 years ago | (#32092290)

Is it a coincidence that I read that Adobe is losing the grip on PDF just a few days after I read Jobs' "Thoughts on Flash [apple.com] ", essentially dumping Flash from iPhones/iPads, and burning it at a stake? Or is Adobe's strategy really failing spectacularly before our own eyes?

I should've seen it coming -- I haven't used Acrobat Reader for years. PDF Xchange Viewer [docu-track.com] is my current favorite, though Foxit was my first off-Adobe alternative, back when.

Re:Adobe is down down down (1)

Knara (9377) | more than 3 years ago | (#32092392)

"Losing the grip on PDF"? Sort of alarmist there, don't you think?

The only reason it seems like this is because, perhaps unconsciously (but perhaps not), editors tend to clear stories that seem to form a narrative. Regardless of the narrative existing or not.

Re:Adobe is down down down (1)

carp3_noct3m (1185697) | more than 3 years ago | (#32092762)

I agree it may be a bit alarmist, but as someone who has at my former employer worked with many kinds of businesses from small to medium, I can tell you that the only reason Adobe Acrobat is still in play is because of vendor lock down with businesses. They don't want to change readers/editors because "everyone else uses Adobe", but as soon as enough of them get burned, and more IT admins realize it is one of the biggest threats on a company's network, they will start jumping ship. They just need an alternative that is worth it, and unfortunately the few alternatives that are out there haven't quite stepped up to that level yet. It's just a matter of time.

Re:Adobe is down down down (2, Insightful)

Culture20 (968837) | more than 3 years ago | (#32092940)

And there are a lot of companies, big and small, that are learning about pdf printing via open source tools, making Acrobat a waste of money. If Acrobat isn't being used to create the documents, why use Acrobat Reader?

Re:Adobe is down down down (2, Interesting)

Low Ranked Craig (1327799) | more than 3 years ago | (#32092396)

+1 on PDF Xchange (for Windows). That was the only 64-bit reader I could find at the time and it worked really well. On my Mac I simply go with Preview.app. Acrobat is a bloated pig and is to be avoided along with Flash, although I'll probably need to get a Core i7 box because I NEED Photoshop - I think Adobe took lessons from Microsoft on how to incorporate more bloat during Vista development.

Re:Adobe is down down down (1, Informative)

Anonymous Coward | more than 3 years ago | (#32093434)

I'll probably need to get a Core i7 box because I NEED Photoshop

No you don't. I'm sure I read somewhere that newer versions of Photoshop support hardware acceleration using recent GPUs (Nvidia 8x 9x) either directly or through a plugin (I'm pretty sure Nvidia made a plugin for Photoshop to make use of CUDA).

Re:Adobe is down down down (1)

Low Ranked Craig (1327799) | more than 3 years ago | (#32094152)

Awesome if true. On the other hand I hope not as I need an excuse for the wife so I can get a new machine...

Re:Adobe is down down down (1)

ZosX (517789) | more than 3 years ago | (#32094326)

It's directly integrated. In CS4 it is mostly used for image display and smooth zooming, but can be nice with a modestly fast GPU. I like how you can grab the image and slide it across the screen and release the mouse and it will keep on smoothly scrolling until you click again or it decelerates. I'm sure they included more stuff in CS5, but I have yet to see that in action. I find for CS4 a quad-core Athlon seems fine. Memory is really the bigger issue, and the more the merrier, though I regularly manipulate 1-gig files with about 2 gigs assigned to Photoshop and it works OK. A lot of tasks in Photoshop are really single-threaded, so multiple cores don't give you a great deal of gain in a lot of tasks. It does help in some areas though. My advice: if you have a machine that has been built in the last year or two, don't upgrade for CS5. Just maybe max out your RAM situation and go for it, unless you happen to be running some ancient P4 or something...

Re:Adobe is down down down (1)

Skuld-Chan (302449) | more than 3 years ago | (#32093016)

How can you lose the grip on PDF when it's a fully published spec, and an accepted ISO standard (several of them)?

pdf's are great for linking to layout large prints (1)

kyle222234 (1330867) | more than 3 years ago | (#32092320)

Maybe PDF's support of linked source files causes some vulnerabilities

Safe computing? (3, Insightful)

cdrguru (88047) | more than 3 years ago | (#32092322)

The problem is that the PDF specification was created at a point in time when you had a reasonable expectation that software would not do bad things to your computer intentionally.

A method to invoke an external program was put there for flexibility I am sure and it did offer a reasonable way to extend the functionality of the PDF document structure. The same thing is in WinHelp, for exactly the same reason. It allows a "tutorial" document that by clicking on active parts would invoke external programs to do things.

Now we have a situation where virtually nothing can be trusted to do what it is claiming to do. If you get an email with a file with any sort of active content in it you can assume that it will do something bad.

Where 15 years ago "active content" was something to be desired and provided extensibility, today "active content" is a way to compromise computers and steal from people. A significant problem for Adobe (and plenty of others) is how to eliminate the possibility of bad things happening with active content while retaining the functionality? Today, I would say active content has to go, period. Anyone that is using and relying on this needs to change their methods.

It is a pity that we have to give up flexibility and extensibility because of criminals that we cannot or will not police.

Re:Safe computing? (0)

Anonymous Coward | more than 3 years ago | (#32093162)

Where 15 years ago "active content" was something to be desired and provided extensibility,

No, "active content" was never desirable. It was just willfully ignorant assholes pushing it on others while ignoring the security consequences. Good OSes have had sophisticated privilege systems since the 60's for a reason, and embedding unsecured executables in documents to bypass those security systems was a seriously stupid thing to do. Not to mention it being seriously bad design to mix data and code.

PDF jumped the shark long ago (0)

Anonymous Coward | more than 3 years ago | (#32092360)

PDF was supposed to be a document format. Since it turned into a programming platform and Internet platform to run executable files while reading a document, it "jumped the shark". THERE IS NO NEED TO USE JAVASCRIPT OR ANY OTHER EXECUTABLE PROGRAM WHEN READING A DOCUMENT. It's no wonder most agencies, departments, etc. won't accept PDF for documents. It turned from something practical to something that only spammers and malware enthusiasts love.

PDF, for me, is as stupid and outdated as Steve Jobs, iTunes, Flash, Web2, Web3, MySpace, Facebook and patents.

FoxIt for Linux? (0)

will.perdikakis (1074743) | more than 3 years ago | (#32092428)

If FoxIt is gaining ground on Windows, they should consider releasing it for Linux. Adobe actually beat them to that (more important, IMO) punch.

Plus, it will hopefully be the first decent PDF reader for Linux.

Re:FoxIt for Linux? (5, Informative)

ichthyoboy (1167379) | more than 3 years ago | (#32092560)

You mean like they already have [foxitsoftware.com] ?

Re:FoxIt for Linux? (1)

will.perdikakis (1074743) | more than 3 years ago | (#32093242)

There should be a way to mod down for retardation, sorry folks!

This is what happens when an Ubuntu user does not find a software package in the integrated package manager.

Anyone try this out?

I have awful luck with XPDF, and the default reader. I will not touch Adobe on Linux...

Re:FoxIt for Linux? (0)

Bootarn (970788) | more than 3 years ago | (#32092824)

Just install Xpdf/evince and be happy. You don't need embedded crap in your documents.

Replace PDF with PTF (2, Funny)

postmortem (906676) | more than 3 years ago | (#32092590)

Plain Text Format!

Even companies such as Adobe, Microsoft, and Apple with joint efforts could eventually make TXT format readers that have next-to-0 security holes. :)

Re:Replace PDF with PTF (1)

mirix (1649853) | more than 3 years ago | (#32092712)

I'm a big fan of plain text myself.

But there are a lot of times when ASCII art doesn't cut it.

Re:Replace PDF with PTF (0)

Anonymous Coward | more than 3 years ago | (#32092858)

I recall a few months back there being a Notepad exploit for Windows 7.

captcha: corrupts

Re:Replace PDF with PTF (0)

Anonymous Coward | more than 3 years ago | (#32092892)

What are you talking about? Adobe and MS working together can come up with a TXT spec that could crash the entire Internet.

Re:Replace PDF with PTF (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32093484)

But LF,CRLF, or in the case of pre-OSX mac, CR?

This is why PDF should be abandoned (2, Insightful)

Arancaytar (966377) | more than 3 years ago | (#32093142)

There is absolutely no excuse for using PDF unless you need the Flashy extra features like forms. As a device-independent printable format, PostScript and DVI are superior as well as devoid of code execution or networking features.

We've almost taught people not to send Office documents in emails - next step, eradicate PDFs.

Re:This is why PDF should be abandoned (1)

bit9 (1702770) | more than 3 years ago | (#32093564)

Do you know of any FOSS PDF-to-PS converters? I have a significant number of PDF files that I'd like to not have to worry about.

[I haven't actually gone and Google'd the answer to my own question yet, so mod me down if you will, but I'll take personal advice any day over a blind Google search]

Re:This is why PDF should be abandoned (0)

Anonymous Coward | more than 3 years ago | (#32093710)

I think you're looking for `pdf2ps` (surprise surprise). It's a part of Ghostscript.

Re:This is why PDF should be abandoned (3, Informative)

flyingfsck (986395) | more than 3 years ago | (#32094046)

Uhhh, got news for you. PostScript is a programming language. Someone with too much time on his hands even wrote a chess program in PostScript.

Re:This is why PDF should be abandoned (1)

DMUTPeregrine (612791) | more than 3 years ago | (#32094748)

Mod parent up and GP down. PostScript is a Turing-complete programming language. It's as far from devoid of code execution features as one can get. One of my favourites is the randomly generated PostScript maze [sorotokin.com] . Open it, get a maze, print it on a PostScript printer and get a new maze every time.

Re:This is why PDF should be abandoned (1)

Main Gauche (881147) | more than 3 years ago | (#32094298)

DVI? No. One word: fonts.

The "P" in PDF stands for portable. You don't replace that with DVI.

Re:This is why PDF should be abandoned (1)

TeknoHog (164938) | more than 3 years ago | (#32094744)

There is absolutely no excuse for using PDF unless you need the Flashy extra features like forms. As a device-independent printable format, PostScript and DVI are superior as well as devoid of code execution or networking features.

Ironically, PostScript is a full programming language. Does it count as networking, if there are web servers written in it?

What I really want to know is... (2, Insightful)

bit9 (1702770) | more than 3 years ago | (#32093542)

Blocking PDF exploits is a great first step, but is there a way to detect infected PDF files, and disinfect them? I have no problem leaving Foxit permanently in safe mode, but it would be nice to be able to trust a PDF file once in a while, and be able to turn the JavaScript/etc back on for files I trust.

There's a line somewhere... (0)

Anonymous Coward | more than 3 years ago | (#32093948)

The last time I installed Acrobat Reader, it demanded a system restart.
It is a userland program. It reads user data files and displays them on the user's screen.
And yet it demanded an action reserved for system driver and kernel updates.

I propose this:
Every time a userland program demands a reboot, a programmer from the team responsible gets shot.

Are most exploits in PDF/Javascript or in Acrobat? (1)

guanxi (216397) | more than 3 years ago | (#32094156)

You read about many exploits in Acrobat, but are they really exploits in the PDF format and/or JavaScript? What I'm really getting at is, does using an alternative PDF viewer (such as Foxit, Nitro, or MacOS X Preview) protect you from most exploits?

I've asked this question in a few places and tried to do some research on it, but I haven't found much relevant info at all.

Since I can't change behavior... (5, Informative)

drumcat (1659893) | more than 3 years ago | (#32094358)

As an IT admin, I'm not getting anyone to drop PDF as a format. That's insane. But this, along with the 9.2 update installing McAfee without permission, has made me decide my company will be moving to Foxit. Adobe has screwed me for the last time. For anyone's info, if you have Reader 9.0, without the McAfee install selected, and you then do a "Check for updates" update from within the program, McAfee AV will be installed. I now have to UNinstall it from a shit-ton of machines. Adobe is famous for bad installers, but this takes the cake.


would someone please post a link to (or create) .. (1)

prawn_narwp (1579473) | more than 3 years ago | (#32094964)

a script or scanner I can point my directory of PDFs to? PDFs are a great attack vector when you have tons of IT folk downloading programming and sysadmin related ebooks ...

Belgian (0)

Anonymous Coward | more than 3 years ago | (#32094988)

Belgian researcher, not Belgium researcher.

Please.

uninstaller not ok ! (0)

Anonymous Coward | more than 3 years ago | (#32095846)

This product might have nice features but the uninstaller is a pain...
So if you want to try the free version of Foxit, you'd better be ready to clean up manually once you uninstall it.

How about better Foxit install documentation? (0)

Anonymous Coward | more than 3 years ago | (#32096832)

I would love to have documentation listing all the install options, and an easy way to make .mst files for automated silent distribution.

These options do exist, but they are scattered all over third-party forums that people discovered by trial & error.
