
New Adobe PDF Zero-Day Under Attack

CmdrTaco posted more than 4 years ago | from the duck-and-cover dept.

Security 203

Rahmmp writes "Adobe has sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild. An Adobe spokeswoman described the attacks as 'limited' but warned that that could change with the availability of public samples and exploit code."


203 comments


No credibility to this story (5, Funny)

symbolset (646467) | more than 4 years ago | (#33523162)

Whenever we have a credible PDF exploit story, the slashdot fine summary always links to a reliable PDF document that explains the exploit in detail. Sorry, not buying this one.

Re:No credibility to this story (2, Informative)

tlhIngan (30335) | more than 4 years ago | (#33523230)

Whenever we have a credible PDF exploit story, the slashdot fine summary always links to a reliable PDF document that explains the exploit in detail. Sorry, not buying this one.

Funny, the only PDF I can find is a link from the FA which demonstrates the attack. The article itself is a regular web page, and I can't seem to find a PDF of the full disclosure.

Re:No credibility to this story (1)

docrmc (551146) | more than 4 years ago | (#33523842)

I would have been more skeptical had I not already been made aware, this morning, of an ongoing attack against my Pop's workplace, via a zero-day PDF vulnerability. Forgive me if I don't name-drop the company, but I'd definitely confirm any public statement they make at some later date...

Re:No credibility to this story (1)

BrokenHalo (565198) | more than 4 years ago | (#33524320)

There's a nice little glossing-over in TFA:

Details on the vulnerability are not yet public [...] However, Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community...

But obviously not thee or me. Guess it's just as well I'm not depending on Adobe for anything important.

Re:No credibility to this story (1)

BrokenHalo (565198) | more than 4 years ago | (#33524360)

Just when I thought I didn't need to bother with a preview... :-|

Poor management at Adobe? (1)

Futurepower(R) (558542) | more than 4 years ago | (#33524480)

Quote: "Guess it's just as well I'm not depending on Adobe for anything important."

It seems to me that there are many indications that Adobe is not managed well in recent years.

Re:No credibility to this story (-1, Flamebait)

JAZ (13084) | more than 4 years ago | (#33524564)

here's a link to the pdf my company is getting:

http://members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr [multimania.co.uk]

Re:No credibility to this story (1)

amicusNYCL (1538833) | more than 4 years ago | (#33524646)

That's not a PDF... You can tell, because a PDF file ends with ".pdf".

Re:No credibility to this story (1)

jonescb (1888008) | more than 4 years ago | (#33525034)

File extensions aren't a reliable way to determine the file type. You can change the .pdf extension on a file to .xxx, but it's still a PDF file. Any decent PDF reader would read it.

Re:No credibility to this story (1)

Dr_Barnowl (709838) | more than 4 years ago | (#33525096)

The .scr file extension (screensaver) is treated the same as .exe on Windows; stupid, isn't it?

Unpacking the content of that file reveals a bunch of nasty VBScript that tries to worm its way into your machine and anything else near it on the network, amongst other stuff, I'm sure. Nice.

Re:No credibility to this story (1)

amicusNYCL (1538833) | more than 4 years ago | (#33525258)

Right, a PDF reader isn't going to open that, and if it did then it wouldn't execute the VBScript. That's not a PDF exploit, that's basically a phishing attack to try to get someone to open something that's not what they think it is.

Re:No credibility to this story (1)

camperslo (704715) | more than 4 years ago | (#33524944)

Those that don't trust zdnet can go to where Adobe mentions [adobe.com] this issue (CVE-2010-2883) [adobe.com] .

Incoming sockpuppet troll odies/sopssa/SquarePixel (-1)

Anonymous Coward | more than 4 years ago | (#33523182)

Which sockpuppet will be used to troll this thread?

Remember it moderators, odies = sopssa = SquarePixel, three sockpuppets, one stupid troll! His posts are simple: repeat ad nauseam what the article posted, add a few 'Captain Obvious' style facts and then add his anti Linux/Google/Apple/USA innuendo. Or it's a simple China or MS apologist post that turns into a straw man, and you guessed it, it's against Linux/Google/Apple/USA.

Peace out!

Re:Incoming sockpuppet troll odies/sopssa/SquarePi (0, Offtopic)

mark72005 (1233572) | more than 4 years ago | (#33525010)

Maybe a joke about how there's really no pain associated with an Adobe exploit, because Adobe's users are already used to installing updates 6 times a day anyway.

What is this stupidity??? (5, Insightful)

gweihir (88907) | more than 4 years ago | (#33523204)

PDF is not a highly complicated format. It should be easy to interpret it safely. I strongly suspect that Adobe has invested exactly nothing into Acrobat Reader security over the years. Stupid. Incredibly stupid. Anybody that can should move to the alternatives right now.

Re:What is this stupidity??? (4, Insightful)

Darkness404 (1287218) | more than 4 years ago | (#33523340)

Because Adobe has decided to take what should be a basic document format and added scripting to it.

Re:What is this stupidity??? (4, Interesting)

SQL Error (16383) | more than 4 years ago | (#33523822)

They took a document programming language and stripped out all the programming features to make a document description format.

And then they added a programming language.

Re:What is this stupidity??? (4, Interesting)

drolli (522659) | more than 4 years ago | (#33524062)

Let me add: They started from a programming language where security is *easy to implement*.

Re:What is this stupidity??? (0)

Anonymous Coward | more than 4 years ago | (#33524808)

Let me finish by saying Adobe sucks.

Re:What is this stupidity??? (1)

lahvak (69490) | more than 4 years ago | (#33524994)

Is this latest vulnerability related to scripting? The article is somewhat short on details.

Re:What is this stupidity??? (2)

martas (1439879) | more than 4 years ago | (#33523372)

what alternatives? no, seriously?

Re:What is this stupidity??? (0)

Anonymous Coward | more than 4 years ago | (#33523434)

I hear there's this markup language that supports linking between documents, a sort of "hypertext" if you will. Maybe people could move to that. If only I remembered what it was called...

Re:What is this stupidity??? (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#33523512)

Because HTML rendering is exactly the same on every system in every browser? Oh wait, it's not and thus is not an alternative to PDF.

Re:What is this stupidity??? (1)

MozeeToby (1163751) | more than 4 years ago | (#33523596)

If you really need layout to be consistent (and really, unless you're printing, that seems like an obsolete idea to me) you could use TeX. Considering the original goal was "to provide a system that would give the exact same results on all computers, now and in the future", I think it meets your requirements.

Re:What is this stupidity??? (1)

amorsen (7485) | more than 4 years ago | (#33524090)

TeX is somewhat difficult as a render target. In the general case it degenerates to embedding PS or PDF images...

Re:What is this stupidity??? (4, Informative)

MozeeToby (1163751) | more than 4 years ago | (#33523526)

Foxit Reader is a nice alternative. It opens quickly, doesn't feel the need to update every other day or keep an updater service running all the time, and it doesn't have nearly as many security issues. Alternatively, you could just do a search for pdf reader -adobe [google.com] and come up with a variety of alternatives yourself.

Re:What is this stupidity??? (2, Interesting)

Lennie (16154) | more than 4 years ago | (#33524380)

Funny you should mention that one, the last non-scripting exploit for Adobe Acrobat Reader was also an exploit for Foxit Reader.

Re:What is this stupidity??? (5, Informative)

MozeeToby (1163751) | more than 4 years ago | (#33524482)

Yep, and Firefox and Chrome have had exploits too. So have Linux, the iOS, and Mac OS 10. So has nearly every piece of popular, complex software. The rate of exploits found that affect Foxit is trivial compared to the number found in Adobe Reader.

Switching between masters is not freedom. (1)

jbn-o (555068) | more than 4 years ago | (#33524908)

All computer users deserve software freedom. Switching from Adobe Acrobat to Foxit Reader is moving from one proprietor/monopolist to another hoping that the switch makes users more safe. Without software freedom one cannot inspect the program to see what it does (a spy program that has no bugs is still doing spying on users), change the program to make it better, or help one's community by distributing the improved version. Proprietary software is untrustworthy by default. We don't fully know what it does nor should we trust it does only what we want it to do.

Re:Switching between masters is not freedom. (1)

Dr_Barnowl (709838) | more than 4 years ago | (#33525176)

I agree, but the chances of Joe Average User, and let's face it, most of us as well, inspecting the source code for the majority of the applications they use is low. Changing to Foxit still represents a vast improvement in security.

That said, use SumatraPDF [kowalczyk.info] . It's probably not as polished as Foxit, but it suits my purposes for most things, and it's licensed GPLv3.

Re:What is this stupidity??? (0)

Anonymous Coward | more than 4 years ago | (#33524496)

It was an exploitation of the format itself. The format called for the ability to run commands (like System.exec in Java or sys in c). It's hardly due to poor implementation that this can be exploited. It's entirely due to poor specification that this was exploited.

Re:What is this stupidity??? (2, Informative)

6031769 (829845) | more than 4 years ago | (#33523640)

xpdf [foolabs.com] .

Re:What is this stupidity??? (5, Informative)

Pascal Sartoretti (454385) | more than 4 years ago | (#33523718)

what alternatives? no, seriously?

The alternative is a format called PDF/A (see http://en.wikipedia.org/wiki/PDF/A [wikipedia.org] ), which happens to be exactly what you are looking for: a subset of PDF excluding (among others) scripting, video or audio.

Now, all we need is a PDF reader with an option "only open PDF/A documents"

Re:What is this stupidity??? (1)

nashv (1479253) | more than 4 years ago | (#33525194)

Or just go to the Acrobat settings for Javascript and the Trust Manager (which by default is set to require explicit permission to execute scripts), to set up according to how much paranoia you feel...

Re:What is this stupidity??? (1)

icebraining (1313345) | more than 4 years ago | (#33523740)

Zathura, Evince, ePDFview, Okular...

Re:What is this stupidity??? (1, Informative)

Anonymous Coward | more than 4 years ago | (#33523742)

In Gnome use Evince, or in KDE use Okular or KPDF, instead of Adobe Reader (Evince and KPDF are also available for MS Windows, if you must use that buggy software). These GNU/Linux applications are simpler and safer when dealing with PDF files. They support reading PDF files, fillable PDF forms, etc. but not the more fancy stuff that opens security holes.

I wish we had two document standards: PDF and something else, let's call it "PDM" for portable document - multimedia, where Adobe can stick all of the buggy crap they want.

Re:What is this stupidity??? (2, Informative)

nashv (1479253) | more than 4 years ago | (#33525070)

How about XPS [wikipedia.org] ? *ducks* But seriously, the major problem is to convert the tons of literature, especially academic/scientific, that exists as PDF into something else...

Re:What is this stupidity??? (0)

Anonymous Coward | more than 4 years ago | (#33525180)

Simple, use a mac ..

Re:What is this stupidity??? (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#33523442)

You might have a point if not for the fact that the alternatives like FoxIt have had to patch their fair share of security holes as well (with a number of them being the exact same issue as spotted in Reader).

I work for Adobe and... (4, Funny)

Anonymous Coward | more than 4 years ago | (#33523648)

We invest a TON of $$ and hours into security. In fact, our security team pulls themselves inside out to fix things in a timely manner. Adobe takes security VERY seriously as we have governments all over the world trusting secrets to us. Nevertheless, as hackers focus shifts away from O/S exploits towards application level, there will likely be further attempts to compromise PDF readers. We will be vigilant and we will rise to meet future threats as they happen.

COS based PDF is also incredibly complicated if you adopt the entire ISO 32000 specification and expose the scripting and coding API's developers want. When you can write code to pinpoint the quads and move a point of one UTF 16 character within a book, that is powerful. Enough said on that.

Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

- the adobe1

Re:I work for Adobe and... (0)

Anonymous Coward | more than 4 years ago | (#33523816)

32 hours? In a week? People work 40 hours per week minimum where I am from.

Re:I work for Adobe and... (1)

Dr_Barnowl (709838) | more than 4 years ago | (#33525260)

He said a 32-hour SESSION. As in, they programmed from 0900 until 1700 the next day.

Although that doesn't impress me. Rather it speaks of bad management - crunches to meet deadlines might be occasionally necessary for a small company trying to break into a market. For a company that essentially IS the market, it just sounds like a harsh taskmaster wringing as much as he can out of his team.

Re:I work for Adobe and... (0)

Anonymous Coward | more than 4 years ago | (#33523870)

We invest a TON of $$ and hours into security.

How much exactly does a ton of $$ weigh? How much does a ton of hours weigh?

Re:I work for Adobe and... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#33523966)

2000 lbs. That's the definition of a ton. It's like asking if a ton of bricks weighs more than a ton of feathers.

A ton of money is... (1)

Lead Butthead (321013) | more than 4 years ago | (#33524114)

A US penny issued after 1984 weighs 2.5 g ~ 0.0881849049 oz.
2000 lbs ~ 362873.89589281056195820652293973 pennies = $3,628.74.
A ton of money indeed.

Re:A ton of money is... (3, Funny)

Lennie (16154) | more than 4 years ago | (#33524408)

Only on slashdot ?

Re:I work for Adobe and... (0)

Anonymous Coward | more than 4 years ago | (#33523942)

Then it's about time you put the mess that you've created over the years into a sandbox. It's 2010, not 1990.

Re:I work for Adobe and... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#33523944)

And you wouldn't have to do that if Adobe Reader didn't have fucking scripts! The entire purpose of the format is to display printable pages. It doesn't need movies or sounds or any of that other shit.

Re:I work for Adobe and... (2, Insightful)

Nursie (632944) | more than 4 years ago | (#33524182)

Advice to you if you genuinely work for adobe - make a noscript option. Or even better - just cut out all the scripted elements.

PDFs were and are awesome for one thing only, displaying documents the same everywhere. Active content is a mistake.

Re:I work for Adobe and... (2, Insightful)

sjames (1099) | more than 4 years ago | (#33524528)

What's interesting is that PS is a full Forth like language in a VM and we never see crap like this attacking Postscript engines.

Re:I work for Adobe and... (0)

Anonymous Coward | more than 4 years ago | (#33524412)

We invest a TON of $$ and hours into security. In fact, our security team pulls themselves inside out to fix things in a timely manner.

Given the US-ness of Adobe, I'll assume that is USD and a US ton. A US ton of US dollars in one cent coins is 3628 dollars. In corporate budget terms, that sounds like not much. In fact it sounds like fuck all, especially if spread over a whole team.

And it shows in the shite products Adobe turn out. There's plenty of fans of things like Photoshop, but only because they tend to make a living using tools like PS. The reason why governments entrust their secrets to your products is because the people making decisions about what products a government should be using are either inept bureaucrats, or politicians taking backhanders from those who stand to profit from the government using said products.

Re:I work for Adobe and... (1)

amicusNYCL (1538833) | more than 4 years ago | (#33524712)

Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

Is that out of a 40-hour work week? Or are you based in France?

Re:What is this stupidity??? (4, Insightful)

sqlrob (173498) | more than 4 years ago | (#33524100)

I've never heard a 700 page specification called "not highly complicated".

Re:What is this stupidity??? (1)

carn1fex (613593) | more than 4 years ago | (#33524306)

It is total bullshit. I recall in years past one of the primary advantages for using PDFs was because you could trust them from random web links as if they were JPGs. I recall my professors saying not to send any homework in DOC format because of its silly security problems. Nowadays I get IP block notices from our admins the minute my PDF reader is outdated.. it is ridiculous.

Re:What is this stupidity??? (1)

The Moof (859402) | more than 4 years ago | (#33525078)

PDF is not a highly complicated format

Truly spoken like someone who has never looked over the full PDF format specification. Here's a link [adobe.com] to all 980 pages of version 1.4. It's a little outdated, but you get the idea of how complex it actually is.

Fortunately... (4, Insightful)

mcgrew (92797) | more than 4 years ago | (#33523216)

"Unfortunately, there are no mitigations we can offer. "

I can offer one -- uninstall the Adobe reader until they patch the vuln. Meanwhile, how do I know if I'm alreadt pwned?

Re:Fortunately... (2, Funny)

codewarren (927270) | more than 4 years ago | (#33523436)

If the exploit affects spelling, you have cause for concern

Re:Fortunately... (0)

Anonymous Coward | more than 4 years ago | (#33523554)

Having an antivirus with up-to-date definitions would help, but since Mac's don't get viruses you have nothing to worry about.

Re:Fortunately... (1)

ShadowFalls (991965) | more than 4 years ago | (#33523864)

"Meanwhile, how do I know if I'm alreadt pwned?"

When your computer wears the colors of the Machines and attempts to hack government computers to launch nuclear weapons.

Re:Fortunately... (3, Funny)

wbhauck (629723) | more than 4 years ago | (#33524250)

Meanwhile, how do I know if I'm alreadt pwned?

It's all explained in this FREE guide. Just download our convenient PDF for more information.

Re:Fortunately... (0)

Anonymous Coward | more than 4 years ago | (#33524574)

You've been pwned....

Thank you. Have a nice day.

Re:Fortunately... (4, Funny)

ThatsNotPudding (1045640) | more than 4 years ago | (#33524826)

Meanwhile, how do I know if I'm alreadt pwned?

You start slurring your y's.

cue adobe bashing in 3.2.1... (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#33523224)

Cue the Adobe bashing in 3.2.1...

PDF (-1)

Anonymous Coward | more than 4 years ago | (#33523232)

Nothing

Feel at liberty to mod. I am worthy.

PDF (1)

Vahokif (1292866) | more than 4 years ago | (#33523350)

How can they screw up a format designed to print the same everywhere so badly?

Re:PDF (5, Insightful)

ledow (319597) | more than 4 years ago | (#33524052)

1) Include a programming language that's not directly related to the task at hand and/or allows execution of dangerous statements. (Javascript in Adobe, VBA in Office, etc.)
2) Execute said code whenever and wherever you see it (VBScript / Javascript viewed in IE, ability to execute CScript, Adobe running Javascript and Flash content found inside PDF)
3) Use native code execution as part of your file format (WMF vulnerability - not relevant to PDF as far as I know but I couldn't be certain myself).
4) Bundle your program so that it integrates into everything (web browser, printer list, startup list, etc.) so there are as many avenues of accidental execution as possible open to an attacker targeting a large user-base program.
5) Introduce more and more levels of crap into the format, way beyond its original design (Font embedding, Javascript execution, form submission, JPEG, PNG, SVG, Flash, etc. direct embedding rather than converting to your supposedly "portable" document format etc.)

Pretty much, if you see a program do any of the above, it's likely to fall on its arse at some point, security-wise.

Re:PDF (1)

gad_zuki! (70830) | more than 4 years ago | (#33524626)

6) Do not provide an auto-update mechanism. Let users do it manually via help > update or the ignored tray icon and only in version 9.2 even allow a check box for "Download and install updates automatically."

Can there be a 0-day that's not under attack? (1, Informative)

danaris (525051) | more than 4 years ago | (#33523376)

Correct me if I'm totally off base here, but...isn't part of the definition of "zero-day" that the flaw is being exploited? I mean, it's "zero-day" because it's being exploited on "day zero", right?

Dan Aris

Re:Can there be a 0-day that's not under attack? (2, Funny)

tater86 (628389) | more than 4 years ago | (#33523896)

I'm pretty sure we have this argument every time someone mentions zero day. If we could have a zero day bricking, we could have the best thread ever.

What the hell (1)

C_Kode (102755) | more than 4 years ago | (#33523424)

Does Adobe employ the worst programmers on the planet? Between Flash and Acrobat their critical bug count has to be racing up the charts of companies with the most critical bugs in their software.

Re:What the hell (1)

spiffmastercow (1001386) | more than 4 years ago | (#33523528)

Not only that, but how hard is it to develop a DOCUMENT FORMAT that doesn't allow arbitrary code to be executed?

Re:What the hell (1)

MaWeiTao (908546) | more than 4 years ago | (#33523836)

Saying it's merely a document format doesn't mean much. You can do quite a lot with many document formats nowadays. PDFs aren't used only as a means of displaying text and images consistently. You can embed quite a lot of functionality into them. It could be argued that PDFs shouldn't permit that kind of functionality considering it opens up opportunities for exploits, but then you could argue the same thing about any technological progress.

The problem is that there are people working just as hard, and perhaps harder, to find and create exploits as there are people working to stop them. It's possible I'll be proven wrong some day, but I expect we're never going to see truly and completely secure platforms, and it's not because of any ineptitude on the part of the original developers.

Re:What the hell (0)

Anonymous Coward | more than 4 years ago | (#33524954)

No.

Microsoft's SQL-SMO [microsoft.com] library authors are the worst programmers on the planet.

I'm convinced MS hired retards to write that for Americans With Disabilities Act compliance.

Disable Javascript in PDF reader (3, Informative)

Anonymous Coward | more than 4 years ago | (#33523492)

A workaround for end users is to disable JavaScript, such as in this guide:

http://praetorianprefect.com/archives/2009/12/disabling-javascript-on-adobe-acrobat/

For the enterprise you can disable it through group policy (which at this point seems like a good plan long term):

http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/

Re:Disable Javascript in PDF reader (1)

swb (14022) | more than 4 years ago | (#33523730)

Why isn't this the default setting?

Wouldn't they save themselves a fair amount of bad PR by making users turn it on for JS features?

Re:Disable Javascript in PDF reader (1)

rsborg (111459) | more than 4 years ago | (#33524272)

Wouldn't they save themselves a fair amount of bad PR by making users turn it on for JS features?

Adobe is a corporation.

Whenever a corporation does something seemingly stupid or evil, you can always trace that back to some fool in the organization who convinced the others that the stupid/evil would lead to more profits (or kickbacks).

If you follow the money you will 99.44% of the time get the right answer. It's all about the money.

Re:Disable Javascript in PDF reader (0)

Anonymous Coward | more than 4 years ago | (#33524980)

That's a feature, not a bug.

Corporations exist to maximize profits.

It doesn't excuse stupidity or short-sightedness, and it doesn't explain it away either. Making a stupid decision for the right reasons is still a stupid decision.

Limited? (2, Informative)

supernothing (1661929) | more than 4 years ago | (#33523546)

I guarantee that its exploitation isn't limited anymore: an initial exploit module was added to Metasploit last night.
Metasploit module [metasploit.com]

Re:Limited? (2, Informative)

phantomfive (622387) | more than 4 years ago | (#33524662)

It's not a zero day [wikipedia.org] , either. Check out what Wikipedia says (in case anyone is unclear what a zero-day is, since the submitter for one hasn't figured it out):

A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.

I guarantee that in this case the software developer knows about this vulnerability, since Adobe themselves made the announcement.

oops, missed one (1)

ILuvRamen (1026668) | more than 4 years ago | (#33523954)

Unfortunately, there are no mitigations we can offer. However, Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

Oops, they're so flustered that they forgot to tell people to uninstall Adobe Reader.

Flashblock -- PDFblock? (1)

MobyDisk (75490) | more than 4 years ago | (#33524014)

Is there a PDFBlock for FireFox like there is a Flashblock? (At home I use Foxit Reader but at work Adobe Reader is installed.)

Re:Flashblock -- PDFblock? (1)

Xian97 (714198) | more than 4 years ago | (#33524166)

Where I work Adobe Reader is also installed and likewise I use Foxit at home. Just disable javascript in preferences. I have had it disabled for years and haven't had any issues displaying PDF files, though I do not fill out many PDF forms where it might be used. I guess I could always enable on a case by case basis if one actually required it but I haven't run into any yet.

Re:Flashblock -- PDFblock? (1)

davidbrit2 (775091) | more than 4 years ago | (#33524192)

NoScript seems to block PDFs by default, which you can then click to load.

Re:Flashblock -- PDFblock? (1)

denis-The-menace (471988) | more than 4 years ago | (#33524224)

It would just need to scan the PDF for non-document-like features being used and display a BIG warning to the user.
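What a PDFblock along the lines of the previous comment could actually check, as an added Python example (not code from the thread, nor from any reader or product named in it): it first confirms the content really is a PDF (the %PDF- header, not the file extension, as the .scr exchange earlier in the thread illustrates), then counts the name tokens that mean a document is more than static pages (JavaScript, open-time actions, launch actions, rich media, attachments, XFA forms), which is roughly the "only open PDF/A-like documents" mode asked for earlier. The sample byte strings, the name list and its labels, and the function names are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# PDF name tokens whose presence means the file carries more than static pages.
# The names are real PDF dictionary keys/values; the labels are this example's own.
ACTIVE_CONTENT_NAMES = {
    "JavaScript": "JavaScript action",
    "JS": "inline JavaScript code or stream",
    "OpenAction": "action run when the document is opened",
    "AA": "additional (event-triggered) actions",
    "Launch": "launch-an-application action",
    "RichMedia": "Flash / rich-media annotation",
    "EmbeddedFile": "embedded file attachment",
    "XFA": "XFA scripted form",
    "SubmitForm": "form submission to a URL",
}

_NAME_RE = re.compile(rb"/([A-Za-z0-9#._-]+)")      # a PDF name token such as /OpenAction
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")  # #xx escape inside a name


@dataclass
class ScanResult:
    is_pdf: bool
    findings: dict = field(default_factory=dict)  # flagged name -> occurrence count
    object_streams: int = 0                       # /ObjStm objects the raw scan cannot see into


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /Java#53cript and /JavaScript compare equal."""
    return _HEX_ESCAPE_RE.sub(
        lambda m: bytes([int(m.group(1).decode(), 16)]), raw
    ).decode("latin-1")


def scan_pdf(data: bytes) -> ScanResult:
    """Check the header, then count active-content names in the raw bytes."""
    # The extension proves nothing; the content must start with %PDF-. Readers
    # tolerate up to 1024 bytes of leading junk, so look in that window, not only at offset 0.
    header_at = data.find(b"%PDF-")
    result = ScanResult(is_pdf=0 <= header_at <= 1024)
    if not result.is_pdf:
        return result
    for match in _NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name == "ObjStm":
            result.object_streams += 1
        elif name in ACTIVE_CONTENT_NAMES:
            result.findings[name] = result.findings.get(name, 0) + 1
    return result


def verdict(result: ScanResult) -> str:
    """Collapse a scan into one of four outcomes a viewer front-end could act on."""
    if not result.is_pdf:
        return "not-a-pdf"
    if result.findings:
        return "active-content"   # show the BIG warning, or refuse in a PDF/A-only mode
    if result.object_streams:
        return "opaque"           # compressed object streams: needs a real parser to decide
    return "document-only"


def describe(result: ScanResult) -> list:
    """Human-readable warning lines for the findings."""
    lines = [f"verdict: {verdict(result)}"]
    for name, count in sorted(result.findings.items()):
        lines.append(f"  /{name} x{count}: {ACTIVE_CONTENT_NAMES[name]}")
    if result.object_streams:
        lines.append(f"  {result.object_streams} object stream(s) not inspected (compressed)")
    return lines


# --- constructed sample inputs (not real-world files) ---
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same skeleton plus an open-time action whose /S name is hex-escaped to dodge a naive grep.
SAMPLE_SCRIPTED = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Java#53cript /JS 5 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Objects hidden inside a compressed object stream: nothing to flag, but nothing to clear either.
SAMPLE_OBJSTM = b"""%PDF-1.5
1 0 obj << /Type /ObjStm /N 1 /First 10 /Filter /FlateDecode /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A Windows executable (MZ header) renamed to .pdf or delivered as .scr: the content decides.
SAMPLE_NOT_PDF = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56


if __name__ == "__main__":
    for label, blob in [("benign", SAMPLE_BENIGN), ("scripted", SAMPLE_SCRIPTED),
                        ("objstm", SAMPLE_OBJSTM), ("not-pdf", SAMPLE_NOT_PDF)]:
        print(label)
        print("\n".join(describe(scan_pdf(blob))))
```

Two caveats a practitioner would want: a raw byte scan like this sees nothing inside compressed object streams (hence the separate "opaque" verdict rather than a clean bill of health), and a flagged name appearing inside a string or URL would count as a false positive; deciding with certainty needs a parser that decompresses and walks the object tree, which is more than a warning front-end should take on.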

Re:Flashblock -- PDFblock? (1)

Prosthetic_Lips (971097) | more than 4 years ago | (#33524330)

I set up my browsers to not use the built-in PDF renderer within my browser, but force an external application launch. This way I always have the full Adobe Reader viewing the PDF, and not just whatever "fits" into my browser.

So, does anyone who understands the vulnerability know if this setup is any more protected? Is the vulnerability based on being in the browser, or is it really independent?

I ask this because I won't ever get to a webpage with an IFrame and a PDF within it, or some weird construct like that, without knowing it is opening a PDF. So, in a way, this is *like* a PDFblock. With or without Firefox.

Re:Flashblock -- PDFblock? (0)

Anonymous Coward | more than 4 years ago | (#33525220)

I doubt the exploit(s) are limited to the PDF plugin only, unless it wants to unnecessarily target the browser through the plugin (why?). In fact Acrobat is hypothetically -- but not in reality -- less secure than its browser plugin, as the plugin can be sandboxed with less difficulty. I think Google did this with their proprietary Chrome PDF plugin. Adobe doesn't have the inclination/ability to do the same. If you want better security for PDFs, load the document in a VMed Acrobat process... preferably on a separate machine with no network access.

Re:Flashblock -- PDFblock? (1)

Thelasko (1196535) | more than 4 years ago | (#33525174)

Is there a PDFBlock for FireFox like there is a Flashblock? (At home I use Foxit Reader but at work Adobe Reader is installed.)

Tools>Options>Applications change anything that says "Use Adobe Acrobat (in Firefox)" to "Always Ask"

Evince, Okular, xpdf? (2, Interesting)

bill_mcgonigle (4333) | more than 4 years ago | (#33524094)

So, are any of the viewers I use vulnerable?

As soon as you move a new exploit will come (1)

gsgriffin (1195771) | more than 4 years ago | (#33524198)

Seriously, as soon as any software becomes the primary program used, a new vulnerability would surface. Don't say that your pet program will not have any problems like Adobe does. As soon as a different program becomes the norm, it will be attacked and vulnerabilities will be found and exploited. Same would be true if Mac OS were to be 95% of the world's OS in use today. All the hackers in the world would be spending their every waking (and sleeping) moments finding the flaws and making havoc. Sure, this isn't fun to solve, but simply changing programs won't solve the real issue for everyone unless we want to flush away features or standards.

!Hackers (3, Insightful)

jgrahn (181062) | more than 4 years ago | (#33524220)

... warning that hackers are actively exploiting the vulnerability in-the-wild ...

Dudes, this is Slashdot. Can't you just for once use a term which *doesn't* have a positive second meaning to a majority of your readers? Try one of these:

  • ... warning that criminals are actively exploiting the vulnerability in-the-wild ...
  • ... warning that crackers are actively exploiting the vulnerability in-the-wild ...
  • ... warning that malware authors are actively exploiting the vulnerability in-the-wild ...
  • ... warning that Men of Low Moral Fiber are actively exploiting the vulnerability in-the-wild ...

Insult to injury, the updater SUCKS (2, Insightful)

scorp1us (235526) | more than 4 years ago | (#33524314)

There is way too much manual intervention required in the Adobe updater.
1. It does not download updates automatically.
2. It requires a new EULA to be accepted.
3. It makes you wait as it downloads the update.
4. It makes you wait as it installs.

Ideally, the reader should download the update, install it in a shadow directory and, as soon as that is ready, install the update.
If Reader is running, wait for it, or display a message to the user that they need to shut down the offending software before it will update. Give the user an option to close the software from the message box.

This way, in no more than 1 click you'll be updated.

So... (0, Redundant)

MadGeek007 (1332293) | more than 4 years ago | (#33524366)

What else is new...

What to know more? (1)

slapout (93640) | more than 4 years ago | (#33524410)

Click here to download a PDF that will tell you more about the vulnerability.

Again??? (1)

hesaigo999ca (786966) | more than 4 years ago | (#33524452)

OMG, is there ever going to be 1 week where we don't hear another Adobe vulnerability has been found....can their programmers as this is just too much, no one is doing their job properly there, neither quality control, nor programmers, not even project team leads...

Instruction, meet data (1)

Gothmolly (148874) | more than 4 years ago | (#33524550)

If you separate executable code from data, this doesn't happen.

Rocket Scientists... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#33524668)

Yup... just hit NASA like 5 minutes ago (sent to all-agency minus JPL). The best part is that you can see who clicked on the link, because they immediately sent out another message!

Here is the e-mail (don't download the PDF, obviously!):

Hello,
This is The Document I told you about,you can find it Here.http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.

Cheers,

Re:Rocket Scientists... (2, Funny)

GigsVT (208848) | more than 4 years ago | (#33525012)

The link seems to be broken.

Adobe and security (1)

Beelzebud (1361137) | more than 4 years ago | (#33524948)

Is it just me, or is Adobe the King of Insecure programs?

What do Linux and Windows 7 have in common? Adobe makes both insecure and unstable!

Attack under way (1)

Maxo-Texas (864189) | more than 4 years ago | (#33525218)

Getting spammed by people who clicked on PDFs...
