New Adobe Flash 0-Day

CmdrTaco posted more than 3 years ago | from the thats-not-gonna-work-out-well dept.

Security 133

Trailrunner7 writes "Adobe is warning its users about a critical vulnerability in Flash that affects Adobe Reader and Acrobat, as well, and is being used in some highly targeted attacks right now. The vulnerability in Flash Player affects Reader and Acrobat, both of which include Flash functionality, but it does not affect Reader X. Adobe officials said that Reader X's Protected Mode sandbox would prevent successful exploits. The company plans to have a patch for the affected products ready by next week for all platforms, including Windows, Mac, Linux, Android and Solaris."


133 comments


Mac, Linux, Android and Solaris. (-1, Troll)

divxio (2016536) | more than 3 years ago | (#35494042)

Someone said no exploits for Mac and Linux, huh?

Re:Mac, Linux, Android and Solaris. (0)

Anonymous Coward | more than 3 years ago | (#35494072)

Secure OS's are only as good as the software running on it.

Re:Mac, Linux, Android and Solaris. (2)

dc29A (636871) | more than 3 years ago | (#35494350)

Secure OS's are only as good as the software running on it without administrator privileges.

There, fixed it for ya.

Re:Mac, Linux, Android and Solaris. (1)

Sancho (17056) | more than 3 years ago | (#35494418)

What does that have to do with anything? Do you think that malware can't do bad things unless it gets root?

Re:Mac, Linux, Android and Solaris. (3, Interesting)

gad_zuki! (70830) | more than 3 years ago | (#35494590)

Most exploits are written as an attempt to get root/admin or affect system settings. In my testing of adobe exploits (not this one, but previous ones) I noticed that if I ran as a limited user the exploits don't usually work. If I run as admin with UAC running, the UAC never comes up and the exploit works. UAC + admin is not the same as running as a limited user.

Yes, you're right about malware running in userspace and that's a real problem with this approach, but running as limited gives some benefits that are not obvious. Arguably, AV and smart computer usage makes up for the rest. This excel file seems to already be in all the major virus definitions.

Re:Mac, Linux, Android and Solaris. (2)

hairyfeet (841228) | more than 3 years ago | (#35495240)

Exactly and I would argue the next big malware attacks most likely will simply ignore trying to get root as new features like ASLR and DEP make it harder to use the old tricks like buffer overflows.

And the simple fact is to do most of the stuff your average malware writers want to do (send spam, steal data, etc) it isn't even needed. See this example [geekzone.co.nz] of how to write a Linux virus in 5 easy steps with no need for root, just good old social engineering like we see every day, and it will autorun, send spam, do anything the malware writer wants to do.

So I would argue the reason we saw so many viruses running as root before was because it was easy to obtain root and now that that is not the case malware in the future simply won't bother and will instead do its damage from userland.

Re:Mac, Linux, Android and Solaris. (1)

Sancho (17056) | more than 3 years ago | (#35495522)

Absolutely.

The main benefit to running as root/system/administrator is that it makes it easier to hide. It's much harder for a process to hide from antimalware tools (which are running as root/system/administrator) if that process is running with lower privileges. For Macs and Linux, it's almost completely irrelevant--so few people run antimalware tools on those platforms that the difference between malware with and without root is inconsequential.

Re:Mac, Linux, Android and Solaris. (2)

WaffleMonster (969671) | more than 3 years ago | (#35494506)

Secure OS's are only as good as the software running on it without administrator privileges.

There, fixed it for ya.

So if I understand correctly...

Protect the operating system at all costs... but pay no attention to what really matters ... YOUR DATA.

Re:Mac, Linux, Android and Solaris. (0)

Anonymous Coward | more than 3 years ago | (#35494904)

Most malware doesn't give a fuck about your data, it simply wants to send spam and connect you into a botnet.

Re:Mac, Linux, Android and Solaris. (0)

Anonymous Coward | more than 3 years ago | (#35495122)

Is that so bad? Perhaps what we need is an OS (maybe a meta-OS) which can ensure that exploits only use a limited percentage of your resources. Then everybody will be happy.

Re:Mac, Linux, Android and Solaris. (1)

ByOhTek (1181381) | more than 3 years ago | (#35495124)

All of which can be done from a user account, even if it is only limited to when the user is logged in.

Re:Mac, Linux, Android and Solaris. (1)

secolactico (519805) | more than 3 years ago | (#35497082)

Unless it's a multiuser system. In that case YOUR DATA may be toast but everybody else's will be fine.

Re:Mac, Linux, Android and Solaris. (2)

Shikaku (1129753) | more than 3 years ago | (#35494074)

Good luck leaving userland from a flash plug-in, unless you are dumb and run everything from root.

Re:Mac, Linux, Android and Solaris. (1)

Beelzebud (1361137) | more than 3 years ago | (#35494140)

Careful. This guy probably has no idea what "root" is.

Re:Mac, Linux, Android and Solaris. (1)

Anonymous Coward | more than 3 years ago | (#35494262)

Yeah, because local privilege escalation exploits in Linux are just so rare...

Re:Mac, Linux, Android and Solaris. (0)

Anonymous Coward | more than 3 years ago | (#35494332)

On a full desktop distro that's probably the easiest part.

Re:Mac, Linux, Android and Solaris. (2, Interesting)

Anonymous Coward | more than 3 years ago | (#35494670)

Agreed. Local privilege escalation exploits are a dime a dozen on desktop Linux distributions (especially those that install the full Gnome suite). Surprisingly enough, Ubuntu is one of the better distributions in this regard because it ships with reasonably decent App Armor profiles.

Re:Mac, Linux, Android and Solaris. (1)

deadhammer (576762) | more than 3 years ago | (#35494300)

Hey, don't you know? Real men run as root. [garyshood.com]

Re:Mac, Linux, Android and Solaris. (1)

Anonymous Coward | more than 3 years ago | (#35494536)

Hey, don't you know? Real men run as root. [garyshood.com]

I just laughed for the first time today.

Re:Mac, Linux, Android and Solaris. (1)

CastrTroy (595695) | more than 3 years ago | (#35494530)

The same could be said about Windows now. Since Vista, it's been highly discouraged to run as root. Also you can do quite a bit of damage from userland.

Re:Mac, Linux, Android and Solaris. (0)

Anonymous Coward | more than 3 years ago | (#35494916)

Good luck leaving userland from a flash plug-in, unless you are dumb and run everything from root.

cause none of your important files are in userland?

Re:Mac, Linux, Android and Solaris. (1)

nstlgc (945418) | more than 3 years ago | (#35496064)

I don't need to leave userland, I'm more than happy messing around in your documents. Sincerely, Flash 0-day.

Re:Mac, Linux, Android and Solaris. (0)

Anonymous Coward | more than 3 years ago | (#35494218)

Only the strawman that whispers in your ear.

Re:Mac, Linux, Android and Solaris. (2)

Anthony Mouse (1927662) | more than 3 years ago | (#35494600)

Someone said no exploits for Mac and Linux, huh?

Speaking of which, this pretty much means that every PowerPC Mac ever made has to be thrown in the scrap heap, doesn't it? Because Adobe has stopped updating Flash for PowerPC, which means it will be vulnerable forever. So unless you want to give up Hulu, YouTube and half the internet, they're pretty much doorstops now. Or pretty Linux home servers.

I wonder if anybody wants to buy a G4 PowerBook? It's faster than a lot of the Atom netbooks they're still selling.

Re:Mac, Linux, Android and Solaris. (0)

atisss (1661313) | more than 3 years ago | (#35496378)

Just upgrade to decent browser, Youtube supports HTML5 video [youtube.com]
As workaround - flashblock could help, but it's now possible to survive without flash completely.

Re:Mac, Linux, Android and Solaris. (2)

interkin3tic (1469267) | more than 3 years ago | (#35494780)

Someone said no exploits for Mac and Linux, huh?

I've also heard rumors that zero Windows ME users are getting infected. Just sayin...

Re:Mac, Linux, Android and Solaris. (2)

FutureDomain (1073116) | more than 3 years ago | (#35496798)

I've also heard rumors that zero Windows ME users are getting infected.

Apparently, having to run System Restore every hour also wipes out viruses.

Obviously, iPad has it right (0)

Anonymous Coward | more than 3 years ago | (#35494784)

Someone said no exploits for Mac and Linux, huh?

Thus, the iPad is the only truly secure platform. Yet another example of the superiority of the walled garden!

Re:Mac, Linux, Android and Solaris. (0)

Anonymous Coward | more than 3 years ago | (#35496212)

LOL, yeah there are, providing that you use binary stuff like Adobe flash player, etc.
Then you also have open source substitutions...
Remember, it's not that those platforms are invulnerable, but at least with Linux 95% of users won't go down with one type of attack as with one of those OS's that you troll for.
Linux fan club will pretty much confirm my statement above, after all there were no precedents of that. And btw, a lot of stuff, that is vulnerable in same crossplatform plugin, cannot simply be exploited on Mac and Linux platforms!

Thanks for the warning... (1)

ackthpt (218170) | more than 3 years ago | (#35494084)

I re-installed Windows and cleared up the infestation last year. Not a particularly happy episode.

Re:Thanks for the warning... (1)

snookiex (1814614) | more than 3 years ago | (#35494288)

I re-installed Windows

You clearly didn't terminate the infestation

Flash in Acrobat Reader (4, Insightful)

moosehooey (953907) | more than 3 years ago | (#35494088)

What the hell for? Fucking Adobe.

Re:Flash in Acrobat Reader (1)

Beelzebud (1361137) | more than 3 years ago | (#35494132)

This is why I turned to using open source readers for pdf files.

Re:Flash in Acrobat Reader (1)

24-bit Voxel (672674) | more than 3 years ago | (#35494692)

I've been hearing on slashdot about these open source readers for some time, but only recently did I experience one. I had a 300MB pdf that Adobe Reader just wouldn't open at all. A day or so of reading forums and updating components and I finally got it to open the file.... takes about 5 minutes and lags whenever I try to scroll. So I downloaded Foxit (after reading about it on /.), and I'll never switch back. It opens the scene in about 2 seconds, and scrolls nicely. (Note that the file DID open originally in photoshop *and* illustrator, but not the native application that is supposed to read the file.)

I don't know what adobe did to reader, but it's unusable nowadays and frankly I'm done tinkering with it. It's a bloated POS. It's sort of how I feel about all of Adobe's software anymore, with the exception of lightroom.

Re:Flash in Acrobat Reader (0)

Anonymous Coward | more than 3 years ago | (#35495416)

Another good one is Evince http://projects.gnome.org/evince/

I just love being able to open pdf datasheets and catalogs easily and instantly, makes you no longer afraid of those "pdf" links on google or digikey.

Re:Flash in Acrobat Reader (2)

David Gerard (12369) | more than 3 years ago | (#35495570)

Re:Flash in Acrobat Reader (0)

Anonymous Coward | more than 3 years ago | (#35496012)

Thanks, sorry i fail at hyperlinks...i guess i'm just used to EVERY OTHER PIECE OF FORUM SOFTWARE UNDER THE SUN that catches them and makes them links for you.

Oh..might as well toss in a complaint about the lack of unicode support while i'm at it...

Re:Flash in Acrobat Reader (1)

KDEnut (1673932) | more than 3 years ago | (#35494174)

IIRC it's part of the PDF standard.

Re:Flash in Acrobat Reader (1)

Anonymous Coward | more than 3 years ago | (#35494426)

There is only one sane PDF standard, PDF/A, and Flash is not in it.

Re:Flash in Acrobat Reader (1)

garcia (6573) | more than 3 years ago | (#35494392)

To make it the slowest possible PDF reader available. I recently switched to FoxIt after Adobe's shitty software continually hung Windows for MINUTES at a time searching for disconnected network printers I only access when I'm at the office.

No problems with FoxIt and thus I haven't bothered to look back.

Re:Flash in Acrobat Reader (1)

David Gerard (12369) | more than 3 years ago | (#35495546)

This is why it's bad that Windows doesn't include a basic PDF reader. Mac OS X uses Preview (an independent reimplementation) and Unix uses derivatives of Ghostscript (an independent reimplementation).

Re:Flash in Acrobat Reader (0)

Desler (1608317) | more than 3 years ago | (#35496306)

This is why it's bad that Windows doesn't include a basic PDF reader.

There's a reason there isn't one built in. The EU and a bunch of tards will start bawwwwing over the fact that Microsoft is "bundling" a PDF reader. Then all the other PDF reader makers are going to get butthurt and lobby that Microsoft get punished.

Re:Flash in Acrobat Reader (4, Funny)

syousef (465911) | more than 3 years ago | (#35495816)

What the hell for? Fucking Adobe.

How else do you fit so many vulnerabilities in one product so efficiently? In fact they found they had to tap higher dimensions to fit more holes than there was physical space in Adobe products. Kinda like a cross between the Tardis and a permanent help desk role: The void is greater than physically possible.

Some details (0)

Anonymous Coward | more than 3 years ago | (#35494116)

There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.

During testing, the particular exploit was not able to run successfully on Windows 7. It did work on Windows XP.
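An added illustration of the delivery method described in the comment above (not part of the original thread, and not code from Adobe or any vendor): a heuristic scan of an attachment's raw bytes for embedded SWF headers (`FWS` uncompressed, `CWS` zlib-compressed). It does not parse the OLE container, so `verified` is only a plausibility flag; `MAX_VERSION`, the function names and the sample bytes are assumptions constructed for this example.

```python
import struct
import zlib
from dataclasses import dataclass

HEADER_LEN = 8                 # signature(3) + version(1) + file length(4, little-endian)
MAX_VERSION = 60               # assumption: generous upper bound on the SWF version byte
SIGNATURES = (b"FWS", b"CWS")  # uncompressed body / zlib-compressed body


@dataclass
class SwfHit:
    offset: int        # byte offset of the signature inside the container
    signature: str     # "FWS" or "CWS"
    version: int       # SWF version byte from the header
    declared_len: int  # uncompressed movie length claimed by the header
    verified: bool     # True if the bytes after the header look like a real body


def _zlib_prefix_ok(chunk: bytes) -> bool:
    """True if chunk starts with a valid zlib header and begins to inflate."""
    if len(chunk) < 2:
        return False
    cmf, flg = chunk[0], chunk[1]
    # zlib header: compression method 8 (deflate) and a 16-bit check value
    if cmf & 0x0F != 8 or (cmf * 256 + flg) % 31 != 0:
        return False
    try:
        out = zlib.decompressobj().decompress(chunk[:512], 4096)
    except zlib.error:
        return False
    return len(out) > 0


def scan_for_swf(data: bytes) -> list:
    """Return every plausible SWF header found in data, ordered by offset."""
    hits = []
    for sig in SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            header = data[pos:pos + HEADER_LEN]
            if len(header) == HEADER_LEN:
                version = header[3]
                (declared_len,) = struct.unpack("<I", header[4:8])
                if 1 <= version <= MAX_VERSION and declared_len > HEADER_LEN:
                    body = data[pos + HEADER_LEN:]
                    if sig == b"CWS":
                        verified = _zlib_prefix_ok(body)
                    else:
                        # uncompressed movie: the declared body must fit in what follows
                        verified = declared_len - HEADER_LEN <= len(body)
                    hits.append(SwfHit(pos, sig.decode(), version, declared_len, verified))
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


def build_sample() -> bytes:
    """Constructed test container: OLE magic, padding, two tiny SWFs and a decoy."""
    # Constructed minimal movie body: empty RECT, frame rate, frame count, End tag
    body = b"\x00" + b"\x00\x18" + b"\x01\x00" + b"\x00\x00"
    total = HEADER_LEN + len(body)
    fws = b"FWS" + bytes([10]) + struct.pack("<I", total) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    ole_magic = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file signature used by .xls
    decoy = b"CWS is a signature string, not a movie"  # plain text that contains the magic
    return (ole_magic + b"\x00" * 56 + fws + b"\x00" * 17
            + decoy + b"\x00" * 9 + cws + b"\x00" * 32)


if __name__ == "__main__":
    for hit in scan_for_swf(build_sample()):
        print(hit)
```

The decoy string shows why the magic bytes alone are not enough: it is reported, but with `verified=False` because no zlib stream follows its header.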

Version check (2)

jbeaupre (752124) | more than 3 years ago | (#35494192)

for those of you who want to check which version you have and which is the latest:

http://www.adobe.com/software/flash/about/ [adobe.com]

Re:Version check (1)

spoilsportmotors (1251392) | more than 3 years ago | (#35494326)

Neat. According to that page, I have version 10.2.154.18 installed, which isn't listed in their table. Mind you, I'm running a dev version of Chrome, so who knows what vulnerabilities I'm actually exposed to.

Re:Version check (1)

hAckz0r (989977) | more than 3 years ago | (#35494738)

I think I have you beat. I'm running 10.3.162.29, and according to their page their latest is 10.2.154.12, so I'm approximately 0.1.8.17 into the future development cycle. ;)

btw - I have a 64 bit plugin running under Firefox/Fedora.

Re:Version check (1)

Brebs (888917) | more than 3 years ago | (#35495780)

For 32-bit users, the latest versions are:

ver 10 (10.3.180.42): wget http://download.macromedia.com/pub/labs/flashplatformruntimes/flashplayer10-3/flashplayer10-3_b1_lin_030811.tar.gz [macromedia.com]

ver 11 (11.0.0.60): wget http://download.macromedia.com/pub/labs/flashplatformruntimes/incubator/flashplayer_inc_debug_lin_022711.tar.gz [macromedia.com]

Both of these seem to be OK, judging from the version number, but ver 11 is better - doesn't crash when loading a new youtube video.

To see the version:
strings libflashplayer.so | grep FlashPlayer_

Shockwave flash file inside an excel spreadsheet? (4, Informative)

140Mandak262Jamuna (970587) | more than 3 years ago | (#35494248)

The attack vector is a excel spreadsheet delivered via an attachment that contains a swf file that has this vulnerability. Looks like it is not a drive by download. Not sure if the streamed flash videos have the vulnerability. It does not affect Win7. Affects XP. If it is leveraging some specific bug in excel and then a bug in flash, it is very specific to that combination. XP+Excel+Adobe. The rest of us can rest easy and enjoy a little bit of schadenfreude.

Re:Shockwave flash file inside an excel spreadshee (2)

_0xd0ad (1974778) | more than 3 years ago | (#35494390)

The payload might only be leveraging a specific bug in XP, but what's to say that a different payload couldn't be delivered through the same attack vector? One that targets other versions of Windows, even other operating systems altogether?

Re:Shockwave flash file inside an excel spreadshee (2)

ColdWetDog (752185) | more than 3 years ago | (#35494400)

The rest of us can rest easy and enjoy a little bit of schadenfreude.

I'm sorry, I can't even pronounce that. I'd like a Kahlúa please.

Re:Shockwave flash file inside an excel spreadshee (0)

Anonymous Coward | more than 3 years ago | (#35494748)

but it's a great word.

I say it sha-den-froid-ah (but am likely wrong).

Re:Shockwave flash file inside an excel spreadshee (1)

Nimey (114278) | more than 3 years ago | (#35495182)

Kraft durch Schadenfreude.

Re:Shockwave flash file inside an excel spreadshee (1)

Anonymous Coward | more than 3 years ago | (#35495820)

shaw den froy duh (lightly roll the "r" in froy for some extra authenticity)

German for "bad pleasure", means taking pleasure at the misfortune of others.

Re:Shockwave flash file inside an excel spreadshee (1)

Anonymous Coward | more than 3 years ago | (#35494524)

TFA says DEP is the reason it doesn't work on Win7, so doesn't that mean 32-bit Win7 is still affected?

Re:Shockwave flash file inside an excel spreadshee (1)

jpea (879421) | more than 3 years ago | (#35494868)

So, you have to open up a pdf with one hand, unplug your power cord with the other, curl your left big toe, dial 911 with your right pinkie toe, open up excel, type "meow" into row 3, column 204, then hit ctl+space+enter? damn!

Re:Shockwave flash file inside an excel spreadshee (0)

Anonymous Coward | more than 3 years ago | (#35496106)

WinXP + MS Excel + Acrobat is probably the single most common configuration on the planet, no?

What's in a name? (1)

sootman (158191) | more than 3 years ago | (#35494304)

Adobe is copying Apple from ten years ago by naming the product that comes after 9, 'X'. One key difference: Acrobat X does not run on Apple computers.

Re:What's in a name? (0)

theArtificial (613980) | more than 3 years ago | (#35495866)

Apple is copying Apple records. Apple is copying the ancient Romans by using their already developed counting system.

Perhaps Acrobat X doesn't run on Apple computers because they're not powerful enough xD? One key difference: Your computer is expensive.

Flash will rule the world (0)

Anonymous Coward | more than 3 years ago | (#35494330)

First, it only infected Windows running exploited Flash. Now it's going after Acrobat and other platforms. Soon, it will reboot your PC and install an entire Flash based virus as its own OS from an infected MBR. Together, they will all form a botnet, a dark cloud if you will. It shall be named, SKYNET!

who uses Adobe Reader anyways? (4, Informative)

Ionized (170001) | more than 3 years ago | (#35494340)

Seriously, get FoxIt PDF reader. It's free, and approximately 5 million times faster than Adobe Reader.

Oh, no, Foxit is SLOWER by FAR !! (0)

Anonymous Coward | more than 3 years ago | (#35494410)

Foxit is much slower than Acrobat at loading -> displaying a PDF. Foxit is slow, period exclamation mark

I still use it anyway now since I don't get to PDFs all the time like I used to. Acrobat shows immediately what takes Foxit several seconds, even small, simple PDFs.

Re:Oh, no, Foxit is SLOWER by FAR !! (1)

ByOhTek (1181381) | more than 3 years ago | (#35494444)

Really? I have to use PDFs a lot, and I've never seen a PDF render faster in Acrobat than Foxit.

I guess it's based on some other factor we have different.

Re:Oh, no, Foxit is SLOWER by FAR !! (1)

Amouth (879122) | more than 3 years ago | (#35494626)

In my experience Foxit is faster than Adobe on cold load.. but if you have Acrobat and acrotray is running Acrobat is faster .. but that is simply because it is already mostly sitting in memory

Great, but does it work with everything? (1)

Lead Butthead (321013) | more than 3 years ago | (#35494458)

I had no end of problems using "other PDF" readers when I print postage from USPS.COM (yeah, I sells stuff on and off on fleaBay) This is not to say that I am a fan of Adobe, but with some things, there's just no substitute.

Re:Great, but does it work with everything? (1)

Ionized (170001) | more than 3 years ago | (#35494512)

I don't even have Reader installed, I use FoxIt for any PDFs I have to open and have never noticed issues. YMMV, but I suggest you at least give it a try.

I notice the biggest difference when working with large (50+ page) PDF docs on my netbook. Adobe Reader is unbearably slow to scroll through pages, but FoxIt is painless and smooth.

Re:who uses Adobe Reader anyways? (1)

b0bby (201198) | more than 3 years ago | (#35495362)

We tried it at work, but we get lots of crazy restricted pdfs from outside & we had even more problems with Foxit than Reader. Which I know, is pretty hard to believe.

Re:who uses Adobe Reader anyways? (1)

Songilly (1993968) | more than 3 years ago | (#35495844)

I've had a few problems with the browser plugin not working on some pages. But for the most part I'm very happy with Foxit. Easily way better than Adobe Reader. I don't know why Adobe doesn't just make a Reader lite that is super zippy that works for 95% of things. Most people don't need all that security and locked down features. We just want to read a doc.

creators' big flash not scheduled for today? (-1)

Anonymous Coward | more than 3 years ago | (#35494354)

then there's still time. we could spend it a little better, in case it speeds up, or goes away, before we're done.

intentionally, there's time, and a time-out 'room' for out-of-control grownups to think/feel something/anything, thanks;

1. DEWEAPONIZATION (not a real word, but they like it) almost nothing else good happens until some progress here, 'they' say.

2. ALL BABYS CREATED/TO BE TREATED, EQUALLY. (a rough interpretation (probably cost us. seems like a no-brainer but they expressed that we fail on that one too(:)->) 'we do not need any 300$ 'strollers', or even to ride in your smelly cars/planes etc..., until such time as ALL of the creators' innocents have at least food, shelter, & some loving folks nearby.' again, this is a deal breaker, so pay attention.

3. THOU SHALT NOT VACCINATE IRRESPONSIBLY. this appears to be a stop-gap intention.

the genuine feelings expressed included; in addition to the lack of acknowledgment of the advances/evolution of our tiny bodies/dna (including consciousness & intellect), almost nobody knows anymore what's in those things (vaccines) (or they'd tell us), & there's rumor much of it is less than good (possibly fatal) for ANY of us. if it were good for us we'd be gravitating towards it, instead of it being shoved in our little veins, wrecking them, & adversely affecting our improving immune systems/dna/development? at rite-aid, they give the mommies 100$ if they let them stick their babys with whoknowswhat? i can see why they're (the little ones) extremely suspicious? many, oddly? have fading inclinations to want to be reporters of nefarious life threatening processes, ie. 'conspiracies', as they sincerely believe that's 'stuff that REALLY matters', but they KNOW that things are going to be out in the open soon, so they intend to put their ever increasing consciousness, intellect, acute/astute senses & information gathering abilities, to the care & feeding of their fellow humans. no secrets to cover up with that goal.

4. AN END TO MANUFACTURED 'WEATHER'.

sortie like a no-(aerosol tankers)-fly zone being imposed over the whole planet. the thinking is, the planet will continue to repair itself, even if we stop pretending that it's ok/northing's happening. after the weather manipulation is stopped (& it will be) it could get extremely warm/cold/blustery some days. many of us will be moving inland..., but we'll (most of us anyway) be ok, so long as we keep our heads up. conversely, the manufactured 'weather' puts us in a state of 'theater' that allows US to think that we needn't modify our megaslothian heritage of excessiveness/disregard for ourselves, others, what's left of our environment etc...? all research indicates that spraying chemicals in the sky is 100% detrimental to our/planet's well being (or they'd talk to US about it?). as for weather 'extremes', we certainly appear to be in a bleeding rash of same, as well as all that bogus seismic activity, which throws our advanced tiny baby magnets & chromosomes into crisis/escape mode, so that's working? we're a group whose senses are more available to us (like monkeys?) partly because we're not yet totally distracted by the foibles of man'kind' (including; eugenatics, weapons peddlers, fake 'weather', media hoopla etc..). the other 'part' is truly amazing. we saw nuclear war being touted on PBS as an environmental repair tool (?depopulation? (makes the babys' 'accountants' see dark red:-(-? yikes. so what gives? thanks for your patience & understanding while we learn to express our intentions. everybody has some. let us know. come to some of our million baby play-dates. no big hurry? catch your breath. we'll wait a bit more. thanks.

do the math. check out YOUR dna/intention potential. thanks again.

why can't we deweaponize now (-1)

Anonymous Coward | more than 3 years ago | (#35494948)

first of all, it's not a real word, like depopulation IS? next, if it were such a good idea, our uncle sam.gov would promote it for us? finally, (& it sort of looks that way from the babys et al, groundead viewpoint ) it's only rumors that the babys et al rule now, & that stopping running weapons 24/7 would add to our life cycles? the 'math' used has been challenged by the invisible authors of the georgia stone, so that's it? ALL MOMMYS, GET YOUR BUTTS TO THE MIDDLE EAST, JAPAN, DC, LA, GA, NY, FL ETC.... WE'VE HAD IT. WE'RE DYING HERE. they hesitated to use theatrical terms due to the stuff that matters topic of the next story, but they are feeling extremely overextended (even for the advanced lifeforms they are), &/or almost dead. most of us would be a little cranky/colicky in their situation? help's on the way?

good thing they're still little/waiting to applaud us?

Reader X sucks (1)

CmdrPorno (115048) | more than 3 years ago | (#35494378)

Reader 8 and 9 were tolerable, but Reader X seems like less of a reader app and more of a bloated advertisement for Adobe's other products. I suppose my machines will remain vulnerable but usable.

Re:Reader X sucks (1)

yuhong (1378501) | more than 3 years ago | (#35494604)

One nice thing about Reader X for me is when the browser plug-in is invoked, it displays a progress bar indicating the download of the PDF.

Re:Reader X sucks (1)

Anonymous Coward | more than 3 years ago | (#35494728)

Reader 8 isn't vulnerable to this because it lacks support for embedded flash files. Likewise removing authplay.dll (the dll Reader 9+ uses for embedded flash data) should mitigate the issue as well.

When will Adobe get its act together? (3)

WaffleMonster (969671) | more than 3 years ago | (#35494398)

I am totally sick and tired of the constant wave of security bugs in these products. How hard can it really be after all these years to render compressed postscript without all of the underlying nonsense?

Re:When will Adobe get its act together? (0)

Anonymous Coward | more than 3 years ago | (#35494578)

Why can't we move the internet away from Flash?

Nathan

Re:When will Adobe get its act together? (1)

Tharsman (1364603) | more than 3 years ago | (#35494820)

No product is entirely secure, browsers are getting patched all the time due to people finding new vulnerabilities. This covers all browsers, Firefox, IE, Safari, Opera and even Chrome.

What @#$@#$^ me off, is being forced to keep watch on two fronts for my security. If i'm using my browser, I'd wish the only thing I was able to blame for an exploit was the browser itself. With stupid plugins that web designers feel they must force visitors to use, they force me to double the potential exploitable entry points. Can we kill Flash already?

I want an Adobe Free web experience!!!

Re:When will Adobe get its act together? (1)

trollertron3000 (1940942) | more than 3 years ago | (#35495020)

Particularly with how advanced our compilers and other tools are now. When you combine compiler warnings, bounds checking, and stack shielding you don't really have any leg to stand on when it comes to exploits in your code do you?

0 day... for Acrobat? (5, Funny)

MrEricSir (398214) | more than 3 years ago | (#35494424)

How can it be a 0 day attack when Acrobat takes 2 days to start?

Re:0 day... for Acrobat? (0)

Anonymous Coward | more than 3 years ago | (#35494572)

It's funny because it's true.

Oh and please quit it with the "0-day" buzzword. Doesn't "unpatched exploit" work equally well? I know, it's not as sensationalist, but please. Let's not over-dramatize every little software defect.

Re:0 day... for Acrobat? (1)

trollertron3000 (1940942) | more than 3 years ago | (#35495050)

Lately 0-day has come to mean they haven't seen it in the wild yet and haven't released the code to reproduce it (AFAIK they haven't). But yeah they toss that on anything these days. A true zero day is one you keep to your group or yourself. Groups stack them like cards in a deck for later use while keeping them secret.

Re:0 day... for Acrobat? (1)

_0xd0ad (1974778) | more than 3 years ago | (#35495132)

All 0-day means is that they found the exploit in the wild before they knew the vulnerability existed.

What is with Slashdot these days? (0)

Anonymous Coward | more than 3 years ago | (#35494434)

This story was on Engadget this morning. Slashdot was at one point the place you went for nerd news. Now they are regularly posting stories that are days old as top news.

Re:What is with Slashdot these days? (1)

Yvan256 (722131) | more than 3 years ago | (#35494830)

Now they are regularly posting stories that are days old as top news.

Isn't that the job of newspapers?

Why doesn't DJVU format get more press? (-1)

Anonymous Coward | more than 3 years ago | (#35494508)

http://djvu.sourceforge.net/
http://djvu.org/

It even looks better on screen compared to PDF and its opensource.

Re:Why doesn't DJVU format get more press? (1)

kimvette (919543) | more than 3 years ago | (#35494680)

I wanted to read up on djvu but I went to the site and they didn't have the info posted in a PDF file, so I skipped it. ;)

Seriously though, why isn't it more popular? Easy. It's for the same reasons opendoc isn't popular yet:

* like MS Office, Adobe Reader is already entrenched
* Commerce has largely standardised on PDF
* PDF is basically encapsulated postscript, which makes it ideal for proofing work that is going to press

Also, PDF is an open standard, and you can choose from a number of readers and print filters to generate the files in the first place. Why abandon one open press and printer-compatible format for a new open format that enjoys very little support, where you have to explain to everyone where to download the software to open it, and the current reader offerings are free to begin with (both free as in beer and free as in speech options are available)?

So, you're moving from an established corporate-originated (Adobe) "free/open" to corporate-originated (AT&T) "free/open" format, except the new format has less support and the file sizes are much larger. Where is the benefit again?

Re:Why doesn't DJVU format get more press? (1)

TrancePhreak (576593) | more than 3 years ago | (#35495636)

I also found the PDF readers were better than the djvu readers I found. Probably has to do with like you said, PDF being around longer.

Who knew? (0)

Anonymous Coward | more than 3 years ago | (#35494664)

Wow, I guess it's no longer safe to open up Excel file email attachments from strangers.

Reader X warning - missing IFilter (1)

Bill Dimm (463823) | more than 3 years ago | (#35494912)

If you are considering "upgrading" to Reader X for safety, be aware that the installer does not contain an IFilter for extracting text from PDF files, so desktop search products relying on the IFilter will no longer be able to search your PDF files. Actually, it's worse than that. Not only does it lack an IFilter, it will remove the IFilter installed by older versions. More details here [adobe.com].

this is why.... (1)

hesaigo999ca (786966) | more than 3 years ago | (#35494940)

This is why I hate so many websites that use flash, why put all your eggs in one basket, so that when again another flash 0 day comes out, you're like...wtf....do we really need to be stuck to a proprietary software that is useless when it comes to security....all in the hopes of achieving greater visual effects for your site....at least offer a flashless option to view the site.....so many suffer from the fact that if you have no flash installed, you can not continue, but this means it hurts them more in the end, then the end user who will go to a competitor website without flash to do the same thing.

Re:this is why.... (1)

tlhIngan (30335) | more than 3 years ago | (#35495274)

On the other hand, at least Android users (flash is also vulnerable there) don't have to wait for their carriers to decide when they can update their flash runtime. I assume you can just update it right there from the marketplace.

Not sure about those Androids that ship with flash though - maybe they might be stuck?

Re:this is why.... (0)

Anonymous Coward | more than 3 years ago | (#35497016)

"it hurts them more in the end, THEN the end user"

What the hell is it with you Americans and "more THAT" and "more THEN"?

It isn't rocket science. It's

MORE THAN.

We even have a bloody company in the U.K. named "More Than", isn't that enough to remind you of simple bloody English?

It's almost getting to be 50% of the time now that I see "more that", "his first car was better that his other one", it's driving me mad.

Learn how to write properly or DON'T WRITE AT ALL, idiots.

iOS safe (0)

Anonymous Coward | more than 3 years ago | (#35494942)

Gosh, I am so glad that shit won't run on my phone or tablet. Flash is an exploit all on its own.

Flash inside Excel? Erm... (1)

daveewart (66895) | more than 3 years ago | (#35495116)

Article reports: "There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment"

*BOGGLE* If that sort of functionality is even possible, then it was just an accident waiting to happen.

Re:Flash inside Excel? Erm... (1)

phntm (723283) | more than 3 years ago | (#35495318)

the description made me twitch a bit too.
next step i guess is to e-mail xp vmware images running internet explorer iframing excel using flash embedding a pdf

So who did HBGary sell this one to? (1)

Slutticus (1237534) | more than 3 years ago | (#35495312)

And who are they after?

Switch to Sumatra! (2)

jensend (71114) | more than 3 years ago | (#35496060)

In related news, SumatraPDF [kowalczyk.info], the primary open-source PDF viewer for Windows, just had its 1.4 release a couple of days ago. In the course of the past ~6 months they've added GDI support so documents can print quickly (rather than sending huge bitmaps to printers), improved performance in all sorts of ways (notably including much-faster zooming and searching), and quashed lots of bugs. They've also added a browser plugin and a Windows Search filter (both optional). So even if you've tried it in the past and it didn't meet your needs, it's likely worth trying again.

Outside of multimedia (e.g. Flash) and JS- both of which I've never seen used in a PDF for anything other than an exploit- the only thing Sumatra lacks at this point, AFAIK, is the ability to work well with forms.

Re:Switch to Sumatra! (1)

jerk (38494) | more than 3 years ago | (#35496564)

I switched from FoxIt to Sumatra on Windows after I ran into a PDF that wouldn't open in FoxIt.

Get rid of Flash. (1)

ShadowFoxx (2015582) | more than 3 years ago | (#35496372)

Flash is archaic and should be on its way out. Advertisers are wasting a lot of money on flash as they're missing a huge market share (iOS devices). HTML5 does anything flash can do... but better and is openly supported cross platform. Even Google got the smack down when they tried to nix HTML5 out of Chrome as it got patched by Microsoft to support it.

Who gives a $h1T (0)

Anonymous Coward | more than 3 years ago | (#35496880)

Seriously, this is front page news? How many bugs do windows, linux and osx have? How many bugs do IE, Firefox, Chrome, Safari have? Who really gets this up in arms about a pdf bug.... apple fanboys, that's who. http://www.computerworld.com/s/article/9197184/Apple_patches_critical_drive_by_Safari_bugs

0-day in an adobe product? (0)

Anonymous Coward | more than 3 years ago | (#35496886)

Considering their track record, Adobe would have to release something that DIDN'T have gaping security holes for it to actually count as "news".

"Adobe software exploit-ridden" is about as novel as "New Pope is Catholic".
