
Adobe Warns of Critical Zero Day Vulnerability

Soulskill posted more than 2 years ago | from the might-want-to-just-trademark-that-term dept.

Security 236

wiredmikey writes "Adobe issued an advisory today on a zero-day vulnerability (CVE-2011-2462) that has come under attack in the wild. According to Adobe, the issue is a U3D memory corruption vulnerability that can be exploited to cause a crash and permit an attacker to hijack a system. So far, there are reports the vulnerability is being exploited in limited, targeted attacks against Adobe Reader 9.x on Windows. However, the bug also affects Adobe Reader and Acrobat 9.4.6 and earlier 9.x versions for UNIX and Macintosh computers, as well as Adobe Reader X (10.1.1) and Acrobat X (10.1.1) and earlier 10.x versions on Windows and Mac. Patches for Windows and Mac users of Adobe Reader X and Acrobat X will come on the next quarterly update, scheduled for Jan. 10, 2012."


Listed mitigation: Adobe Reader X Protected Mode (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38287064)

Why on earth isn't "Adobe Reader X Protected Mode" the default?

Re:Listed mitigation: Adobe Reader X Protected Mod (4, Funny)

Jeremiah Cornelius (137) | more than 2 years ago | (#38287086)

Good I stopped using that blob...

Re:Listed mitigation: Adobe Reader X Protected Mod (5, Insightful)

capnkr (1153623) | more than 2 years ago | (#38287712)

"Blob" is very apt terminology, yet "(Unnecessarily) Giant Blob" might be even more accurate. Not sure if these are exact numbers, but they are probably close. From Wikipedia [wikipedia.org], re: Sumatra PDF:

> It has a 4.4 MB setup file, compared to Adobe Reader's 40.5 MB, for Windows 7. Installed size is 8.4 MB, whereas Adobe Reader requires 335 MB of available disk space.

Adobe PDF Reader - now with 10-40x the size of what's *really* needed! ***Bonus*** - Includes Critical 0 Day vulnerability, @ no extra charge!!!

What more could you ask for?

Re:Listed mitigation: Adobe Reader X Protected Mod (5, Funny)

FatdogHaiku (978357) | more than 2 years ago | (#38287824)

> Adobe PDF Reader - now with 10-40x the size of what's *really* needed! ***Bonus*** - Includes Critical 0 Day vulnerability, @ no extra charge!!!
>
> What more could you ask for?

Ummm, could you maybe toss in an eternally running updater?
And if the same people could come up with a useless "download manager", well that would just be peachy!

Re:Listed mitigation: Adobe Reader X Protected Mod (4, Informative)

Calos (2281322) | more than 2 years ago | (#38287158)

In my experience it can (or used to) break things when interacting with other programs.

It broke my LaTeX editor. Couldn't compile a document and automatically have it open in Reader. After some fighting, I think I got it to open, but if you make some edits and recompile... it quickly errors out if you don't manually and completely exit out of Reader first. It's really annoying. Spent far too long reading up on how Reader is supposed to interact with other software and setting my editor to try different commands invoking Reader. No dice, and it looked like the documentation wasn't up to date for all the changes in X yet. But turn off protected mode, and it worked just fine.

Granted, they might have fixed that in the meantime, I've not used it in a couple months, and don't even have Reader installed any more...

Re:Listed mitigation: Adobe Reader X Protected Mod (2)

Gr8Apes (679165) | more than 2 years ago | (#38287276)

I'm actually in the process of becoming Adobe free. No Reader, no Flash, and hopefully my system will run better.

Re:Listed mitigation: Adobe Reader X Protected Mod (3, Insightful)

smpoole7 (1467717) | more than 2 years ago | (#38287332)

Most of our technical manuals come in PDF form now, but thank God for Okular. It has really, really improved. :)

Re:Listed mitigation: Adobe Reader X Protected Mod (1)

Nom du Keyboard (633989) | more than 2 years ago | (#38287452)

> Why on earth isn't "Adobe Reader X Protected Mode" the default?

Wouldn't matter since Reader X crashes on every XP system I've tried it on. That leaves me with Reader 9, and I don't really care to hear any comments about why I shouldn't be on XP. It's not dead or out of support yet and I have my reasons to still be running it.

My question is: after all of these years, why can't Adobe write a secure version of Reader? I mean it's just one program to do basically one simple enough thing. Are they too busy on new development to actually fix their existing product?

Re:Listed mitigation: Adobe Reader X Protected Mod (3, Insightful)

hairyfeet (841228) | more than 2 years ago | (#38287664)

Hey I don't have a problem with you being on XP friend, if it works why fix it? I have windows 7 on one machine and XP on another, why bother switching the older XP machine?

My question would be why are you trying to run Adobe Reader at all when there is both Foxit and Sumatra on Ninite [ninite.com]. Just check the box, click the download button and run it, that's it. Then you can say goodbye to crappy Adobe Reader.

As for why Adobe can't build a secure reader? You answered it yourself friend when you said you thought it was "one program to do basically one simple enough thing" when to try to sell copies of Acrobat Adobe has been piling shit into that program for years. That is why frankly for production software like Acrobat I really wish they'd go to a yearly license model like AV companies use. That way instead of being pressured to constantly add new shit to the program so they have an excuse to upsell you they could just focus on making it better and more secure and get paid without having to add crap.

Re:Listed mitigation: Adobe Reader X Protected Mod (2)

yuhong (1378501) | more than 2 years ago | (#38287748)

It is the default already (I checked using my copy of Adobe Reader X), which is part of why they are delaying the patch for this version until next month.

Oh adobe... (4, Informative)

mirix (1649853) | more than 2 years ago | (#38287070)

You can pretty well set your watch by adobe exploits. Get it together, guys...

Look at the credits for Adobe Reader. (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38287098)

If you're wondering "How can this happen?", all you need to do is look at the credits of Acrobat Reader. Notice that many of the names are quite clearly Indian. Then it all makes sense.

Re:Look at the credits for Adobe Reader. (-1, Flamebait)

Anonymous Coward | more than 2 years ago | (#38287144)

Why is the parent modded down? I just checked my installation of Reader, and what he says is true.

Re:Look at the credits for Adobe Reader. (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38287182)

Because anytime you single out a creed, religion, race, or other general status, anyone belonging to said group interprets it as a personal attack and employs all possible methods to censor the shit out of said perceived attacker. It's like a biological kill-switch.

Re:Look at the credits for Adobe Reader. (4, Insightful)

hipp5 (1635263) | more than 2 years ago | (#38287376)

Because there is an assumption implicit in his post that Indian names = outsourced, two-bit programmers in an Indian code sweatshop. The statement that names in the credits are Indian is indeed true. The broad assumption that follows is wild conjecturing with weak evidence and is thus deserving of a down mod.

Re:Look at the credits for Adobe Reader. (1)

hipp5 (1635263) | more than 2 years ago | (#38287386)

Sorry for the self-reply. If I'm going to post on a geek site it should say "...Indian names == outsourced, two..."

Re:Look at the credits for Adobe Reader. (3, Insightful)

MechaStreisand (585905) | more than 2 years ago | (#38287540)

What's more likely, a large number of Indian names referring to Adobe's US center which is largely Indian-Americans for no reason, or a large number of Indian names referring to Indians, in India? Furthermore, what is the primary reason American companies hire Indian programmers in India? Quality? Or is there some other reason, perhaps relating to their cost?

Re:Look at the credits for Adobe Reader. (2, Interesting)

pclminion (145572) | more than 2 years ago | (#38287720)

I've been to Adobe's campus in San Jose and seen the place. There are many, many Indian engineers there, as is common throughout Silicon Valley. Ignorant fuck.

Re:Look at the credits for Adobe Reader. (3, Informative)

KhabaLox (1906148) | more than 2 years ago | (#38287782)

I work for a media company in Los Angeles, and just about all of the developers in our Burbank office working on our flagship media management software are Indian. Our facility in Bangalore is where we send the actual media work if we can (transcoding, editing, etc.). But I think most of the software development stays in the States, but is done by Indians (with a few Chinese and other Asians).

Re:Look at the credits for Adobe Reader. (3, Insightful)

Anonymous Coward | more than 2 years ago | (#38287696)

The term you're looking for is "fact", not "assumption".

The industry as a whole has now had 10 to 15 years of experience with Indian software developers. That's actually quite a long time, given the relatively young age of the industry. Yet for every successful project we hear about, there are literally tens of thousands of horror stories. That's clearly not a balanced ratio.

There comes a point when repeated and consistent observations must be accepted as the truth, even if this may be a painful truth to accept. Reoccurring trends start to indicate the norm. In this case, the norm is that Indian-developed software is very typically of an inferior quality, riddled with bugs and security flaws.

You talk about "wild conjecture" and "weak evidence", but every observation and every shred of experience we have show quite the opposite. There's a reason why Indian developers as a whole have a bad reputation; it's because they have fucked up software projects again and again and again and again and again and again and again and again and again and again and again.

Re:Look at the credits for Adobe Reader. (5, Informative)

Anonymous Coward | more than 2 years ago | (#38287244)

Why is the parent modded flamebait? S/he's telling the truth. We just discussed this very issue: Does Outsourcing Programming Really Save Money? [slashdot.org].

Somebody please mod the parent up. Sometimes the truth isn't pretty, but it's still the truth. I don't care if feelings get hurt by it. It's still the truth.

Re:Look at the credits for Adobe Reader. (4, Insightful)

hairyfeet (841228) | more than 2 years ago | (#38287732)

Exactly. Nobody is saying the Indians are shit, they are saying that companies that take the lowest priced shit get shit for their money and when we see Indian coders that is EXACTLY what we are seeing, why try to hide it? Good Indian coders cost good money, same as good coders anywhere. These companies don't go to India because they want to hire top notch Indians at a decent wage, these corps want as close to sweatshop as they can possibly get. You know this, I know this, hell didn't anybody watch "How NOT to hire an American"? These corps don't give a shit about quality, it's all about cost. This is why our landfills are overflowing with cheap plastic garbage and people are being poisoned in China melting circuit boards for the metals, cheap ass bottom of the line shit. This is just cheap ass bottom of the line software instead of hardware and India is where you go to get a programmer for a price lower than dinner at Mickey D.

As for TFA this is why I'm so glad I haven't included Adobe Reader on a build of mine since Adobe 6. There are several excellent alternative readers like Foxit and Sumatra and Foxit comes with safe reading on by default, so why would you want the risk that Reader causes? With Flash sandboxed in low rights mode and no reader I don't have to worry about Adobe bugs, which is nice. You'd have to be nuts to want Reader unless you simply have no other choice.

Re:Look at the credits for Adobe Reader. (0)

Ethanol-fueled (1125189) | more than 2 years ago | (#38287294)

Look at all those guilty Caucasian people shuffling nervously in the crowd after reading your comment.

It's like they all want to mod you up, but none of them have the balls to be the first one to do it. That's America's IT workers in a nutshell...

Re:Look at the credits for Adobe Reader. (3, Informative)

human spam filter (994463) | more than 2 years ago | (#38287666)

I tried, but Adobe Reader crashed when I clicked on "credits". (No joke, 9.4.2 on amd64 Linux)

Re:Oh adobe... (1)

Ethanol-fueled (1125189) | more than 2 years ago | (#38287104)

Is it a Slashdot article dupe or Deja VU?

Oh, wait, Adobe actually warned us this time. Huh.

Re:Oh adobe... (3, Funny)

Anonymous Coward | more than 2 years ago | (#38287118)

> You can pretty well set your watch by adobe exploits. Get it together, guys...

My watch doesn't display milliseconds.

Re:Oh adobe... (4, Funny)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#38287214)

> You can pretty well set your watch by adobe exploits. Get it together, guys...

You actually have several options: If you want it to run fast, set by exploits. If you want it to run slow, set by fixes.

Release dates?? (0)

Anonymous Coward | more than 2 years ago | (#38287076)

Jan 10??? They're leaving exploits that can allow intruders to hijack computers unpatched for over a month?

Am I missing something?

Re:Release dates?? (3, Informative)

Calos (2281322) | more than 2 years ago | (#38287168)

Yes.

The attack can be stopped using their Protected Mode. Versions that ship with the protected mode will not be addressed to specifically mitigate this attack until later, with Adobe recommending everyone turn on protected mode to protect them in the meantime.

Whether or not that's a reasonable reaction is a whole different question.

Patched when? (5, Insightful)

binaryhat (2494814) | more than 2 years ago | (#38287078)

Jan. 10, 2012? Why not immediately? Do Adobe coders suck that bad... Honestly I think when a major vulnerability is found, companies should fix it immediately or face penalties.

Re:Patched when? (1)

Anonymous Coward | more than 2 years ago | (#38287146)

The good ones probably left the company a long time ago.

Re:Patched when? (5, Informative)

DERoss (1919496) | more than 2 years ago | (#38287162)

If you follow the "exploited to cause a crash ..." link in the initial Slashdot item, you will see that a fix to Acrobat Reader 9 will be available by this coming Monday. You will also see that, unless you disable Protected View in Acrobat Reader 10, you are not vulnerable and thus can wait a month.

Re:Patched when? (1)

yuhong (1378501) | more than 2 years ago | (#38287634)

Actually, Adobe Reader X is vulnerable, but Protected View isolates exploit code.

Re:Patched when? (3, Interesting)

syousef (465911) | more than 2 years ago | (#38287354)

> Jan. 10, 2012? Why not immediately? Do Adobe coders suck that bad...
>
> Honestly I think when a major vulnerability is found, companies should fix it immediately or face penalties.

You naive sod. You think the DEVELOPERS determine the release schedule? For all you know there are developers there with a fix ready and tested that are agitating and itching for it to go out.

Re:Patched when? (1)

sincewhen (640526) | more than 2 years ago | (#38287684)

Clearly they are too busy coding up new vulnerabilities to have the time for fixes...

Shocking (1)

Anonymous Coward | more than 2 years ago | (#38287088)

I'm shocked, shocked I say.

A lack of diversity... (5, Insightful)

jenningsthecat (1525947) | more than 2 years ago | (#38287092)

...leads to increased vulnerability, whether in biology or in software.

Although there are alternatives to Adobe Reader, none of them is good enough to gain significant market share. And Adobe does everything it can to make competing with it more difficult. So a key piece of software used by a large majority of computer users is bloated beyond belief and so riddled with vulnerabilities that it seems there's a new one every day. It sucks, but it's hardly surprising.

On the web, as in politics, we get what we deserve - or, in this case, we get what other web users deserve, because they vastly outnumber us.

Re:A lack of diversity... (2, Informative)

Anonymous Coward | more than 2 years ago | (#38287112)

Not good enough alternatives? FoxIT reader is better imho. Heck, the Ubuntu default document viewer works fine for me. It's a shame that "adobe" has become synonymous with "pdf".

Re:A lack of diversity... (0)

Tomato42 (2416694) | more than 2 years ago | (#38287436)

Exactly, both Gnome and KDE environments have very good PDF readers built in, OSX is exactly the same if not better. The only OS that's behind is Windows. But then if the PDF viewer was programmed by MS it wouldn't change a thing from security perspective...

Re:A lack of diversity... (4, Informative)

Carnildo (712617) | more than 2 years ago | (#38287514)

> Exactly, both Gnome and KDE environments have very good PDF readers built in, OSX is exactly the same if not better. The only OS that's behind is Windows. But then if the PDF viewer was programmed by MS it wouldn't change a thing from security perspective...

If you look under the hood, Linux has the same lack of diversity in PDF viewers that Windows does: almost everything is just a frontend for the Poppler library. If a security hole is found in e.g. kpdf, it's a good bet that the hole is also present in epdfview or xpdf.

Re:A lack of diversity... (0)

Anonymous Coward | more than 2 years ago | (#38287596)

I don't know what you need it for, but I use sumantra (sumatra?) pdf for windows and it does everything just fine. And at like 2.something megs, compared to whatever Adobe PDF reader is up to now :)

So yes there are alternatives that work well enough on mac, unix, AND windows.

Re:A lack of diversity... (0)

Anonymous Coward | more than 2 years ago | (#38287624)

Actually, I installed evince (the Gnome PDF viewer) on my mother's Windows 7 machine so she wouldn't have to worry about Adobe Reader updates.

Re:A lack of diversity... (1)

labnet (457441) | more than 2 years ago | (#38287502)

Another vote for Foxit
I remove adobe PDF from any systems I administer and install Foxit

Re:A lack of diversity... (-1)

Anonymous Coward | more than 2 years ago | (#38287642)

> I remove adobe PDF from any systems I administer and install Foxit

That sounds like servers, in which case why is any PDF reader installed?

Re:A lack of diversity... (2)

sdnoob (917382) | more than 2 years ago | (#38287776)

foxit is a little safer, imho, for windows, but doesn't support everything adobe reader does. not that 99% of the people need those extras, though...

we have run across a few instances where adobe reader (even latest version at the time) would have problems opening up certain files (electronic bank statements were the biggest problem here.. ever since the bank talked dad into going with online-only statements, he'd have problems every month).. while any version of foxit we tried opened them up just fine.

however, foxit is also getting bigger and bigger. the installer for the current version is 8x larger than it was 4 1/2 years ago (the version i use on our winxp system), and 5 1/2 years ago the exe needed to run it would fit on a floppy disk. and i don't think the feature set has added that much to justify the differences. lightweight it may be still -- compared to adobe reader.. but not compared to itself.

Re:A lack of diversity... (0)

TaoPhoenix (980487) | more than 2 years ago | (#38287114)

That's actually a complicated problem because different groups "argue" over the inefficiency of diversity, often called incompatibility.

Echoing a poster above, Jan 12? Really? 40 days (ish) is good enough for a fix?

That's just corporate laziness.

Re:A lack of diversity... (5, Informative)

enoz (1181117) | more than 2 years ago | (#38287170)

I recall the Adobe loading screens on older Acrobat versions. One time while waiting for Acrobat to load its bloated carcass into memory I actually paid attention to the loading messages and noticed "movie.api" among others being loaded. That was the nail in the coffin.

While switching to non-Adobe PDF software may not be in the power of everyone, you can blacklist the Adobe PDF plugin from running in your web-browser. Apart from improving your internet experience it may also help prevent some drive-by PDF exploits.

Re:A lack of diversity... (2)

Anonymous Coward | more than 2 years ago | (#38287192)

I just use the default PDF things that come with Debian Squeeze and OpenOffice. I can read and print anything to PDF (and I can even create PDFs in my PHP code). If you want all the bloat that comes with Adobe software, then yeah there are no alternatives. If you just want to read/write basic PDF documents, then there are enough if you know where to look.

Without a significant official repository of FOSS and non-free packages that can be browsed with something like Synaptic for Debian, Windows users in particular are left to their own devices as far as finding alternatives.

No matter what troubles I have with Linux, it is the security of Synaptic coupled with 29-odd thousand packages at my fingertips that keeps me away from Windows on my home computers. Some people complain that they can't do everything on Linux that they can do with Windows, but apart from specific games (I love StarCraft) I haven't yet come across many killer-apps that are limited to Windows. 3D CAD maybe (I use Autocrap Inventor at work).

It's unfortunate that to some people market share is all that matters, which means they will always be blinded to what is free. I pity these poor fools.

Re:A lack of diversity... (2)

Mad Merlin (837387) | more than 2 years ago | (#38287396)

> Some people complain that they can't do everything on Linux that they can do with Windows, but apart from specific games (I love StarCraft)...

FYI, both SC1 and SC2 run flawlessly in Wine, I've been playing^Wtesting both for years.

Re:A lack of diversity... (5, Interesting)

mirix (1649853) | more than 2 years ago | (#38287404)

Evince [gnome.org] (gtk) and Okular [kde.org] (ex-kpdf, iirc, Qt) both seem pretty usable to me.

At work, I'm stuck with windows, and the Evince win32 port seems to work quite well there too. Only issue I ran into was that by default it tried to print things in landscape mode or something like that, and I didn't notice.
A nice feature is that it does djvu and postscript as well, instead of having multiple readers (although I seem to think ps might not work with windows in default, probably relies on ghostscript or so..?).

Re:A lack of diversity... (1)

astrostl (2524450) | more than 2 years ago | (#38287482)

> Although there are alternatives to Adobe Reader, none of them is good enough to gain significant market share.

I think Apple's Preview app is doing pretty well. Who installs Adobe Reader on a Mac?

Re:A lack of diversity... (4, Insightful)

Mad Merlin (837387) | more than 2 years ago | (#38287530)

> Although there are alternatives to Adobe Reader, none of them is good enough to gain significant market share.

Are you kidding me? Acrobat is such a steaming pile of crap that it has bred a completely misplaced hatred of PDF in most Windows users. Ever seen a Slashdot summary with a "(warning, PDF)" note after a link? Only Acrobat can manage to bog down a brand new system opening a 1 page PDF, every other PDF reader in the world will open it instantaneously.

If anything, Acrobat has single handedly painted PDF into the very niche corner that it's in now. PDF is a good format hobbled by a hopelessly lousy reference implementation.

Re:A lack of diversity... (2)

yuhong (1378501) | more than 2 years ago | (#38287564)

They improved it in Adobe Reader X by among other things finally showing a progress bar.

Re:A lack of diversity... (0)

Anonymous Coward | more than 2 years ago | (#38287608)

Foxit [foxitsoftware.com] works pretty well for me

Re:A lack of diversity... (2)

jezwel (2451108) | more than 2 years ago | (#38287574)

I've requested a review of Adobe Reader/Acrobat by a number of groups in our organisation, as there are continuing issues with security, incompatibility with PDFs created with other products, plus the licence management if you don't have an Adobe enterprise agreement is a massive PITA.

I'm hoping they choose an alternative product, cause I have a large number of Acrobat purchases to make if not :|

FYI: U3D = Universal 3D (5, Informative)

Anonymous Coward | more than 2 years ago | (#38287128)

According to the Wikipedia article on Universal 3D [wikipedia.org]:

> The format is natively supported by the PDF format and 3D objects in U3D format can be inserted into PDF documents and interactively visualized by Acrobat Reader (since version 7).

and

> There are four editions to date.
>
> The first edition is supported by many/all of the various applications mentioned below. It is capable of storing vertex based geometry, color, textures, lighting, bones, and transform based animation.
>
> The second and third editions correct some errata in the first edition, and the third edition also adds the concept of vendor specified blocks. One such block widely deployed is the RHAdobeMesh block, which provides a more compressed alternative to the mesh blocks defined in the first edition. Deep Exploration and PDF3D-SDK can author this data, and Adobe Acrobat and Reader 8.1 can read this data.
>
> The fourth edition provides definitions for higher order primitives - curved surfaces.

I'm guessing it's the vendor specified blocks from the 3rd edition that are causing the problem.

Re:FYI: U3D = Universal 3D (5, Insightful)

Mojo66 (1131579) | more than 2 years ago | (#38287320)

Why do we need support for 3D files, embedded file attachments, JavaScript and all that crap in a file format that was originally intended to print documents? I'm glad that there are alternatives to Adobe Reader that just support the old idea of a printable document file format and nothing more, for example Preview on OS X, for other OS see this list [wikipedia.org]. The crazy thing is that Adobe Reader is promoted by a lot of companies that use PDFs to send out bills electronically, i.e. to open the attachment, you need to download Acrobat Reader. Which is not only a wrong statement, but also a suggestion to install an application that has been plagued with security faults.

Re:FYI: U3D = Universal 3D (0)

Anonymous Coward | more than 2 years ago | (#38287568)

Printable? It's portable document format. I think you're reading too much into the fact that it has postscript as its guts. To me its greatest use is for *replacing* printed documents with electronic ones. And while you're at it, you might as well take advantage of the new opportunities provided by a non-printable document.
I'm actually finding the 3D files support really useful at work.

Re:FYI: U3D = Universal 3D (1)

yuhong (1378501) | more than 2 years ago | (#38287586)

Personally, I'd suggest disabling advanced PDF features like this one by default, and allow it to be enabled by the user when necessary.

Too late (4, Informative)

Natales (182136) | more than 2 years ago | (#38287196)

This type of vulnerability is serious enough that I find it rather appalling that Adobe is pushing this to their regular "scheduled" quarterly update. If they are serious about being considered as a credible platform, they absolutely need to address this kind of issue with more sense of urgency.

Re:Too late (1)

yuhong (1378501) | more than 2 years ago | (#38287616)

They are doing an out of cycle update, but only for Adobe Reader 9 for Windows because that is the version currently exploited.

evince (0)

Anonymous Coward | more than 2 years ago | (#38287206)

install it [gnome.org] already

Re:evince (1)

an unsound mind (1419599) | more than 2 years ago | (#38287270)

Windows port of Evince is somewhat lacking, especially given its way of handling file associations and compressed comic book files.

Frankly, if it came out of the box as a portable touch-nothing install and had cbz and cbr support, I'd probably use it and drop Foxit.

Re:evince (1)

mark-t (151149) | more than 2 years ago | (#38287522)

evince does not handle pdf layers

Layers have been a standard part of the pdf spec for years, but the only pdf reader that supports them properly, to the best of my knowledge, is Acrobat.

What a mess: No patch for 9 and no IFilter for X (1)

Bill Dimm (463823) | more than 2 years ago | (#38287216)

The summary makes no mention of a patch for Reader 9, but some of us have been stuck with Reader 9 because Reader X has no IFilter to allow PDF indexing by search tools [adobe.com] (even worse, installing Reader X removes any older IFilter that you might already have). So we get to choose between having a security hole or an IFilter. Thanks, Adobe.

Re:What a mess: No patch for 9 and no IFilter for (3, Informative)

Bill Dimm (463823) | more than 2 years ago | (#38287246)

OK, the summary omits it, but the article [adobe.com] says "We are in the process of finalizing a fix for the issue and expect to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011" so Reader 9 will be fixed after all.

Sandboxing? (0)

Anonymous Coward | more than 2 years ago | (#38287220)

Can this circumvent the PDF protected mode?

Sumatra (4, Informative)

HBI (604924) | more than 2 years ago | (#38287234)

It doesn't do everything Acrobat does, but it reads PDFs. Which is enough for me.

Re:Sumatra (0)

Anonymous Coward | more than 2 years ago | (#38287418)

Or Foxit Reader http://www.foxitsoftware.com/

Re:Sumatra (0)

Anonymous Coward | more than 2 years ago | (#38287466)

Or Google Chrome

Re:Sumatra (0)

Anonymous Coward | more than 2 years ago | (#38287620)

And it's The Only pdf viewer that will show two facing pages in the full screen view.

Re:Sumatra (1)

mapuche (41699) | more than 2 years ago | (#38287750)

Comparing Sumatra to Reader or Foxit, Sumatra does badly with some rendering; sometimes the output is very different.

Update .... Carefully (1)

EnempE (709151) | more than 2 years ago | (#38287248)

Adobe have to be very careful about even recommending that you update these days, as that can lead to problems if not handled correctly.
Adobe is forced to officially advise the need to update, at the same time as spam containing malware-laden upgrades is released. Naked Security article about malware spam [sophos.com]
They might get a greater hit rate by using the Zero Day to create FUD that increases the number of clicks on the email rather than pushing an exploit on the Zero Day directly.

Re:Update .... Carefully (1)

EnempE (709151) | more than 2 years ago | (#38287254)

By "they" I meant the Malware writers and general evil types, not Adobe. I know how grey all of this can seem though.

Re:Update .... Carefully (1)

geekmux (1040042) | more than 2 years ago | (#38287606)

> By "they" I meant the Malware writers and general evil types, not Adobe. I know how grey all of this can seem though.

Speaking of grey...

(cue fall guy wearing Adobe employee badge getting arrested on the evening news on suspicion of writing malicious code...)

"I swear! They told me to write it! I swear they did! Didn't you guys get the memo too?!? Why isn't anyone LISTENING TO ME??!!"

I haven't updated Reader in several months... (2)

Man On Pink Corner (1089867) | more than 2 years ago | (#38287258)

... because Adobe broke the search feature in the versions after 9.4.0 (both 9.x and 10.x). If you search in a .PDF in the newer versions, it will fail to highlight at least some of the matches.

This is a pretty huge deal and it would be astonishing if it were still broken. Does anybody know if they've fixed the bug?

Mac? (3, Interesting)

93 Escort Wagon (326346) | more than 2 years ago | (#38287278)

I'd be curious to know how many Mac users install Adobe Reader at all, since Preview does a very good job of basic PDF handling - and loads almost instantly, as opposed to Reader's geologic-era-scale load time.

Re:Mac? (2)

Mojo66 (1131579) | more than 2 years ago | (#38287358)

I wouldn't underestimate the userbase, because nowadays bills are often attached to an e-mail as PDF, and the mail reads something like to view the attached PDF file you have to install Adobe Reader. The mandatory sound made a not-so-computer-savvy friend of mine install AR on her Mac until I explained to her that Preview would work fine.

Re:Mac? (0)

Anonymous Coward | more than 2 years ago | (#38287524)

A lot of Mac users are designers who may have the entire Adobe suite installed which includes Acrobat. It sucks but if you want to be a design pro you have to deal with Adobe shit, at least for 2d.

Re:Mac? (3, Informative)

ender- (42944) | more than 2 years ago | (#38287602)

I was forced to install it recently. Some PDFs from my state government required it. If I tried to open them in Preview, it complained that it needed a newer version of Acrobat Reader. So I installed it, printed what I needed, then removed it.

A lot of less technical folks though would have just kept it. Assuming they figured out that they needed to install it in the first place.

Re:Mac? (1)

antdude (79039) | more than 2 years ago | (#38287662)

With my client's three-year-old MacBook Pro and Mac OS X 10.5.8, he needed it for some weird Adobe format (forgot which it is). It was like an interactive book/slideshow.

January?? (1)

mcavic (2007672) | more than 2 years ago | (#38287310)

How about TOMORROW?

Idiots.

I think the time has come for "PDF Lite" (3, Interesting)

sootman (158191) | more than 2 years ago | (#38287318)

... or maybe just go back a few versions. No movies, no scripting, no interactivity other than hyperlinks and form elements, no live connection to the Web, no motion of any kind. Just vector shapes and a handful of well-known image formats. Please, just go back to what PDF was originally supposed to be: a virtual print that looked the same anywhere, including a small handful of well-known image formats. Oh, and make it "safe", which it never would have occurred to me to ask for in the past but I guess we need to specifically request that these days. (Hi, GM, can you please make a car without an array of eight-inch spikes in the middle of the steering wheel?) And, as long as I've got this crackpipe, I'll ask them to make the spec simple enough and open enough that anyone can make a program to generate them or read them.

I don't know what features Adobe is packing into the spec these days but to the best of my knowledge there's nothing I do today that couldn't be handled by PDF 1.2 and Acrobat 3. The only problem is, when people make PDFs, they tick the little box that says "Require Acrobat _ or greater" and I always have to update.

Re:I think the time has come for "PDF Lite" (0)

Anonymous Coward | more than 2 years ago | (#38287702)

I think you're talking about PDF-X [wikipedia.org].

Memo to Adobe: (-1, Offtopic)

kheldan (1460303) | more than 2 years ago | (#38287390)

How about you fix Flash so that it doesn't lock up my entire computer 1 time out of 10 that I go to play a YouTube video?

Acrobat Reader? (0)

Anonymous Coward | more than 2 years ago | (#38287448)

I personally prefer Foxit Reader


Why even announce this... (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38287456)

...if you're going to follow up your "zero" day announcement to the world with a statement that your "fix" for this is to release a patch that is scheduled for release in a month or so from now. What, is patching out of cycle for a zero-day vuln suddenly against someone's religion or something? That's about the only excuse that would seem somewhat sane (if you call organized religion sane) here.

If I were one of those paranoid type of guys, I would say that Adobe wrote this fucking thing themselves, and was paid to do it by all of the major computer hardware vendors in order to create a massive wave of "broken" computers just in time for holiday sales.

(Cue massive attack in 3...2...)

That could never happen, right?

Right?

Uh...right?

Good God (3, Insightful)

tsotha (720379) | more than 2 years ago | (#38287542)

It's a freakin' document reader. How did Adobe end up here? Not only is it such a bloated piece of crap it takes forever to open a document, but they seem to have one vulnerability after another. The functionality that they added for 0.0000001% of their customers isn't really worth the price they're paying.

Re:Good God (1)

SumterLiving (994634) | more than 2 years ago | (#38287834)

3 seconds to open a 46 page PDF in Adobe Reader 9 on my system. Actually on most computers I work with/on, the time to open an Adobe 9 PDF is quite quick. May be bloatware but I think the 3 second wait is rather reasonable. And if I can help others by letting them take over my system due to this exploit, well....forget that part.

It seems like every day is zero day for Adobe... (2)

thestudio_bob (894258) | more than 2 years ago | (#38287618)

I guess all the good programmers left Adobe years ago.

You're Kidding, Right? (1)

Zamphatta (1760346) | more than 2 years ago | (#38287632)

0-day that allows 1,000,000's of systems to be rooted + No update for a month & 6 days when its scheduled update is ready = How Adobe Does Business while Its Flash platform is losing Adobe's grip on the internet.

Be careful of "fixes" Adobe sends you by email. (4, Informative)

Rakarra (112805) | more than 2 years ago | (#38287652)

I and a bunch of others received emails today claiming to be from Adobe (it wasn't, as mail headers showed) that included an attachment, an .exe in a zip file.

Of course, you should never run attachments sent via email, even if the source appears trusted.

FUUUU.. (0)

Anonymous Coward | more than 2 years ago | (#38287704)

Get swamped at work when these blunders become well known...

So... (0)

Anonymous Coward | more than 2 years ago | (#38287726)

what else is new?

Attack surface (4, Insightful)

WD (96061) | more than 2 years ago | (#38287752)

I wrote it years ago, but it's still quite relevant:
http://www.cert.org/blogs/certcc/2009/06/vulnerabilities_and_software_a.html [cert.org]

Coding quality and exploit mitigations aside, there's something to be said for the size of the software that you're installing. The more code that's there, the more there is to attack. If you're using Reader, you might ask, why is there a 3D rendering engine in my PDF reader? Or maybe even do something about it.
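A defender-side way to act on the question in the comment above, as an added example that is not part of the original thread: a triage script that flags PDFs carrying 3D (U3D/PRC) content, the feature involved in this advisory, so they can be held back or opened in a viewer without a 3D engine. The sample inputs are constructed fragments and the function names are hypothetical.

```python
import re
import zlib

# PDF name tokens used by 3D annotations and 3D streams (U3D or PRC data).
MARKERS = {"3D", "3DD", "U3D", "PRC"}

# A name is "/" followed by any bytes except whitespace and PDF delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_name(raw):
    """Undo #xx hex escapes, so /#55#33#44 is read as U3D."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def find_3d_markers(pdf):
    """Return the 3D-related names seen in the file body or in any
    stream that inflates with zlib (e.g. compressed object streams)."""
    chunks = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data; its raw bytes are already in chunks[0]
    found = set()
    for chunk in chunks:
        for m in NAME_RE.finditer(chunk):
            name = decode_name(m.group(1))
            if name in MARKERS:
                found.add(name)
    return found


# Constructed sample inputs (fragments, not complete PDF files).
ANNOT = b"<< /Type /Annot /Subtype /3D /3DD 6 0 R >>"
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
ESCAPED = b"%PDF-1.7\n5 0 obj\n<< /Type /Annot /Subtype /#33#44 /3#44D 6 0 R >>\nendobj\n"
PACKED = (b"%PDF-1.7\n7 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(ANNOT) + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, data in [("plain", PLAIN), ("escaped", ESCAPED), ("packed", PACKED)]:
        print(label, sorted(find_3d_markers(data)))
```

A hit only means the file asks the reader to handle 3D content, and binary stream bytes can occasionally match by chance, so the result is a triage signal rather than a verdict.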

WTF? (2)

Hamsterdan (815291) | more than 2 years ago | (#38287756)

Why is it under Preferences | General instead of, I don't know, crazy idea, under Preferences | Security ?

And 4 weeks? They're leaving that hole open for 4 fscking weeks?

1- Announce a security flaw
2- Leave it open for a month
3- ???
4- Profit!
