
Adobe Confirms Unpatched PDF Backdoor

CmdrTaco posted more than 6 years ago | from the machines-wide-open dept.

Security 170

50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."


170 comments

Yay! (1, Troll)

TripMaster Monkey (862126) | more than 6 years ago | (#20898617)

One more reason not to upgrade to IE7. Thanks, Microsoft!

Alternative PDF viewer? (1)

The Monster (227884) | more than 6 years ago | (#20898919)

One more reason not to upgrade to IE7.
What if you use Foxit Reader [foxitsoftware.com] instead of Adobe's PDF-handling tools?

Re:Alternative PDF viewer? (-1, Flamebait)

somersault (912633) | more than 6 years ago | (#20898957)

Doesn't matter, you probably still don't want IE7.. yuck! :P

Karma Whore (0)

Anonymous Coward | more than 6 years ago | (#20899489)

Yeah guys! IE 7.0 is the suck!

Welcome... (0)

cosmocain (1060326) | more than 6 years ago | (#20898619)

...to URI hell. No, this is no problem of MS, XP or IE7. It just affects tons of programs, the OS is - by chance - in every case XP and you need - such a coincidence - IE7. Great. So... just one tiny question: Where's the bugfix, Steve? Ah, none of your business? Sweet.

Welcome... (5, Funny)

sakdoctor (1087155) | more than 6 years ago | (#20899061)

...to hyphen hell! The rules - of style that apply to dashes - and hyphens - have evolved to support ease of reading in complex constructions; editors - often accept deviations - from them that will support, rather than --- hinder, ease of reading.

Re:Welcome... (4, Funny)

Anonymous Coward | more than 6 years ago | (#20902273)

Shatner? Is that you?

If it's only a problem on XP (1, Troll)

foniksonik (573572) | more than 6 years ago | (#20898643)

Is it really an Adobe vulnerability? Seems more like it's an IE vulnerability that has been blame-shifted to whoever writes the plugins that might expose it for what it is.

Re:If it's only a problem on XP (5, Insightful)

JoelKatz (46478) | more than 6 years ago | (#20898941)

From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw. IE, correctly, doesn't assume that a URI is invalid just because it looks odd. This is correct, because there is no way IE can know if an URI for another protocol is valid or invalid. It is the responsibility of the target program to sanitize its input, knowing full well that it comes from an untrusted source.

Re:If it's only a problem on XP (1)

ozmanjusri (601766) | more than 6 years ago | (#20899119)

From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw.

Secunia [secunia.com] disagrees with you.

What's disgraceful about this is that it's an exploit that's been known since April at least, and neither Microsoft nor Adobe have patched it.

Re:If it's only a problem on XP (1)

cnettel (836611) | more than 6 years ago | (#20899585)

Well, I wonder why it's not a Vista issue. Is it because you get a UAC prompt before opening the stuff, or something else? (Yeah, I'm being ignorant right now.) The main point is that it's possible to register URI handlers in many ways. IF you choose to do it on the command line, you need to be extremely careful. As the GP said, there is no way to tell that the URL is really invalid. What could be done would be to specify an escaping scheme to be used, but that's "only" a design error, not a bug, and anyone implementing a URI handler should consider and test how escaping is(n't) handled, to implement the unescaping properly on the receiving end (AND to consider security implications).
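Putting JoelKatz's and cnettel's points into code: the following is an added Python example (not from the article, Adobe or Microsoft) of how a command-line URI handler can treat what the browser hands it as untrusted, validate it, and start the real viewer as an argv list rather than through a command string. The scheme name `myapp:` and the viewer executable `myviewer` are assumptions for the illustration.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Assumptions for this illustration (not from the article): our handler is
# registered for the "myapp:" scheme and hands the URI on to "myviewer".
SCHEME = "myapp"
VIEWER = "myviewer"

# Characters RFC 3986 allows in a URI. A URI a browser forwards should never
# contain quotes, spaces or control bytes; anything outside this set means
# something other than a plain URI is being passed, so it is refused.
URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


class RejectedURI(ValueError):
    """Raised when the handler refuses a URI; the viewer is never started."""


def validate_uri(uri: str) -> str:
    """Accept only a plausible URI for our own scheme; raise otherwise."""
    if not uri or len(uri) > 2048:
        raise RejectedURI("empty or oversized URI")
    if not URI_CHARS.match(uri):
        raise RejectedURI("characters outside the RFC 3986 URI set")
    if uri.startswith("-"):
        # The browser gives us exactly one URI, never a command-line option.
        raise RejectedURI("URI looks like a command-line option")
    if urlsplit(uri).scheme.lower() != SCHEME:
        raise RejectedURI("unexpected scheme")
    return uri


def is_accepted(uri: str) -> bool:
    """True if validate_uri() would let the URI through."""
    try:
        validate_uri(uri)
        return True
    except RejectedURI:
        return False


def unsafe_command_string(uri: str) -> str:
    """The pattern the thread warns about: the URI is pasted into one command
    string that the shell (or the callee's own argument parsing) will split,
    so the handler has to guess how the viewer will see quotes and spaces."""
    return f'{VIEWER} "{uri}"'


def build_argv(uri: str) -> list:
    """Hardened form: one validated URI as one argv element, '--' ends option
    parsing, and no shell is involved, so there is no quoting to guess."""
    return [VIEWER, "--", validate_uri(uri)]


def launch(uri: str) -> int:
    """Start the viewer; a rejected URI never reaches subprocess."""
    return subprocess.run(build_argv(uri), shell=False).returncode


if __name__ == "__main__":
    # Constructed inputs: one ordinary URI and one that is not a URI at all.
    for candidate in ("myapp://docs/manual?page=3", 'myapp:x" --other-flag'):
        try:
            print(build_argv(candidate))
        except RejectedURI as err:
            print(f"rejected {candidate!r}: {err}")
```

The second constructed input is refused at the character-set check before any scheme parsing happens; with the argv form, even a URI that passes validation cannot be split into extra arguments, which is the property cnettel's escaping-scheme discussion is really after.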

Re:If it's only a problem on XP (2, Informative)

ozmanjusri (601766) | more than 6 years ago | (#20900103)

Well, I wonder why it's not a Vista issue. Is it because you get a UAC prompt before opening the stuff, or something else?

Other security sites do call it a Vista [securityfocus.com] issue. It looks like Vista is only OK if IE7 is running in protected mode.

Re:If it's only a problem on XP (1)

jZnat (793348) | more than 6 years ago | (#20899579)

Then whose fault is it that so many applications have had security issues lately due to how IE passes arguments to applications when launched? Is it a shitty API, or are these programmers just incompetent or ignorant of how to correctly do things?

Re:If it's only a problem on XP (0)

Anonymous Coward | more than 6 years ago | (#20901319)

What has the IE to do with security issues in other applications that can arise if you pass some stupid arguments?

It is like saying cmd.exe is insecure, because with the wrong parameters it can fuck up your whole system.

Re:If it's only a problem on XP (1)

Spy der Mann (805235) | more than 6 years ago | (#20899743)

It is an Adobe vulnerability if, after saving said PDF and opening it, you get infected.

Has this been confirmed?

Impossible (0, Troll)

Anita Coney (648748) | more than 6 years ago | (#20898655)

As we all know that Internet Explorer 7 is the most secure browser on the planet!

Re:browser or plugin issue (3, Informative)

JcMorin (930466) | more than 6 years ago | (#20898701)

The browser should be secure by itself but when a plug-in is installed by the user (like Adobe Acrobat Reader) that plug-in can execute code and do pretty much what it wants... so I would not blame IE7 for that. But I'm still happy to have never upgraded to IE7... yet.

Re:Impossible (1, Insightful)

Anonymous Coward | more than 6 years ago | (#20898753)

Hello??? What does IE7 have to do with this? The summary clearly states the problem affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3. This is an Adobe problem. Damn Microsoft bashers. Keep off of my lawn!

Informative? (0)

Anonymous Coward | more than 6 years ago | (#20898849)

As I post this, my parent post is marked "+1 Informative". For the love of vi, no! I was going for funny, I'd accept troll or flamebait, but informative?? Look, the problem emerges under the Adobe products, and ideally their code should have been more secure, but the root cause of this problem is IE7.

Now if I can get Slashdot to allow me to post a second anonymous comment before the sun sets, I'll be happy.

Disagree (0)

Anonymous Coward | more than 6 years ago | (#20899629)

Well, no. Actually, if the installation of IE7 changes the systemwide URL-handling behaviour, this is - at the very least - ALSO a Microsoft problem. AFAIK, the Firefox update from 2.0.0.6 to 2.0.0.7 had to take care of the same problem.

If an update of a system component changes the system's behaviour - in this case, the way URLs are passed on to other apps - from the behaviour used in previous versions of Windows (2000) and previous iterations of the same version (XP, XPSP1, XPSP2) - to something different and, what's more, DANGEROUSLY different, this should be the system vendor's concern, and we should not allow MS to wash their hands of this.

Also: why should other vendors have to produce lots of different versions of their product for XP alone: XP pre-SP2, XP post-SP2 without IE7, XP post-SP2 with IE7 ....

Ridiculous

Unsupported workaround? (2, Interesting)

techpawn (969834) | more than 6 years ago | (#20898675)

In a pre-patch advisory, Adobe offered a complicated (and unsupported) workaround for its customers
So they want me to do what with my what? Isn't that like your mechanic telling you to do something but "if they ask, [they] didn't tell you"

solution (0, Troll)

Anonymous Coward | more than 6 years ago | (#20898705)

use mac instead of windows

simple

Re:solution (0, Offtopic)

jimstapleton (999106) | more than 6 years ago | (#20898789)

or Firefox for a web browser and Foxit for a PDF reader.

Simpler and cheaper if you are a Windows user.

Re:solution (1, Informative)

nine-times (778537) | more than 6 years ago | (#20898883)

Cheaper? Foxit Reader for Windows is listed as $39.00 [foxitsoftware.com].

Adobe Acrobat Reader is free. How is that cheaper? Am I missing something?

Re:solution (1)

Victor Antolini (725710) | more than 6 years ago | (#20898969)

Mac is not free. PC isn't free either, but definitely cheaper than Mac

Re:solution (5, Informative)

Victor Antolini (725710) | more than 6 years ago | (#20899049)

Oh, I forgot to point out what you missed. From http://www.foxitsoftware.com/pdf/rd_intro.php [foxitsoftware.com]

Foxit Reader itself is free. As to add-ons, the critical add-ons are free while advanced add-ons are non-free. For example, you can use the following functions for free:

* View or print PDF document
* Basic PDF form operations i.e. filling out PDF forms and printing them out
* Advanced PDF form operations, such as saving filled-out forms and import/export forms, free for personal usage only
* View PDF as text
* Critical add-ons, such as UI language package, JPEG2000/JBIG decoder, CJK package, GDI+ for early Windows version, etc

The following are several examples of non-free, advanced add-ons:

* Foxit Reader Pro Pack is not free. It includes the following functions:
o Annotation
o Text viewer and text converter
o Form filler
o Spell checker
o Advanced editing tools, including loupe tool, measure tools, image tool, file attachment tool, link tools, annotation selection tool, and more

Actually without Pro Pack, you are still able to annotate a PDF document and print it out. However when you save the annotated document, it will be stamped with an evaluation mark on the top-right corner of the annotated pages. If you purchase a Pro Pack add-on, then there will be no evaluation mark.

Re:solution (1)

Creepy (93888) | more than 6 years ago | (#20899701)

This is similar to Acrobat itself - the Adobe Reader (formerly Acrobat Reader) is free, but if you want to write or annotate, you need to buy a license. I assume Foxit has to pay Adobe a royalty to create a writer, even though Acrobat itself is an open standard. Adobe has a lot of patents on both Acrobat itself and the underlying renderer, which is a subset of PostScript.

Note that the Ghostscript program allows conversion (writing) of a file format such as Word into Acrobat by printing to an Acrobat file rather than a printer, but has dual licensing as well (free only for non-commercial use). Adobe has a similar "printer" for Windows that writes Acrobat format, but I think that is also commercially licensed (I have it at work).

Re:solution (2, Informative)

X0563511 (793323) | more than 6 years ago | (#20901015)

There are GPL versions of ghostscript. They are not as up-to-date though.

The non-commercial licenced one gets new code first it seems.

See here [wisc.edu].

Re:solution (1)

jimstapleton (999106) | more than 6 years ago | (#20899033)

In addition to the other user's comment, you can download and use Foxit for free, legally, from their site. The pay version probably has special support or some other bonus.

Re:solution (1)

X0563511 (793323) | more than 6 years ago | (#20901073)

It's almost the same as the difference between Adobe Acrobat Reader, and Adobe Acrobat Pro. Foxit free lets you read, Foxit Pro lets you write.

In both cases they can all go to hell, I'll take my Ghostscript, thank you.

Re:solution (1)

Spy der Mann (805235) | more than 6 years ago | (#20899783)

Am I missing something?

Yes, the price is for the "Pro" version, which includes: Annotation, Text viewer and text converter, form filler, etc. etc. etc.

The free version, if you're only reading and printing PDF's, should suffice.

Re:solution (0)

Anonymous Coward | more than 6 years ago | (#20898863)

And what if you run Windows on your Mac? (yes, there actually are cabbage heads out there who get a Mac just to run Windows on it)
But I guess you meant "use OS X instead of Windows"..

PC = computer
Mac = computer
Windows = OS
OS X = OS

Simple.

(ps. Linux = LULZgsdhjfafhd)

Thank goodness I use foxit and firefox (0)

Anonymous Coward | more than 6 years ago | (#20898743)

Problem Solved at both ends.

Why bother with Adobe Acrobat? (0)

Anonymous Coward | more than 6 years ago | (#20898767)

It takes two eternities to start up and it hogs a mind-boggling 50mb+ on your hard drive - A true testament to how far "software engineering" has come. Sigh.

Use the Foxit Reader instead - less than 5mb in size, and fires up instantly: http://www.foxitsoftware.com/pdf/rd_intro.php [foxitsoftware.com]

High RAM usage = human progress (2, Funny)

CRCulver (715279) | more than 6 years ago | (#20898859)

Why do you hate civilization, you luddite?

Low RAM usage = human progress (1)

tepples (727027) | more than 6 years ago | (#20899101)

Why do you hate civilization, you luddite?
Citation needed that preferring efficient software amounts to hating civilization. I measure human progress in how many things a computer can do for its user at once, and for a given configuration of paid-for hardware, less RAM use per program means more progress.

Re:Low RAM usage = human progress (0)

Anonymous Coward | more than 6 years ago | (#20899643)

Citation needed for understanding a joke, dipshit. Somebody needs to stuff your ass in a locker or something.

Re:Low RAM usage = human progress (0)

Anonymous Coward | more than 6 years ago | (#20900037)

So angry over not getting a joke, how sad.

What About Foxit? (4, Interesting)

Lagged2Death (31596) | more than 6 years ago | (#20898771)

I found Adobe Reader so slow, bloated, and annoying that I switched to Foxit Reader [foxitsoftware.com], which is much smaller and faster. Can anyone say if the vulnerability applies to Foxit as well?

Re:What About GSview? (1)

anomalous cohort (704239) | more than 6 years ago | (#20899107)

I use GSview [wisc.edu]. Is that vulnerable to this backdoor exploit? I suspect that it is not because I don't believe that this PDF viewer does anything special with URLs.

Re:What About GSview? (1)

Threni (635302) | more than 6 years ago | (#20900901)

> I use GSview. Is that vulnerable to this backdoor exploit? I suspect that it is not because I don't believe that this PDF viewer does anything
> special with URLs.

It doesn't do anything special with printers either - took me 20 mins to print a 40 page document that just whizzed through using Reader.

Re:What About Foxit? (1)

wetelectric (956671) | more than 6 years ago | (#20899145)

Is there a pay-per-post thing happening right now? These 'foxit' posts seem suspect...

Re:What About Foxit? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#20899195)

No, people just like foxit and wonder why Adobe would be used.

I hated and avoided PDFs before Foxit, because of how slow and bloated Adobe's PDF reader was, and how often it crashed my web browser. Foxit doesn't have these issues. It's free (you'll find the URL here in several posts, just find one, click the download link along the top if you see the pay version, and it'll take you to the free version).

Re:What About Foxit? (0)

Anonymous Coward | more than 6 years ago | (#20901413)

No, people just like foxit and wonder why Adobe would be used.

I hated and avoided PDFs before Foxit, because of how slow and bloated Adobe's PDF reader was, and how often it crashed my web browser. Foxit doesn't have these issues. It's free (you'll find the URL here in several posts, just find one, click the download link along the top if you see the pay version, and it'll take you to the free version).

This post was brought to you by the fine folks at Foxit. If you don't Foxit you must Coxit.

Sumatra Re:What About Foxit? (1)

bubblegoose (473320) | more than 6 years ago | (#20899333)

Sumatra is even "lighter-weight" (is that a word?) than Foxit. 1MB - also runs portably

My first attempt at using FoxIt wouldn't even open a PDF (open - not print), because apparently they didn't support my default printer.

Re:Sumatra Re:What About Foxit? (1)

maskedbishounen (772174) | more than 6 years ago | (#20900043)

For those like me who have never heard of this before, Sumatra [kowalczyk.info] is an open source PDF viewer for Windows. Giving it a little whirl, it seems to render a couple manuals nicely. Links don't get parsed for easy clicking. Quick look at the forums seems to reveal it doesn't support password protected PDFs or searching.

For a very slim PDF viewer, it appears to be quite nice (and GPL to boot). Thanks to the parent for bringing it up.

Re:What About Foxit? (2, Interesting)

Hatta (162192) | more than 6 years ago | (#20899651)

I did too. But I found a pdf that when printed from foxit to my hp deskjet 1300 crashes XP hard. No blue screen, just a reboot without warning. Change the pdf reader, no crash. Change the printer, no crash. Odd. I'm wondering who I should report it to? HP or foxit?

Re:What About Foxit? (4, Informative)

darkmeridian (119044) | more than 6 years ago | (#20899693)

Foxit has a related vulnerability that requires user interaction to run the arbitrary code. The Adobe version, of course, runs the arbitrary code without the vulnerability. You could say that Foxit doesn't have the same vulnerability but it comes from the same flaw.

Dear Industry: (1, Insightful)

Anonymous Coward | more than 6 years ago | (#20898777)

Can we finally just agree to stop using native code with the full privileges of the user and no sandbox for everyday low-volume information exchange? Thanks.

Define low volume (1)

tepples (727027) | more than 6 years ago | (#20899153)

Can we finally just agree to stop using native code with the full privileges of the user and no sandbox for everyday low-volume information exchange?
Define "low volume" and we'll talk. Specifically, where should the transition between code in, say, the Python virtual machine and native C++ code occur?

Foxit (1)

aLEczapKA (452675) | more than 6 years ago | (#20898785)

Another good reason to use Foxit, small, robust and free (standard version)

http://www.foxitsoftware.com/pdf/rd_intro.php [foxitsoftware.com]

Re:Foxit (2, Informative)

nurb432 (527695) | more than 6 years ago | (#20899397)

That also isn't 100% compliant.

While I use it all the time since it is smaller and lighter (Acrobat Reader is free too btw, so that isn't a good selling point), I have noticed that some things do NOT render properly.

Have they fixed the weblink bug yet?

plus about running into this on Vista (4, Informative)

dioscaido (541037) | more than 6 years ago | (#20898795)

If it's also vulnerable on IE7 + Vista, luckily IE7 runs with such limited privileges that the code execution won't be able to do anything other than writing to the internet temp folder. That is, if you haven't turned off UAC.

Re:plus about running into this on Vista (2, Funny)

wizardforce (1005805) | more than 6 years ago | (#20899191)

If it's also vulnerable on IE7 + Vista, luckily IE7 runs with such limited privileges that the code execution won't be able to do anything other than writing to the internet temp folder. That is, if you haven't turned off UAC.
get your free ringtones/[other garbage appealing to the less technically inclined] here!!!! and if you see a UAC window, just click ok to download!

Re:plus about running into this on Vista (2, Insightful)

AeroIllini (726211) | more than 6 years ago | (#20901379)

First Rule of Internet Security:

People will install anything if it promises naked pictures.

Not a backdoor (5, Informative)

Anonymous Coward | more than 6 years ago | (#20898799)

From the information available, this is just yet another security vulnerability.

A backdoor is an intentional feature that one puts so that they can take over you computer.

Microsoft shares the blame, Apple blindly copies. (3, Insightful)

argent (18001) | more than 6 years ago | (#20898813)

URI and MIME type handling in both Windows and OSX is profoundly broken. It's second only to ActiveX in the opportunity for exploits... the basic problem is that when apps register handlers for local use (eg, 'help:' or '.chm') they are available to untrusted content by default. The fix is to have separate registries or separate flags that allow applications to explicitly register as handlers for internal use, or for use on untrusted documents.

Re:Microsoft shares the blame, Apple blindly copie (3, Interesting)

jonwil (467024) | more than 6 years ago | (#20899265)

Something else that IE (as of last time I looked anyway) and possibly other browsers get wrong is that they try to "guess" the content of the file instead of trusting that what the web server says the file is, the file actually is. If the web server says it is text/plain, it should be rendered as plain text even if it may happen to look like HTML. If the web server says it is image/gif, it should be fed to the gif image decoder.
RFC 2161 (HTTP 1.1) section 7.2.1 clearly says that it is ok for a client to use the filename or content of a file to identify what file type it is (and therefore what to do with it) if and ONLY IF the server does not provide a Content-Type header.
There have actually been security flaws in the past (and may still be even now) caused because different parts of IE have a different idea of what type the file is (in particular whether the file is executable or not)

Then again, considering how many other standards Intercrap Exploder doesn't correctly follow (RFCs and otherwise), it's hardly surprising that IE doesn't get this right.

I do wonder if Gecko gets it right (and treats the Content-Type header as gospel) or if it violates the RFC too.
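The typing rule jonwil describes, written out as an added Python example (not from the article or from any browser's code): a declared Content-Type is used as-is, and sniffing on file name or leading bytes happens only when the server sent none. The signature and extension tables are a small constructed set, an assumption standing in for a browser's much longer lists.

```python
from typing import Dict, Optional

# Constructed signature table, used only on the fallback path (assumption:
# a real client carries far more entries than these).
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]
EXTENSIONS = {
    ".pdf": "application/pdf",
    ".gif": "image/gif",
    ".png": "image/png",
    ".html": "text/html",
    ".txt": "text/plain",
}


def declared_type(headers: Dict[str, str]) -> Optional[str]:
    """Media type from the Content-Type header with parameters such as
    charset stripped, or None when the server sent no usable header."""
    for name, value in headers.items():
        if name.lower() == "content-type" and value.strip():
            return value.split(";", 1)[0].strip().lower()
    return None


def sniffed_type(body: bytes, filename: str = "") -> str:
    """Fallback used only when no Content-Type was declared: leading bytes
    first, then an HTML prefix, then the file extension, else octet-stream."""
    for magic, mtype in MAGIC:
        if body.startswith(magic):
            return mtype
    head = body[:512].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "text/html"
    lower = filename.lower()
    for ext, mtype in EXTENSIONS.items():
        if lower.endswith(ext):
            return mtype
    return "application/octet-stream"


def decide_media_type(headers: Dict[str, str], body: bytes, filename: str = "") -> str:
    """What the client treats the response as. The declared type wins
    outright, so a text/plain body that looks like HTML stays text/plain;
    content is examined only when nothing was declared."""
    declared = declared_type(headers)
    if declared is not None:
        return declared
    return sniffed_type(body, filename)


def would_render_as_html(headers: Dict[str, str], body: bytes, filename: str = "") -> bool:
    """Convenience check for the case jonwil raises: HTML-looking text that
    the server labelled text/plain must not reach the HTML renderer."""
    return decide_media_type(headers, body, filename) == "text/html"


if __name__ == "__main__":
    # Constructed response: plain text that happens to look like markup.
    body = b"<html><body><p>not really a page</p></body></html>"
    print(decide_media_type({"Content-Type": "text/plain; charset=utf-8"}, body))  # text/plain
    print(decide_media_type({}, body))  # text/html, no header so sniffing is allowed
```

The security-relevant line is the early return in `decide_media_type`: whatever a client's sniffing logic does, it is reachable only when the header is absent, which is the behaviour jonwil reads the RFC as requiring.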

Re:Microsoft shares the blame, Apple blindly copie (1, Insightful)

Anonymous Coward | more than 6 years ago | (#20900259)

I do wonder if Gecko gets it right (and treats the Content-Type header as gospel) or if violates the RFC too.

My guess is that they try to do the right thing, but have drifted toward RFC violation in the name of "compatibility". That seems to be the standard course when users are trained that the MS way is the right way, other apps are viewed as inferior because "it works under IE".

Re:Microsoft shares the blame, Apple blindly copie (1)

suv4x4 (956391) | more than 6 years ago | (#20901439)

My guess is that they try to do the right thing, but have drifted toward RFC violation in the name of "compatibility". That seems to be the standard course when users are trained that the MS way is the right way, other apps are viewed as inferior because "it works under IE".

Ever thought why IE does it this way? It's because the servers (*cough* Apache *cough*) have historically, and still have plenty of the mime types wrong. They report mime type, but the wrong one. Anything that's not image or html is text to them.

Well, IE did what they had to make web pages work.

Firefox does it too, again, because of the servers.

I'm sorry if it's not as simple as "IE sucks" for you.

Re:Microsoft shares the blame, Apple blindly copie (1)

Fweeky (41046) | more than 6 years ago | (#20900321)

I'm pretty sure all the major browsers do some guessing these days, since there are a lot of misconfigured servers out there; CSS, JS, images, even HTML end up being served as text/plain or application/octet-stream, and people expect them to work.

In Opera it can be configured from opera:config [opera] under User Prefs -> Trust Server Types. I can't find an equivalent in Firefox.

Re:Microsoft shares the blame, Apple blindly copie (2, Interesting)

Fweeky (41046) | more than 6 years ago | (#20900371)

Grr, that link should be opera:config#Trust%20Server%20Types -- Slashdot ate my #

This is not up to the browser (1)

argent (18001) | more than 6 years ago | (#20900733)

I'm pretty sure all the major browsers do some guessing these days, since there are a lot of misconfigured servers out there

It doesn't matter what the browser does. The problem is that when the browser goes to resolve a URI, it sees one list of URI and mime-type handlers (and, in the case of Windows, ActiveX controls) that are used both for local content (for example, "help:" on OSX and the ".chm" handler on Windows) and global (for example, "http:" or ".html").

Applications, like a help viewer, that are not intended to be used by untrusted objects, are frequently subject to attacks that more paranoid applications designed for the web aren't. In some cases, like the control panel applets in Windows and the script handlers on both platforms, they can't be made secure because they need to do dangerous things.

There needs to be a way for an application to register it as a handler for internal, local use only... and that needs to be the default for applications that have not upgraded to the new API. There needs to be a way for applications that are handling untrusted objects to request only handlers that have explicitly registered as "secure"... and, ideally, it should be possible to make that the default for an application that has not yet upgraded to the new API.

Windows has a second problem that isn't shared by other desktops, in that the mechanism used to call a program is more like the UNIX "system" API than the UNIX "exec" API... and the calling application has to guess how the called application will interpret things like quotes.

Regardless of how the browser decides what the mime-type is, there must be a way for the browser to request from the OS a list of handlers that will always use a sandbox when displaying the content, regardless of its nominal source.
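A model of the split registry argent proposes (here and in his earlier post), written as an added Python example that is not from the article, Windows or OS X: handlers register for "local" use by default, may claim to handle untrusted content only if they also declare a sandbox, legacy registrations are local-only, and a browser resolving a handler for foreign content gets only the sandboxed, explicitly untrusted-capable ones. Scope names, the example keys and the handler names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class Scope(Enum):
    LOCAL = "local"          # content the machine itself produced (help:, .chm)
    UNTRUSTED = "untrusted"  # explicitly registered as safe for foreign content


@dataclass
class Handler:
    name: str
    scopes: Set[Scope]
    sandboxed: bool = False  # handler promises to display content in a hard sandbox


class HandlerRegistry:
    """Keys are URI schemes ('help:') or types ('.chm', 'application/pdf').
    Each handler records the scopes it registered for and whether it
    sandboxes what it displays; resolution filters on both."""

    def __init__(self) -> None:
        self._handlers: Dict[str, List[Handler]] = {}

    def register(self, key: str, name: str, scopes: Set[Scope], sandboxed: bool = False) -> Handler:
        # A handler may only claim to be safe for untrusted content if it
        # also declares a sandbox; the registry refuses the combination.
        if Scope.UNTRUSTED in scopes and not sandboxed:
            raise ValueError(f"{name}: untrusted scope requires a sandbox")
        handler = Handler(name, set(scopes), sandboxed)
        self._handlers.setdefault(key.lower(), []).append(handler)
        return handler

    def register_legacy(self, key: str, name: str) -> Handler:
        """Handlers written against the old API said nothing about trust, so
        the default for them is local use only."""
        return self.register(key, name, {Scope.LOCAL})

    def resolve(self, key: str, content_trusted: bool) -> Optional[Handler]:
        """Pick a handler for the key. Trusted (user-initiated) requests may
        use anything; requests on behalf of untrusted content get only
        handlers that registered for that scope and are sandboxed."""
        candidates = self._handlers.get(key.lower(), [])
        if content_trusted:
            return candidates[0] if candidates else None
        for handler in candidates:
            if Scope.UNTRUSTED in handler.scopes and handler.sandboxed:
                return handler
        return None


def build_demo_registry() -> HandlerRegistry:
    """Constructed registry with the kinds of entries the thread mentions."""
    reg = HandlerRegistry()
    reg.register_legacy("help:", "Help Viewer")   # local-only by default
    reg.register_legacy(".chm", "HTML Help")      # local-only by default
    reg.register("http:", "Web Browser", {Scope.LOCAL, Scope.UNTRUSTED}, sandboxed=True)
    reg.register("application/pdf", "PDF Viewer", {Scope.LOCAL, Scope.UNTRUSTED}, sandboxed=True)
    return reg


def handler_name_for(key: str, content_trusted: bool) -> Optional[str]:
    """Name of the handler the demo registry would pick, or None."""
    handler = build_demo_registry().resolve(key, content_trusted)
    return handler.name if handler else None


if __name__ == "__main__":
    for key in ("help:", ".chm", "http:", "application/pdf"):
        print(key, "from untrusted content ->", handler_name_for(key, content_trusted=False))
        print(key, "from the user          ->", handler_name_for(key, content_trusted=True))
```

The two defaults carry the policy: `register_legacy` puts unmodified applications out of reach of web content, and `resolve` with `content_trusted=False` is what a browser would call, so a help viewer or control-panel applet that never opted in is simply not a candidate.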

Re:This is not up to the browser (1)

weicco (645927) | more than 6 years ago | (#20901859)

Windows has a second problem that isn't shared by other desktops, in that the mechanism used to call a program is more like the UNIX "system" API than the UNIX "exec" API... and the calling application has to guess how the called application will interpret things like quotes.

I have never thought that it is UNIX way to not to check and sanitize input. Have I done wrong all these years when I've checked everything that user, be it real person or another app, inputs?

PS - the value of trust. (1)

argent (18001) | more than 6 years ago | (#20900825)

PS: It's not the *type* that is trusted or not trusted... it's the *application* that's supposed to display it. No attribute of a file downloaded from an untrusted source (and all web pages, no matter where located, are 'untrusted') should ever need to be correct for trust to be maintained, and only the user should be able to request that a file be granted any kind of trust.

That means, a downloaded file is not unpacked, installed, or otherwise opened unless there is a trusted viewer that maintains a hard sandbox registered for it, OR the user selects the file and requests that it be opened, installed, unpacked, etcetera. And that trusted viewer, in turn, must not install or unpack a file outside of a sandbox that normal applications won't stumble into.

I don't know of any system that maintains this level of security without custom user configuration, but nothing else is acceptable.

That shouldn't have an effect on security. (1)

argent (18001) | more than 6 years ago | (#20900881)

Something else that IE (as of last time I looked anyway) and possibly other browsers get wrong is that they try to "guess" the content of the file instead of trusting that what the web server says the file is, the file actually is.

If the OS and the browser were configured correctly, and the browser maintained a hard sandbox and the OS made it possible for it to know reliably what helper applications and plugins also maintained a hard sandbox, then it wouldn't matter whether the MIME type was guessed or not... because there would be no mechanism for it to be passed to an application that would allow the content to execute if the type were wrong.

THAT is the real problem, that the Windows registry and Apple's LaunchServices can not be trusted to securely handle untrusted content.

IE, itself, has additional problems because it has internal components that themselves are not secure, and so it can be tricked into executing code even without using naive helper applications. That's a whole different class of problems and one that is, so far at least, limited to IE and (to a far lesser extent) Firefox.

Re:Microsoft shares the blame, Apple blindly copie (1)

badboy_tw2002 (524611) | more than 6 years ago | (#20901961)

"Intercrap Exploder"

Its too bad Ponce De Leon didn't live in the modern era. He would have finally found the fountain of youth in the Internet and its magical ability to make its users sound like 12 year olds.

Mod offtopic + Troll + Flamebait (0, Flamebait)

GonzoTech (613147) | more than 6 years ago | (#20898833)

Typical Adobe. This business model approach is startling, but the good news is that it hasn't reached Microsoft's proportions of stupidity. On a side note, ... The flavor text at the bottom of the page, "If the rich could pay the poor to die for them, what a living the poor could make!" Don't Republicans already do this with our soldiers in Iraq?

Re:Mod offtopic + Troll + Flamebait (0)

Anonymous Coward | more than 6 years ago | (#20899273)

Don't Republicans already do this with our soldiers in Iraq?

Do you really believe in everything that Algore, the inventor of the Internets, says? Please go to the window and buy a clue.

Perhaps this would also be a good time... (1)

popo (107611) | more than 6 years ago | (#20898915)

To reduce the horrendous bloat of Acrobat Reader?

If only Adobe hadn't purchased Macromedia....FlashPaper had such promise...

Sklyarov? (4, Funny)

Speare (84249) | more than 6 years ago | (#20898921)

The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed.

Did Adobe ask the feds to lock up the person who publicly disclosed this flaw? Or do they just save that treatment for the publication of flaws in eBook products that blind people can't use in Russia?

"computers with Internet Explorer 7 installed" (1)

Yurka (468420) | more than 6 years ago | (#20898999)

Just in time for the forced update from MS then? Perfect.

Please recommend a good non-adobe reader (1)

Maxo-Texas (864189) | more than 6 years ago | (#20899021)

All I do is read pdf's.

Just like OpenOffice is immune to Word viruses --- is there a recommended non-Adobe PDF reader folks would recommend?

I'm getting tired of the "Please upgrade to version 7" warnings anyway.

Re:Please recommend a good non-adobe reader (3, Informative)

Lisandro (799651) | more than 6 years ago | (#20899151)

The only one I've heard of (for Windows) is Foxit PDF reader [foxitsoftware.com], which is about 2MB - never tried it myself though. On Linux, Evince [gnome.org] works great, and has had no issues with everything I've thrown at it.

Re:Please recommend a good non-adobe reader (0)

Anonymous Coward | more than 6 years ago | (#20899233)

I'm getting tired of the "Please upgrade to version 7" warnings anyway.
Don't worry, you won't get those any more...

They're at version 8 now.
Foxit Reader [foxitsoftware.com]

Re:Please recommend a good non-adobe reader (1)

DrVomact (726065) | more than 6 years ago | (#20900263)

I'm getting tired of the "Please upgrade to version 7" warnings anyway.

Obviously, you've been wise enough not to do this. That's a good thing, because in addition to more bloat, V7 of Reader also enables all your Adobe applications (like PhotoShop and FrameMaker) to call home. Both at work and at home, those two apps started trying to contact the Adobe mothership every time they started. (I believe this is due to a new "feature" Adobe calls "Adobe Online".)

At first I backed out V7 and tried Foxit. It's pretty good, but I quickly found some inconveniences. I wound up reinstalling an old version of Adobe Reader I had lying around, and it hasn't given me any problems.

Re:Please recommend a good non-adobe reader (1)

olyar (591892) | more than 6 years ago | (#20901011)

I've used Brava Reader [bravaviewer.com] for a while now. It views PDFs and lets you print a region of a page, as well as "calibrate" a measurement tool against a known dimension on the page.

Useful if you're working with PDFs of house plans, which I frequently am.

It's free, but the software expires periodically and you have to download and install a newer version.

kpdf (1)

ChrisMaple (607946) | more than 6 years ago | (#20901921)

kpdf under Linux is decent. It has some rendering problems, but it usually works. Scrolling is instantaneous, whereas acroread re-renders each time you hit the down arrow. Expect to lose a lot of functionality, but if what you need is speed on a slow computer, kpdf wins.

Stop external links? (1)

140Mandak262Jamuna (970587) | more than 6 years ago | (#20899047)

I always disable JavaScript and opening external links in the PDF reader. Is this enough protection? Or am I still vulnerable? Is it possible to write a NoScript-like extension for acroreader?
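The settings in the post above (JavaScript off, external links off) correspond to specific action dictionaries in the PDF file format, and a defender can check for those before a file ever reaches a viewer. The following is an added example, not code from the original thread, Adobe, or any of the readers mentioned: it scans a PDF's raw bytes for the PDF-specification action and trigger names (/JavaScript, /JS, /OpenAction, /AA, /Launch, /URI, /SubmitForm, /EmbeddedFile), undoes the #xx name escapes and FlateDecode stream compression that a naive string search would miss, and turns the hits into a simple score. The sample PDFs, the weights, and the threshold are constructed for the demonstration.

```python
import re
import zlib
from typing import Dict

# Constructed sample (not a real malicious file): a one-page PDF whose /OpenAction
# runs a JavaScript action and whose only annotation is an external /URI link.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same structure with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a /Launch action dictionary hidden in a FlateDecode stream,
# which a plain search over the raw bytes never sees.
COMPRESSED_PDF = (
    b"%PDF-1.4\n6 0 obj << /Length 0 /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /Launch >>")
    + b"\nendstream\nendobj\n%%EOF\n"
)

# Real PDF name objects (actions and triggers); the weights are our own assumption.
RISKY_NAMES = {
    b"/JavaScript": 2,   # JavaScript action dictionary
    b"/JS": 2,           # the script itself (string or stream)
    b"/OpenAction": 2,   # action executed when the document is opened
    b"/AA": 1,           # additional actions (page open, mouse and form events)
    b"/Launch": 3,       # launch an external application
    b"/URI": 1,          # external link (the "external links" the post disables)
    b"/SubmitForm": 1,   # send form data to a URL
    b"/EmbeddedFile": 1, # file attachment
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every zlib-compressed stream to the raw bytes."""
    parts = [data]
    for match in _STREAM.finditer(data):
        try:
            parts.append(zlib.decompress(match.group(1)))
        except zlib.error:
            pass  # not FlateDecode (or damaged); the raw bytes are still scanned
    return b"\n".join(parts)


def normalise_names(data: bytes) -> bytes:
    """Undo #xx escapes so /Java#53cript is seen as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count occurrences of each risky name token after inflating and normalising."""
    text = normalise_names(inflate_streams(data))
    counts: Dict[str, int] = {}
    for name in RISKY_NAMES:
        # A name token ends at whitespace or a delimiter, so /JS must not match /JSX.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, text))
        if hits:
            counts[name.decode()] = hits
    return counts


def risk_score(data: bytes) -> int:
    return sum(RISKY_NAMES[name.encode()] * n for name, n in scan_pdf(data).items())


def is_suspicious(data: bytes, threshold: int = 2) -> bool:
    """Active content (JavaScript, Launch, OpenAction) crosses the threshold;
    a lone /URI link scores 1 and does not."""
    return risk_score(data) >= threshold


if __name__ == "__main__":
    for label, pdf in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF),
                       ("compressed", COMPRESSED_PDF)):
        print(label, scan_pdf(pdf), "score", risk_score(pdf), "flag", is_suspicious(pdf))
```

Two caveats a practitioner should keep in mind: real object streams can be wrapped in filters other than FlateDecode, and a name can be split across an incremental update, so a triage scan like this is a first pass, not a substitute for opening the file in a viewer with JavaScript disabled or in an isolated environment.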

Re:Stop external links? (1)

wizardforce (1005805) | more than 6 years ago | (#20899339)

You mean you didn't set NoScript to block other plugins too? Or did you mean an update for NoScript, much like the one that protects against that cross-site scripting mess?

Re:Stop external links? (1)

140Mandak262Jamuna (970587) | more than 6 years ago | (#20899417)

NoScript runs inside Firefox. I am thinking of a way a third party could write code and give it to me that runs inside acroreader and blocks it from doing things I don't want it to do. In fact I would like some kind of code that will sandbox any application given to it. Something like "sandbox acroreader" should run acroreader and allow it to make all kinds of calls to the registry and disk etc., but none of these commands get past the sandbox environment. When I close it I can examine all the changes acroreader (or anything else) tried to make to the OS and selectively allow/deny some changes to persist. Pipe dream?

Re:Stop external links? (1)

wizardforce (1005805) | more than 6 years ago | (#20900057)

Sigh... it's been a while since I actually toyed with Windows, but surely there is a way to run single programs under a different user account. Other than that I'd suggest you try SourceForge and see what there is on sandboxed environments. Then there is the option to use alternate programs to view PDFs; Foxit seems like a good one from prior posts. There are others, but I don't know which ones have been ported to Windows. Though I wonder what happens if you were to run programs like a PDF reader under a VM under another OS... any code that can execute in a particular OS probably won't run under another one. So what would happen if you ran one OS inside of another and tried this? Linux running through a VM shouldn't be affected by the security hole in a PDF reader... unless it is OS-agnostic, then we have a problem.

Hackers ? (0, Flamebait)

kjhambrick (111698) | more than 6 years ago | (#20899323)

"Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Window XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."

Uhhh ... WTF is a hacker ?

Interesting (1)

trifish (826353) | more than 6 years ago | (#20899707)

Note to all saying that there's no difference between Vista and XP:

The official Adobe advisory [adobe.com] states: "Vista users are not affected".

Now let the downplay begin.

Re:Interesting (2, Funny)

Anonymous Coward | more than 6 years ago | (#20899895)

That's because no one's figured out how to install Acrobat on Vista yet.

They are lying (1)

SmallFurryCreature (593017) | more than 6 years ago | (#20900409)

Vista is just as much affected; the bug is there, it's just that on Vista with UAC on by default it can't do much more than write to the tmp folder. If UAC is turned off, you are vulnerable to whatever somebody can cook up.

Since UAC is one of the more hated elements of Vista, I would guess that a lot of people have it switched off. So the bug is still there; it just can do less direct harm (do you really want a malicious coder to be able to write anything at all to your HD?)

too security too dangerous (1)

syedelyas (1159799) | more than 6 years ago | (#20899949)

50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Window XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D." The most notable thing is that most users seem to put great trust in PDF, the "protected document file", but if there is such a mess in it, too many things can be dumped just like that. As we know, once a little vulnerability is found in it, many "good users" will try to find more and more holes in it.