Adobe Acrobat JavaScript Execution Bug

QASec.com writes to mention that Stefano Di Paola and Giorgio Fedon discovered an unpatched vulnerability in Adobe Acrobat Reader that can allow an attacker to execute arbitrary JavaScript on any hosted PDF file. People are reporting different results based on browser and Acrobat versions. Most of the major sites discussed have already fixed the problem, but many smaller sites may still need to be patched.

Foxit?

[phalse+phace]

Does this also affect Foxit reader, or is this just exclusive to Acrobat?

Which Versions?

[born4fun]

The story doesn't tell which versions are hit. Is it the latest version (8)?

I don't like PDF

[LiquidCoooled]

I recently signed up for the "send your name to wherever" thing pointed out on slash (its in my comment history somewhere)
The PDF was formed with parameters linking to a second pdf base document.

From Firefox on Windows with internet explorer disabled the pdf opened inside acrobat then proceeded to display the resulting PDF file in internet explorer.

I haven't seen IE now for ages and that made me nervous as hell.

Re:The whole architecture is fatally flawed

[abigor]

It was addressed back in the '90s. It's called client-side Java. The VM was slow to start up (it still is), and it faced hostility from Microsoft. But security was an uppermost concern, and the whole architecture is pretty nice. Maybe if the start-up problems in the VM are addressed, client-side Java will return (it's wholly server-side now, except for a few standalone apps here and there) and we'll see an end to this silly Ajax stuff.

Re:Let's be clear: bug is in Reader

[trianglman]

From what I have been reading on this it is a bug in how the browser and the reader integrate, not just with the browser and not just with the reader. And I agree, it pains me to say it but it seems that IE handles this correctly (tested myself just to be sure), but I do have to wonder why.

Re:The whole architecture is fatally flawed

[Heembo]

OMG you are smoking Java crack there boy. Client side Java has more vulnerabilities than... Javascript. I love Java, but keep it on the server where it belongs. MySpace is getting ready to consider migrating from .NET to Java, it's solid on the server. But on the client... nope.

Take this from the LAST sunsolve weekly report:

Newly Released Sun Alert Notifications

Sun Alert ID: 102729 (RESOLVED)
Synopsis: Security Vulnerabilities in the Java Runtime
                              Environment may Allow Untrusted Applets to Elevate
                              Privileges and Execute Arbitrary Code
Product: Java 2 Platform, Standard Edition
Category: Security
Date Released: 19-Dec-2006
Date Closed: 19-Dec-2006

To view this Sun Alert document please go to the following URL:
http://sunsolve.sun.com/search/document.do?assetke y=1-26-102729-1

Sun Alert ID: 102731 (RESOLVED)
Synopsis: Security Vulnerabilities Related to Serialization
                              in the Java Runtime Environment may Allow Untrusted
                              Applets to Elevate Privileges
Product: Java 2 Platform, Standard Edition
Category: Security
Date Released: 19-Dec-2006
Date Closed: 19-Dec-2006

To view this Sun Alert document please go to the following URL:
http://sunsolve.sun.com/search/document.do?assetke y=1-26-102731-1

Sun Alert ID: 102732 (RESOLVED)
Synopsis: Security Vulnerabilities in the Java Runtime
                              Environment may Allow an Untrusted Applet to Access
                              Data in Other Applets
Product: Java 2 Platform, Standard Edition
Category: Security
Date Released: 19-Dec-2006
Date Closed: 19-Dec-2006

To view this Sun Alert document please go to the following URL:
http://sunsolve.sun.com/search/document.do?assetke y=1-26-102732-1