Slashdot Mirror


Zero-day Exploit in PDF With Adobe Reader

hankwang writes "Security researcher Petko Petkov, who is known for his recent discovery of a vulnerability with QuickTime in Firefox, claims to have discovered an exploit that allows arbitrary code execution when a maliciously crafted PDF document is opened in any version of Adobe Reader. Petkov did not disclose any technical details other than a video, but claims on his blog that Adobe has acknowledged the vulnerability. If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."

3 of 188 comments

  1. Re:The vulnerability is in Reader not the PDF form by Nimey · Score: 5, Informative

    Foxit Reader is the canonical 3rd-party viewer for Windows: http://www.foxitsoftware.com/pdf/rd_intro.php

    Macs have Preview, Linux has Evince and others.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  2. Re:xpdf etc by eggnoglatte · Score: 5, Informative

    what corporation actually makes use of forms? Only every single one I've ever worked for. Some government offices here in Canada also provide PDF forms for situations where you have to submit a printed version of the form in the end. You could achieve something similar with web forms, except the printed version would look different depending on browser. Sometimes a consistent formatting is a real advantage. So it is either PDF forms or Word, and given a choice between the two, I definitely vote for PDF.
  3. This was never a 0Day... by JRHelgeson · Score: 5, Informative

    This was an announcement of a vulnerability that was discovered in Adobe Acrobat. There is nothing 0day about it, and it will not ever and can not ever be a 0day. Period.

    The defining characteristic of 0day is the day an EXPLOIT is RELEASED, where such exploit also serves as the ONLY vendor notification of a bug being discovered. Every adult on this list understands the definition, but the kids can't seem to grasp the not-so-subtle nuance between a 0day and the discovery of a bug in someone else's code.

    This supposedly serious disclosure referred to in the article is a non-event. There was a "press release" about a supposedly serious flaw in PDF, but there were no details, so therefore it doesn't even count as disclosure of a vulnerability as a whole.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.