Slashdot Mirror


Zero-day Exploit in PDF With Adobe Reader

hankwang writes "Security researcher Petko Petkov, who is known for his recent discovery of a vulnerability with Quicktime in Firefox, claims to have discovered an exploit that allows arbitrary code execution when a maliciously crafted PDF document is opened in any version of Adobe Reader. Petkov did not disclose any technical details other than a video, but claims on his blog that Adobe has acknowledged the vulnerability. If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."

6 of 188 comments

  1. The vulnerability is in Reader not the PDF format by NevarMore · · Score: 3, Insightful

    It's still a big effing deal, because Reader is the most accessible and widely used PDF viewer out there.

    So in the interest of the public, what alternative PDF readers can people use?

    In addition to that I hope Adobe clues in and realizes, Reader is there to READ AND DISPLAY PDFs and nothing else. The last time I installed it under XP on my office workstation it wanted to shovel a bunch of crap into the tray and seemed to have a lot more cruft than it needed to. This is different from what I remember it being in High School where it was a simple viewer so the customers who paid for Acrobat had an easy way to tell their readers how to open the PDFs. It has since morphed into a product instead of just a utility.

  2. Re:Foxit reader is a good substitute. by Arkaic · · Score: 5, Insightful

    That may not be much better, according to a follow-up comment by the discoverer of the exploit:

    "Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit."

  3. Re:xpdf etc by kebes · · Score: 5, Insightful

    Lacking features can be a good thing.

    I think the sensible strategy, in terms of performance and security, is to use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features. Acrobat is a rather large program (some might say "bloated") and it supports a wide variety of features, plugins, etc. It's a fact of life that supporting all those additional features (which are rarely used in a document) increases the program's resource requirements, and makes security vulnerabilities "more likely" (for every feature you add, there's another chance for a bug, and another attack vector).

    So, again, I think the sensible strategy is to use a fast, minimalist PDF reader (which, hopefully, is simple enough that it is fairly secure: that is, no plugins that can run arbitrary code). Then, when you encounter those PDFs that need those extra features, you load them using Acrobat, assuming you trust them. In my experience, PDFs that use anything beyond the basic features are rare enough that this isn't much of a burden. It's a fallacy to think that every program that supports a given filetype needs to "do it all"--different programs have different uses.

  4. Re:xpdf etc by cortana · · Score: 3, Insightful

    DRM, execution of JavaScript code and selective toggling of layers.

  5. Re:xpdf etc by zCyl · · Score: 3, Insightful

    At least xpdf does respect the restriction flags in PDFs. For example, it won't let you print a PDF if the no-print flag is set.

    An intentional defect is not a feature.
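The two features the xpdf sub-thread keeps coming back to, JavaScript actions that a viewer may execute and the restriction flags that a viewer may or may not honour, are both plain name tokens in the file and can be triaged before a document is ever opened in Reader. The script below is an added example written for this page; it is not code from the original story, from Petko Petkov, or from any of the commenters, and the two PDF byte strings in it are constructed samples, not files from the wild. It scans raw bytes for active-content dictionary keys (/OpenAction, /AA, /JavaScript, /JS, /Launch and friends, all real PDF 1.x keys), undoes the `#xx` hex escaping that can hide a name from a naive grep, and decodes the /P permissions integer of the standard security handler, whose bit 3 is the "print" flag zCyl mentions. The bit positions follow the PDF 1.7 specification; the risk labels are my own triage wording.

```python
import re

# Real PDF dictionary keys that mean "this document does something beyond displaying
# pages".  The descriptions are triage wording chosen for this example, not spec text.
SUSPICIOUS_NAMES = {
    b"/OpenAction": "action executed when the document is opened",
    b"/AA": "additional actions (page/annotation/form events)",
    b"/JavaScript": "JavaScript action dictionary",
    b"/JS": "JavaScript source (string or stream)",
    b"/Launch": "launch an external application",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "rich media annotation (Flash etc.)",
    b"/AcroForm": "interactive form",
    b"/ObjStm": "compressed object stream: names inside it are NOT visible to this scan",
}

# A name token runs from '/' up to the next whitespace or delimiter; '#' is allowed
# inside a name and introduces a two-hex-digit escape (so /J#61vaScript == /JavaScript).
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# PDF 1.7, Table 3.20: user access permissions, bit positions counted from 1 at the LSB.
PERMISSION_BITS = {
    "print": 3,
    "modify": 4,
    "copy": 5,
    "annotate": 6,
    "fill_forms": 9,
    "extract_accessibility": 10,
    "assemble": 11,
    "print_high_quality": 12,
}


def _unescape_name(token):
    """Resolve #xx escapes so obfuscated names compare equal to their plain spelling."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def scan_pdf(data):
    """Count occurrences of each suspicious name token in the raw file bytes.

    This is a byte-level triage pass, not a PDF parser: it cannot see inside
    FlateDecode'd object streams, which is why /ObjStm is itself reported."""
    findings = {}
    for m in _NAME_TOKEN.finditer(data):
        name = _unescape_name(m.group(0))
        if name in SUSPICIOUS_NAMES:
            key = name.decode("latin-1")
            findings[key] = findings.get(key, 0) + 1
    return findings


def find_permissions(data):
    """Return the /P integer from the standard security handler, or None if the
    file is not encrypted.  The negative lookahead skips '/P n 0 R', the page
    back-reference key that annotation dictionaries also spell /P."""
    if b"/Encrypt" not in data:
        return None
    m = re.search(rb"/P\s+(-?\d+)\b(?!\s+\d+\s+R)", data)
    return int(m.group(1)) if m else None


def decode_permissions(p):
    """Map the signed 32-bit /P value to named booleans (True = allowed).

    Note that these flags are advisory: only a viewer that chooses to honour them
    (as xpdf does for no-print) turns them into an actual restriction."""
    bits = p & 0xFFFFFFFF
    return {name: bool(bits & (1 << (pos - 1))) for name, pos in PERMISSION_BITS.items()}


def triage(data):
    """Combine both checks into one report for a document."""
    p = find_permissions(data)
    return {
        "active_content": scan_pdf(data),
        "permissions": decode_permissions(p) if p is not None else None,
    }


# Constructed sample 1: an OpenAction that runs JavaScript, with the action name hex-escaped.
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj <</Type /Catalog /Pages 2 0 R /OpenAction 4 0 R>> endobj\n"
    b"2 0 obj <</Type /Pages /Kids [3 0 R] /Count 1>> endobj\n"
    b"3 0 obj <</Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]>> endobj\n"
    b"4 0 obj <</S /J#61vaScript /JS (app.alert('constructed sample');)>> endobj\n"
    b"trailer <</Root 1 0 R>>\n%%EOF\n"
)

# Constructed sample 2: no active content, but encrypted with /P -3904 (every permission
# bit cleared, only the reserved bits set), plus an annotation whose /P is a page reference.
RESTRICTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj <</Type /Catalog /Pages 2 0 R>> endobj\n"
    b"2 0 obj <</Type /Pages /Kids [3 0 R] /Count 1>> endobj\n"
    b"3 0 obj <</Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R]>> endobj\n"
    b"4 0 obj <</Type /Annot /Subtype /Link /P 3 0 R /Rect [0 0 10 10]>> endobj\n"
    b"5 0 obj <</Filter /Standard /V 1 /R 2 /Length 40 /P -3904 /O (x) /U (y)>> endobj\n"
    b"trailer <</Root 1 0 R /Encrypt 5 0 R /ID [<00> <00>]>>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_PDF), ("restricted", RESTRICTED_PDF)):
        print(label, triage(doc))
```

Run against a real file with `triage(open(path, "rb").read())`. A non-empty `active_content` is a reason to open the document in a viewer that cannot execute scripts rather than in Reader; a `/ObjStm` hit means the result is inconclusive and the file needs a real parser that inflates object streams.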

  6. Re:xpdf etc by Yvan256 · · Score: 3, Insightful

    I was a sysop of my own BBS, back in '91. We didn't have PDF back then, but most people could understand how to reply to a text application just fine.
    And back then, people who used computers knew how computers work.

    This is 2007, where people don't even know the differences between .txt, .rtf, .doc, .pdf or .html