Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-day Exploit in PDF With Adobe Reader

Posted by CowboyNeal on from the be-on-alert dept.

hankwang writes "Security researcher Petko Petkov, who is known for his recent discovery of a vulnerability with Quicktime in Firefox, claims to have discovered an exploit that allows arbitrary code execution when a maliciously crafted PDF document is opened in any version of Adobe Reader. Petkov did not disclose any technical details other than a video, but claims on his blog that Adobe has acknowledged the vulnerability. If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."

2 of 188 comments (clear)

  1. Re:Foxit reader is a good substitute. by Arkaic · · Score: 5, Insightful

    That may not be much better. According to a follow up comment by the discoverer of the exploit.

    "Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit."

  2. Re:xpdf etc by kebes · · Score: 5, Insightful

    Lacking features can be a good thing.

    I think the sensible strategy, in terms of performance and security, is to use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features. Acrobat is a rather large program (some might say "bloated") and it supports a wide variety of features, plugins, etc. It's a fact of life that supporting all those additional features (which are rarely used in a document) increases the program's resource requirements, and make security vulnerabilities "more likely" (for every feature you add, there's another chance for a bug, and another attack vector).

    So, again, I think the sensible strategy is to use a fast, minimalist PDF reader (which, hopefully, is simple enough that it fairly secure: that is, no plugins that can run arbitrary code). Then, when you encounter those PDFs that need those extra features, you load them using a Acrobat, assuming you trust them. In my experience, PDFs that use anything beyond the basic features are rare enough that this isn't much of a burden. It's a fallacy to think that every program that supports a given filetype needs to "do it all"--different programs have different uses.