Slashdot Mirror


Adobe Confirms Unpatched PDF Backdoor

50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."

7 of 170 comments

  1. Re:Impossible by Anonymous Coward · Score: 1, Insightful

    Hello??? What does IE7 have to do with this? The summary clearly states the problem affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3. This is an Adobe problem. Damn Microsoft bashers. Keep off of my lawn!

  2. Dear Industry: by Anonymous Coward · Score: 1, Insightful

    Can we finally just agree to stop using native code with the full privileges of the user and no sandbox for everyday low-volume information exchange? Thanks.

  3. Microsoft shares the blame, Apple blindly copies. by argent · Score: 3, Insightful

    URI and MIME type handling in both Windows and OSX is profoundly broken. It's second only to ActiveX in the opportunity for exploits... the basic problem is that when apps register handlers for local use (eg, 'help:' or '.chm') they are available to untrusted content by default. The fix is to have separate registries or separate flags that allow applications to explicitly register as handlers for internal use, or for use on untrusted documents.

  4. Re:If it's only a problem on XP by JoelKatz · Score: 5, Insightful

    From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw. IE, correctly, doesn't assume that a URI is invalid just because it looks odd. This is correct, because there is no way IE can know if a URI for another protocol is valid or invalid. It is the responsibility of the target program to sanitize its input, knowing full well that it comes from an untrusted source.
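
Added example, not part of any comment in the thread: a minimal Python model of the design argent proposes (a handler must opt in before untrusted content can reach it), combined with JoelKatz's point that the target program validates its own input. `HandlerRegistry`, `allow_untrusted`, `mail_handler` and the sample URIs are hypothetical names constructed for illustration, not a Windows or OS X API.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlsplit


@dataclass
class Handler:
    run: Callable[[str], str]
    allow_untrusted: bool = False  # default: internal use only


class HandlerRegistry:
    """Hypothetical scheme registry; not a Windows or OS X API."""

    def __init__(self) -> None:
        self._handlers: Dict[str, Handler] = {}

    def register(self, scheme: str, run: Callable[[str], str],
                 allow_untrusted: bool = False) -> None:
        self._handlers[scheme.lower()] = Handler(run, allow_untrusted)

    def dispatch(self, uri: str, from_untrusted: bool) -> str:
        scheme = urlsplit(uri).scheme.lower()
        handler = self._handlers.get(scheme)
        if handler is None:
            raise LookupError(f"no handler for scheme {scheme!r}")
        # Untrusted documents reach only handlers that opted in.
        if from_untrusted and not handler.allow_untrusted:
            raise PermissionError(f"{scheme!r} is registered for internal use only")
        return handler.run(uri)


ADDRESS = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+")


def mail_handler(uri: str) -> str:
    # The target program validates its own input; the caller cannot.
    address = uri.split(":", 1)[1]
    if not ADDRESS.fullmatch(address):
        raise ValueError("rejected malformed mailto target")
    return f"compose:{address}"


def build_registry() -> HandlerRegistry:
    reg = HandlerRegistry()
    reg.register("help", lambda uri: f"help-viewer:{uri}")  # internal only
    reg.register("mailto", mail_handler, allow_untrusted=True)
    return reg
```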

  5. Re:Microsoft shares the blame, Apple blindly copie by Anonymous Coward · Score: 1, Insightful

    I do wonder if Gecko gets it right (and treats the Content-Type header as gospel) or if it violates the RFC too.

    My guess is that they try to do the right thing, but have drifted toward RFC violation in the name of "compatibility". That seems to be the standard course when users are trained that the MS way is the right way, other apps are viewed as inferior because "it works under IE".

  6. Re:plus about running into this on Vista by AeroIllini · Score: 2, Insightful

    First Rule of Internet Security:

    People will install anything if it promises naked pictures.

    --
    For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.

  7. Re:What About Foxit? by msuarezalvarez · Score: 4, Insightful

    I'm wondering who I should report it to? HP or foxit?

    To Microsoft. If a PDF reader can crash the OS, it's their bug.