Slashdot Mirror


Adobe Confirms Unpatched PDF Backdoor

50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Window XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."

6 of 170 comments

  1. Unsupported workaround? by techpawn · Score: 2, Interesting

    In a pre-patch advisory, Adobe offered a complicated (and unsupported) workaround for its customers
    So they want me to do what with my what? Isn't that like your mechanic telling you to do something but "if they ask, [they] didn't tell you"
    --
    Ask not what you can do for your country. Ask what your country did to you
  2. What About Foxit? by Lagged2Death · Score: 4, Interesting

    I found Adobe Reader so slow, bloated, and annoying that I switched to Foxit Reader, which is much smaller and faster. Can anyone say if the vulnerability applies to Foxit as well?

    1. Re:What About Foxit? by Anonymous Coward · Score: 1, Interesting

      No, people just like foxit and wonder why Adobe would be used.

      I hated and avoided PDFs before Foxit, because of how slow and bloated Adobe's PDF reader was, and how often it crashed my web browser. Foxit doesn't have these issues. It's free (you'll find the URL here in several posts, just find one, click the download link along the top if you see the pay version, and it'll take you to the free version).

    2. Re:What About Foxit? by Hatta · Score: 2, Interesting

      I did too. But I found a PDF that, when printed from Foxit to my HP DeskJet 1300, crashes XP hard. No blue screen, just a reboot without warning. Change the PDF reader, no crash. Change the printer, no crash. Odd. I'm wondering who I should report it to? HP or Foxit?

      --
      Give me Classic Slashdot or give me death!
  3. Re:Microsoft shares the blame, Apple blindly copie by jonwil · Score: 3, Interesting

    Something else that IE (as of last time I looked anyway) and possibly other browsers get wrong is that they try to "guess" the content of the file instead of trusting that what the web server says the file is, the file actually is. If the web server says it is text/plain, it should be rendered as plain text even if it may happen to look like HTML. If the web server says it is image/gif, it should be fed to the gif image decoder.
    RFC 2161 (HTTP 1.1) section 7.2.1 clearly says that it is ok for a client to use the filename or content of a file to identify what file type it is (and therefore what to do with it) if and ONLY IF the server does not provide a Content-Type header.
    There have actually been security flaws in the past (and may still be even now) caused because different parts of IE have a different idea of what type the file is (in particular whether the file is executable or not).

    Then again, considering how many other standards Intercrap Exploder doesn't correctly follow (RFCs and otherwise), it's hardly surprising that IE doesn't get this right.

    I do wonder if Gecko gets it right (and treats the Content-Type header as gospel) or if it violates the RFC too.
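    The rule the comment above describes, worked through as an added example (this is not code from the thread or from any browser): a client that treats the Content-Type header as authoritative and only falls back to sniffing the body or filename when the header is absent, beside a client that lets the body override the header. The function names, the tiny sniffer and the sample responses are all constructed for the example; the interesting case is a body served as text/plain that happens to look like HTML, which the two clients classify differently.

```python
"""Added example: HTTP Content-Type handling per the HTTP/1.1 rule quoted in the
comment (header wins; sniff only when no header) versus a body-sniffing client.
All responses below are constructed for the example, not captured traffic."""
import os
import re
from typing import Dict, Optional, Tuple

Response = Tuple[Dict[str, str], str, bytes]  # (headers, filename hint, body)

# Constructed sample responses (assumed, not from any real server).
RESPONSES: Dict[str, Response] = {
    # Served as plain text, but the bytes look like HTML.
    "labelled_text": ({"Content-Type": "text/plain; charset=utf-8"},
                      "notes.txt", b"<html><script>document.title='x'</script></html>"),
    # No header at all: the only RFC-permitted case for guessing.
    "unlabelled_html": ({}, "page.html", b"<!DOCTYPE html><html><body>hi</body></html>"),
    # No header and nothing recognisable.
    "unlabelled_unknown": ({}, "blob", b"\x00\x01\x02\x03"),
    # Header and content agree.
    "labelled_gif": ({"Content-Type": "image/gif"}, "logo.gif", b"GIF89a\x01\x00\x01\x00"),
}

EXTENSION_TYPES = {".txt": "text/plain", ".html": "text/html",
                   ".gif": "image/gif", ".pdf": "application/pdf"}


def sniff_body(body: bytes) -> Optional[str]:
    """Guess a media type from leading bytes; None when nothing matches.
    Deliberately small: real sniffers have many more signatures."""
    head = body[:512].lstrip()
    if head.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    if head.startswith(b"%PDF-"):
        return "application/pdf"
    if re.match(rb"(?i)(<!doctype html|<html|<script)", head):
        return "text/html"
    return None


def type_from_filename(filename: str) -> Optional[str]:
    """Extension-based guess, used only as a last resort."""
    return EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower())


def declared_type(headers: Dict[str, str]) -> Optional[str]:
    """Media type from the Content-Type header, parameters stripped."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return None


def rfc_conformant_type(resp: Response) -> str:
    """Header is authoritative; sniffing happens only when it is missing."""
    headers, filename, body = resp
    return (declared_type(headers)
            or sniff_body(body)
            or type_from_filename(filename)
            or "application/octet-stream")


def sniffing_client_type(resp: Response) -> str:
    """Models a client that lets recognisable content override the header."""
    headers, filename, body = resp
    return sniff_body(body) or rfc_conformant_type(resp)


def header_body_mismatch(resp: Response) -> bool:
    """Defender-side check: True when the declared type disagrees with what the
    body looks like, i.e. a sniffing client would handle it differently."""
    headers, _, body = resp
    declared, sniffed = declared_type(headers), sniff_body(body)
    return declared is not None and sniffed is not None and declared != sniffed


def classify_all() -> Dict[str, Tuple[str, str, bool]]:
    """(RFC-conformant type, sniffing-client type, mismatch flag) per sample."""
    return {name: (rfc_conformant_type(r), sniffing_client_type(r), header_body_mismatch(r))
            for name, r in RESPONSES.items()}


if __name__ == "__main__":
    for name, (rfc, sniff, bad) in classify_all().items():
        print(f"{name:20s} rfc={rfc:24s} sniffing={sniff:10s} mismatch={bad}")
```

    Only `labelled_text` comes out differently: the RFC-following client renders it as plain text, the sniffing client as HTML, and `header_body_mismatch` flags it. That flag is the kind of check a server operator can run over their own content to find files whose declared type disagrees with their bytes; browsers later added the `X-Content-Type-Options: nosniff` response header to let a server switch such guessing off explicitly.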

  4. Re:Microsoft shares the blame, Apple blindly copie by Fweeky · Score: 2, Interesting

    Grr, that link should be opera:config#Trust%20Server%20Types -- Slashdot ate my #