Slashdot Mirror


Adobe Confirms Unpatched PDF Backdoor

50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."

10 of 170 comments

  1. What About Foxit? by Lagged2Death · · Score: 4, Interesting

    I found Adobe Reader so slow, bloated, and annoying that I switched to Foxit Reader, which is much smaller and faster. Can anyone say if the vulnerability applies to Foxit as well?

    1. Re:What About Foxit? by darkmeridian · · Score: 4, Informative

      Foxit has a related vulnerability that requires user interaction to run the arbitrary code. The Adobe version, of course, runs the arbitrary code without the vulnerability. You could say that Foxit doesn't have the same vulnerability but it comes from the same flaw.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    2. Re:What About Foxit? by msuarezalvarez · · Score: 4, Insightful

      I'm wondering who I should report it to? HP or foxit?

      To Microsoft. If a PDF reader can crash the OS, it's their bug.

  2. plus about running into this on Vista by dioscaido · · Score: 4, Informative

    If it's also vulnerable on IE7 + Vista, luckily IE7 runs with such limited privileges that the code execution won't be able to do anything other than writing to the internet temp folder. That is, if you haven't turned off UAC.

  3. Not a backdoor by Anonymous Coward · · Score: 5, Informative

    From the information available, this is just yet another security vulnerability.

    A backdoor is an intentional feature that one puts so that they can take over your computer.

  4. Sklyarov? by Speare · · Score: 4, Funny

    The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed.

    Did Adobe ask the feds to lock up the person who publicly disclosed this flaw? Or do they just save that treatment for the publication of flaws in eBook products that blind people can't use in Russia?

    --
    [ .sig file not found ]
  5. Re:If it's only a problem on XP by JoelKatz · · Score: 5, Insightful

    From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw. IE, correctly, doesn't assume that a URI is invalid just because it looks odd. This is correct, because there is no way IE can know if an URI for another protocol is valid or invalid. It is the responsibility of the target program to sanitize its input, knowing full well that it comes from an untrusted source.

  6. Re:solution by Victor Antolini · · Score: 5, Informative

    Oh, I missed to point out what you missed. From http://www.foxitsoftware.com/pdf/rd_intro.php

    Foxit Reader itself is free. As to add-ons, the critical add-ons are free while advanced add-ons are non-free. For example, you can use the following functions for free:

    * View or print PDF document
    * Basic PDF form operations i.e. filling out PDF forms and printing them out
    * Advanced PDF form operations, such as saving filled-out forms and import/export forms, free for personal usage only
    * View PDF as text
    * Critical add-ons, such as UI language package, JPEG2000/JBIG decoder, CJK package, GDI+ for early Windows version, etc

    The followings are several examples of non-free, advanced add-ons:

    * Foxit Reader Pro Pack is not free. It includes the following functions:
      * Annotation
      * Text viewer and text converter
      * Form filler
      * Spell checker
      * Advanced editing tools, including loupe tool, measure tools, image tool, file attachment tool, link tools, annotation selection tool, and more

    Actually without Pro Pack, you are still able to annotate a PDF document and print it out. However when you save the annotated document, it will be stamped with an evaluation mark on the top-right corner of the annotated pages. If you purchase a Pro Pack add-on, then there will be no evaluation mark.

  7. Welcome... by sakdoctor · · Score: 5, Funny

    ...to hyphen hell! The rules - of style that apply to dashes - and hyphens - have evolved to support ease of reading in complex constructions; editors - often accept deviations - from them that will support, rather than --- hinder, ease of reading.

  8. Re:Welcome... by Anonymous Coward · · Score: 4, Funny

    Shatner? Is that you?