Slashdot Mirror


Critical Vulnerability In Adobe Reader

An anonymous reader writes "Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions using Adobe's Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader."

160 comments

  1. For the uninformed: by Joe+Snipe · · Score: 5, Informative

    Foxit FTW

    --
    Sometimes, life itself is sarcasm...
    1. Re:For the uninformed: by BrennanM3 · · Score: 1, Insightful

      That might work on some or most files, but there still is no replacement for Acrobat.

    2. Re:For the uninformed: by Ethanol-fueled · · Score: 4, Informative
      Hey, that's my line. By the way,

      While investigating the feasibility of exploiting a vulnerability previously disclosed in Foxit Reader (CVE-2008-1104), a CoreLabs researcher found that Adobe Reader was affected by the same bug.

      Foxit users: don't panic. Though Foxit Reader v2.3 build 2825 is vulnerable, 2.3 builds 2912 and later are patched. Build 3309 is the current version available for download.

      ...with the privileges of a user running the Adobe Reader application.

      Which strongly implies that those affected will be Windows users with Administrator access.

    3. Re:For the uninformed: by JustinOpinion · · Score: 5, Informative

      Another option for PDF reading on Windows is Sumatra PDF (if you prefer open-source).

    4. Re:For the uninformed: by nine-times · · Score: 4, Insightful

      ...with the privileges of a user running the Adobe Reader application.

      Which strongly implies that those affected will be Windows users with Administrator access.

      It seems fair to worry even if you aren't running as admin. If a trojan PDF can run arbitrary code with privileges of the user running Adobe Reader, that's still enough to screw with that user's documents even if the user isn't an admin.

    5. Re:For the uninformed: by Zonk+(troll) · · Score: 5, Informative

      That might work on some or most files, but there still is no replacement for Acrobat.

      True, but we're getting closer. OpenOffice 3 now has a PDF Import extension, and of course for Windows there's PDFCreator (Gnome/KDE and OS X natively support printing to PDF).

      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
    6. Re:For the uninformed: by JustinOpinion · · Score: 5, Insightful

      Perhaps, but you can have multiple PDF readers installed. And in terms of security, it's usually best to use the simplest application that will work.

      So basically you could use FoxIt or Sumatra PDF to open most PDFs. And then for the rare one that uses some advanced stuff, you can fire up Acrobat. The fact is that most of the stuff that Acrobat supports that other PDF readers don't involves some kind of scripting. And really you shouldn't be running any scripts (even those that are, in principle, sandboxed) unless you have reason to trust them.

      So a sensible strategy would seem to be that you open 99% of PDFs with a simpler reader, and only use Acrobat on the few that really need it, and only if the source of the PDF is trustworthy in your estimation.

      (Yeah, I know... it's a bit of a pain to have multiple programs that do the same thing. In principle you "shouldn't have to" in the sense that your PDF reader should be secure. But in reality it seems like a reasonable precaution.)

    7. Re:For the uninformed: by Anonymous Coward · · Score: 0

      Last time someone here suggested Foxit here I installed it and saw a nag, minibanner or some other promotion. Can't remember the specifics but Foxit lasted about 5 seconds.

      Same deal with Acrobat reader. It nagged me with stupid promotions to download Acrobat Professional from pirate bay, which I eventually gave in to.

    8. Re:For the uninformed: by IngeniousCognomen · · Score: 2, Informative

      Sure, Foxit is fine as far as it goes, but it runs slower than Adobe Reader on my PC. Plus Adobe lets me save as text, where Foxit expects me to pay for that functionality.

    9. Re:For the uninformed: by onitzuka · · Score: 1

      OpenOffice has had the ability to export to PDF since OpenOffice 2.x.

    10. Re:For the uninformed: by Anonymous Coward · · Score: 3, Informative

      I knew some guy would chime in recommending Foxit, but I'm surprised and glad to see a recommendation for Sumatra.

      Foxit is suffering from its own feature-creep and bloat-up issues (on a much smaller scale than Adobe's software, but still), so Sumatra is really what I _think_ everyone who chimes in with "Foxit" really means to recommend. It accurately renders PDFs. THAT'S IT.

    11. Re:For the uninformed: by internerdj · · Score: 5, Funny

      Slower than Adobe Reader? What does it do, steal all the cycles from neighboring computers as well?

    12. Re:For the uninformed: by bcrowell · · Score: 3, Informative

      That might work on some or most files, but there still is no replacement for Acrobat.

      Huh? I create PDFs all the time, and don't own a copy of Acrobat. I use pdftex and inkscape, but there's scads of other software that can do it, e.g., Scribus if you want GUI desktop publishing. This is all on linux, but there's tons of PDF-creating software on Windows as well.

    13. Re:For the uninformed: by Ephemeriis · · Score: 1

      That might work on some or most files, but there still is no replacement for Acrobat.

      Depends on what you need Acrobat for...

      If all you want to do is view a PDF, you certainly don't need Adobe Reader (which is what the story talks about). There are plenty of perfectly good alternatives out there, and Foxit is one of them.

      If you want to create a PDF, you frequently don't actually need Adobe. We've got tons of clients who basically just want to email a simple word/text/whatever document to someone with relative certainty that they'll be able to open it, view it, and print it - but not make changes. These clients are often under the impression that the only software that can possibly do what they want is Adobe. In fact, Foxit and PDFCreator often do what they need.

      Sure, if you're looking to embed all sorts of flashy graphics and movies and stuff... Make an editable form... Embed keywords or something... Adobe is the way to go. But for basic stuff, why bother?

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    14. Re:For the uninformed: by the_womble · · Score: 1

      That might work on some or most files, but there still is no replacement for Acrobat.

      I have had one PDF file so far this year that failed to open in KPDF - and I have not tested if that opens in Acrobat either.

      I have never used Foxit, but there are certainly perfectly good, reliable, PDF readers other than Acrobat.

      This may not be true if you need a particular feature that is only implemented by Acrobat, for most people the alternatives are as good or better.

    15. Re:For the uninformed: by Joe+Snipe · · Score: 1

      I wasn't familiar with sumatra until you posted, and I have now installed and will give it a run. Thanks for the recommendation!

      --
      Sometimes, life itself is sarcasm...
    16. Re:For the uninformed: by Anonymous Coward · · Score: 5, Funny

      I know you're trying to look smart but export and import aren't the same thing.

    17. Re:For the uninformed: by spud603 · · Score: 3, Insightful

      This is exactly what I do in Mac OS X. Virtually always, I just open the PDF with Preview.app (part of the basic OS distribution). On the rare occasion that it won't open or is a form or something, I'll right-click>open with>Acrobat.app. Not much of a pain.
      I think it makes good sense to have a different app depending on what you need done. For instance, reading articles in PDF in Preview or Acrobat is a pain, and I'll use Skim.app for those.

    18. Re:For the uninformed: by Beardo+the+Bearded · · Score: 4, Informative

      there's tons of PDF-creating software on Windows as well.

      PDFCreator from sourceforge:
      http://sourceforge.net/projects/pdfcreator/

      It's a Windows printer that prints out your documents as PDFs.

      It's that easy.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    19. Re:For the uninformed: by initdeep · · Score: 3, Informative

      if you rtfa, you would note that the current build of adobe reader isn't vulnerable either.

    20. Re:For the uninformed: by Tubal-Cain · · Score: 1

      Are the Adobe SpeedLaunch apps running in the background? That is the only way I can imagine the 200MB Adobe Reader 9 launching faster than Foxit.

    21. Re:For the uninformed: by SleepingWaterBear · · Score: 3, Insightful

      The real solution is to open 100% of PDFs in a simpler reader, and refuse to tolerate PDFs that require scripting.

      Really, there's no good reason for a document viewer to have the bloat of Acrobat, and we shouldn't encourage Adobe by doing what they want.

    22. Re:For the uninformed: by Thaelon · · Score: 1, Redundant

      Foxit FTL.

      Sumatra PDF Viewer FTW.

      Foxit is about as bloated and irritating as Acrobat Reader was in version 5.0 (which was much better, but still terrible).

      Sumatra is to Foxit as Foxit is to Adobe Acrobat Reader.

      I realize being a .info site makes it very suspicious, but if you don't trust me or it, Google it yourself

      --

      Question everything

    23. Re:For the uninformed: by Curmudgeonlyoldbloke · · Score: 1

      So what? Adobe Reader is where the vulnerability is.

    24. Re:For the uninformed: by Anonymous Coward · · Score: 0

      Ghostscript for the win. It reads PDF files, too, after all.

    25. Re:For the uninformed: by c0p0n · · Score: 2, Informative

      Actually, well before that. But the parent said import.

      --

      Your head a splode
    26. Re:For the uninformed: by Anonymous Coward · · Score: 0

      True. Of course, if they're using Vista, (and haven't turned off UAC - you leave that on right?) the privileges will not include Admin access.

      The dodgy code will have to bring up a UAC prompt and convince the user to accept it. Other than that it's only the user's files affected - the same as any other OS....

      - "Please open a terminal window and type 'su '" works just as well.... the only difference is the education of the user.

      </STIRRING-SLASHDOT>

    27. Re:For the uninformed: by 5865 · · Score: 1

      Sumatra PDF did a good job porting the freaking ass slow rendering experience from Linux to Windows. Have you even tried Foxit before you bash it?

      Quick test: Load a hundred pages+ PDF and drag the scroll bar across the pages. You should expect Foxit to keep up with your maniacal scrolling followed by Adobe's sub second lag and Sumatra's "Please wait - Rendering...."

      But if you mean Foxit under Linux, it's noticeably slow. Just like all the other PDF viewers for Linux.

    28. Re:For the uninformed: by Gazzonyx · · Score: 1

      Especially when someone figures out that the adobe update has to run as an admin...

      --

      If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    29. Re:For the uninformed: by Spit · · Score: 1

      The unprivileged exploit has access to launch further exploits against other system vulnerabilities, which do give privilege.

      --
      POKE 36879,8
    30. Re:For the uninformed: by Anonymous Coward · · Score: 0

      So my options are to get pwnt by a cracker or get pwnt by Adobe? I'll take my chances with the cracker.

    31. Re:For the uninformed: by westyvw · · Score: 1

      For the enlightened: Okular FTW

    32. Re:For the uninformed: by access.name · · Score: 2, Interesting

      Paradoxically, this vulnerability was found in Foxit first :) http://secunia.com/advisories/29941/

    33. Re:For the uninformed: by Anonymous Coward · · Score: 0

      If you rtfa or the summary you will see nothing specifying that this is a windows exploit. Not that I use Acrobat or Reader on my mac anyway. Most of the pdf's I get are made from 3D AutoCad files and Reader chokes when trying to print them anyway. Apple's Preview opens and prints them just fine though.

    34. Re:For the uninformed: by ZosX · · Score: 1

      I second that. Print to PDF is so amazingly handy it makes you wonder why nobody thought of it sooner. It should also be a good workaround for the people that have problems with how open office tends to drop fonts in pdfs.

    35. Re:For the uninformed: by tsa · · Score: 1

      But who uses the current build of AR? AR 8.0 is a disaster and the reason I switched to Foxit. I guess the versions after 8.0 are not better.

      --

      -- Cheers!

    36. Re:For the uninformed: by steelcaress · · Score: 1

      Yeah, I've hated Acrobat since about 5.0, and then I found Foxit. :) Foxit even opens multiple PDFs in tabs, and does support some pretty advanced stuff (to my surprise). Life's good.

    37. Re:For the uninformed: by Dr_Barnowl · · Score: 1

      ECHELON? Isn't that where the government searches for words like bomb, plutonium, assassinate, and anarchy?

      It's also triggered by laundering black-bag fissionable toffee for Bugs Bunny.

    38. Re:For the uninformed: by Krneki · · Score: 1

      I agree, and it's damn fast too.

      --
      Love many, trust a few, do harm to none.
    39. Re:For the uninformed: by Anonymous Coward · · Score: 0

      Thanks a lot, it's what I've been looking for when working on Windows.

    40. Re:For the uninformed: by Anonymous Coward · · Score: 0

      depending on what you are doing, you may want to be able to respect the color profiles embedded in the pdf... ... and afaik only acrobat can reliably use them.

    41. Re:For the uninformed: by LittleGuy · · Score: 1

      That might work on some or most files, but there still is no replacement for Acrobat.

      Paper printout?

      --
      Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
    42. Re:For the uninformed: by atamido · · Score: 1

      This is exactly what I do in Mac OS X.... I'll right-click...

      There is a good joke in there somewhere.

    43. Re:For the uninformed: by Ash+Vince · · Score: 1

      That might work on some or most files, but there still is no replacement for Acrobat.

      Why not? Foxit works treat for me. I have not yet found a PDF that it cannot open, even the encrypted ones I have been sent. It is also smaller and faster than the adobe software so runs better on old PC's like mine.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    44. Re:For the uninformed: by spud603 · · Score: 1

      heehee. fair enough.
      but with the advent of the new portables there's no Apple computer made anymore that doesn't easily and natively support right click.
      (but in Apple's you-don't-ever-need-a-second-mouse-button world, they expect you to use File>Open with>Acrobat or just drag the icon to acrobat somewhere. Matter of preference, I guess)

    45. Re:For the uninformed: by Anonymous Coward · · Score: 0

      Why is the post by c0p0n posted at 3:34 marked as informative, while the post by Tubal-Cain half an hour previous is marked redundant?

      Normally the redundant would make sense the other way around..... unless the person marking redundant is referring to the +5 funny post by AC, but Tubal-Cain's post is only a minute after the AC, so him and the AC would have been writing their posts at the same time and unaware of one another.

      Somebody fix this.

    46. Re:For the uninformed: by c0p0n · · Score: 1

      Dude, you take slashdot way too seriously...

      --

      Your head a splode
    47. Re:For the uninformed: by RockDoctor · · Score: 1

      But who uses the current build of AR? AR 8.0 is a disaster and the reason I switched to Foxit. I guess the versions after 8.0 are not better.

      Substitute "5.05" for "8.0" and you'll be getting closer to my experience.
      Once Acrobat removed the capability for me to export the text of a PDF to a text file without having to pick up a mouse and plug it in, then I stopped downgrading to newer versions. Now that I'm occasionally (under 1%) seeing PDFs generated with image types that aren't recognised, then I'm having to look at other programs. FoxIt solved that particular problem, but I don't know if I'll replace AR 5.05 with FoxIt in my re-install set, yet.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Structural Issues by Anonymous Coward · · Score: 2, Funny

    Critical Vulnerability In Adobe

    You see, if you mix too much water into the mixture before it hardens, it is brittle and your dwelling will collapse on you ...

    1. Re:Structural Issues by Anonymous Coward · · Score: 0

      I don't understand your building analogy. Please use a software architecture instead.

    2. Re:Structural Issues by azgard · · Score: 1

      In terms of software architecture, it's like mixing of too much Turing completeness into this particular DSL.

    3. Re:Structural Issues by Homr+Zodyssey · · Score: 1

      It's kind of like a car...

    4. Re:Structural Issues by Anonymous Coward · · Score: 0

      Nonono, we use car analogy here.

  3. Symptoms you've been attacked by Anonymous Coward · · Score: 3, Insightful

    Adobe Reader is very slow to load and freezes your browser. Yes, it's very difficult to tell.

  4. Single-purpose tools are good by davidwr · · Score: 5, Insightful

    Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

    If not, it should.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Single-purpose tools are good by Roland+Piquepaille · · Score: 5, Insightful

      Your remark leads to the general question: what business does a document viewer have trying to execute embedded Javascript scripts? A PDF file is essentially a PostScript file, so its content is supposed to be interpreted as a page description and nothing more.

      This is reminiscent of Microsoft's "executable" .DOC files that were used to spread viruses around years ago. This is what you get when you try to make a tool too clever for its own good.

    2. Re:Single-purpose tools are good by Rary · · Score: 1

      Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

      If not, it should.

      Agreed. And the same goes for every other application primarily designed to read documents (images, media files, whatever).

      On the one hand, I find some of the functionality that is being embedded in various document types useful, but on the other hand I find it ridiculous that data can attack us.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    3. Re:Single-purpose tools are good by zalas · · Score: 2, Interesting

      They've already developed a lite version of their PDF renderer for their Digital Editions product, so they really should just distribute the renderer in that as a standalone product or something.

    4. Re:Single-purpose tools are good by bcrowell · · Score: 5, Informative

      Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

      To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

      Even if the js-related security bugs are fixed, it's still a privacy issue, because js in a pdf file can be used to track who's reading a particular document.

      Personally, when I see that a piece of software has a long history of security problems, I take that as my cue to remove it from my system. I don't really care that they keep fixing the bugs. The fact that it has this history demonstrates that the software wasn't written with the correct attention to security, and it's likely to have more such problems in the future.

      If you're running Linux, xpdf starts up extremely fast, and that's why I use it as my pdf plugin in Firefox. If you want something a little more modern, try evince.

      People have posted saying that on Windows, you should switch to Foxit, but the article says that the security flaw was found first in Foxit, and only later in Adobe Reader. I actually tried to get the science division at the community college where I teach to switch to putting Foxit on machines in the student labs as the default pdf plugin. However, when the faculty were testing it, they found that it was not correctly displaying some of the pdfs they were using.
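Several comments in this thread suggest keeping JavaScript disabled and only enabling it, or opening the file in the full reader, for the rare PDF that needs it. The sketch below is an added example, not part of the original thread or of any reader's code: it triages a PDF by looking for the dictionary keys that carry script (`/JS`, `/JavaScript`) or run actions automatically (`/OpenAction`, `/AA`), decoding `#XX`-escaped names and inflating Flate-compressed streams first. The function names and the sample documents are constructed for illustration.

```python
import re
import zlib
from collections import Counter

# /JS and /JavaScript mark script actions; /OpenAction and /AA attach actions
# that fire on open or on page/field events without a click.
SCRIPT_KEYS = {"JS", "JavaScript"}
TRIGGER_KEYS = {"OpenAction", "AA"}

# A PDF name is "/" followed by anything except whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def pdf_names(data):
    """Yield name tokens with #XX escapes decoded (/J#61vaScript -> JavaScript)."""
    for m in NAME_RE.finditer(data):
        raw = HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        yield raw.decode("latin-1")


def stream_bodies(data):
    """Yield each stream body, inflated when it is Flate data, raw otherwise."""
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # uncompressed, another filter, or encrypted: scan as-is
        yield body


def scan_pdf(data):
    """Count script-related keys and classify the document."""
    # Blank the stream bodies in the top-level pass so compressed bytes are
    # never misread as names; the bodies are scanned separately once decoded.
    blobs = [STREAM_RE.sub(b"stream\nendstream", data), *stream_bodies(data)]
    counts = Counter()
    for blob in blobs:
        for name in pdf_names(blob):
            if name in SCRIPT_KEYS or name in TRIGGER_KEYS:
                counts[name] += 1
    has_script = any(counts[k] for k in SCRIPT_KEYS)
    auto_run = has_script and any(counts[k] for k in TRIGGER_KEYS)
    if auto_run:
        verdict = "auto-run script"
    elif has_script:
        verdict = "script present"
    else:
        verdict = "no script keys"
    return {"verdict": verdict, "counts": dict(counts)}


# --- Constructed sample documents (minimal, not complete PDFs) ---
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

# Script action on open, with the name partly hex-escaped.
HEX_ESCAPED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
    b"<< /S /J#61vaScript /JS (constructed-placeholder) >> >>\nendobj\n%%EOF\n"
)

# Script attached to a form field only, as in the order-form use case.
FORM_ONLY = (
    b"%PDF-1.4\n7 0 obj\n<< /Type /Annot /Subtype /Widget /A "
    b"<< /S /JavaScript /JS (constructed-placeholder) >> >>\nendobj\n%%EOF\n"
)

# Action dictionary hidden inside a Flate-compressed object stream.
_packed = zlib.compress(b"<< /S /JavaScript /JS (constructed-placeholder) >>")
COMPRESSED = (
    b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 5 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_packed)).encode()
    + b" >>\nstream\n" + _packed + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN), ("hex-escaped", HEX_ESCAPED),
                       ("form-only", FORM_ONLY), ("compressed", COMPRESSED)]:
        print(label, scan_pdf(doc))
```

This is a token scan, so an encrypted document or a filter other than Flate can hide the keys; a clean result lowers suspicion but does not prove the file is script-free.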

    5. Re:Single-purpose tools are good by nine-times · · Score: 1

      And it should also be the default mode, IMO.

      But I guess I never got the memo that explained why Acrobat Reader was doing anything more than reading plain/static PDFs in the first place. Didn't they do something in new versions to allow Flash and movies, or something?

      The only reason I use PDFs is when I want to make a document with a very controlled layout, both in print and on a display, without any expectation of editing. Honestly I'm willing to pay money to Adobe to get Acrobat if it's going to help me do that in a way that's proven, robust, and configurable. I can also understand the desire for things like comments and digital signatures, but anything much more than that and I feel like it's just shoehorning extra bloat in the form of features that relatively few people will use, probably at the expense of security and possibly at the expense of sanity.

    6. Re:Single-purpose tools are good by jmulvey · · Score: 1
      "they really should just distribute the renderer in that as a standalone product or something."

      Yes. Because we should soon expect the renderer installer alone to consume an entire 4 GB DVD. Adobe Acrobat is the pinnacle of bloatware. No wonder vulnerabilities like these are discovered. It must be easy to poke holes in the 17 gajillion lines of code it takes Adobe to render text.

    7. Re:Single-purpose tools are good by HTH+NE1 · · Score: 0, Troll

      To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

      Under Edit : Preferences I just have General, Comments, Full Screen, and Weblink.

      Help : About Acrobat Reader says it's Acrobat Reader 5.0, x86 linux 5.0.10 Nov 8 2004 13:14:17.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    8. Re:Single-purpose tools are good by bcrowell · · Score: 1

      it's Acrobat Reader 5.0, x86 linux 5.0.10 Nov 8 2004 13:14:17.
      You're running an extremely old version. The current version is 9.

    9. Re:Single-purpose tools are good by Randle_Revar · · Score: 2, Informative

      JS in PDFs is silly IMO, but I have to point out that PS (but not PDF) is a Turing-complete language.

      http://www.tinaja.com/post01.asp

    10. Re:Single-purpose tools are good by Thundersnatch · · Score: 4, Interesting

      Sure, JavaScript is pointless in a PDF viewer and should be disabled, but it is worth noting that PostScript itself is a programming language. It has conditionals, functions, loops, etc. I myself once hand-coded a PostScript program to draw a high-res graph of a particular function for a class back in college. This 1K file basically owned the imagesetter in the print lab for about 45 minutes while it rendered at 1200 dpi.

      If I recall correctly, there were even a couple of postscript exploits back in the 1990s that could "brick" Apple LaserWriters.

    11. Re:Single-purpose tools are good by erikdalen · · Score: 2, Informative

      Postscript is a stack based programming language. PDF was afaik originally designed to be a simpler format for just describing page layout. But then they've extended it to be able to include javascript for programming and embedding videos, flash and all sorts of stuff (sounds like HTML...).

      http://en.wikipedia.org/wiki/PostScript

      --
      Erik Dalén
    12. Re:Single-purpose tools are good by HTH+NE1 · · Score: 1

      it's Acrobat Reader 5.0, x86 linux 5.0.10 Nov 8 2004 13:14:17.
      You're running an extremely old version. The current version is 9.

      You think that's old? You should look up xemacs 19.13. Also, the installed mozilla version:

      % /usr/lib/mozilla-1.2.1/mozilla-bin --version
      Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225, build 2003022516

      I can't even run Firefox 3 on my work system. I have to run it on the only Linux machine here that can, displaying to my screen, and even then it keeps spitting out Gdk- and Gtk-CRITICAL assertion errors.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    13. Re:Single-purpose tools are good by Anonymous Coward · · Score: 0

      maybe they should give sumatra pdf a go instead http://blog.kowalczyk.info/software/sumatrapdf/

    14. Re:Single-purpose tools are good by Anonymous Coward · · Score: 0

      Why use forms in PDF? Why not host the forms in HTML format on a centralized server? Or on a laptop running an AMP stack for people doing door to door customer hunting?
      I believe there are solutions to avoid passing around documents with embedded scripts.

    15. Re:Single-purpose tools are good by de+Siem · · Score: 1

      hold shift, when launching reader, it disables all plugins on launch.

      --
      Beating up people in little rooms, if you do it for a good reason you do it for a bad one.
    16. Re:Single-purpose tools are good by Anonymous Coward · · Score: 0

      Hey, why don't you go and assume you know about our business and what we should be doing. Fuck off.

    17. Re:Single-purpose tools are good by hyc · · Score: 1

      Bricking a laserwriter wasn't hard at all.

      I remember when someone posted their implementation of John Conway's "Life" to usenet. That was a fun way to tie up a printer and waste a ream of paper. (Basically you could prepend it to any document and it would iterate off the document's first page. Each generation printed on a separate page.)

      --
      -- *My* journal is more interesting than *yours*...
    18. Re:Single-purpose tools are good by Geoff-with-a-G · · Score: 1

      People have posted saying that on Windows, you should switch to Foxit, but the article says that the security flaw was found first in Foxit, and only later in Adobe Reader.

      Well, being the first one to find and fix the vulnerability is still a pretty good endorsement. Few useful software products out there have zero flaws. You should put your trust in those that find, disclose, and resolve their flaws in a speedy and reliable manner.

  5. Which again... by slapout · · Score: 4, Insightful

    ...begs the question "Why Does Adobe Reader Need Javascript"??

    --
    Coder's Stone: The programming language quick ref for iPad
    1. Re:Which again... by andrewd18 · · Score: 4, Informative

      I create PDF order forms for my company that our salesmen e-mail to customers; these javascript-enabled PDF order forms dynamically enable or disable options as the user customizes an order. For example, if the user picks option A, sub-options A1 -> A5 are automatically enabled, while B1 -> B5 are disabled. And that's why you might want javascript in a PDF.

    2. Re:Which again... by TrekkieTechie · · Score: 1

      Because there's really no more efficient way of introducing security exploits which necessitate expensive upgrades to the latest version.

      I'm sorry, did I say 'expensive'? I meant 'profitable' -- Freud strikes again!

    3. Re:Which again... by Anonymous Coward · · Score: 0

      for the same reason why God needs a starship

    4. Re:Which again... by TimeTraveler1884 · · Score: 2, Interesting

      "Why Does Adobe Reader Need Javascript"??

      I've written scripts for Adobe Acrobat Professional to interleave PDFs of scans from my single-duplex, automatic document feeder scanner. Can you believe that there are companies out there that charge $100 or so to do the same task with a plugin? Took me 15 min to write it in JavaScript myself.

      As far as Reader though, I've seen some web-fill state tax forms that use Javascript for field validation.

    5. Re:Which again... by Anonymous Coward · · Score: 0

      Hence the source of a simple solution ... I disable it, along with a bunch of other plugins that are useless to me.

      One of the followup replies notes that Javascript is useful to embed logic in forms. That's great, and a justifiable use. It makes sense.

      So, if I ever do encounter one of those forms rather than a plain document, I'll temporarily re-enable it. (Hasn't happened yet)

      The real question is, why is Javascript turned on by default when most documents don't need it?

    6. Re:Which again... by betterunixthanunix · · Score: 1

      ghostscript for the win. I can do this in even less time using ghostscript and reasonably advanced shell. The best part is not having to pay for Acrobat pro.

      --
      Palm trees and 8
    7. Re:Which again... by Anonymous Coward · · Score: 5, Insightful

      You are part of the problem.

    8. Re:Which again... by Nimey · · Score: 5, Informative

      It raises the question, godsdamnit. Here's what "begging the question" actually means:

      http://en.wikipedia.org/wiki/Begging_the_question

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    9. Re:Which again... by Randle_Revar · · Score: 1

      Thank you!

    10. Re:Which again... by __aawkdb2598 · · Score: 1

      I twitch almost every time I see "begs the question" but I've given up on saying anything. I applaud your enthusiasm :D

      Go team!

    11. Re:Which again... by ZERO1ZERO · · Score: 2, Interesting
      Yeah. I noticed that. I understand when not to use 'begging/begs the question' when meaning 'raises the question' . But I have read that wiki page before, and I just read it again, but it still makes no sense to me. Can someone please explain in plain english when one *would* use the phrase begging the question?

      "That begs the question" is an appropriate reply when a circular argument is used within one syllogism. That is, when the deduction contains a proposition that assumes the very thing the argument aims to prove; in essence, the proposition is used to prove itself, a tactic which in its simplest form is not very persuasive.

      I mean, what the fuck?

    12. Re:Which again... by Anonymous Coward · · Score: 0

      Assume Adobe would not suck. They would not deliver a buggy, intrusive and horribly bloated software as a document reader. Software without bloat and bugs is good. Therefore Adobe does not suck.

      That begs the question.

    13. Re:Which again... by Nimey · · Score: 1

      Another way of putting it is "circular logic". You start off by making an assumption, then use logic to prove that assumption, which is vacuous because you didn't prove it, you instead used circular logic.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    14. Re:Which again... by Anonymous Coward · · Score: 0

      even when i couldn't see your reply, somehow i knew what it would say.

    15. Re:Which again... by syousef · · Score: 2, Insightful

      It raises the question, godsdamnit. Here's what "begging the question" actually means:

      Originally you're correct. The common idiom has changed to reflect a more intuitive meaning. Language changes over time. YOU are the one failing to deal with it.

      --
      These posts express my own personal views, not those of my employer
    16. Re:Which again... by Anonymous Coward · · Score: 0
    17. Re:Which again... by ZERO1ZERO · · Score: 1

      Well knock me down with a feather.....

    18. Re:Which again... by noidentity · · Score: 1

      It needs Javascript because PDFs include Javascript code. Duh! Now, let's see what this "begging the question" is on that Wikipedia page...

    19. Re:Which again... by MyLongNickName · · Score: 2, Insightful

      From your link:

      "More recently, to beg the question has been used by some to mean "to raise the question", or "the question really ought to be addressed". [7] An example of such a use would be, "This year's budget deficit is half a trillion dollars. This begs the question: how are we ever going to balance the budget?" Although proponents of the traditional meaning will criticize this formally incorrect usage, it has nonetheless come into widespread use and in informal contexts may actually be the more common use of the term. The phrases circular reasoning, circular logic, and circular arguments have come to be used in places where logicians would tend to use "beg the question"."

      So, it would appear that language changes over time.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    20. Re:Which again... by Anonymous Coward · · Score: 0

      Incorrect usage by the ignorant does not constitute "language change".

    21. Re:Which again... by Just+Some+Guy · · Score: 1

      The example that made sense to me was the question: "do you still beat your wife?" The question itself presumes that you did in fact beat your wife at one time.

      --
      Dewey, what part of this looks like authorities should be involved?
    22. Re:Which again... by Anonymous Coward · · Score: 0

      Here here! :)

    23. Re:Which again... by Anonymous Coward · · Score: 0

      Incorrect usage by the ignorant does not constitute "language change"

      Yes it does. You think the only way languages change is by Royal decree???

  6. You can have it, hackers by Sneftel · · Score: 4, Funny

    Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader.

    The main privileges being the privilege of waiting thirty seconds to view text, followed closely by the privilege of a crashed web browser.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    1. Re:You can have it, hackers by QuantumG · · Score: 1

      hehe, people used to say that about the overflow in the default php install for apache. "oh, you can only get access to the 'anonymous' account on the web server". There's always a dozen different local exploits you can use to escalate from these accounts. And that's on a platform which actually takes security seriously.

      --
      How we know is more important than what we know.
    2. Re:You can have it, hackers by Sneftel · · Score: 1

      Er, yes, I got that. And there's no need for escalation, as the user most likely has pretty good system privileges, not to mention access to all his own documents.

      'twas a joke, you see.

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    3. Re:You can have it, hackers by QuantumG · · Score: 1

      A lot of people sandbox Acrobat Reader on Linux and IE7 does it too I think.

      Oh, and I meant the 'nobody' account. Wow, it has been years.

      --
      How we know is more important than what we know.
    4. Re:You can have it, hackers by jonaskoelker · · Score: 1

      Or >90% usage of mem and swap. Happens to my office mate's box. She is not happy, but she managed to run top on it once to identify the culprit. I think she's switching to kpdf [she doesn't like the ubuntu orange].

    5. Re:You can have it, hackers by CamD · · Score: 1

      You mean you are actually able to view text? And I thought it was a privilege to wait thirty seconds for a partial interface of some sort to display, followed by a crashed web browser.

  7. Out of curiosity... by vishbar · · Score: 1

    Why in the world does Adobe Acrobat include a Javascript engine in the first place? Why add a structured programming language to a document? HTML is different since it's being used as a new platform for applications...but a PDF file? Maybe I'm missing something. Have any of you ever used Javascript in a PDF document (other than when you're trying to access a remote machine)?

    --
    Ride the skies
    1. Re:Out of curiosity... by Anonymous Coward · · Score: 0

      PDF supports forms among other things, and javascript can be used in the same way it is used in HTML.

    2. Re:Out of curiosity... by avandesande · · Score: 1

      But why? It would have been a great and ubiquitous tool if it had stuck with being a wrapper for postscript- anything else 'extra' that acrobat does is done better some other way.

      --
      love is just extroverted narcissism
    3. Re:Out of curiosity... by Randle_Revar · · Score: 2

      I guess after they took Turing-completeness out of PS to make PDF, they wished they hadn't, and somehow thought JS was better than PS.

    4. Re:Out of curiosity... by janwedekind · · Score: 1

      Don't know why they included it. However I've seen PDF documents with buttons and forms. There's even a style file for pdflatex called pdfanim which allows you to do animations with Javascript in your PDF document. However I noted that it behaves slightly differently under GNU/Linux and Microsoft Windows.

  8. Adobe 8.1.2 is old by Anonymous Coward · · Score: 0

    This version is from February of this year and there have been numerous releases since, including version 9 - which are not vulnerable.

  9. Yep. by Shade+of+Pyrrhus · · Score: 1

    This was discussed previously, as well - the difference is that a specific vulnerability has been found at this point.

    As usual, take precautions to ensure you're not automatically opening PDFs in your browser - Save by default instead, so you can scan it and actually make the decision to open it yourself.
    For Firefox users:

    Tools->Options->Applications. Change actions for PDFs to Save.
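
The "save it, then scan it before opening" step from the comment above, as an added example that is not part of the original thread: a Python triage script that counts the PDF name objects tied to embedded JavaScript and auto-run actions, undoing `#xx` hex escapes in names first. The verdict labels and the sample documents are constructed for illustration; a raw-byte scan cannot see names inside compressed object streams, so it reports `unknown` when `/ObjStm` is present.

```python
"""Triage a saved PDF for script-related name objects before opening it."""
import re
import sys

# Name objects worth knowing about before a viewer parses the file:
# /JS and /JavaScript mark script actions, /OpenAction and /AA trigger
# actions automatically, /ObjStm means objects may be hidden in compressed
# object streams that this raw-byte scan cannot read.
NAMES_OF_INTEREST = ("JS", "JavaScript", "OpenAction", "AA", "ObjStm")

# A name is "/" followed by characters that are neither whitespace nor delimiters.
_NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript compares equal to /JavaScript."""
    decoded = _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def count_names(data: bytes) -> dict:
    """Count occurrences of each name of interest in the raw file bytes."""
    counts = {name: 0 for name in NAMES_OF_INTEREST}
    for match in _NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def triage(data: bytes) -> str:
    """Return a verdict label (labels are this example's own, not a standard)."""
    if b"%PDF-" not in data[:1024]:
        return "not-pdf"
    counts = count_names(data)
    if counts["JS"] or counts["JavaScript"]:
        return "script"            # embedded JavaScript action present
    if counts["OpenAction"] or counts["AA"]:
        return "auto-action"       # something runs on open, but no script name
    if counts["ObjStm"]:
        return "unknown"           # names may be hidden in compressed streams
    return "no-script-names"


# Constructed sample inputs (not real documents, no real script content).
SAMPLE_PLAIN = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
)
SAMPLE_SCRIPT = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (constructed placeholder) >>\nendobj\n"
    b"%%EOF\n"
)
SAMPLE_OBJSTM = (
    b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length 0 >>\n"
    b"stream\n\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    # Usage: python triage_pdf.py saved1.pdf saved2.pdf ...
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            content = handle.read()
        print(path, triage(content), count_names(content))
```

A `script` or `auto-action` verdict is a reason to open the file only in a reader with JavaScript disabled, not proof that the file is malicious.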

  10. Just disable javascript by Anonymous Coward · · Score: 0

    That's what I did from the start. The thing is, Acrobat doesn't seem to like that, because it prompts me to enable it, twice, every time I open a document. It's pathetic, really.

    1. Re:Just disable javascript by ewhac · · Score: 1

      Since when did it start prompting you to turn on JavaScript? (Mind you, I haven't upgraded past Acrobat Reader 6.0, since I didn't see the point.)

      Schwab

  11. Noscript by glop · · Score: 1

    Hey,

    I can't believe nobody mentioned that noscript prompts you before showing a PDF file.

    It can be tedious but it's useful apparently.

    1. Re:Noscript by Randle_Revar · · Score: 1

      when I click on a pdf, SeaMonkey asks me what to do, and I either save it or open it in evince

  12. How soon we forget best practices by richrumble · · Score: 3, Informative

    98% of virii/malware etc need ADMIN to succeed... and very few applications on Windows, save a very small percentage, actually need admin. The User Group is good enough for the wife/kids and my sales staff, lowers TCO even for M$. We don't use installed AV clients, we scan remotely nightly, run proxy+av along with snort, no issues. Users can use runas http://xinn.org/RunasVBS.html if need be, but they probably won't need to. Anti-Admin VS Anti-Virus, and AA wins! http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html -rich

    1. Re:How soon we forget best practices by Joe+The+Dragon · · Score: 1

      No live AV scanning there is stuff out there that does not need admin to take over the system.

      Just wait for your kids to play games with DRM, auto updating, online play, mods and more that needs admin to work.

    2. Re:How soon we forget best practices by richrumble · · Score: 1

      Not much, BHO's like Vundo(virus) only work against IE, we don't use IE. There is very little. I've got 2000+ users who are never infected, again no IE. -rich

    3. Re:How soon we forget best practices by cbhacking · · Score: 1

      So true. Nonetheless, I find running my main account on XP as a standard user to be a real pain sometimes. There are things, like the control panel, that are... awkward... to start as a limited user.

      For things like this, Vista's UAC - say what you will about it training people to click OK or whatever (you can configure it so it demands your password every time, like Linux or OS X, if that's preferable) is really actually quite handy. After a few months of running XP as a standard user, UAC was an incredibly wonderful feature.

      You can't secure a stupid user who owns the computer, but you can make things a LOT less irritating for a smart user who wants to run securely. Runas is a bloody pain.

      --
      There's no place I could be, since I've found Serenity...
  13. HATE Adobe by Forty+Two+Tenfold · · Score: 2, Interesting

    What I hate about them most is their labeling the file types in windows: "Adobe PDF, Adobe SVG, Adobe PNG". WHAT THE FUCK! This should be prosecuted.

    --
    Upward mobility is a slippery slope - the higher you climb the more you show your ass.
    1. Re:HATE Adobe by Ed+Avis · · Score: 1

      There's precedent: look for 'Microsoft HTML Document'.

      --
      -- Ed Avis ed@membled.com
  14. Is this hole cross platform compatible? by Biff+Stu · · Score: 2, Insightful

    Adobe is one of the best when it comes to cross-platform compatibility and the hole is based on Javascript...

    And yes, I did RTFA.

    1. Re:Is this hole cross platform compatible? by Anonymous Coward · · Score: 0

      Most of the reader javascript codebase will be shared. I'd say most probably yes, the bug will affect adobe pdf reader versions on all platforms. However, exploitation techniques are different on different platforms.
      If there is no way to bruteforce offsets, then an attacker has only 1 shot (unless the user keeps reopening a crashed pdf file). Note that it might in fact be bruteforceable if the adobe pdf reader fails safe after a failed exploit attempt.

    2. Re:Is this hole cross platform compatible? by Anonymous Coward · · Score: 0

      Adobe sucks. Macromedia was the best. PDF and also Java (sans 'script') are the worst software packages ever designed in the world.

  15. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  16. An alternative? by ArchieBunker · · Score: 1

    Can you suggest an alternative for creating and using interactive forms?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:An alternative? by slapout · · Score: 1

      Perhaps an interactive form program. But not one called Adobe _READER_

      --
      Coder's Stone: The programming language quick ref for iPad
    2. Re:An alternative? by cparker15 · · Score: 3, Informative

      Web page?

      --
      Have you driven a fnord... lately?

    3. Re:An alternative? by slimjim8094 · · Score: 1

      How about not a display format? PDF is PostScript without the logic...

      Just use a website if that's what you want your form to act like.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    4. Re:An alternative? by erikdalen · · Score: 1

      A HTML page using javascript?

      Probably doable in a spreadsheet as well.

      --
      Erik Dalén
    5. Re:An alternative? by Geoff-with-a-G · · Score: 1

      Web page?

      Yeah, those never have javascript.

      Starting off with the requirement of having customers fill out customized forms, we have explored two options:
      1. Send them PDFs with some javascript, have them fill it out and send back
      2. Build a secure Internet facing website which incorporates the same business logic as the javascript from the PDFs.

      In theory we're trying to avoid adding unnecessary complexity and possible security vulnerabilities to a simple application. You really think option 2 meets that goal better than option 1?

    6. Re:An alternative? by Just+Some+Guy · · Score: 1

      In theory we're trying to avoid adding unnecessary complexity and possible security vulnerabilities to a simple application. You really think option 2 meets that goal better than option 1?

      Yes, since web browsers were designed with the explicit goal of doing this sort of thing. Quoth Einstein: "Make things as simple as possible, but not simpler." It appears as though your system is too simple.

      --
      Dewey, what part of this looks like authorities should be involved?
  17. Note to Adobe... by JAZ · · Score: 1
    --
    "Karma can only be portioned out by the cosmos." -- Homer Simpson
  18. So what? by Anonymous Coward · · Score: 0

    Who runs this app as root anyway?

  19. Yes by WD · · Score: 1

    Yes, it affects Adobe Reader on all supported platforms.

  20. Adobe is taking the piss by Anonymous Coward · · Score: 0

    I know this has either already been said, or will never be seen, both due to Slashdot's advanced "post in the first 30 seconds or no one will ever read your shit" moderation system but PDF exploits are starting to take the piss. It seems that every month there's a new PDF exploit in the wild and if my virus checker throws up a blocked object while I'm surfing 9 times out of 10 it's a PDF.

    I wonder how many people have been rootkitted by a PDF exploit while surfing the net only to proclaim "OMGWTF windows / IE sucks balls" Adobe needs to pull its fucking finger out, and I need to install an OSS PDF reader.

  21. Scripting is useful, but.... by Anonymous Coward · · Score: 2, Informative

    Scripting is great, as it allows you to generate dynamic content, perform validation, etc. It enables better PDF presentations and forms and cute little tools. In short, javascript benefits PDF in the same ways it benefits (X)HTML.

    However, like macro languages in word processors & like javascript in webbrowsers, scripting in PDF viewers needs to be hardened against unintended consequences.

    "No javascript in PDF" is a very poor solution. Few people disable javascript in their browsers. Even the fairly paranoid will just run "noscript" & will then decide (for themselves and on a case-by-case basis) when scripting is desired and trustworthy.

    1. Re:Scripting is useful, but.... by Obfuscant · · Score: 3, Insightful

      "No javascript in PDF" is a very poor solution.

      No javascript in pdf is an excellent solution. It's a DOCUMENT, not a video game or word processor or anything else. You don't get javascript on a paper printout; you don't need javascript in the electronic version of a paper printout.

      Few people disable javascript in their browsers.

      I do. Most javascript in web pages is useless and needless and a waste of computer cycles. If you want to calculate something, do it on YOUR SERVER and send me the result.

      It's a crutch used by poor web designers to add glitz to content-less pages.

      I caught a major cell-phone company using javascript to provide log-in security for their account access web pages. Since I had javascript turned off, I had access to anyone's account I wanted. I told them what I was doing and they didn't believe it, until I started telling the account manager I was talking to what his minute balance and last payment was. THEN he got interested.

      ... scripting in PDF viewers needs to be hardened against unintended consequences.

      Much better that pdf authors spend the time properly identifying their documents with title and author information. I have US Government produced pdfs where the "title" of the document is "Microsoft preview -- C:\some\file\name\that\is\meaningless.doc" and the author is even stupider. Leave out the fancy crap until you can properly identify your documents, ok?

      You need evidence that javascript on web pages is useless? Try Yahoo. I go to my Yahoo mail page and a big, time-wasting page tells me that I have javascript turned off, click here for the OLD version of mail -- which is exactly where I was trying to get to in the first place, damn it!

      And get off my lawn...

    2. Re:Scripting is useful, but.... by lahvak · · Score: 1

      No javascript in pdf is an excellent solution. It's a DOCUMENT, not a video game or word processor or anything else. You don't get javascript on a paper printout; you don't need javascript in the electronic version of a paper printout.

      Except that PDF document is not always an electronic version of a paper printout. Many use it that way, but I think that's actually pretty dumb. It is an electronic document, not an electronic version of a paper document. That makes a lot of differences. If a document is primarily intended for reading on screen, you want to design it differently than one that's intended for print. Page size, font, etc. And there is nothing wrong about giving the reader an option to interact with the document in some way, for example give them a way to emphasize certain parts of an illustration, manipulate a 3d CAD object etc.

      I agree with you that 99% of web pages use javascript in a totally stupid way. I also browse with javascript off. However, as a math teacher I like the possibility to embed a Java applet in a page, and give user the possibility to interact with it using elements on the page.

      --
      AccountKiller
    3. Re:Scripting is useful, but.... by inline_four · · Score: 1

      Do you use Google Maps? Do you find AJAX use in that situation unnecessary?

      --
      Alexey
    4. Re:Scripting is useful, but.... by CrazedSanity · · Score: 1

      Javascript, or scripting of any other sort, should be BANNED in PDF documents. PDF means Portable Document Format. Not dynamic. Not editable. Sure, it is nice to be able to edit a PDF directly and save it, but scripting within the document is too much feature creep. Almost as retarded as having a router hijack the user's internet connection to sell software.

      I'll admit, the ability to view a 3D image within a document (turning it and such) has very cool possibilities... but don't call it PDF. Don't bloat something with more than it needs. Use something that matches those goals more closely, or come out with a new document type so users aren't confronted with something they're not prepared for...</soapbox>

      --
      Sanity is like a condom: rather have it and not need it, than need it and not have it.
    5. Re:Scripting is useful, but.... by Anonymous Coward · · Score: 0

      i'm with you, gramps

    6. Re:Scripting is useful, but.... by easyTree · · Score: 1

      Javascript, or scripting of any other sort, should be BANNED in PDF documents. PDF means Portable Document Format. Not dynamic.

      Paraphrasing 'We fear change' *

      * Disclaimer: Abode Arcobat sucks because it's maximum-strength bloatware (so bloated it warps the space-time continuum) and so *it* should be banned; not javascript or any kind of productivity enhancer.

  22. Re: For the ones who did not RTFA by Anonymous Coward · · Score: 0

    Quote from the article: "While investigating the feasibility of exploiting a vulnerability previously disclosed in Foxit Reader (CVE-2008-1104), a CoreLabs researcher found that Adobe Reader was affected by the same bug."

  23. Adobe? Kemosabe? Eh tu Brutus-Tonto? by ImitationEnergy · · Score: 0

    I don't believe anyone has a hack free computer system so this Adobe vulnerability (main article) doesn't surprise me. I don't have the bucks right now to update my antivirus but I cranked it up in Task Manager to a higher level than other files. It seems to be doing a good job. Sometimes I'll go to a website and Internet Explorer freezes. When I close it all the open IE windows are shut down with it, so I suspect it's the antivirus clamping them all down so I have to start fresh. I can't update the IE either since Windows stopped doing that. I'm planning to get a separate Linux Asus Eee in a couple months, take this one offline more. The big monitor uses way too much electricity. The Eee will pay for itself in about 10 months of reduced electric bill vouchers.

    --
    Industrial Age 2 + How-to Stop Malignant Cancers.
  24. Miserable Retards by ewhac · · Score: 4, Insightful

    Frankly, this should be actionable. There is no excuse for this stupidity any longer.

    When I install a new piece of software, the first place I go is to the preferences panel to see if there are any stupid/broken settings that need to be fixed (or, too often, fixed again after an upgrade). I can't remember which version it originally showed up in, but when I saw the checkbox for JavaScript in Acrobat Reader, my jaw hit the floor.

    "Are you people fscking morons? Did you learn nothing from the exploits and problems caused by JavaScript in Web browsers? Hell, forget Web browsers; Microsoft Word became a virus/trojan platform because the Special-Needs Children who apparently design all their software thought it would be tEh k00l to embed macros in what is fundamentally a static document."

    Every time some would-be clever person adds a macro language or other executable logic to a document format, the result is "unexpected" worms, viruses, and security breaches. Every God-damned time.

    This is not an honest mistake. This is negligent engineering, and someone needs to lose a lot of money over it before the lesson sinks in.

    Schwab

    1. Re:Miserable Retards by lahvak · · Score: 1

      There is nothing wrong with the concept of scriptable document. The main difference between an electronic document and a paper document is that an electronic document is viewed on the screen, which gives you a lot of possibilities. Having an option to interact with the document, for example to highlight or hide certain part of an illustration or a diagram, etc.

      There is, or *should* be, a fundamental difference between document macros as found for example in MS Office, but also used by other software to some extent (e.g. vim modelines), and a scripting language embedded in a document reader. Macros are supposed to help editing and creating the document. For that they usually have access to everything your wordprocessor, spreadsheet or editor can access, including your filesystem. A scripting language in a document viewer should be able to modify the way the document is displayed. That's it, there is no reason for it to access the filesystem or the network. That is where Adobe messed up big time.

      --
      AccountKiller
    2. Re:Miserable Retards by Anonymous Coward · · Score: 0

      "I can't remember which version it originally showed up in, but when I saw the checkbox for JavaScript in Acrobat Reader, my jaw hit the floor.

      "Are you people fscking morons? Did you learn nothing from the exploits and problems caused by JavaScript in Web browsers? Hell, forget Web browsers; Microsoft Word became a virus/trojan platform because the Special-Needs Children who apparently design all their software thought it would be tEh k00l to embed macros in what is fundamentally a static document."" - by ewhac (5844) on Thursday November 06, @02:15AM (#25657293) Homepage

      Which is why I have been recommending that folks turn off javascript in Adobe Acrobat Reader here:

      ----

      HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (& beyond):

      http://www.tcmagazine.com/forums/index.php?s=04c738547f09da1b78b5dcf5c4241e56&showtopic=2662&st=25&start=25

      ----

      On that page of that guide, specifically? It shows other exploits in the past taking advantage of this & via the same mechanisms that 95% of today's exploits use in webbrowsers &/or email programs as well: JAVASCRIPT (the "bane of the internet" (yes, it can be useful, but it is also a 'double-edged sword' that can work against you & anyone looking over @ SECUNIA.COM or SECURITYFOCUS.COM can easily verify this statement of mine, as for the past 1-4 yrs. now or so, 95% of the attacks out there today use javascript to do their dirty deeds...)

      ====

      "This is not an honest mistake. This is negligent engineering, and someone needs to lose a lot of money over it before the lesson sinks in." - by ewhac (5844) on Thursday November 06, @02:15AM (#25657293) Homepage

      Agreed... today's browser makers speeding up javascript processing, prior to securing it is, also - they're only speeding up how fast you can be infected via javascript misuse really is why I state that. Facts (such as the infection vector used in 95% of today's attacks online use javascript after all, & just going to SECUNIA.COM &/or SECURITYFOCUS.COM can show anyhow, that much, easily... to bear my statement out as fact, I recommend anyone do so in fact!)

      Personally?

      As far as webbrowsers &/or email programs go??

      It boggles the MIND that devs of those tools haven't yelled to high heck about the vulnerable/weak DOM behind javascript, because of all the exploits being put on others via its usage on "every site under the sun a user goes to". They should default it to off, & when a user needs it?? Websites usually let them know to turn it on, anyhow. I only use javascript on banking &/or shopping (commerce) sites online, where it IS needed + required mostly & that is it - I also have not been infected/infested by any form of malware because of it (& other points in the guide above) in more than 15 yrs. online now.

      Not too long ago here, when devs were discussing scripting? I noted this & was modded down for it (wtf?) here:

      http://developers.slashdot.org/comments.pl?sid=994291&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25362703

      & all I was doing was telling the truth + how it is... but, also, how to stay safe vs. it, there... blew my mind, being "modded down" for just telling the truth & also for telling others how to stay safe(r) vs. its misuse.

      You also get another "bonus" (for speed this time) in turning off javascript usage in webbrowsers (not just for security) - more speed, by not processing its scripts & also loading in data from yet more servers to do so (as in the case of adbanners, which also have been attack mec

  25. ??Bogosity alert? by lpq · · Score: 1

    So why would I want javascript running in my Adobe Reader? I've never had it enabled by default in any browser -- and only enable it on a per-site basis when needed. Adobe Reader...that's something I use to read static "Portable Documents" (like books) that are formatted in "Portable Document Format". I've never needed javascript enabled in any book I've ever read. Am I missing something? I just say 'no' to javascript being 'on' as a 'default' option (or activeX, or 'java'). Wasn't there some rich guy who said if you let untrusted others run programs on your computer then it's not your computer anymore?

  26. Re:For the uninformed: there is an "off" switch by lpq · · Score: 2, Interesting

    Why complicate your life with multiple readers....sure, if you really want to -- especially if you _like_ their interface better, but for the supposed sake of security? On a feature that should be off most of the time anyway? With more readers on your system, you have more 'active code' that your computer is regularly exposed to -- isn't there a risk with an increased code base? Sure, Adobe Reader would be more likely to be attacked than other pdf readers, but it's probably 'tested' by a few more users every day.

    But um,..."portable documents"...they are like books -- why would you turn "on" scripting in the 1st place in adobe reader? I've never found a need for it. Ever. Then again maybe I'm not downloading gyrating pdf's either....? *shrug*...dunno.

  27. Not surprised. by janopdm · · Score: 1

    To clarify, we are talking about a freaking document reader whose updates include a photo album, an electronic book organizer, photography online services, media player, form designer, electronic cards, javascript engine, autoupdater, quicklaunch agent, and probably a dozen features that I don't know because I uninstalled the damn thing the moment it asked for .5Gb of updates.

    This had to happen because it is bloated software made by people with a bloated mindset. A tool should do one thing and do it well. I'll update you if I need something else.

  28. Re: Microsoft HTML by lahvak · · Score: 1

    Actually, that makes sense. What Microsoft software produces is not HTML. Calling it Microsoft HTML makes a clear distinction. Although "garbage" may be more appropriate.

    --
    AccountKiller
  29. Seriously by hesaigo999ca · · Score: 1

    Again...another one...seriously??
    seriously????
    All you have to do with this tool is read a file in one format....come on people.
    We aren't asking you to create a new operating system. Get right already!

  30. simple online pdf by IsaacD · · Score: 0

    print to postscript, then visit http://ps2pdf.com/ easy as pie, and free

  31. Re:OOo PDF import plugin For the uninformed: by denis-The-menace · · Score: 1

    The Sun's OOo PDF import plugin does not import into Writer, only Impress and Draw.

    IOW: you can only do small changes. If you want to add a paragraph and push everything down, sorry. You'll have to move the content from page to page, manually!

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  32. ergh by revxul · · Score: 1

    "Critical Vulnerability In Adobe Reader" Yeah it's called horrible, horrible programming.

    --
    Truth, Just Us, And Hatred For All Mankind!
  33. Figures by Anonymous Coward · · Score: 0

    Two things that have continually fucked up my computer, consistently, time after time after time for decades: PDF and Java

    Two of the biggest piece of shit software packages in the world.

  34. Core Security Vulnerability Advisory by CoreSecurity · · Score: 1

    Here's a link to the actual Core Security vulnerability advisory on the CoreLabs homepage: http://www.coresecurity.com/content/adobe-reader-buffer-overflow .

  35. WHICH macros? by argent · · Score: 1

    Macros are supposed to help editing and creating the document. For that they usually have access to everything your wordprocessor, spreadsheet or editor can access, including your filesystem

    Macros that are provided from OUTSIDE the document, yes.

    Macros EMBEDDED IN a document must NOT be granted any rights to modify any state outside the currently in-memory copy of that document... and a saved copy IF you choose to save it.