Slashdot Mirror


Critical Vulnerability In Adobe Reader

An anonymous reader writes "Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions using Adobe's Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader."

19 of 160 comments

  1. For the uninformed: by Joe+Snipe · · Score: 5, Informative

    Foxit FTW

    --
    Sometimes, life itself is sarcasm...
    1. Re:For the uninformed: by Ethanol-fueled · · Score: 4, Informative
      Hey, that's my line. By the way,

      While investigating the feasibility of exploiting a vulnerability previously disclosed in Foxit Reader (CVE-2008-1104), a CoreLabs researcher found that Adobe Reader was affected by the same bug.

      Foxit users: don't panic. Though Foxit Reader v2.3 build 2825 is vulnerable, 2.3 builds 2912 and later are patched. Build 3309 is the current version available for download.

      ...with the privileges of a user running the Adobe Reader application.

      Which strongly implies that those affected will be Windows users with Administrator access.

    2. Re:For the uninformed: by JustinOpinion · · Score: 5, Informative

      Another option for PDF reading on Windows is Sumatra PDF (if you prefer open-source).

    3. Re:For the uninformed: by Zonk+(troll) · · Score: 5, Informative

      That might work on some or most files, but there still is no replacement for Acrobat.

      True, but we're getting closer. OpenOffice 3 now has a PDF Import extension, and of course for Windows there's PDFCreator (Gnome/KDE and OS X natively support printing to PDF).

      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
    4. Re:For the uninformed: by IngeniousCognomen · · Score: 2, Informative

      Sure, Foxit is fine as far as it goes, but it runs slower than Adobe Reader on my PC. Plus Adobe lets me save as text, where Foxit expects me to pay for that functionality.

    5. Re:For the uninformed: by Anonymous Coward · · Score: 3, Informative

      I knew some guy would chime in recommending Foxit, but I'm surprised and glad to see a recommendation for Sumatra.

      Foxit is suffering from its own feature-creep and bloat-up issues (on a much smaller scale than Adobe's software, but still), so Sumatra is really what I _think_ everyone who chimes in with "Foxit" really means to recommend. It accurately renders PDFs. THAT'S IT.

    6. Re:For the uninformed: by bcrowell · · Score: 3, Informative

      That might work on some or most files, but there still is no replacement for Acrobat.

      Huh? I create PDFs all the time, and don't own a copy of Acrobat. I use pdftex and inkscape, but there's scads of other software that can do it, e.g., Scribus if you want GUI desktop publishing. This is all on Linux, but there's tons of PDF-creating software on Windows as well.

    7. Re:For the uninformed: by Beardo+the+Bearded · · Score: 4, Informative

      there's tons of PDF-creating software on Windows as well.

      PDFCreator from sourceforge:
      http://sourceforge.net/projects/pdfcreator/

      It's a Windows printer that prints out your documents as PDFs.

      It's that easy.

      --
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    8. Re:For the uninformed: by initdeep · · Score: 3, Informative

      If you RTFA, you would note that the current build of Adobe Reader isn't vulnerable either.

    9. Re:For the uninformed: by c0p0n · · Score: 2, Informative

      Actually, well before that. But the parent said import.

      --
      Your head a splode
  2. Re:Single-purpose tools are good by bcrowell · · Score: 5, Informative

    Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

    To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

    Even if the js-related security bugs are fixed, it's still a privacy issue, because js in a pdf file can be used to track who's reading a particular document.

    Personally, when I see that a piece of software has a long history of security problems, I take that as my cue to remove it from my system. I don't really care that they keep fixing the bugs. The fact that it has this history demonstrates that the software wasn't written with the correct attention to security, and it's likely to have more such problems in the future.

    If you're running Linux, xpdf starts up extremely fast, and that's why I use it as my pdf plugin in Firefox. If you want something a little more modern, try evince.

    People have posted saying that on Windows, you should switch to Foxit, but the article says that the security flaw was found first in Foxit, and only later in Adobe Reader. I actually tried to get the science division at the community college where I teach to switch to putting Foxit on machines in the student labs as the default pdf plugin. However, when the faculty were testing it, they found that it was not correctly displaying some of the pdfs they were using.

  3. Re:Which again... by andrewd18 · · Score: 4, Informative

    I create PDF order forms for my company that our salesmen e-mail to customers; these javascript-enabled PDF order forms dynamically enable or disable options as the user customizes an order. For example, if the user picks option A, sub-options A1 -> A5 are automatically enabled, while B1 -> B5 are disabled. And that's why you might want javascript in a PDF.

  4. Re:Which again... by Nimey · · Score: 5, Informative

    It raises the question, godsdamnit. Here's what "begging the question" actually means:

    http://en.wikipedia.org/wiki/Begging_the_question

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  5. How soon we forget best practices by richrumble · · Score: 3, Informative

    98% of virii/malware etc. need ADMIN to succeed... and very few applications on Windows, save a very small percentage, actually need admin. The User Group is good enough for the wife/kids and my sales staff, lowers TCO even for M$. We don't use installed AV clients, we scan remotely nightly, run proxy+av along with snort, no issues. Users can use runas http://xinn.org/RunasVBS.html if need be, but they probably won't need to. Anti-Admin VS Anti-Virus, and AA wins! http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html -rich

  6. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  7. Re:Single-purpose tools are good by Randle_Revar · · Score: 2, Informative

    JS in PDFs is silly IMO, but I have to point out that PS (but not PDF) is a Turing-complete language.

    http://www.tinaja.com/post01.asp

  8. Re:An alternative? by cparker15 · · Score: 3, Informative

    Web page?

    --
    Have you driven a fnord... lately?

  9. Re:Single-purpose tools are good by erikdalen · · Score: 2, Informative

    PostScript is a stack-based programming language. PDF was afaik originally designed to be a simpler format for just describing page layout. But then they've extended it to be able to include javascript for programming and embedding videos, flash and all sorts of stuff (sounds like HTML...).

    http://en.wikipedia.org/wiki/PostScript

    --
    Erik Dalén
  10. Scripting is useful, but.... by Anonymous Coward · · Score: 2, Informative

    Scripting is great, as it allows you to generate dynamic content, perform validation, etc. It enables better PDF presentations and forms and cute little tools. In short, javascript benefits PDF in the same ways it benefits (X)HTML.

    However, like macro languages in word processors & like javascript in web browsers, scripting in PDF viewers needs to be hardened against unintended consequences.

    "No javascript in PDF" is a very poor solution. Few people disable javascript in their browsers. Even the fairly paranoid will just run "noscript" & will then decide (for themselves and on a case-by-case basis) when scripting is desired and trustworthy.