Slashdot Mirror


Critical Vulnerability In Adobe Reader

An anonymous reader writes "Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions using Adobe's Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader."

  1. For the uninformed: by Joe Snipe · Score: 5, Informative

    Foxit FTW

    --
    Sometimes, life itself is sarcasm...
    1. Re:For the uninformed: by JustinOpinion · Score: 5, Informative

      Another option for PDF reading on Windows is Sumatra PDF (if you prefer open-source).

    2. Re:For the uninformed: by Zonk (troll) · Score: 5, Informative

      That might work on some or most files, but there still is no replacement for Acrobat.

      True, but we're getting closer. OpenOffice 3 now has a PDF Import extension, and of course for Windows there's PDFCreator (Gnome/KDE and OS X natively support printing to PDF).

      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
  2. Re:Single-purpose tools are good by bcrowell · Score: 5, Informative

    Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

    To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

    Even if the js-related security bugs are fixed, it's still a privacy issue, because js in a pdf file can be used to track who's reading a particular document.

    Personally, when I see that a piece of software has a long history of security problems, I take that as my cue to remove it from my system. I don't really care that they keep fixing the bugs. The fact that it has this history demonstrates that the software wasn't written with the correct attention to security, and it's likely to have more such problems in the future.

    If you're running Linux, xpdf starts up extremely fast, and that's why I use it as my pdf plugin in Firefox. If you want something a little more modern, try evince.

    People have posted saying that on Windows, you should switch to Foxit, but the article says that the security flaw was found first in Foxit, and only later in Adobe Reader. I actually tried to get the science division at the community college where I teach to switch to putting Foxit on machines in the student labs as the default pdf plugin. However, when the faculty were testing it, they found that it was not correctly displaying some of the pdfs they were using.
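
A triage check related to the point above about JavaScript in PDF files, as an added example that is not part of the thread or any poster's code: it counts script-related name objects (/JS, /JavaScript, /OpenAction, /AA) in a PDF, decoding #xx name escapes and inflating Flate-compressed streams. The sample byte strings are constructed, and the function names are this example's own.

```python
import re
import zlib

# PDF name objects that carry script or trigger it automatically.
SCRIPT_NAMES = {"JS", "JavaScript", "OpenAction", "AA"}
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so J#61vaScript reads as JavaScript."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def count_names(data: bytes, counts: dict) -> None:
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in SCRIPT_NAMES:
            counts[name] = counts.get(name, 0) + 1


def script_markers(pdf: bytes) -> dict:
    """Return {name: occurrences} for script-related names in a PDF."""
    counts = {}
    count_names(pdf, counts)
    # Dictionaries can sit inside Flate-compressed object streams.
    for match in STREAM_RE.finditer(pdf):
        try:
            inflated = zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data (image, other filter, encrypted)
        count_names(inflated, counts)
    return counts


# Constructed fragments for illustration, not real documents.
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\n"
            b"endobj\n3 0 obj\n<< /S /J#61vaScript /JS (void 0;) >>\nendobj\n")
HIDDEN = (b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\n"
          b"stream\n" + zlib.compress(b"<< /S /JavaScript /JS (void 0;) >>")
          + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("scripted", SCRIPTED),
                          ("hidden", HIDDEN)):
        print(label, script_markers(sample) or "no script markers")
```

A hit means the file carries or auto-runs script, not that it is malicious; encrypted documents and filters other than Flate are not inspected.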

  3. Re:Which again... by Nimey · Score: 5, Informative

    It raises the question, godsdamnit. Here's what "begging the question" actually means:

    http://en.wikipedia.org/wiki/Begging_the_question

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem