Slashdot Mirror


Critical Vulnerability In Adobe Reader

An anonymous reader writes "Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions using Adobe's Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader."

4 of 160 comments

  1. Single-purpose tools are good by davidwr · Score: 5, Insightful

    Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

    If not, it should.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Single-purpose tools are good by Roland Piquepaille · Score: 5, Insightful

      Your remark leads to the general question: what business does a document viewer have trying to execute embedded JavaScript scripts? A PDF file is essentially a PostScript file, so its content is supposed to be interpreted as a page description and nothing more.

      This is reminiscent of Microsoft's "executable" .DOC files that were used to spread viruses around years ago. This is what you get when you try to make a tool too clever for its own good.

  2. Re:For the uninformed: by JustinOpinion · Score: 5, Insightful

    Perhaps, but you can have multiple PDF readers installed. And in terms of security, it's usually best to use the simplest application that will work.

    So basically you could use FoxIt or Sumatra PDF to open most PDFs. And then for the rare one that uses some advanced stuff, you can fire up Acrobat. The fact is that most of the stuff that Acrobat supports that other PDF readers don't involves some kind of scripting. And really you shouldn't be running any scripts (even those that are, in principle, sandboxed) unless you have reason to trust them.

    So a sensible strategy would seem to be that you open 99% of PDFs with a simpler reader, and only use Acrobat on the few that really need it, and only if the source of the PDF is trustworthy in your estimation.

    (Yeah, I know... it's a bit of a pain to have multiple programs that do the same thing. In principle you "shouldn't have to" in the sense that your PDF reader should be secure. But in reality it seems like a reasonable precaution.)
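The strategy in the comment above (simple reader by default, the full reader only for files that need scripting) can be backed by a check of whether a PDF declares JavaScript at all. The following is an added example, not part of the thread: it looks for the PDF name keys `/JS` and `/JavaScript`, including hex-escaped spellings and names inside Flate-compressed streams. The function names and the sample byte strings are constructed for illustration.

```python
import re
import zlib

SCRIPT_NAMES = {b"JS", b"JavaScript"}
# A PDF name is "/" followed by any bytes that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)

def decode_name(raw):
    """Undo #xx hex escapes, which PDF allows inside names (/J#53 is /JS)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def count_script_names(data, hits):
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in SCRIPT_NAMES:
            hits[name.decode()] = hits.get(name.decode(), 0) + 1

def inflated_streams(data):
    """Yield the contents of streams that decompress as zlib/Flate data."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (image, other filter, encrypted)

def triage(data):
    """Return (verdict, hits); verdict is 'not-a-pdf', 'scripted' or 'plain'."""
    if b"%PDF-" not in data[:1024]:
        return "not-a-pdf", {}
    hits = {}
    count_script_names(data, hits)
    for body in inflated_streams(data):  # object streams can hide the keys
        count_script_names(body, hits)
    return ("scripted" if hits else "plain"), hits

# Constructed samples (not real documents).
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
OBFUSCATED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /J#61vaScript "
              b"/J#53 (app.alert\\(1\\)) >>\nendobj\n%%EOF\n")
HIDDEN = (b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode "
          b"/N 1 /First 4 >>\nstream\n"
          + zlib.compress(b"6 0 << /S /JavaScript /JS (app.alert\\(1\\)) >>")
          + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("obfuscated", OBFUSCATED),
                          ("hidden", HIDDEN)):
        print(label, triage(sample))
```

A "plain" verdict only means no script keys were found by this scan: encrypted files and streams using other filters are not inspected, so it is a routing hint for which reader to use, not evidence that a file is safe.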

  3. Re:Which again... by Anonymous Coward · Score: 5, Insightful

    You are part of the problem.