Slashdot Mirror


Critical Vulnerability In Adobe Reader

An anonymous reader writes "Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions using Adobe's Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader."

7 of 160 comments

  1. Re:Single-purpose tools are good by zalas · · Score: 2, Interesting

    They've already developed a lite version of their PDF renderer for their Digital Editions product, so they really should just distribute the renderer in that as a standalone product or something.

  2. Re:Which again... by TimeTraveler1884 · · Score: 2, Interesting

    "Why Does Adobe Reader Need Javascript"??

    I've written scripts for Adobe Acrobat Professional to interleave PDFs of scans from my single-duplex, automatic document feeder scanner. Can you believe that there are companies out there that charge $100 or so to do the same task with a plugin? Took me 15 min to write it in JavaScript myself.

    As far as Reader though, I've seen some web-fill state tax forms that use Javascript for field validation.

  3. HATE Adobe by Forty+Two+Tenfold · · Score: 2, Interesting

    What I hate about them most is their labeling the file types in windows: "Adobe PDF, Adobe SVG, Adobe PNG". WHAT THE FUCK! This should be prosecuted.

    --
    Upward mobility is a slippery slope - the higher you climb the more you show your ass.

  4. Re:Single-purpose tools are good by Thundersnatch · · Score: 4, Interesting

    Sure, JavaScript is pointless in a PDF viewer and should be disabled, but it is worth noting that PostScript itself is a programming language. It has conditionals, functions, loops, etc. I myself once hand-coded a PostScript program to draw a high-res graph of a particular function for a class back in college. This 1K file basically owned the imagesetter in the print lab for about 45 minutes while it rendered at 1200 dpi.

    If I recall correctly, there were even a couple of PostScript exploits back in the 1990s that could "brick" Apple LaserWriters.

  5. Re:Which again... by ZERO1ZERO · · Score: 2, Interesting

    Yeah. I noticed that. I understand when not to use 'begging/begs the question' when meaning 'raises the question'. But I have read that wiki page before, and I just read it again, but it still makes no sense to me. Can someone please explain in plain English when one *would* use the phrase begging the question?

    "That begs the question" is an appropriate reply when a circular argument is used within one syllogism. That is, when the deduction contains a proposition that assumes the very thing the argument aims to prove; in essence, the proposition is used to prove itself, a tactic which in its simplest form is not very persuasive.

    I mean, what the fuck?

  6. Re:For the uninformed: by access.name · · Score: 2, Interesting

    Paradoxically, this vulnerability was found in Foxit first :) http://secunia.com/advisories/29941/

  7. Re:For the uninformed: there is an "off" switch by lpq · · Score: 2, Interesting

    Why complicate your life with multiple readers....sure, if you really want to -- especially if you _like_ their interface better, but for the supposed sake of security? On a feature that should be off most of the time anyway? With more readers on your system, you have more 'active code' that your computer is regularly exposed to -- isn't there a risk with an increased code base? Sure, Adobe Reader would be more likely to be attacked than other pdf readers, but it's probably 'tested' by a few more users every day.

    But um,..."portable documents"...they are like books -- why would you turn "on" scripting in the 1st place in adobe reader? I've never found a need for it. Ever. Then again maybe I'm not downloading gyrating pdf's either....? *shrug*...dunno.
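The advisory in the summary concerns PDFs that carry JavaScript, and lpq's point is that scripting should simply be off. A defender who cannot switch it off everywhere still wants a quick triage check for files that contain a script hook at all. The script below is an added example, not code from the Slashdot thread, Core Security, or Adobe: it scans a PDF for the standard PDF name objects that store or trigger scripts (/JS, /JavaScript, /OpenAction, /AA, all from the PDF specification), decodes the #xx hex escapes that PDF allows inside names (so /J#53 is read as /JS), and inflates FlateDecode streams so dictionaries packed into compressed object streams are not missed. The sample PDFs are constructed inline and are not valid enough to render; they exist only to exercise the scanner. A hit means the file contains a script hook, not that it is malicious: as TimeTraveler1884 notes, state tax forms legitimately use JavaScript for field validation, so treat the result as a triage signal.

```python
import re
import zlib

# PDF name objects worth flagging. /JS and /JavaScript hold the script text or
# stream; /OpenAction and /AA (additional actions) are the dictionary keys that
# make a viewer run an action automatically, e.g. when the document is opened.
SUSPICIOUS_NAMES = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA")

# A PDF name token runs from '/' to the next whitespace or delimiter character.
_NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()%]+")
# Inside a name, #xx is a hex escape for one byte (PDF 1.2 and later).
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Raw stream bodies sit between the 'stream' and 'endstream' keywords.
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes inside every name token so /J#53 reads as /JS."""
    def decode(match):
        return _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return _NAME_TOKEN.sub(decode, data)


def inflate_streams(data: bytes) -> bytes:
    """Append the content of every stream that inflates cleanly with zlib.

    Object streams (/Type /ObjStm) keep whole dictionaries inside compressed
    data, so a scan of the raw bytes alone misses them. Streams that are not
    FlateDecode (images, fonts) simply fail to inflate and are skipped.
    """
    extra = []
    for match in _STREAM.finditer(data):
        try:
            # decompressobj tolerates trailing bytes after the deflate stream.
            extra.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(extra)


def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for each suspicious name present after normalisation."""
    text = normalise_names(inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /AA does not match e.g. /AAPL.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", text))
        if count:
            hits[name.decode()] = count
    return hits


def is_scripted(data: bytes) -> bool:
    """True when the file carries any script hook; a triage signal, not a verdict."""
    return bool(scan_pdf(data))


# Constructed sample: a plain one-page document with no actions or scripts.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: an OpenAction pointing at a JavaScript action whose /JS
# key is written with a hex escape (/J#53), which a naive substring search misses.
SCRIPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /J#53 (constructed sample) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def make_compressed_pdf() -> bytes:
    """Constructed sample: the JavaScript action dictionary lives only inside a
    FlateDecode object stream, so the raw bytes show no /JS at all."""
    inner = b"<< /S /JavaScript /JS (constructed sample) >>"
    body = zlib.compress(inner)
    return (b"%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF),
                       ("compressed", make_compressed_pdf())):
        print(f"{label:10s} scripted={is_scripted(pdf)} hits={scan_pdf(pdf)}")
```

The scanner is deliberately a byte-level heuristic rather than a full PDF parser: it does not follow object references, so it cannot tell which action a given /OpenAction resolves to, and it ignores filters other than FlateDecode. That is enough to sort a mail attachment queue into "no script hooks" and "look closer", which is the decision the thread is really about.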