Adobe Flaw Heightens Risk of Malicious PDFs

What about Foxit? by PotatoFarmer · 2009-02-20 04:02 · Score: 2, Insightful

TFA doesn't mention whether or not Foxit is affected. If not, it's just one more reason to avoid the bloatware that is Reader.

Re:What about Foxit? by jetsci · 2009-02-20 04:08 · Score: 4, Informative

This is Slashdot. Right so far. We are mostly alternative OS users, i.e., Linux, *BSD, OSX, etc(sorry OS2 users). Right again. These articles are annoying in that they are so very broad. Its like the typical American-slashdotter who assumes the "Government" refers to the U.S. only in any context. This article presumes the user base is that of Windows users. Why not specify this is a ****OS NAME HERE***** issue? The article says this is a Windows XP SP3 issue. Great, that's nice to know, but I shouldn't be presented with an article that makes me think I need to go and update/remove Adobe from my Debian machine. Pure FUD. FUD' beyond belief! /rant

--
Bored at work? Play Game!
Re:What about Foxit? by InsertWittyNameHere · 2009-02-20 04:12 · Score: 5, Funny

Foxit has compatibility problems because it doesn't have all of the features of Adobe Reader 9.
For example it doesn't open the specially crafted PDFs our clients send us at work, which are thoughtfully secured with AntivirusXP2009
Re:What about Foxit? by pipatron · 2009-02-20 04:28 · Score: 4, Funny

I use AmigaOS, you insensitive clod.

--
c++; /* this makes c bigger but returns the old value */
Re:What about Foxit? by Anonymous Coward · 2009-02-20 04:28 · Score: 5, Informative

The problem is a buffer overflow + using javascript to fill the overflow with shell code (which is OS/CPU specific). I just did a test on x86 linux and acrobat reader for linux is affected as well.
Re:What about Foxit? by jetsci · 2009-02-20 04:31 · Score: 3, Funny

I left you guys out on purpose...

--
Bored at work? Play Game!
Re:What about Foxit? by Anonymous Coward · 2009-02-20 04:35 · Score: 0, Redundant

I use Haiku, you insensitive clod.
Re:What about Foxit? by sexconker · 2009-02-20 04:44 · Score: 1

Is that a joke?
Antivirus XP 2009 is a particularly nasty piece of malware.
I wouldn't accept anything from anyone who had that, regardless of whatever esoteric operating system I had.
Re:What about Foxit? by A.+B3ttik · 2009-02-20 04:49 · Score: 4, Informative

Sumatra PDF Reader is Open Source, less than half the size of Foxit (1/15th the size of Acrobat) and has search, text-read, copy-paste, and plenty of keyboard shortcuts. It's very quick and streamlined and makes Foxit look bloated in comparison.

Right now it's windows only, unfortunately.

http://blog.kowalczyk.info/software/sumatrapdf/index.html
Re:What about Foxit? by horza · 2009-02-20 04:51 · Score: 3, Informative

Where in the article does it say this is a WindowsXP SP3 issue? The Adobe official site clearly states "Platform: All platforms". The shadowserver site says they tested it works with WindowsXP SP3, not that it's restricted to this.
Phillip.

--
Property for sale in Nice, France
Re:What about Foxit? by staryc · 2009-02-20 04:52 · Score: 2, Funny

Since we're obviously over-generalizing a typical slashdot reader's reading/interpreting habits, isn't it safe to assume that most of us skip ahead and read the article ourselves anyway?

--
The most perfidious way of harming a cause consists of defending it deliberately with faulty arguments. - Nietzche
Re:What about Foxit? by jetsci · 2009-02-20 04:53 · Score: 1

I have no funny/clever/whimsical retort for you sir.

You may pass.

--
Bored at work? Play Game!
Re:What about Foxit? by jetsci · 2009-02-20 04:55 · Score: 1

RTFA! Seriously, CTRL + F "Windows" will show that it specifies XP SP3. A poster above has stated he reproduced the issue on Linux but the article states XP SP3.

--
Bored at work? Play Game!
Re:What about Foxit? by PotatoFarmer · 2009-02-20 04:58 · Score: 4, Informative

On the other hand, the actual advisory from Adobe states that the issue affects all platforms. You'd think they'd be the ones to know best, right?
Re:What about Foxit? by stewbacca · 2009-02-20 05:01 · Score: 1

I agree with your post, except for FUD isn't what you think it means, evidently. That's a common problem here on slashdot, and that's my rant for today.
Re:What about Foxit? by benjamindees · 2009-02-20 05:01 · Score: 1

Acrobat 9 doesn't exist for *nix. That should have been a clue.

--
"I assumed blithely that there were no elves out there in the darkness"
Re:What about Foxit? by jetsci · 2009-02-20 05:08 · Score: 1

What are you implying sir? That I followed my own advice and RTFA/followed the links? Don't tread on me!

--
Bored at work? Play Game!
Re:What about Foxit? by stonewallred · 2009-02-20 05:11 · Score: 5, Informative

the "nice" feature on this is that you can copy and paste protected documents.
Re:What about Foxit? by Anonymous Coward · 2009-02-20 05:11 · Score: 2, Funny

Strange, I saw a pretty good review of this AV software on PCMag...
Re:What about Foxit? by F�an�ro · 2009-02-20 05:23 · Score: 1

even better sumatra pdf does not lock the file while it is displayed, so you can edit it with pdflatex while keeping it open in sumatra pdf, and it will automatically update the display.
Memory useage can get a bit high though
Re:What about Foxit? by Anonymous Coward · 2009-02-20 05:31 · Score: 0

The application size is of little consequence when Sumatra PDF consumes hundreds of megs of memory just by scrolling through a moderate sized PDF. Foxit has no such memory bug and loads faster.
Re:What about Foxit? by FishWithAHammer · 2009-02-20 06:02 · Score: 1

We are mostly alternative OS users, i.e., Linux, *BSD, OSX, etc(sorry OS2 users).
Really. You have numbers to back up that wild-ass claim? Because this poll would kind of disagree with you. (No, it's not scientific, but if anything the GNUtards are more likely to jump on that as a chance to proclaim how they don't use Windows than Windows users are to respond!)

--
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
Re:What about Foxit? by NeverVotedBush · 2009-02-20 06:03 · Score: 1

I wonder how many people will get that. At least one did that had mod points.

Good show!
Re:What about Foxit? by popo · 2009-02-20 06:05 · Score: 1

I don't know what stats you're looking at, but most Slashdotters use Windows.

--
------ The best brain training is now totally free : )
Re:What about Foxit? by Jerry+Smith · 2009-02-20 06:05 · Score: 1

Is that a joke? Antivirus XP 2009 is a particularly nasty piece of malware.
I wouldn't accept anything from anyone who had that, regardless of whatever esoteric operating system I had.
WHOOOOOOOSH!!

--
All those moments will be lost in time, like tears in rain. Time to die.
Re:What about Foxit? by operator_error · 2009-02-20 06:17 · Score: 1

most Slashdotters use Windows
Citation requested.
Re:What about Foxit? by Draek · 2009-02-20 06:21 · Score: 1

I use Linux as my main desktop, I watch movies, edit photos, listen to music and etc on it, but I have a Windows VM for .NET development, and a separate Windows partition for gaming. I tried the Win7 beta and liked it, so if somebody asks me "are you going to upgrade to Win7?", what do you think I'd answer?
Yet as I read books on Linux using Evince instead of Windows and the turd called Adobe Reader, this doesn't affect me at all.
The problem with trying to deduce slashdotters' OS usage from that poll is that even leaving aside the multiple problems with the numbers themselves (noted by Slashdot itself below it), it doesn't even ask the right question for that purpose.

--
No problem is insoluble in all conceivable circumstances.
Re:What about Foxit? by sexconker · 2009-02-20 06:30 · Score: 1

Antivirus XP 2009 has fooled many, many people, and it is quite possible that the poster actually does deal with clients that are unknowingly sending him files that are trashed beyond belief.
I asked if it was a joke because telling your boss / a client that you won't open their files because they're broken/infected/corrupted/immoral is often met with "just open it" or "we can resend the file" or "the deadline is tomorrow!".
It may very well be the case that the poster DOES in fact have to try to open up borked files from these clients. If so, I was merely commenting on the fact that Antivirus XP 2009 is particularly nasty and that I wouldn't touch it with a 10 foot clown pole.
The "compatibility problems", "features", "specially crafted", and "thoughtfully secured" lines may scream "joke" to you, but they could just as easily be thick, delicious sarcasm from a IT worker who is dying on the inside.
There is no whooshing.
Re:What about Foxit? by Anonymous Coward · 2009-02-20 06:39 · Score: 0

TFA doesn't say that it affects *only* XP SP3.
It's idiots like you who give Linux a bad name.
Re:What about Foxit? by Digana · 2009-02-20 06:49 · Score: 1

Why do you use Adobe Reader in Debian? This is an honest question. I work all the time with PDFs, and I've been very happy with Evince, sometimes see what Okular is up to. Why do you need Adobe Reader? For forms?
Re:What about Foxit? by terrahertz · 2009-02-20 06:59 · Score: 1

Based on the FoxIt and Sumatra support forums, it appears you're correct. Of course, a quick read of the FoxIt forum tells me it has major problems with creating freakishly large print jobs and taking its sweet ole time even when printing a few simple pages. So neither is ready for primetime business use, and I still have to decide which anvil I'm going to drop on my foot come Monday morning.

--
Slashdot? Oh, I just read it for the articles.
Re:What about Foxit? by Grishnakh · 2009-02-20 07:13 · Score: 1

It's elsewhere in this thread: someone pointed to a poll Slashdot ran recently asking if they'd upgrade to Windows 7. Only about 32% said "I don't use Windows". That leaves almost 70% who do use Windows, clearly a majority.
As a Linux user, I don't like it either, but it doesn't help things to ignore reality, and the reality is that Slashdot is filled with Windows fans and users. You always have to watch out any time you badmouth MS on here, because some MS fanboy will bash you for it. And as the poll shows, these fanboys aren't some tiny, fringe element, they're quite numerous.
Re:What about Foxit? by krbvroc1 · 2009-02-20 07:24 · Score: 1

On the other hand, the actual advisory from Adobe states that the issue affects all platforms. You'd think they'd be the ones to know best, right?
Well, maybe the programmer who wrote the advisory and who signed off on the original 'overflow free' code are one in the same?
Re:What about Foxit? by terrahertz · 2009-02-20 07:57 · Score: 2, Interesting

Except that breaks the ability to use chapter-like bookmark links from one PDF to another, which are frequently used in business contexts. So another reminder: Lock your corporate user accounts down as far as you can, because they are going to need every stupid little feature in the world, even if it kills them (and you).

--
Slashdot? Oh, I just read it for the articles.
Re:What about Foxit? by Opyros · 2009-02-20 08:18 · Score: 1

Right now it's windows only, unfortunately.
I've had no trouble running it under Wine, though (and ditto for Foxit).
Re:What about Foxit? by Anonymous Coward · 2009-02-20 08:32 · Score: 0

ok let's forget OS/CPU wars for a second and focus on the fact that most people don't use Adobe reader to read pdfs, at least not in these forums.
Re:What about Foxit? by EponymousCustard · 2009-02-20 09:35 · Score: 1

i know you asked about debian, but this is my reason in ubuntu : https://bugs.launchpad.net/ubuntu/+source/evince/+bug/44989
Re:What about Foxit? by smoker2 · 2009-02-20 10:35 · Score: 1

despite comments further down, I agree. Windows is not the only OS on the planet,and as such (bearing in mind almost every attack has been windows based in the past) it would be nice if the MEDIA could recognise us as part of the fucking blogosphere ! (excuse me while I wash my mouth out.) Windows & Fedora
Re:What about Foxit? by innocent_white_lamb · 2009-02-20 10:50 · Score: 1

Acrobat Reader is the only PDF reader that works with all PDF files. I don't like that fact either.
Here is an example that renders properly only with acroread:
https://bugzilla.redhat.com/show_bug.cgi?id=220983

--
If you're a zombie and you know it, bite your friend!
Re:What about Foxit? by FishWithAHammer · 2009-02-20 11:46 · Score: 1

So you're not a Linux user, you're a user of multiple OSes. Thank you for helping me prove my original point: that Slashdot users are not merely "alternative OS users" and that Windows stories are germane. :)

--
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
Re:What about Foxit? by jim_v2000 · 2009-02-20 11:53 · Score: 1

How does it compare to Evince in Ubuntu?

--
Don't take life so seriously. No one makes it out alive.
Re:What about Foxit? by narcberry · 2009-02-20 14:18 · Score: 1

WOOOOOSH!!!

--
Modding me -1 troll doesn't make me wrong.
Re:What about Foxit? by Anonymous Coward · 2009-02-20 14:42 · Score: 0

It was them who fucked up and caused the issue, so it's not like they are very credible
Re:What about Foxit? by Mozk · 2009-02-20 15:15 · Score: 1

I'll Upgrade + I'm Happy With Vista + I'm Happy With XP = 15843 = 35%
I Don't Use Windows = 14684 = 32%
No Way It'll Happen Next Year + Still Waiting for NealOS = 33%
I don't get 70% Windows users from that, considering that the last two could split either way, and I could see people voting I'll Upgrade as meaning that they will test it or switch from another OS.
I use both Linux and Windows, and at times other OSes. I'm a fanboy of none of them.
Anyway, the original parent said that "[w]e are mostly alternative OS users". I wouldn't question that most users here are indeed at least users of alternative OSes, that is, they have used OSes other than Windows. I would assume that users that have only ever used one OS and have no experience with another are not in the majority here, so the point is that it's foolish to have an article featured here like this without specifying what OS it affects.

--
No existe.
Re:What about Foxit? by eihab · 2009-02-20 20:15 · Score: 1

ok let's forget OS/CPU wars for a second and focus on the fact that most people don't use Adobe reader to read pdfs, at least not in these forums.
Users of Slashdot, sure... maybe, but let's not forget that a lot of people here could be and probably are administering networks where people _do_ use Adobe's reader for one reason or another.
Get off your high horse, quit trolling and honestly if you don't like an article just skip it and spare us the useless posts.

--
If you can't mod them join them.
Re:What about Foxit? by dangitman · 2009-02-20 21:48 · Score: 1

I use AmigaOS, you insensitive clod.
Well, you should have had the Intuition to realize that there was a problem, without being told.

--
... and then they built the supercollider.
Re:What about Foxit? by GPLHost-Thomas · 2009-02-20 22:18 · Score: 1

+1 !!! I am also one of the guys very annoyed by people writing here "the Government" and "the country" and the like. Especially: even though I'm not a native of it, I live in the most populated country in the world (China, to name it), and the 300M compared to the 1.6T seems quite ridiculous. "the country" should NOT be USA.
Re:What about Foxit? by Anonymous Coward · 2009-02-21 01:45 · Score: 0

[Shrug] The first thing I do with Adobe Reader is disable Javascript and all the other irrelevant fluff.
What works for browser security works for Reader.
Re:What about Foxit? by Anonymous Coward · 2009-02-25 06:36 · Score: 0

Thanks for that tip.
Re:What about Foxit? by Anonymous Coward · 2009-03-05 03:45 · Score: 0

well aren't you fancy?

ps. shut the fuck up
Re:What about Foxit? by Anonymous Coward · 2009-03-05 07:39 · Score: 0

To Adobe, "all platforms" means Microsoft and Mac.

Yeah! by Anonymous Coward · 2009-02-20 04:02 · Score: 0

The joy of patching all our machines. Sure we aren't going to just have to move to 10 and download the yahoo! toolbar to make that work?

Re:Yeah! by jetsci · 2009-02-20 04:49 · Score: 1

...I see what you did there. I still don't understand the appeal of those awful toolbars. They do nothing of consequence in my mind but sure do take up a lot of browser real estate. My girlfriend likes to run the google and yahoo toolbars together on her Vista machine*cringe*. Let me know when they come out with a toolbar with features worth giving up my browser space.

--
Bored at work? Play Game!
Re:Yeah! by daveime · 2009-02-20 09:12 · Score: 1

Yahoo are like encylopedia salesmen. Or possibly drug pushers. Or possibly just horribly deluded that anyone would want their spyware^H^H^H^H^H^H^Htoolbar at all ?
You try to install Yahoo Messenger, "wanna toolbar ? uncheck box to NOT install it"
You sign up for a Yahoo Mail account, "wanna toolbar ? uncheck box to NOT install it"
You join a Yahoo Group, "wanna tollbar ? uncheck box to NOT install it"
Ad nauseum.

I was worried for a moment... by anss123 · 2009-02-20 04:04 · Score: 1

...then I remembered that I use Sumatra PDF

Well.. by phrackwulf · 2009-02-20 04:04 · Score: 3, Insightful

Guess I'm going back to Adobe 5.1 again. And yes, I still have the install.

--
What would Richard Feynman do, if he were here right now? He'd do some math and he'd follow through!

Re:Well.. by Samschnooks · 2009-02-20 04:13 · Score: 1

Guess I'm going back to Adobe 5.1 again. And yes, I still have the install.
Ewww! The older ones where such pigs! They took up more memory than they should and they took a long time to come up. I have 9.0 and it sure comes up so much faster than previous version!
I guess I'll just be careful about whose PDFs I open.
Re:Well.. by andymadigan · 2009-02-20 04:23 · Score: 2, Informative

It comes up faster because it's always running.

--
The right to protest the State is more sacred than the State.
Re:Well.. by just_another_sean · 2009-02-20 04:26 · Score: 1, Redundant

Maybe this is a good time to try an alternative like Foxit?

--
Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
Re:Well.. by DrVomact · 2009-02-20 06:49 · Score: 1

Guess I'm going back to Adobe 5.1 again. And yes, I still have the install.
I did this back a couple of years ago, when Adobe used an Acrobat update to introduce a "feature" that causes all other installed Adobe software (FrameMaker and Photoshop for sure) to phone home every time you start them (http://slashdot.org/~DrVomact/journal/180759). I don't understand why nobody else got upset about this.
By the way, have you figured out how to disable the annoying prompt that reminds you that your version of Acrobat Reader is out of date, and you may not be able to see all the nifty new features in the document you are opening? Clicking the "Don't tell me again" box does no good—the dialog still pops up every time. 5.1 works fine in every other respect.

--
Great men are almost always bad men--Lord Acton's Corollary
Re:Well.. by Allicorn · 2009-02-20 10:39 · Score: 1

http://www.oldversion.com/ have installers for a whole bunch old stuff, including Acrobat Readers right back to version 2.

--
OMG!!! Ponies!!!
Re:Well.. by Anonymous Coward · 2009-02-21 01:57 · Score: 0

This version is full of even more vulnerabilities. Adobe's programmers don't need a Javascript enabled version, to make mistakes, causing malicious pdf's to compromise your user accout.
Re:Well.. by BattleApple · 2009-03-05 04:25 · Score: 1

They also loaded a pile of useless plugins on startup. You could move them from the plugins directory to another directory that would load them as needed. It would start up a lot faster if you did that.

Sigh... still no basic sandboxing by Ed+Avis · 2009-02-20 04:04 · Score: 5, Interesting

And why exactly does Adobe Reader run with full permissions to all the user's files? Surely by now Adobe would have learned to run it in a sandbox. For example, the code that reads and renders the PDF could run in a separate process (a la IE8 or Google Chrome) and just send image data back to the main window.

More generally, the OS needs to make it completely easy to sandbox applications, so even the stupidest application developer can do it with little effort. Indeed, the default should be that it has no access to write files anywhere except those chosen by the user with the Save As box. I'm not holding my breath though...

--
-- Ed Avis ed@membled.com

Re:Sigh... still no basic sandboxing by billcopc · 2009-02-20 04:18 · Score: 4, Insightful

You seem to blindly believe that Adobe is even remotely competent at writing code. If you've ever used Acrobat, you would realize it is a barely-usable resource-thrashing mess.
Does Ghostview need 150mb of libraries to render a PDF ? No.
Just because a company is a market leader, does not necessarily mean they know what they're doing. They just know how to sell.

--
-Billco, Fnarg.com
Re:Sigh... still no basic sandboxing by blueg3 · 2009-02-20 04:30 · Score: 1

The latter is actually much more important. There is some application-level sandboxing that can be done, but the majority of it is functionality that needs to be supported by the operating system.
Re:Sigh... still no basic sandboxing by sexconker · 2009-02-20 04:47 · Score: 1

Adobe is horrible when it comes to being secure or efficient.
They are the kings of bloat, license roulette, and version spam.
Re:Sigh... still no basic sandboxing by bcrowell · 2009-02-20 05:01 · Score: 5, Informative

And why exactly does Adobe Reader run with full permissions to all the user's files? Surely by now Adobe would have learned to run it in a sandbox. For example, the code that reads and renders the PDF could run in a separate process (a la IE8 or Google Chrome) and just send image data back to the main window.

You're proposing to attack the problem in the least efficient possible way. This is yet another in a long series of exploits in AR that use the fact that in its default configuration it executes JavaScript embedded in PDFs. The right way to approach this, as a matter of design, would be not to embed a Turing-complete language in a file format that doesn't need it. Once you embed a Turing-complete language in the format, you're giving the bad guy the ability to run any code he wants on the user's machine. The moral of Turing's theorem is that it's essentially impossible to have any automated check that determines what a piece of code will actually do when you execute it. So yeah, you can try to sandbox it, but that's a last resort.
You're comparing with a web browser. A web browser is qualitatively different. In a web browser, the user (a) wants to be able to run javascript code, and (b) expects that such a thing will happen. In a PDF reader, there is typically no reason for the reader to want it to run JS, and the reader has no sane reason to expect it to run JS. Actually, the reason Adobe made AR execute JS by default was that it wanted to be able to do things that are inherently inimical to the user's interest. JS allows the creator of the PDF to determine who's reading the document, and also provides a mechanism for DRM. Lots of people who create PDFs want to believe in the DRM fable that they can give a document to other people, but then control the use of the document after that. As with all DRM, it's inherently impossible to make it work right as long as the user has hardware that they're really allowed to use as a general-purpose PC. E.g., to remove the DRM from a PDF on a linux box, you can do this: gs -q -dCompatibilityLevel=1.4 -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=b.pdf a.pdf -c '.setpdfwrite'
As a user, there are basically two sane things you can do. (1) Don't install AR on your machine. Use something else, such as evince on linux, or foxit on windows. They're faster anyway. (2) If there really is extra functionality in AR that you need, turn off JS. To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

--
Find free books.
Re:Sigh... still no basic sandboxing by ratboy666 · 2009-02-20 06:07 · Score: 2, Informative

In fact, Adobe Reader is really not the issue -- the issue is that the OS doesn't impose MAC (mandatory access controls). MACs should control exactly which resources an application can use, and this can be as restrictive as desired.
Of course, it is difficult to come up with the necessary rules, and to "retrain" the user base, which is why (for example) SELinux MAC was phased in gradually on Fedora.
It took Fedora quite a few releases to fully implement MAC - Fedora Core 2 introduced SELinux (with strict policy as default), Fedora Core 5 was the first version to use modular policies, but was not running in strict mode, Fedora Core 6 introduced the Policy Editor, Fedora 7 a GUI admin tool, Fedora 8 a GUI Policy Creation tool and user lock-down (and, some Adobe plugins would no longer run), and Fedora 9 and 10 offer fine-tuning.
"When SELinux was initially introduced in Fedora Core, it enforced the NSA strict policy. For testing purposes, this effectively exposed hundreds of problems in the strict policy. In addition, it demonstrated that applying a single strict policy to the many environments of Fedora users was not feasible. To manage a single strict policy for anything other than default installation would require local expertise.
At this point, the SELinux developers reviewed their choices, and decided to try a different strategy. They decided to create a targeted policy that locks down specific daemons, especially those vulnerable to attack or which could devastate a system if broken or compromised. The rest of the system runs exactly as it would under standard Linux DAC security."
So, it took version 2 through 8 (or 9, arguably) for Fedora to introduce MAC to a largely technical community. This was done over 4 years.
It will take much longer than 4 years to get equivalent security provisions in Windows, given the user base. Given the convenience of "plug-in" architectures, it is very difficult to tell if a program is actually misbehaving! MAC is really the only way that I am aware that behavior can be monitored. For example, code can be introduced as a plug-in (or, via exploit), but that code isn't dangerous until it tries doing something bad. The definition of "bad" is what is in question -- it could mean sending email, or sending LOTS of email, or modifying files it didn't create. If none of THAT is happening, it may simply have been an automatic installation of some "fun cursors" desired by the user.

--
Just another "Cubible(sic) Joe" 2 17 3061
Re:Sigh... still no basic sandboxing by Anonymous Coward · 2009-02-20 06:09 · Score: 0

If you've ever used Acrobat, you would realize it is a barely-usable resource-thrashing mess.
Er... compared to what, exactly? I'm using Acrobat 8 on this older home machine because trying to scroll though multipage PDFs in Evince, KPDF, and KGhostView is impossibly slow. A8 has no trouble.
Ubuntu 8.04 Duron 1100 MX440SE. It's a night and day difference on that hardware.
Re:Sigh... still no basic sandboxing by ianare · 2009-02-20 06:44 · Score: 1

You seem to blindly believe that Adobe is even remotely competent at writing code.
Sure they are. Just not for PDF viewing ;-)
Re:Sigh... still no basic sandboxing by arminw · 2009-02-20 07:03 · Score: 1

....to remove the DRM from a PDF on a linux box...
To do this on a Mac, simply "print" for any program including a PDF reader. If the DRM locked PDF file allows printing, then the printed PDF file will no longer be locked. The user may then use it as any unlocked file.

--
All theory is gray
Re:Sigh... still no basic sandboxing by Anonymous Coward · 2009-02-20 08:54 · Score: 0

You seem to blindly believe that Adobe is even remotely competent at writing code. If you've ever used Acrobat, you would realize it is a barely-usable resource-thrashing mess.
Does Ghostview need 150mb of libraries to render a PDF ? No.
Just because a company is a market leader, does not necessarily mean they know what they're doing. They just know how to sell.
+5 Insightful? I thought this stance would be obvious to us here on /.
s/Adobe/Microsoft
s/Acrobat/Windows
s/IE/Konqueror
s/PDF/webpage
Re:Sigh... still no basic sandboxing by Ed+Avis · 2009-02-20 11:22 · Score: 1

You are quite right that Javascript in PDFs is a lame idea, and executing it automatically is even lamer. However, even without Javascript or any other embedded programming language, the PDF viewing code (as a very popular program, presumably written in an unmanaged language, which needs to read a complex binary file format) still ought to be sandboxed to reduce the damage caused by future exploits.

--
-- Ed Avis ed@membled.com
Re:Sigh... still no basic sandboxing by petermgreen · 2009-02-21 04:00 · Score: 1

gs -q -dCompatibilityLevel=1.4 -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=b.pdf a.pdf -c '.setpdfwrite'
NICE! unlike other unlock recipies i've seen this one doesn't seem to ruin the pdf. That is bookmarks were still present bookmarks and text was still copypasteable/searchable.

--
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register

JavaScript... by Anonymous Coward · 2009-02-20 04:05 · Score: 3, Insightful

Remind me why my digital document format needs JavaScript again?

Re:JavaScript... by vtcodger · 2009-02-20 04:17 · Score: 3, Funny

Because Javascript is the greatest thing since sliced bread and ... and ... and ... well you just need it damn it. Never mind that running stupid little programs that you download from unknowable sources is possibly the dumbest idea ever from a security and reliability point of view ... YOU NEED JAVASCRIPT!!! Got it?

--
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Re:JavaScript... by Anonymous Coward · 2009-02-20 04:21 · Score: 0

First thing that comes to mind are the PDF files that let you fill in the blanks and have drop down boxes. You select something from the drop down and it populates part of the form. Fill in the blank with some numbers and have it do some math.
It was some government form. They also had an Excel spreadsheet version if you wanted to save the completed file and didn't have the full version of Acrobat.
Re:JavaScript... by Seakip18 · 2009-02-20 04:33 · Score: 1

PDF's use it for form validation and other nitpicky things. I don't know much more than that since I just started learning how the heck pdf's get generated.

--
import system.cool.Sig;
Re:JavaScript... by FrostDust · 2009-02-20 05:18 · Score: 2, Insightful

While that may be useful for some situations (I came across an RPG character sheet that did that, you plug in stats and it populated the appropriate fields that derived from those stats), it is really outside the scope of what a PDF is supposed to be.
A PDF is what you use when you want to disseminate information, and it's important that you can guarantee the recipient is seeing the exact same document you are. A .doc, for instance, can look different from computer to computer, based on what program (or even version of the program) they're using, what formatting rules they have applied (margin spacing, preferred fonts etc.), and the user might accidentally hit "delete" and erase a good part of the document without realizing something went missing.
Re:JavaScript... by PeeAitchPee · 2009-02-20 05:30 · Score: 2, Interesting

Because you need some way to describe the logic used in PDF-encapsulated forms. We are not talking about multi-tiered apps which adhere to MVC, mind you -- we're talking about forms which are completely self-contained in a PDF file, such as those created with Adobe's LiveCycle Designer. In LiveCycle Designer's case, you can either use Adobe's proprietary scripting language (which relatively few people already know), or you can use JavaScript (which lots of people already know). I've written a PDF order form, for example, which automatically recalculates the order's total on-the-fly for the customer filling it out in the browser, right on the form and without requiring an Internet connection. Among other things, this cuts down significantly on the volume of sales support calls and increases order accuracy. So, yes, there's really a use case for having a way to express logic in a PDF.
Re:JavaScript... by narcberry · 2009-02-20 14:25 · Score: 1

That's today.
Tomorrow, after prices have changed by 0.2% you now get more sales support calls.

--
Modding me -1 troll doesn't make me wrong.
Re:JavaScript... by ProKras · 2009-02-20 18:21 · Score: 1

So that you can fill in forms that don't let you save what you type.
Re:JavaScript... by Anonymous Coward · 2009-02-23 14:09 · Score: 0

Because people have forgotten that there is a perfectly good Turing-complete document description language: PostScript. This hasn't been helped by the lack of a postscript viewer on OEM Windows boxes.

I've experienced this by tygerstripes · 2009-02-20 04:05 · Score: 4, Funny

I just tried to open a .pdf in Reader 9, and it's completely locked up - I've been stuck on the splash screen for 20 minu--

Oh wait, it's opened now. False alarm, sorry.

--
Meta will eat itself

uninstall.exe by jbeaupre · 2009-02-20 04:08 · Score: 2, Funny

Does that count as a patch?

--
The world is made by those who show up for the job.

How bad is it? by bflong · 2009-02-20 04:10 · Score: 1

Shadowserver wrote that the flaw could be exploited on systems running Microsoft's Windows XP SP3.
Yawn...

--
Why is it so hot? Where am I going? What am I doing in this handbasket?

Re:How bad is it? by Anonymous Coward · 2009-02-20 07:15 · Score: 0

Shadowserver wrote that the flaw could be exploited on systems running Microsoft's Windows XP SP3.
Yawn...
and Adobe said it affects all platforms. That includes Linux and OSX if you bother with Adobe Reader instead of Preview or GS View...

Patch by March something? by rjune · 2009-02-20 04:10 · Score: 5, Interesting

Today is February 20. This is listed as a critical flaw and they are taking 18 days to release a patch. I'm glad they're getting right on this.

Re:Patch by March something? by oldspewey · 2009-02-20 04:15 · Score: 3, Funny

Well, first they have to form a Selection Committee ...

--
If libertarians are so opposed to effective government, why don't they all move to Somalia?
Re:Patch by March something? by BarryJacobsen · 2009-02-20 04:25 · Score: 2, Interesting

Today is February 20. This is listed as a critical flaw and they are taking 18 days to release a patch. I'm glad they're getting right on this.
Much work remains to be done before we can announce our total failure to make any progress!

--
Track your TV Shows with your iPhone - FREE
Re:Patch by March something? by Anonymous Coward · 2009-02-20 04:43 · Score: 1, Insightful

Well, they actually have it patched. They're just waiting for Acrobat to start up to see if it works, that takes 18 days after all.
Re:Patch by March something? by D+Ninja · 2009-02-20 05:22 · Score: 1

Today is February 20. This is listed as a critical flaw and they are taking 18 days to release a patch. I'm glad they're getting right on this.
Isn't it obvious? They are fixing it as fast as they can. The first 3 days are spent fixing the bug. The next 15 days is the start-up time of Adobe Reader so they can test their bug fix.
Re:Patch by March something? by Fallen+Andy · 2009-02-20 05:38 · Score: 1

It's worth comparing this response time with the recent (mere) 12 hours that "greeter" was b0rked on Ubuntu jaunty - and remember that's on an alpha of the next release...
Andy
Re:Patch by March something? by nedlohs · 2009-02-20 06:20 · Score: 1

No way!
You can release an update to alpha code faster than you can release an update to production code, who would have thought?
It's almost as if there's less QA to do or something.
Re:Patch by March something? by Anonymous Coward · 2009-02-20 06:37 · Score: 0

Why QA the fix? If the current version is so dangerous that nobody in their right mind can run it, how can the fixed version possibly be worse?
Re:Patch by March something? by Anonymous Coward · 2009-02-20 06:51 · Score: 1

Well, quality control has never been Ubuntu's strong point.
Re:Patch by March something? by Anonymous Coward · 2009-02-20 07:26 · Score: 0

Well first they have to get allocated a number from the Patent Office for the techniques used in the bug fix... then they have to work out how to pad the fix by a few megabytes...
Re:Patch by March something? by nedlohs · 2009-02-20 10:13 · Score: 1

By not actually fixing the problem.
By creating a bigger security problem.
This is Adobe, I doubt anyone would be surprised if they made it worse.

Adobe should separate pdf and acrobat more by goombah99 · 2009-02-20 04:10 · Score: 4, Interesting

PDF has become what it set out to be, the de facto truly portable document format.

The problem is acrobat keeps larding in new features all the time to the point where in a corprorate environment you get more and more pdfs that require acrobat to even see.

it's an embrace and extend approach.

the problem here is the problem microsoft occasionally runs into-- if you monocrop then their is huge exposure to the possibility that viruses can spread like wild fire.

But with microsoft we were always in that boat from the first day they introduced it. microsoft docs always went hand in hand with the application software environment creating a stable ecosystem for any potential virus. (I use the term virus liberally)

with pdf this was not the case. Pdf is a format. there are many readers.

but adobe's constant racheting of add ons is threatening this.

--
Some drink at the fountain of knowledge. Others just gargle.

Re:Adobe should separate pdf and acrobat more by fuzzyfuzzyfungus · 2009-02-20 04:45 · Score: 4, Insightful

There are, already, standardized subsets of PDF( PDF/A, PDF/X, PDF/E) which fulfill your request.

Trouble is, while Adobe does have an incentive to support those, they have no incentive to encourage them as defaults. There are two basic problems: Adobe has an incentive to spread PDF as widely as possible(which creates a strong pressure to tack on additional functions to address expanded use cases) and Adobe only makes money on PDF if you use their software. If, in practice, you can only be confident of being able to manipulate a given PDF with Acrobat, Adobe cashes in. Otherwise, not so much.
Re:Adobe should separate pdf and acrobat more by Permutation+Citizen · 2009-02-20 04:51 · Score: 5, Informative

- If you want a format ISO standardized.
- If you need long term archiving, being sure that after several years your document will be the same even if your computer and your printer have changed.
- If you don't need fancy new stuff, video, sounds.
- But you still want wide support PDF has for reading and printing everywhere.
Then use PDF/A.
This is a subset of PDF. It can be produced by Acrobat, but also a wide range of other vendors applications and scanners, including OpenOffice.
Re:Adobe should separate pdf and acrobat more by Anonymous Coward · 2009-02-20 06:02 · Score: 1, Interesting

"The problem is acrobat keeps larding in new features all the time..."
One I'm trying to figure out at the moment, is how you get Acrobat Reader to let you save a form (like the way an IRS 1040 works) through some F/OSS software. I spent some time looking through the file format specifications, and I've got to say, I don't see it in there. I bet there are other features like that too, maybe?
Re:Adobe should separate pdf and acrobat more by DrVomact · 2009-02-20 07:02 · Score: 1

PDF has become what it set out to be, the de facto truly portable document format.
Portable document format for those who are obsessed with print , you mean. HTML is more portable, and allows you to re-size and re-flow text to suit your preferences, eyesight, and screen size. The only advantage PDF offers is the ability to control how printed output looks. And of course it is the document author who exercises this control.
Nothing used to annoy me more than web sites that consist of nothing but PDF. Now there is something even more annoying: web sites that are nothing but one big Flash. And of course, Flash is owned by...Adobe. Coincidence? I think not.

--
Great men are almost always bad men--Lord Acton's Corollary

Who uses Adobe Reader anyway? by mcvos · 2009-02-20 04:15 · Score: 2, Interesting

Nowadays I read my PDFs with Preview.

Re:Who uses Adobe Reader anyway? by lenehey · 2009-02-20 06:52 · Score: 1

The day Foxit (or some other company) provides a browser plugin that allows me to view PDFs within my browser is the day I stop using Adobe Viewer. I'm just glad I am still using version 8.
Re:Who uses Adobe Reader anyway? by Anonymous Coward · 2009-02-20 08:08 · Score: 0

Why are you glad to be using version 8? Because it is vulnerable too and the patch for it will be out AFTER the patch for version 9...
Re:Who uses Adobe Reader anyway? by Rokewaju · 2009-02-20 23:22 · Score: 2, Informative

FoxIt does have a Firefox plugin. I don't use it myself as I prefer to read PDFs in a external application and not bloat my Firefox install.
No Opera, Safari, or Chrome plugin however.

--
No, I don't have anything planned for you, I promise...
Re:Who uses Adobe Reader anyway? by BattleApple · 2009-03-05 04:15 · Score: 1

The last time I installed Foxit, (on Win 7 beta) it enabled the browser plugin automatically. There may have been an option during installation, but I probably missed it. The Foxit plugin causes FF to lock up in Windows 7 beta. It's easy enough to disable though.

March 11? by Culture20 · 2009-02-20 04:21 · Score: 4, Insightful

That's three weeks away! One week from now, pdfs are going to be on every questionable web page and email attachment. Step up the cycle, Adobe.

try a non-Adobe PDF reader by macraig · 2009-02-20 04:25 · Score: 4, Informative

I'm using a non-Adobe PDF reader: Foxit Reader. It's commercial and not open source, but the non-Pro version is free to use; it's functionally far superior to the open source ones that were mentioned at Slashdot recently. I really hope the OSS projects can reach the level of sophistication of Foxit, because it's really my baseline of minimum PDF-reader functionality. The first OSS reader that can duplicate Foxit's sophistication will get a new convert.

Re:try a non-Adobe PDF reader by lordtoran · 2009-02-20 04:58 · Score: 1

Well... for most of us a reader is just a reader. It doesn't need dozens of advanced features besides navigation and bookmarks. I, for one, are happy with Okular (and KPDF before that). They are both not spartanic, but not bloated either.

--
Want to hear the voice of GOD? cat /boot/vmlinuz > /dev/dsp
Re:try a non-Adobe PDF reader by sa1lnr · 2009-02-20 05:05 · Score: 1

You forgot to mention that it is small and fast to load too. ;)
I've been using it for a couple of years now, wild horses wouldn't drag me back to adobe reader.
Re:try a non-Adobe PDF reader by macraig · 2009-02-20 05:10 · Score: 1

I might not have seen Okular in that earlier Slashdot review; it does look fairly polished at first glance. That won't work on my primary Windows box, though (at least not directly without virtualization). I have a laptop with PCLOS 2007 on it; I'll install Okular there and take it for a spin.
Re:try a non-Adobe PDF reader by macraig · 2009-02-20 05:12 · Score: 1

The WORST aspect of Adobe Reader is actually that god-awful browser plug-in! Jeezus!
Re:try a non-Adobe PDF reader by Anonymous Coward · 2009-02-20 05:50 · Score: 0

You can run Okular and KDE on windows I believe.
http://windows.kde.org/
Re:try a non-Adobe PDF reader by Thaelon · 2009-02-20 06:21 · Score: 1

Have you tried Sumatra?
IMHO, Sumatra is to Foxit what Foxit is to Adobe Bloatreader.
Even Foxit has annoying advertisements in it that wont' stay turned off.
It might be missing some of the features you're looking for (I don't know what you need), but Sumatra is tiny, extremely fast, and open source.

--
Question everything
Re:try a non-Adobe PDF reader by KermodeBear · 2009-02-20 06:39 · Score: 1

I hadn't heard of Sumatra before so I thought I would give it a try.
Works as advertised - starts up fast, pages quickly. I love it. Very minimal on the features, but if you're like me and just need to read PDFs, it works wonderfully. Thanks!

--
Love sees no species.
Re:try a non-Adobe PDF reader by Anonymous Coward · 2009-02-20 07:28 · Score: 0

It will work on your primary Windows box. I'm using Okular as my default PDF reader on Windows. you can get it as part of the KDE for Windows "graphics" package.
http://windows.kde.org/
Re:try a non-Adobe PDF reader by macraig · 2009-02-20 08:06 · Score: 1

Yeah, because of another comment here I just became aware of that project. I installed it all a few minutes ago. Ocular seems "good enough". That's a pretty amazing example of cross-platform development.

Good thing Adobe isn't in the medical business. by geekmux · 2009-02-20 04:27 · Score: 1

"...Adobe is calling the flaw "critical" and says a patch for Reader 9 and Acrobat 9 will be released by March 11."

Boy, good thing they're getting right on this. Of course, perhaps a fix would be a little easier and faster if they didn't manage to take a simple PDF program and turn it into the obscene bloatware that Reader has become.

Patched by March 11th... unless you're using v8 by myxiplx · 2009-02-20 04:28 · Score: 4, Informative

Great, I've got to wait 2-3 weeks for this to be patched.

Oh wait, Adobe have a 4 MONTH OLD bug that means we can't even run Acrobat 9 within our company:
http://www.adobe.com/go/kb404597

*seethes*

What's worse is that Autodesk hit this exact same bug with their beta of Design Review, and fixed it within a couple of weeks, so I know there's a fix for this.

Re:Patched by March 11th... unless you're using v8 by ColdWetDog · 2009-02-20 04:42 · Score: 1

Oh wait, Adobe have a 4 MONTH OLD bug that means we can't even run Acrobat 9 within our company:
I'm confused. You say that like it's a bad thing.

--
Faster! Faster! Faster would be better!
Re:Patched by March 11th... unless you're using v8 by Anonymous Coward · 2009-02-20 06:15 · Score: 0

There's some irony for you: I can't even view that KB article in Firefox unless I enable Javascript...
Re:Patched by March 11th... unless you're using v8 by Anonymous Coward · 2009-02-20 07:12 · Score: 0

We had this bug too. The only solution we could find was to backup, recreate, restore every windows user profile. The suggested steps in that article did not work and made things worse.
Re:Patched by March 11th... unless you're using v8 by internewt · 2009-02-20 11:39 · Score: 1

I think they are using JS to show otherwise hidden content. If you turn off the style on the page, it appears to show the details of the Adobe problem without having to turn on JS.
I ran into a 1337 overclocking-type site recently that did very similar. If you had JS disabled all the content was obscured by a big panel telling you to enable scripts, and that they weren't doing anything wrong with their JS. Well, they were trying to run scripts from many advertisers and tracking domains, but by simply turning off the page style I was able to see the content.
I left an inflammatory comment on the article, and the kid running the site flamed back and blocked my IP. Fortunately I had saved the content I was after before leaving the flame :)
Hah, actually, having a look from a different IP (in the same netblock, no less) it appears that they don't seem to have that annoyance any more!

--
Car analogies break down.
Re:Patched by March 11th... unless you're using v8 by Anonymous Coward · 2009-02-20 12:08 · Score: 0

That link has been /.'ed.

Do not allow pdf to follow links by 140Mandak262Jamuna · 2009-02-20 04:29 · Score: 3, Insightful

There are settings available to prevent pdf readers from executing javascript or following hypertext links. But when you do that the acrobat reader bitches and moans and gives you a head ache.

Acrobat reader is precisely in the same position as IE4. Widely used and insecure. Users who are security conscious, vendor lock conscious, portability issues aware are the minority. Precisely the conditions that allowed Firefox to come, but the users in control once again, and take a healthy bite out of the market share of the dominant browser. Impact of Firefox is more than its marketshare. It forced web site developers to be aware of portability issues and become standards compliant. I am very sure other readers like FoxIt or something would take a big bite out of Adobe.

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

Re:Do not allow pdf to follow links by geekmux · 2009-02-20 06:50 · Score: 1

There are settings available to prevent pdf readers from executing javascript or following hypertext links. But when you do that the acrobat reader bitches and moans and gives you a head ache.
Acrobat reader is precisely in the same position as IE4. Widely used and insecure. Users who are security conscious, vendor lock conscious, portability issues aware are the minority. Precisely the conditions that allowed Firefox to come, but the users in control once again, and take a healthy bite out of the market share of the dominant browser. Impact of Firefox is more than its marketshare. It forced web site developers to be aware of portability issues and become standards compliant. I am very sure other readers like FoxIt or something would take a big bite out of Adobe.
Hell, if they just got rid of the feature creep and offered a simple reader (Reader lite anyone?), I'm guessing 99% of users would be happy. Beyond cut and paste, I really didn't ask or need the other 471 features that are now included.

Alternatives... by burst017 · 2009-02-20 04:32 · Score: 1

Time to nano all my pdf files, and read them in binary...

Alternative? by Anonymous Coward · 2009-02-20 04:33 · Score: 0

Good alternative to Acrobat?

Does Data Execution Prevention stop the attack? by Myria · 2009-02-20 04:36 · Score: 4, Informative

Does hardware Data Execution Prevention stop it from happening, in that this exploit would crash Reader instead of cause an exploit if DEP is enabled? I wish companies would suggest that as a possible mitigation, even if not all computers support it.

I did dumpbin /headers and saw that the EXE header for AcroRd32.exe has the "NX compatible" bit set. This means that DEP will be automatically enabled for Reader on Vista.

However, that doesn't cover XP. XP 32 SP3 has an API call named SetProcessDEPPolicy to request enabling DEP for your process. Adobe should modify Reader to call this function if it exists. (It exists on Vista SP1 as well, but Vista SP1 will already enable it due to /NXCOMPAT.)

XP 32 SP2 and XP 64 SP2, even though they have DEP, don't have a way to enable it if the system-wide DEP setting is "opt in" - the default. And there's no way to opt in that these support. (Google Chrome has code to use an undocumented system call to enable it, but it actually has no effect.)

--
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager

Re:Can we fucking dump "C"??? by contra_mundi · 2009-02-20 04:37 · Score: 2, Funny

It's not a bug, it's a feature!

Foxit is missing (at least) one key feature by Inf0phreak · 2009-02-20 04:41 · Score: 0

It hit v3.0 recently and after all these versions it still doesn't support facing mode correctly. So when you have a magazine layouted for print it looks ridiculous on screen. Here's an example: http://www.dsu.dk/skakblad/sb2009/2009-01.pdf - it's in Danish, but just looking at the page layout (remember to put in Continuous-facing or facing mode) it should be obvious that it's wrong. This has been handled correctly in evince and kpdf for quite some time now.

--
________
Entranced by anime since late summer 2001 and loving it ^_^

Re:Foxit is missing (at least) one key feature by Verteiron · 2009-02-20 04:47 · Score: 1

View -> Page layout -> Show cover page during facing
Worked for me.

--
End of lesson. You may press the button.

Re:Can we fucking dump "C"??? by Anonymous Coward · 2009-02-20 04:46 · Score: 0

When was the last time you heard about a buffer overrun in Pascal?

When was the last time you heard about Pascal being used to make useful software, other than as a teaching language? That's not the greatest example you picked, as it has a lot of serious deficiencies. At least it's not Turing.

Static file reader -> Pwnage -> WTF?!? by zooblethorpe · 2009-02-20 04:48 · Score: 1

I'm rather dismayed and horrified that operating systems don't already do this -- but then, reading TFA, I notice that "the flaw could be exploited on systems running Microsoft's Windows XP SP3", and suddenly it all makes sense, in a depressingly mediocre sort of way. The very concept that a reader program, for what are supposed to be static files, could pwn the whole OS is both flabbergasting, and par for the Microsoft course.

OTOH, TFA doesn't mention if this is remotely possible on Linux -- am I correct in thinking that Linux *does* sandbox applications at least a bit more effectively than Windows? Simply thinking through the cleaner division of administrative rights, I would think it does, but can anyone more knowledgeable about buffer overruns confirm that Linux is safer?

Curious,

--
"What in the name of Fats Waller is that?"
"A four-foot prune."

Re:Static file reader -> Pwnage -> WTF?!? by zooblethorpe · 2009-02-20 05:20 · Score: 1

So then the issue with a buffer overrun is that the intruder potentially gains access with the permissions of the running process, is that it? And XP is toast simply because Microsoft is brain-dead when it comes to understanding a proper division of access rights? What about Vista -- I know there's UAC, but I seem to recall reading about crackers finding automated ways to get around UAC...?
Again, I am baffled, horrified, but somehow not surprised that a static file reader apparently has access to *everything in the system* under Windows...
Cheers,

--
"What in the name of Fats Waller is that?"
"A four-foot prune."
Re:Static file reader -> Pwnage -> WTF?!? by zooblethorpe · 2009-02-20 05:43 · Score: 1

Presumably, this sandboxing is what SELinux is all about? I dabbled with it some in Fedora 9, enough to become quite frustrated with the minimal docs I was able to find. I may have to give it another good look-see...
Cheers,

--
"What in the name of Fats Waller is that?"
"A four-foot prune."

Re:Can we fucking dump "C"??? by Anonymous Coward · 2009-02-20 04:51 · Score: 3, Insightful

There's a saying about C: "We don't prvent you from doing stupid things because that would also prevent you from doing clever things."

There's also a saying about you: "A poor workman blames his tools."

Re:Can we fucking dump "C"??? by Anonymous Coward · 2009-02-20 04:56 · Score: 0

just because we've got cycles doesn't mean we should waste them. Image if they got rid of all the SLOOOOW python in ubuntu would run considerably faster.

Actually Vista does comes with sandboxing support by benjymouse · 2009-02-20 04:57 · Score: 3, Informative

Google Chrome leverages this Vista feature. http://dev.chromium.org/developers/design-documents/sandbox/Sandbox-FAQ The sandboxing feature in Vista is implemented with process integrity levels. A process with "low integrity" is severely restricted in what it can do on the system. Adobe could use this feature for Acrobat. They actually do use it (they have to) for Flash, as the Flash plugin in IE runs inside the sandbox. The crux is that a sandbox is often so severely restricted that you need a helper (called "broker") process to do the privileged stuff such as downloading/uploading files etc. Flash actually made their own broker process for Flash and left a stupid bug in there. That was the flaw which allowed Vista to be compromised in last years' pwn2own contest.

--
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*

Re:Can we fucking dump "C"??? by chromas · 2009-02-20 05:03 · Score: 1

False.

Re:Static file reader - Pwnage - WTF?!? by lordtoran · 2009-02-20 05:05 · Score: 1

Linux is safer in that software installs onto the root partition, where normal user accounts have read-only access. A buffer overrun could still be able to affect/modify data in a user's /home, though.

--
Want to hear the voice of GOD? cat /boot/vmlinuz > /dev/dsp

Re:Can we fucking dump "C"??? by Anonymous Coward · 2009-02-20 05:07 · Score: 0

But, but, Adobe Reader is written prodominently in C++, and contains no C....

Whether NX will be effective depends by benjymouse · 2009-02-20 05:08 · Score: 1

on what exactly the flaw is. If the bug is that you can hijack JavaScript and leverage the built-in bindings/API (for saving documents, for example) NX will not be effective.

This is because interpreted JavaScript is regarded as data (to be read by the interpreter); NX is only effective against binary executable code.

Incidentally, this is a big difference between Java and .NET. Because Java typically uses hotspot VMs it will regard Java as data (byte code). Only if the hotspot compiler decides to compile the bytecode all the way to machine instructions will Java execute as binary code. Consequently Java will inherently be able to execute byte code. This means that for the processor the byte code is just data. If a buffer overflow can overwrite the bytecode or the Java stack, the interpreter is quite happy to keep on interpreting the bytecode.

.NET OTOH always compiles the IL (.NET bytecode) code to machine code before executing it. This means that the NX protection can actually protect .NET code but not Java code.

--
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*

Comment removed by account_deleted · 2009-02-20 05:16 · Score: 4, Informative

Comment removed based on user account deletion

Fail by lord_sarpedon · 2009-02-20 05:28 · Score: 1

The fact that the compromise of a PDF reader leads to compromise of the entire user account is a failure of the operating system, and Linux/Mac/BSD/Windows all fail equally here.

--
"Strangers have the best candy" -Me

Re:Fail by smoker2 · 2009-02-20 10:54 · Score: 1

Don't say "a PDF reader" say "adobe acrobat" or are you a shill ?

Re:Static file reader - Pwnage - WTF?!? by blueg3 · 2009-02-20 05:32 · Score: 2, Informative

It's all quite possible under Linux. Realistically, a number of protection mechanisms (many of which started being routinely used in Vista) should prevent buffer overflow attacks. Certainly they should prevent arbitrary code from making OS-level hacks -- which is probably why it only works on XP. While Linux also can use these mechanisms, the only sandboxing it does by default is user/administrator separation (like Vista does, and like XP doesn't generally do). To get OS-level access, you'd need a privilege-escalation attack, which are reasonably hard to come by for both Vista and Linux (and can be very hard to make reliable under Linux). Alternately, the attacker could just steal your data from the one running Acrobat Reader process he gets, which Linux won't do anything about.

Proper application sandboxing is certainly possible, but not easy. (Your PDF viewer, for example, should have read-only access to its own code, read-only access to a single PDF file, write-only access to screen space for drawing, and read-write access to scratch memory space. That's it.)

Still having buffer overflows by Twillerror · 2009-02-20 05:33 · Score: 1

I've said it on here before and I'll say it again. Having access to the files or not there should not be a way in computers to inject code like this.

Shouldn't the no execute bit prevent this. Are we getting to the point where we should turn this on for everything. Can't Adobe ask windows
during the installation to add itself to the "I'm okay with DEP list".

Developers are going to make mistakes, I'm more mad that we still haven't fix the buffer overflow problem which to be is the core security flaw here...not Adobe.

Re:Still having buffer overflows by smoker2 · 2009-02-20 11:00 · Score: 1

That sentence alone makes me worry. Have you considered that by allowing these flaws to come to light, we are being "guided" towards "trusted computing" ? I'd rather bugs and hackers than MS domination.

Re:Can we fucking dump "C"??? by Curmudgeonlyoldbloke · 2009-02-20 05:35 · Score: 1

Yes, let's go back to BCPL!

Irony and opportunity... by TheNetAvenger · 2009-02-20 05:46 · Score: 3, Interesting

Disclaimer, this is an observation, but may seem a bit of a troll...

Once again we see market dominance and poor attention to security collide.

What makes this story interesting is the 'features' Adobe leaves enabled in PDF document features that even Microsoft knows better than to allow.

This creates the interesting aspect of Adobe losing touch and Microsoft actually getting it for once.

If you look at the MS XAML (XPS) document/display formats that compete directly with PDF, Microsoft got it right.

1) Less vulnerbilities - the lack of internal to external scripting of XAML and the sandbox nature of the XAML display and print formats dual sandbox the content inside a managed code environment.

2) XPS is void of scripting which more closely compares to PDF documents.

3) For print industry and press people, XPS/XAML is still turning heads even as new as it is compared to Postscript/PDF. This is not only in consistent print abilities, but speed as well.

4) Add all these together and then realize XAML/XPS can inherently draw and reproduce graphics that are outside the abilities of PDF and Adobe begins to have a reputation problem with companies like agfa, xerox, vari, etc.

(Yes PDF can display anything, but most advanced drawn graphics have to be rasterized because the language cannot inherently draw them. - This also increases the storage sizes and the processing times of high speed printers and presses.)

*A side note, because of OS X's dependence on Display PDF, it also has the same inherent drawing limitations when dealing with advanced graphics. Forcing applications to hack through the native drawing abilities of OS X, and in contrast developers on the Vista Windows side of the market are finding they no longer have to deal with limitations of GDI+ which is comparative to Display PDF on OS X.

Re:Irony and opportunity... by DrVomact · 2009-02-20 07:07 · Score: 1

(Yes PDF can display anything, but most advanced drawn graphics have to be rasterized because the language cannot inherently draw them.
That's a puzzling remark. You're saying there are graphics so complex that they can't be represented by a vector algorithm, but can be represented as a bitmap? Forgive me, perhaps you know what you are talking about, but I swear I just caught a whiff of bullshit.

--
Great men are almost always bad men--Lord Acton's Corollary
Re:Irony and opportunity... by wumpus188 · 2009-02-20 09:04 · Score: 1

There's no 'Display PDF' on OS X, you've probably mistaken it with Display Postscript from Classic Mac OS era. What are you saying might have been true for Display Postscript, but OS X's Quartz 2D is something completely different.
Re:Irony and opportunity... by benwaggoner · 2009-02-20 14:03 · Score: 1

There's no 'Display PDF' on OS X, you've probably mistaken it with Display Postscript from Classic Mac OS era. What are you saying might have been true for Display Postscript, but OS X's Quartz 2D is something completely different.
Display PostScript was from OpenStep. Display PDF is a nickname for the imaging model used in Quartz on Mac OS X.
http://en.wikipedia.org/wiki/Display_postscript#Modern_Derivatives

Apple's Mac OS X operating system uses a central window server (created entirely by Apple) that caches window graphics as bitmaps, instead of storing and executing PostScript code. A graphics library called Quartz 2D provides PostScript-style imaging using the PDF graphics primitives (a superset, plus tweaks, of the PostScript model), but this is used by application frameworks--there is no PostScript or PDF present in the Mac OS X window server. Apple chose to use this model for a variety of reasons, including the avoidance of high Adobe-imposed licensing fees for DPS, and more efficient support of legacy Carbon and Classic code; QuickDraw-based applications use bitmapped drawing exclusively. Adobe's copyright stipulations for the PDF standard are much less restrictive, granting conditional copyright permission to anyone to use the format in software applications, free of charge.

--

My video compression blog
Re:Irony and opportunity... by Anonymous Coward · 2009-02-20 22:39 · Score: 0

You're saying there are graphics so complex that they can't be represented by a vector algorithm, but can be represented as a bitmap?
Nope, he's saying there are graphics so complex that they can't be represented by PDF. (Or they can, but at a computation cost so high, it's cheaper to rasterise.)
Re:Irony and opportunity... by TheNetAvenger · 2009-02-21 17:35 · Score: 1

That's a puzzling remark. You're saying there are graphics so complex that they can't be represented by a vector algorithm, but can be represented as a bitmap? Forgive me, perhaps you know what you are talking about, but I swear I just caught a whiff of bullshit.
Well you can sit there and call it BullShit, or you can take 5 minutes and learn something...
I will even be charitable and give you a direction to head to learn...
Why do you think PDF's have to rasterize complex vector images or information is lost? Even look at Adobe Illustrator created files, the PDF relationship hurts both products, as AI is held back at times by the PDF language and for complex artwork, and AI cannot simply become a PDF, and the vector image has to be rasterized.
Next area to look...
Go back to Postscript and Display PDF technologies. Notice what they lack in things they inherently represent. Think in tersm of transparent vector masks upon layer with multi-point gradients. Not only are these concepts outside of Display PDF, but the more complex they get, they easily push out of the latest PDF specfications and even push beyond native AI file format understanding.
Even take a product like CorelDraw, it has inherent graphical concepts that cannot translate to PDF or AI formats, so they are either 'approximated' or rasterized when converted. Ask any Mac or PC graphic designer that works between the products.
Now go to the source language of PDF, the latest and greatest, and what graphic concepts are understood. Throw in even 3D spacial coordinates and multipoint blend and complex forms of color transparencies. PDFs have no mechanism to represent this.
Finally go read XAML and XPS and WPF specification from Microsoft. XAML is the format used from the application to the screen to the ptiner, etc, and encompasses XPS (static page) and WPF (dynamic) graphical constructs.
XAML on Vista and Win7 inherently understand very complex forms of graphics and layers of these in native vector form, and not only in static formats, but in full dynamic animation forms as well.
Here is a test, why do you think as vast as Adobe is and after buying Flash, that Flash itself is not based on any Adobe PDF or Postscript technologies and has to use the Flash constructs for the vector complexities?
And even with Flash, many times it must also rasterize as the complextity extends beyond's its inherent abilities - especially in translating them to a native drawing API of the OS it is running on.
I know I have more than given you a ton of things to consider and look up, but I am trying to really be fair here, so you maybe do take the time to look them up and learn a bit about graphics and the differences.
Right now, MS XAML is far more advanced than PDF, Flash, or any other display format technology out there.
And there lies the reason companies like Xerox have really paid attention and even helped in refining XAML as the future of graphics description...
-----
Now I am not going to say XAML or the forms that create WPS, XPS are perfect are the best at everything, nor fix everything for the future. However for a v1.0 specification and technology used as the backbone of display in an OS, it is pretty impressive.
And the OS point is important, as when you are using Vista or WPF inherent vector XAML drawing, the Aero/DWM composer understands it, lets rendering and redraws happen at the composer level in vector format, allowing for very complex and rich UI and animation concepts via XAML.
Re:Irony and opportunity... by TheNetAvenger · 2009-02-21 17:50 · Score: 1

but OS X's Quartz 2D is something completely different
Actually, no it isn't...
Quartz comes at it from another API set rather than pure page description, but in the end, produces Display Postscript/PDF.
The only way to draw on OS X and avoid Display PDF/Postscript is to go back to QuickDraw which only renders in bitmap forms and is more than a generation behind even GDI and GDI+ technologies that are 10 years old in the Windows world.
I don't want to anger anyone, but people should do some research on this. Developers that deal with high levels of rendering on OS X, hit ceilings all the time.
Microsoft was keeping up with OS X with GDI+ introduced in Win2k on some levels, but with Vista and the new display models introduced they jumped more than a generation ahead of OS X or anything else out there.
Microsoft's display model isn't the end all be all either, but it is a good step considering Microsoft's history of duct taping GDI and expecting it to get by with high end graphic representation.
Take Care and truly go compare these things. And if you are an OSS developer, there are things you can learn from both Apple and Microsoft and use to advanced the OSS world which is really weak in a any solid standards that even come close to these technologies.
This is why many people shiver when they see people say SVG is what MS should have used instead of XAML, the reality is, SVG can't even do 1/50th of the things XAML inherently is designed to do, even just in page or display rendering of complex vector images, let alone the protocol mechanism, animation technologies and programming event models that can trigger in XAML.

I don't understand why we're still seeing these... by Anonymous Coward · 2009-02-20 05:51 · Score: 0

This problem was already solved in 1995. Not just was that when Java first appeared, but Visual Basic also didn't have this problem. I think if software contains a buffer overflow, the creators should be charged with criminal negligence or something, because they knowingly allowed a preventable security bug to happen.

Re:Actually Vista does comes with sandboxing suppo by cbhacking · 2009-02-20 06:09 · Score: 1

Note: It is possible to exclude the Flash broker process from breaking through Protected Mode without a prompt, though it requires a registry hack.

--
There's no place I could be, since I've found Serenity...

Heresy! by Dystopian+Rebel · 2009-02-20 06:16 · Score: 1

It's because I'm burning up my employer's money reading Slashdot on an XP box! At home, it's Ubuntu through and through, I swear!

Well, except for Wine and VirtualBox.

--
Rich And Stupid is not so bad as Working For Rich And Stupid.

Critical? by PontifexMaximus · 2009-02-20 06:16 · Score: 2, Insightful

And a patch will be available on March 11? Boy, they sure are devoting all their resources toward getting a patch out.

Idiots.

--
Pax Vobiscum

Re:Critical? by myspace-cn · 2009-02-20 06:29 · Score: 1

Shit, you stole my thunder!

Thanks by Inf0phreak · 2009-02-20 06:36 · Score: 1

That only leaves the question of why the heck that is not the default? And why you can't enable this option from within the Firefox plugin?

--
________
Entranced by anime since late summer 2001 and loving it ^_^

Skim for Mac OS X by MisterSquid · 2009-02-20 06:43 · Score: 2, Informative

Here's a plug (from a satisfied user) for the open source but Mac-only Skim.

Skim is lightweight, fast, and scriptable. It allows for easy markup of PDFs either to the original file or separately. With Skim, one can convert annotations between its open format (written into the extended attributes) and Adobe's PDF standard. Combined with Apple's Preview.app, Skim can provides much of the functionality Adobe Acrobat.

--
blog

Re:Static file reader - Pwnage - WTF?!? by blueg3 · 2009-02-20 07:02 · Score: 1

To an extent, yes. "Sandboxing" on a live system really encompasses a wide variety of potential ways that code can influence the rest of the system. (On the other hand, sandboxing with virtual machines is a much more straightforward problem.) One of these is access control. SELinux is an access control mechanism that provides more powerful and finer-grained access control than Unix's user model.

SELinux is a good example of how this sort of thing is tough to do. It can take a substantial amount of work for a user who knows how to use SELinux and knows exactly what his applications will need to access to impose those restrictions.

reported to Kaspersky weeks ago. Adobe slow. by Anonymous Coward · 2009-02-20 07:26 · Score: 0

I reported this to Kaspersky weeks ago with payload. FWIW, e-mail exchange attached:

--snip--
Hello,

wdmaud.sys - Trojan.Win32.Agent2.agx

New malicious software was found in this file. It's detection will be included in the next update. Thank you for your help.

Please quote all when answering.
The answer is relevant to the latest bases from update sources.

>Hi,
>
>This is a variant of Win32/Daonol.B as identified by Microsoft. It is
>loaded in HKLM..\Drivers32 by modifying "aux" and hijacks Google
>search results, appearing to come from 7.7.7.0.

Simple solution: by Doug52392 · 2009-02-20 07:34 · Score: 2, Insightful

Uninstall Acrobat, the most bloated software product I've ever used.

Actually, javascript in web browsers is a mistake. by tjstork · 2009-02-20 07:55 · Score: 1

The right way to approach this, as a matter of design, would be not to embed a Turing-complete language in a file format that doesn't need it.....You're comparing with a web browser. A web browser is qualitatively different

Actually, if you are going to be a purist about it, Javascript in a web browser is considered to be a security problem because it is a Turing machine. Active X, Flash, any sort of Turing machine in a web browser is always a client security problem and the safest way to deal with any of it is to block it. But users accept that the security risk is there, and now we have hoards of Russian botnets.

Society has spoken. End users are more interested in running code than they are either in anonymity and its time the internet change to reflect it. Security loopholes in any program are merely a reflection of the fact that the people choose features over the cost of having to be their own digital sheriffs, and its time to go hire real internet sheriffs, and go git those varmits.

--
This is my sig.

PDF is VIRUS BAIT by Latinhypercube · 2009-02-20 08:12 · Score: 0

I have noticed all sorts of weird pdf hacks happening, usually provoked by visiting torrent sites etc. I suggest installing the very light 6mb pdf reader fox-it, get it from download.com

Re:Actually, javascript in web browsers is a mista by bcrowell · 2009-02-20 08:15 · Score: 1

Actually, if you are going to be a purist about it, Javascript in a web browser is considered to be a security problem because it is a Turing machine.

I didn't say that JS in a web browser wasn't a security problem. It is. I said that a browser was qualitatively different from a PDF viewer because a user wants and expects a web browser to run executable code, whereas a user doesn't want or expect a PDF viewer to do so.

In both cases, a security-conscious user can disable JS. (I use NoScript with Firefox.) The difference is that it's not reasonable to disable JS by default in a browser (because less sophisticated users will just notice that everything seems broken), and it's not reasonable to enable JS by default in a PDF viewer (because users don't want or need it).

--
Find free books.

Re:Actually Vista does comes with sandboxing suppo by Anonymous Coward · 2009-02-20 08:17 · Score: 0

"leverages".
Oh really?

"Leverage" is a NOUN, not a verb...

Just because some business assholes decide to rewrite the language because they're too stupid to learn it properly, doesn't mean it has become officially changed...

Why didn't you write "Google Chrome USES this Vista feature"?

ASSHOLE!

Re:Actually Vista does comes with sandboxing suppo by daveime · 2009-02-20 09:22 · Score: 1

It would seem that Dictionary.com disagrees with you.

-verb (used with object)
5. to exert power or influence on.
6. to provide with leverage.
7. to invest or arrange (invested funds) using leverage.

Also Merriam-Webster Online

Main Entry: leverage
Function: transitive verb
Inflected Form(s): leveraged; leveraging
Date: 1957
1: to provide (as a corporation) or supplement (as money) with leverage ; also : to enhance as if by supplying with financial leverage
2: to use for gain : exploit <shamelessly leverage the system to their advantage -- Alexander Wolff>

Also Cambridge University Press Online

leverage (BORROWING)
verb [T] SPECIALIZED
to use borrowed money to buy a company

But I guess they're ALL ASSHOLES TOO EH ?????

Re:Static file reader - Pwnage - WTF?!? by smoker2 · 2009-02-20 10:46 · Score: 1

Is there an attack for linux >?
Why do people, focus on Microsoft ? Is this going to hurt me in the next 24 hours, or don't you care ? I use Gnomes PDF viewer or Gnomes xPdf. (why does Firefoxs spellchecker complain about linux ?)

Are windows users in charge of the internet too ?

Yes, I know you blue, are doing the right thing, but the thread was drifting dangerously into cronyism. Surely we're all in this together ?

Re:Actually, javascript in web browsers is a mista by smoker2 · 2009-02-20 10:49 · Score: 1

Fuck off.

Skim on Macs (was: What about Foxit?) by Anonymous Coward · 2009-02-20 11:02 · Score: 0

Skim is a reader that uses Apple's PDFKit and is so much better than Preview and Acrobat Reader that it is amazing. Faster, sensible, actively developed.

Just saw this yesterday by Anonymous Coward · 2009-02-20 14:41 · Score: 0

Think I had a close call with this yesterday. I went to one of the GCW mirrors (btw, some of these are booby-trapped with malware, others are perfectly clean, and if you don't know what GCW stands for I won't confirm or deny).

Anyway, went there with Firefox 3, lo and behold my Acrobat Reader opens up in the background. Firefox instantly goes to 100% cpu. I was able to kill both processes, with no apparent harm to my system. Malware scans come back clean. Nothing actually loaded in Acrobat, maybe because it's version 5, the last version that isn't chock full of bloat.

I also think FF3 going to 100% cpu is just a side effect of the same or different hack not working as it would have under IE.

I reported that particular mirror to the GCW admin. In the past they've actually been pretty responsive to these types of complaints. I once got a mirror removed for having those invisible click-anywhere ad links.

Re:Can we fucking dump "C"??? by narcberry · 2009-02-20 14:49 · Score: 1

Visual C++.

A c++ compiler will choke and die trying to compile that garbage. RIP little buddy.

--
Modding me -1 troll doesn't make me wrong.

A Javascript bug!? by flyingfsck · 2009-02-20 15:58 · Score: 1

Why is there Javascript in a document reader? Adobe holds the distinction as the only company that can write worse Windows software than Microsoft.

--
Excuse me, but please get off my Pennisetum Clandestinum, eh!

Favor free software PDF readers. by jbn-o · 2009-02-21 00:31 · Score: 1

I wouldn't steer people to a proprietary reader like foxit. If Adobe's PDF reader software were free software, we could fix it in any way we chose. The JS interpreter could be removed, or a less capable language interpreter could be put in, or a number of other changes could all compete for an audience. We could get the verifiable security one gets with Evince. By moving from one proprietary program to another, one merely moves from one master to another.

--
Digital Citizen

Re:Favor free software PDF readers. by bcrowell · 2009-02-21 04:53 · Score: 1

I wouldn't steer people to a proprietary reader like foxit. [...] By moving from one proprietary program to another, one merely moves from one master to another.

Is there an open-source reader for Windows that you like?

--
Find free books.
Re:Favor free software PDF readers. by jbn-o · 2009-02-21 09:54 · Score: 1

I'm told that SumatraPDF is available for Microsoft Windows users. SumatraPDF is licensed under the GNU GPL v2 and it runs with WINE. However I don't choose to use Microsoft Windows or any other proprietary software on my system at home. I use GNU/Linux with free software PDF readers.

--
Digital Citizen

Re:Actually, javascript in web browsers is a mista by Anonymous Coward · 2009-02-21 01:16 · Score: 0

Why so serious? Let's put a smile on that face!

Re:Can we fucking dump "C"??? by Anonymous Coward · 2009-02-21 01:36 · Score: 0

"A poor workman blames his tools."

True, but a good workman picks the right tool for the job.

I agree with the GP. C is used in far too many places where it does not belong. It is good for writing drivers, but that is it. If your application does not interface directly with the hardware, it should not be using C. Otherwise, you're just asking for a whole host of problems.

An even simpler solution by prakatmac · 2009-02-23 13:51 · Score: 1

There is an option to disable javascript in the preferences. That would probably do the trick as well.

Re:Actually Vista does comes with sandboxing suppo by Anonymous Coward · 2009-02-28 09:41 · Score: 0

PISS OUT MY ASS!!!

Forms aren't new. by Grendel+Drago · 2009-03-05 05:20 · Score: 1

PDF form support isn't a particularly new feature; it goes back to at least PDF 1.3 (section 7.6 of the standard), published in 2000.

The feature which you describe--saving filled-in forms rather than detached form data--is supported as of evince 2.24.1 and poppler 0.8.7. It's quite standardized; you just fill in the 'V' key in the field dictionary, which is empty in a blank form. (See table 7.44 in the PDF 1.3 standard.)

Was that what you meant?

--
Laws do not persuade just because they threaten. --Seneca

Optimization requires profiling. by Grendel+Drago · 2009-03-05 05:30 · Score: 1

Image if they got rid of all the SLOOOOW python in ubuntu would run considerably faster.

You don't actually know that. If you optimize without profiling things, you make a mess for yourself and don't actually improve anything.

Consider login time in GNOME. Your method would demand that gnome-settings-daemon be rewritten in assembler. Instead, consider that the login time was halved through careful profiling and algorithmic optimization--which is to say, nothing was rewritten in C.

As for slow performance of Python-based tools in general, note that the performance-critical libraries--cairo, GTK+, your video drivers--are all written in C. Rewriting the frontends isn't going to gain you much. If you disagree, go profile, and come back when you have more than simple kneejerking.

Heck, I just wrote a batch conversion process to move thousands of small XML files into one big XML file in another format. Time to execute xsltproc (in super-duper C!) a few hundred times for a test run? About a minute. Time to use a Perl interface to libxslt, along with parser hooks written as Perl subroutines? About four seconds, since I wasn't invoking xsltproc once for each input file.

Rewriting that project in C would have been time-consuming, error-prone, and utterly pointless.

--
Laws do not persuade just because they threaten. --Seneca

Slashdot Mirror

Adobe Flaw Heightens Risk of Malicious PDFs

193 comments