Slashdot Mirror


Adobe Flaw Heightens Risk of Malicious PDFs

snydeq writes "Security companies warn of a new flaw in version 9 of Adobe Reader and Acrobat that could compromise PCs merely by the opening of a malicious PDF. Although attacks are not yet widespread, hackers are exploiting the flaw in the wild, gaining control of computers via buffer overflow conditions triggered by the opening of specially crafted PDFs." Adobe is calling the flaw "critical" and says a patch for Reader 9 and Acrobat 9 will be released by March 11.

12 of 193 comments

  1. What about Foxit? by PotatoFarmer · · Score: 2, Insightful

    TFA doesn't mention whether or not Foxit is affected. If not, it's just one more reason to avoid the bloatware that is Reader.

  2. Well.. by phrackwulf · · Score: 3, Insightful

    Guess I'm going back to Adobe 5.1 again. And yes, I still have the install.

    --
    What would Richard Feynman do, if he were here right now? He'd do some math and he'd follow through!
  3. JavaScript... by Anonymous Coward · · Score: 3, Insightful

    Remind me why my digital document format needs JavaScript again?

    1. Re:JavaScript... by FrostDust · · Score: 2, Insightful

      While that may be useful for some situations (I came across an RPG character sheet that did that, you plug in stats and it populated the appropriate fields that derived from those stats), it is really outside the scope of what a PDF is supposed to be.

      A PDF is what you use when you want to disseminate information, and it's important that you can guarantee the recipient is seeing the exact same document you are. A .doc, for instance, can look different from computer to computer, based on what program (or even version of the program) they're using, what formatting rules they have applied (margin spacing, preferred fonts etc.), and the user might accidentally hit "delete" and erase a good part of the document without realizing something went missing.

  4. Re:Sigh... still no basic sandboxing by billcopc · · Score: 4, Insightful

    You seem to blindly believe that Adobe is even remotely competent at writing code. If you've ever used Acrobat, you would realize it is a barely-usable resource-thrashing mess.

    Does Ghostview need 150mb of libraries to render a PDF? No.

    Just because a company is a market leader, does not necessarily mean they know what they're doing. They just know how to sell.

    --
    -Billco, Fnarg.com
  5. March 11? by Culture20 · · Score: 4, Insightful

    That's three weeks away! One week from now, pdfs are going to be on every questionable web page and email attachment. Step up the cycle, Adobe.

  6. Do not allow pdf to follow links by 140Mandak262Jamuna · · Score: 3, Insightful

    There are settings available to prevent PDF readers from executing JavaScript or following hypertext links. But when you do that the Acrobat Reader bitches and moans and gives you a headache.

    Acrobat Reader is precisely in the same position as IE4. Widely used and insecure. Users who are security conscious, vendor lock conscious, portability issues aware are the minority. Precisely the conditions that allowed Firefox to come, put the users in control once again, and take a healthy bite out of the market share of the dominant browser. Impact of Firefox is more than its market share. It forced web site developers to be aware of portability issues and become standards compliant. I am very sure other readers like FoxIt or something would take a big bite out of Adobe.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  7. Re:Patch by March something? by Anonymous Coward · · Score: 1, Insightful

    Well, they actually have it patched. They're just waiting for Acrobat to start up to see if it works, that takes 18 days after all.

  8. Re:Adobe should separate pdf and acrobat more by fuzzyfuzzyfungus · · Score: 4, Insightful

    There are, already, standardized subsets of PDF (PDF/A, PDF/X, PDF/E) which fulfill your request.

    Trouble is, while Adobe does have an incentive to support those, they have no incentive to encourage them as defaults. There are two basic problems: Adobe has an incentive to spread PDF as widely as possible (which creates a strong pressure to tack on additional functions to address expanded use cases) and Adobe only makes money on PDF if you use their software. If, in practice, you can only be confident of being able to manipulate a given PDF with Acrobat, Adobe cashes in. Otherwise, not so much.

  9. Re:Can we fucking dump "C"??? by Anonymous Coward · · Score: 3, Insightful

    There's a saying about C: "We don't prevent you from doing stupid things because that would also prevent you from doing clever things."

    There's also a saying about you: "A poor workman blames his tools."

  10. Critical? by PontifexMaximus · · Score: 2, Insightful

    And a patch will be available on March 11? Boy, they sure are devoting all their resources toward getting a patch out.

    Idiots.

    --
    Pax Vobiscum
  11. Simple solution: by Doug52392 · · Score: 2, Insightful

    Uninstall Acrobat, the most bloated software product I've ever used.