Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Flaw Heightens Risk of Malicious PDFs

Posted by kdawson on Friday February 20, 2009 @04:00AM from the driving-by dept.

snydeq writes "Security companies warn of a new flaw in version 9 of Adobe Reader and Acrobat that could compromise PCs merely by the opening of a malicious PDF. Although attacks are not yet widespread, hackers are exploiting the flaw in the wild, gaining control of computers via buffer overflow conditions triggered by the opening of specially crafted PDFs." Adobe is calling the flaw "critical" and says a patch for Reader 9 and Acrobat 9 will be released by March 11.

2 of 193 comments (clear)

Min score:

Reason:

Sort:

Sigh... still no basic sandboxing by Ed+Avis · 2009-02-20 04:04 · Score: 5, Interesting

And why exactly does Adobe Reader run with full permissions to all the user's files? Surely by now Adobe would have learned to run it in a sandbox. For example, the code that reads and renders the PDF could run in a separate process (a la IE8 or Google Chrome) and just send image data back to the main window.
More generally, the OS needs to make it completely easy to sandbox applications, so even the stupidest application developer can do it with little effort. Indeed, the default should be that it has no access to write files anywhere except those chosen by the user with the Save As box. I'm not holding my breath though...

--
-- Ed Avis ed@membled.com
Patch by March something? by rjune · 2009-02-20 04:10 · Score: 5, Interesting

Today is February 20. This is listed as a critical flaw and they are taking 18 days to release a patch. I'm glad they're getting right on this.