Slashdot Mirror


Homemade PDF Patch Beats Adobe By Two Weeks

CWmike writes "Sourcefire security researcher Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks. Grenier posted the patch on Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees. Also, PhishLabs has created a batch file that resets a Windows registry key to de-fang the hack by disabling JavaScript in Adobe Reader 9.0, giving administrators a way to automate the process."

238 comments

  1. Registry hack by coulbc · · Score: 5, Interesting

    We figured that one out in about five minutes. Wrote a quick group policy file and moved on to the next problem.

    1. Re:Registry hack by teridon · · Score: 1

      What do you mean "group policy file"? Did you deploy via script or ADM file or what?

      Share :)

      I tried making a quick ADM file based on some ADMs I found here:
      http://blog.stealthpuppy.com/deployment/deploying-adobe-reader-9-for-windows

      But apparently I didn't do it correctly, because JS was still on after I applied my setting.

      --
      I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
    2. Re:Registry hack by initialE · · Score: 4, Informative

      For myself I just used the REG.exe located inside the %system32% folder. In your logon script (assuming you have one), just add in the lines

      REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bConsoleOpen /t REG_DWORD /d 0 /f

      REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableGlobalSecurity /t REG_DWORD /d 1 /f

      REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f

      REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableMenuItems /t REG_DWORD /d 0 /f

      YMMV. REG.exe is not included on Windows 2000. Because this applies to the current user registry there should be no permissions issue. And make sure your path includes the system32 directory, as it does by default.

      --
      Starbucks, Harbuckle of Breath.
    3. Re:Registry hack by Anonymous Coward · · Score: 0

      For people who have only one machine to deal with, doesn't Edit -> Preferences -> JavaScript -> uncheck "Enable Acrobat JavaScript" end this problem? You can also enable the enhanced security thing too, I guess.

    4. Re:Registry hack by Anonymous Coward · · Score: 0

      Why doesn't Adobe release something like a "security hotfix for Adobe Reader" which just does the registry hack? It wouldn't take space/bandwidth either, and their "Updater" is already capable of doing a lot more. When the actual fix is ready, release it and disable the hotfix hack. How hard is that? MS did similar things for years.

    5. Re:Registry hack by Anonymous Coward · · Score: 0

      If you had gone and released it then, you'd be famous. And we might believe you ;)

    6. Re:Registry hack by Anonymous Coward · · Score: 0

      What are these other keys?

      REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bConsoleOpen /t REG_DWORD /d 0 /f

      REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableGlobalSecurity /t REG_DWORD /d 1 /f

      REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableMenuItems /t REG_DWORD /d 0 /f

      My script shuts off bEnableJS, but some of the systems are reporting it still on. What do you know about the others (bEnableGlobalSecurity, et al.)?

    7. Re:Registry hack by Zotdogg · · Score: 1

      Looks like those Reg Edits might address the vulnerability on a lower level, but I figured I'd throw the US-CERT steps up here for discussion/reference. Details at http://www.us-cert.gov/cas/techalerts/TA09-051A.html

      Disable JavaScript in Adobe Reader and Acrobat

      Prevent Internet Explorer from automatically opening PDF documents

      Disable the display of PDF documents in the web browser

    8. Re:Registry hack by mnmn · · Score: 1

      Since when has changing a registry entry become a 'hack'?

      Next we'll hear of create-a-folder hack or waterfall screensaver hack.

      --
      "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    9. Re:Registry hack by initialE · · Score: 1

      This only prevents pdfs from opening automatically within the browser window. The registry is in HKEY_CLASSES_ROOT, which is administrator-only access, and let's face it, if you need to open the pdf, you open the pdf. Only later do you find out it's borked.

      --
      Starbucks, Harbuckle of Breath.
  2. Re:Patch by Brian+Gordon · · Score: 0, Flamebait

    Who cares?

  3. Offensive by Feminist-Mom · · Score: 0, Funny

    From the article:

    "This thing is so simple to use that you're grandmother could patch it."

      As a 49 yo grandmother, C programmer and feminist, I find this offensive.

    1. Re:Offensive by Anonymous Coward · · Score: 2, Funny

      Thank you for letting the Slashdot community know what you find offensive... is this because you think it's interesting, or because you have no friends to talk with?

    2. Re:Offensive by Anonymous Coward · · Score: 5, Funny

      I'll go for the secret third option, "because she's a feminist". Letting the world know what they find offensive is practically the feminists' national sport. Rather, it would be if they had their own country. And by God, I wish they did.

    3. Re:Offensive by TriezGamer · · Score: 2, Insightful

      Your grandchildren are not likely to be browsing Slashdot. Furthermore, taking offense to something that is very clearly tongue-in-cheek is not befitting of someone of your age.

    4. Re:Offensive by Anonymous Coward · · Score: 0

      Grandma Nazi...

    5. Re:Offensive by bane2571 · · Score: 2, Funny

      So, you're saying your grandmother couldn't install the patch? Or are you trying to imply that your 13 year old or younger grandchildren are nerdy enough to read slashdot?

    6. Re:Offensive by Anonymous Coward · · Score: 5, Funny

      Yeah, you're right. It's terrible when people use an apostrophe when they mean "your".

    7. Re:Offensive by Anonymous Coward · · Score: 5, Funny

      Q: How many feminists does it take to change a lightbulb?
      A: That is NOT funny.

    8. Re:Offensive by Anonymous Coward · · Score: 0

      Q: How many lightbulbs does it take to turn on a feminist?
      A: That is truly funny!

    9. Re:Offensive by Anonymous Coward · · Score: 0, Insightful

      Look, I've been a programmer for a lot of years and I'm sick and tired of this sexist crap. I could probably program most slashdot readers under the table, and yet at work I get treated like an idiot. IT articles treat women, especially older ones, like idiots. Enough already. People should be willing to step back and recognize the contributions that women in computer science have made.

      F.M.

    10. Re:Offensive by Anonymous Coward · · Score: 1, Informative

      Q: How many male chauvinists does it take to change the lightbulb in the kitchen?
      A: None, let the bitch wash the dishes in the dark.

    11. Re:Offensive by Anonymous Coward · · Score: 1, Funny

      Q: How many feminists does it take to change a lightbulb?
      A: Trick question, feminists can't change anything.

    12. Re:Offensive by FlyingBishop · · Score: 3, Funny

      Dude, you should really be careful. I don't think you realize who you're talking to.

      Posting AC is only going to keep you safe for so long.

      That also goes for everyone who modded her down.

    13. Re:Offensive by JorDan+Clock · · Score: 5, Funny

      Q: How many feminists does it take to change a lightbulb?

      A: Four. One to change the lightbulb, three to form a support group.

      But really, it's a trick question because feminists can't change anything.

    14. Re:Offensive by jebrew · · Score: 1

      Figures...whenever there's something I want to mod up, I never have the points for it.

    15. Re:Offensive by electrosoccertux · · Score: 2, Funny

      Unrelated to the feminist jokes, but related to lightbulbs:

      Q: How many psychiatrists does it take to change a lightbulb?
      A: Only one, but the lightbulb has to want to change.

    16. Re:Offensive by Anonymous Coward · · Score: 1, Funny

      So to paraphrase....That is NOT funny!

    17. Re:Offensive by zippthorne · · Score: 0, Troll

      That is .. awfully young to be both a grandmother and a feminist. Assuming you're telling the truth, though, don't you think it's a little self serving for a woman to be a feminist? I mean, I'm sure Louis XVI was a royalist, but is it really a virtue?

      --
      Can you be Even More Awesome?!
    18. Re:Offensive by thebigbadme · · Score: 1, Flamebait

      Letting the world know what they find offensive is practically the feminists' national sport. Rather, it would be if they had their own country.

      I'm a feminist, and am offended by this claim
      (I am a feminist, but am going for funny with this...)

      I think the feeling of entitlement that often leads to the bitching comes from something besides the ism/ist in question... at least I attribute it to a sense of entitlement. and by that I don't mean that anyone is not particularly entitled t... ah what's the use

      --
      "It's the Law of the Universe, and I'm the sheriff." Slash-cott 2/10-2/17
    19. Re:Offensive by hack++slash · · Score: 1

      Q: How many Vietnam vets does it take to change a lightbulb?
      A: You don't know because you weren't there man!

      --
      To do something right, you often have to roll up your sleeves and get busy.
    20. Re:Offensive by Anonymous Coward · · Score: 0

      please post pussy pics.

    21. Re:Offensive by jaxtherat · · Score: 1

      Yes, but you certainly do not represent the majority of that demographic, so the analogy still stands.

      --
      http://www.zombieapocalypse.tv/
    22. Re:Offensive by Anonymous Coward · · Score: 0

      Ahh, but since you read it, it applies to *your* grandmother...

    23. Re:Offensive by Anonymous Coward · · Score: 0

      That is .. awfully young to be both a grandmother and a feminist. Assuming you're telling the truth, though, don't you think it's a little self serving for a woman to be a feminist? I mean, I'm sure Louis XVI was a royalist, but is it really a virtue?

      Louis was in it just for himself (most likely). Feminists (both male and female) are pursuing equality for all members of all genders (not just themselves). What is sad is that many people equate feminists with extremists and think they're all out to castrate Mankind.

    24. Re:Offensive by Anonymous Coward · · Score: 2, Insightful

      Ada Lovelace, the first programmer.
      http://en.wikipedia.org/wiki/Ada_Lovelace

    25. Re:Offensive by Anonymous Coward · · Score: 0

      Find me someone who calls themselves a feminist that isn't also an extremist.

    26. Re:Offensive by Anonymous Coward · · Score: 0

      The great-grandchildren could be 4 by now...

    27. Re:Offensive by The+End+Of+Days · · Score: 0, Flamebait

      Considering the tendency to be extremely picky about the naming of things, you'd think those who subscribe to feminism would realize that the very word conjures up the image of empowering women to run everything. Something a little more inclusive-sounding might be in order to maintain that "all genders" image, no?

      Not that I actually care. I laugh at the essential ironies of feminists. I find humor in anyone who takes themselves so seriously.

    28. Re:Offensive by Anonymous Coward · · Score: 0, Informative

      Q: How many feminists does it take to change a lightbulb? A: Two. One to change the bulb and one to SUCK MY COCK.

    29. Re:Offensive by Anonymous Coward · · Score: 0

      What is sad is that many people equate feminists with extremists...

      That's because all the extremists keep referring to themselves as feminists. Hmmm. I think we have a synonym here. Somebody alert the thesaurus editors.

    30. Re:Offensive by Anonymous Coward · · Score: 0

      yes, but *his* grandmother is in a persistent vegetative state.

    31. Re:Offensive by Big+Hairy+Ian · · Score: 1

      Wow is there anyone on this thread who is claiming to be a feminist actually female???

      --
      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    32. Re:Offensive by Anonymous Coward · · Score: 0

      because they are out to do just that. It's got nothing to do with equal rights and everything to do with the genocide of men.

      Feminists are only in it because they had a bad boyfriend that used to beat them. How many are in it for other reasons? None.

    33. Re:Offensive by Anonymous Coward · · Score: 0

    34. Re:Offensive by JoCat · · Score: 1

      Q: How many Freudians does it take to change a lightbulb?
      A: Two. One to change the bulb, the other to hold the penis. Cock. Ladder. LADDER! I mean ladder.

    35. Re:Offensive by crodrigu1 · · Score: 0

      Let me guess: you never had and never will have a girlfriend, just reading your prose :)

    36. Re:Offensive by Anonymous Coward · · Score: 0

      I'm sick and tired of this sexist crap. I could probably program most slashdot readers under the table,

      s/program/suck off/

    37. Re:Offensive by Anonymous Coward · · Score: 0

      What does a normal woman use as a contraceptive? The pill.
      What does a feminist use? Their face :)

    38. Re:Offensive by smellsofbikes · · Score: 1

      How many Marxists does it take to change a lightbulb?

      None. The lightbulb contains the seeds of its own revolution.

      --
      Nostalgia's not what it used to be.
    39. Re:Offensive by houghi · · Score: 2, Funny

      One to change the light bulb and to post that the light bulb has been changed.

      Fourteen to share similar experiences of changing light bulbs and how the light bulb could have been changed differently.

      Seven to caution about the dangers of changing light bulbs.

      Seven more to point out spelling/grammatical errors in posts about changing light bulbs.

      Five to flame the spell checkers.

      Three to correct spelling/grammar flames.

      Six to argue over whether it's "lightbulb" or "light bulb" ... another six to condemn those six as stupid.

      Fifteen to claim experience in the lighting industry and give the correct spelling.

      Nineteen to post that this group is not about light bulbs and to please take this discussion to a lightbulb (or light bulb) forum.

      Eleven to defend the posting to the group saying that we all use light bulbs and therefore the posts are relevant to this group.

      Thirty-six to debate which method of changing light bulbs is superior, where to buy the best light bulbs, what brand of light bulbs work best for this technique and what brands are faulty.

      Seven to post URLs where one can see examples of different light bulbs.

      Four to post that the URLs were posted incorrectly and then post the corrected URL.

      Three to post about links they found from the URLs that are relevant to this group which makes light bulbs relevant to this group.

      Thirteen to link all posts to date, quote them in their entirety including all headers and signatures, and add "Me too".

      Five to post to the group that they will no longer post because they cannot handle the light bulb controversy.

      Four to say "Didn't we go through this already a short time ago?"

      Thirteen to say "Do a Google search on light bulbs before posting questions about light bulbs."

      Three to tell a funny story about their show dog and a light bulb.
      One to reply almost immediately saying "First Post !!!!!!"

      One to post an ASCII image of the lightbulb.

      Three to ask "Wtf is that" because their clients didn't display it as fixed-width.

      Seventeen to reply saying that their e-mail client is inadequate and suggest they get Mutt.

      One to reply with a perfectly labelled scale diagram of how to change a light bulb correctly.

      Thirty-three to reply telling them not to send HTML e-mails or attachments, and why don't they just use Mutt and ASCII art anyway.

      Two to ask "but does it run Linux ?".

      One to make a comment about the upcoming Microsoft Digital Lightbulb Management 2007 SP2 RGE.

      Two to suggest that Apple lightbulbs are superior.

      Seventy-five to start a massive off-topic Apple vs Microsoft flamewar.

      Forty-two to continue it into a Python vs Perl flamewar.

      One lonely poster to unsuccessfully try to start an HP-UX vs IRIX flamewar.

      One hundred and seventy-eight to respond at various times saying "Troll!!", "OMG WTF TROLL !!!!!!one LOL", "Don't Feed Da Troll!!1", etc...

      AND

      One group lurker to respond to the original post 6 months from now and start it all over again.

      --
      Don't fight for your country, if your country does not fight for you.
    40. Re:Offensive by dotancohen · · Score: 1

      Q: How many Vietnam vets does it take to change a lightbulb?

      A: You don't know because you weren't there man!

      There was a huge stink on the PHP list a few years back because of some guy using this in his sig. I think that a few vets actually left the list.

      --
      It is dangerous to be right when the government is wrong.
    41. Re:Offensive by Just+Some+Guy · · Score: 0, Flamebait

      People should be willing to step back and recognize the contributions that women in computer science have made.

      Why? I don't care what contributions can be directly attributed to which race, sex, or nationality. Whether you're a WASP male or a lesbian in Singapore, if your work is good, it's good. If it's bad, your demographic status doesn't make it better.

      I guess I don't get this "minority" hangup from either side of the debate. People who dismiss the contribution of women or treat them badly are ignorant jackasses. Others who want me to put a woman on a pedestal and give her a cookie because she managed to write a linked list with proper error handling are at least as mystifying. You can code? Great! Let's get back to work, shall we?

      --
      Dewey, what part of this looks like authorities should be involved?
    42. Re:Offensive by Anonymous Coward · · Score: 0

      Maybe they should man up about it.

    43. Re:Offensive by El+Torico · · Score: 1

      That's the funniest and most accurate characterization of the /. community I've seen. Too bad I don't have mod points.

      --
      In the land of the blind, the one-eyed man is usually crucified.
    44. Re:Offensive by badkarmadayaccount · · Score: 1

      Some mod got hit on a sore spot, huh?

      --
      I know tobacco is bad for you, so I smoke weed with crack.
  4. Feature Request by ewhac · · Score: 5, Insightful

    Since Adobe seems to (incorrectly) think JavaScript inside PDFs is a great idea, how about adding this feature:

    When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"

    This is the cheesy but mostly effective stopgap solution Microsoft adopted when Word became an infection vector for macro viruses. Unless Microsoft got a patent on it, I don't see any reason why Adobe couldn't also use the same approach.

    Schwab
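The feature request above rests on one assumption: that Reader can tell a file carries script before any of it runs. As an added example (not from the original thread, and not Adobe's code), here is a small Python triage scanner for exactly that signal. It walks the file's indirect objects, undoes PDF `#xx` name escapes (so `/J#61vaScript` is recognised as `/JavaScript`), inflates `FlateDecode` streams so names hidden inside them are visible, and reports every object carrying `/JS`, `/JavaScript`, `/OpenAction`, `/AA` or `/Launch`. The sample documents are constructed here and carry only a harmless `app.alert`; `scan_pdf`, `has_javascript`, `Finding` and the helper names are my own.

```python
from __future__ import annotations

import re
import zlib
from dataclasses import dataclass

# Names whose presence means a document can carry or trigger script (or launch a program).
SUSPICIOUS_NAMES = {"/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch"}

_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")      # a PDF name token, #xx escapes still raw
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so b'/J#61vaScript' compares equal to '/JavaScript'."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def _inflate(match) -> bytes:
    try:
        return b"\n" + zlib.decompress(match.group(1)) + b"\n"
    except zlib.error:
        return match.group(0)          # not zlib data (other filter, damaged): keep the raw bytes


def expand_streams(body: bytes) -> bytes:
    """Replace FlateDecode stream bodies with their inflated contents so names inside become visible."""
    if b"/FlateDecode" not in body:
        return body
    return _STREAM_RE.sub(_inflate, body)


@dataclass
class Finding:
    obj_num: int
    names: list[str]


def scan_pdf(data: bytes) -> list[Finding]:
    """Return one Finding per indirect object that carries a suspicious name."""
    findings: list[Finding] = []
    for m in _OBJ_RE.finditer(data):
        body = expand_streams(m.group(3))
        seen = {decode_name(n) for n in _NAME_RE.findall(body)}
        hits = sorted(seen & SUSPICIOUS_NAMES)
        if hits:
            findings.append(Finding(int(m.group(1)), hits))
    return findings


def has_javascript(data: bytes) -> bool:
    """True if any object declares a JavaScript action or a /JS entry."""
    return any(n in ("/JS", "/JavaScript") for f in scan_pdf(data) for n in f.names)


# Constructed sample documents (not real-world files). The script they carry is a harmless app.alert.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SCRIPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert("hi");) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample() -> bytes:
    """Constructed sample: the same action dictionary tucked inside a FlateDecode stream object."""
    action = b"<< /S /JavaScript /JS (app.alert(1);) >>"
    packed = zlib.compress(action)
    header = (b"%PDF-1.5\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n")
    stream_obj = (b"5 0 obj << /Filter /FlateDecode /Length " + str(len(packed)).encode()
                  + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n")
    return header + stream_obj + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF),
                       ("compressed", build_compressed_sample())):
        print(label, has_javascript(doc), scan_pdf(doc))
```

A hit from this scanner is a reason to open the file in a viewer with scripting disabled (or to quarantine it at the mail gateway), not proof of malice: forms legitimately use `/JS`, and the same tokens inside a content stream or a string literal will also trip it. It also only sees what a regex over the raw bytes can see: objects packed into object streams with filters other than `FlateDecode`, encrypted documents, and actions reached only through indirect references in an incremental update all need a proper PDF parser to resolve.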

    1. Re:Feature Request by tkdrg · · Score: 5, Insightful

      When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"

      Do you think that the average user will read anything before clicking "Yes"?

    2. Re:Feature Request by BSAtHome · · Score: 1

      Agreed, why would one want another programming language embedded in a programming language? PostScript already can do all you would want. It is a bit hairy programming, but it can be done (see f.x. http://www.physics.uq.edu.au/people/foster/postscript.html). The best way to mitigate security issues with embedded code is to eliminate the execution. That is, until someone writes a JavaScript interpreter in PostScript.

    3. Re:Feature Request by klossner · · Score: 2, Informative

      PDF is not PostScript. It shares some concepts (such as the imaging model and a good many keywords), but it is not a programming language. It has no control constructs, for example.

    4. Re:Feature Request by Anonymous Coward · · Score: 3, Interesting

      I'm going to have to disagree...

      Allowing some scripting in a document is great. For example, I'm writing a math textbook. If PDF-javascript had a FOSS implementation, I'd use it to make interactive quizzes and questions in it. Sadly, while LaTeX has a package to do this, there is no support.

      Before someone goes and says that I shouldn't be using a PDF in this case, please think. I'm writing a large textbook with lots of graphics. I want it to be in a single file so that it's easily available to the technically illiterate. For that matter, my working draft (not the one on the website) uses PDF attach to include the TeX source and the GFDL.

      In conclusion, it's my opinion that having a PDF scripting language as long as it can't, you know, do anything but modify that one file. The problem is that Adobe seems to be trying to include the kitchen sink...

    5. Re:Feature Request by klossner · · Score: 4, Informative

      Adobe did add this dialog -- but it only appears if you have disabled Javascript! (Which you can do with Edit / Preferences, no need for the registry hack.)

      Here's the exact dialog:

      ? This document contains JavaScripts. Do you want to enable JavaScripts from now on? The document may not behave correctly if they're disabled.

      [ ] Don't show this message again until this document is reopened

      [[Yes]] [[No]]

    6. Re:Feature Request by MMC+Monster · · Score: 3, Funny

      How about: "Do you want to prevent the execution of possibly malicious code in this .PDF file?" [Yes][No].

      If they select No, the next dialog is: "Fine. I've just opened all the ports on the computer, deleted the last 10 documents you opened up, and loaded up a couple trojans. Are you sure you want to run the executable code in this PDF file now?" [Yes][No].

      This way, the user won't be taught to always select the same confirmation box all the time.

      --
      Help! I'm a slashdot refugee.
    7. Re:Feature Request by Mr.+Roadkill · · Score: 4, Insightful

      Do you think that the average user will read anything before clicking "Yes"?

      ...of course they won't, which is why you turn it around to "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to block execution of this code? [Yes][No, I like to live dangerously]".

    8. Re:Feature Request by barzok · · Score: 0

      And then you get thousands of calls from people screaming "but I clicked Yes, why doesn't it work? Yes means 'make it work'!"

    9. Re:Feature Request by Anonymous Coward · · Score: 0

      Sometimes you just can't win.

    10. Re:Feature Request by barzok · · Score: 2, Insightful

      Unless you opt not to play.

    11. Re:Feature Request by Ihmhi · · Score: 2, Interesting

      Feature request: a NoScript equivalent for Acrobat Reader.

    12. Re:Feature Request by DiegoBravo · · Score: 1

      The language used by most software in those situations is a big culprit:

      > The document may not behave correctly if they're disabled.

      Should say:

      "the document may not have the author's expected appearance, but your computer will be safe from viruses"

    13. Re:Feature Request by Anonymous Coward · · Score: 0

      Yes...I love running around to 50 desktops, opening AR 9, opening preferences, and disabling javascript.

      What a waste of a day. Thanks for the registry fix.

    14. Re:Feature Request by Aragorn+DeLunar · · Score: 3, Interesting

      And this is why we need to get away from labeling dialog box buttons "Yes", "No", "Cancel", etc. We can label them anything we want, so why not be descriptive? Try "Safe", "Unsafe", "Really Stupid", "Don't click this -- ever!"

      The same applies to the save dialogs. I like how OO.org 3.0 handles the "Do you want to save?" dialog when closing the program: The buttons are labeled "Save", "Discard", and "Cancel". Of course, "Cancel" could be better described as "Return to Program."

      --
      Cynicism, like dogmatism, can be an excuse for intellectual laziness. - Susan Shirk
    15. Re:Feature Request by ion.simon.c · · Score: 1

      Yanno, Okular runs on Windows and -IIRC- doesn't have all of these stupid issues.
      See:
      http://windows.kde.org/

    16. Re:Feature Request by Thinboy00 · · Score: 1

      There is NO SUCH THING as idiot proof. Why don't we all just get over it and MOVE ON? The idiots will only get more inventive if we try to outsmart them.

      --
      $ make available
    17. Re:Feature Request by Anonymous Coward · · Score: 0

      No, no, no you got it all wrong, wouldn't do much good, read parent again! ;)

      Fuck Adobe by the way and other lazy, greedy proprietary peddlers.

    18. Re:Feature Request by Thinboy00 · · Score: 1

      That is the user's problem, I'm afraid. If someone is seriously that stupid, they probably shouldn't be allowed near a computer anyway.

      --
      $ make available
    19. Re:Feature Request by Thinboy00 · · Score: 1

      They didn't rename cancel since "Cancel" unambiguously means "stop whatever I'm doing [and go back]" in ~any GUI.

      --
      $ make available
    20. Re:Feature Request by Idiomatick · · Score: 0

      Wow, they make it THAT horrible even after you opt out? I've said it hundreds of times. PDFs are garbage and should never be used in any situation. It's like a picture file that requires an 80MB app to open, uses about that much RAM while running and introduces dozens of security holes. Plus they don't natively open in your browser and they are larger than picture files. If you have ever purposefully inflicted PDFs on others I wish you a long walk off a short pier.

    21. Re:Feature Request by Idiomatick · · Score: 2, Interesting

      http://www.foxitsoftware.com/pdf/reader_2/reader-interstitial.html

      Or just make Google open all your PDFs so that you aren't forced to. Even if it's ugly, it's fast and secure.

    22. Re:Feature Request by Anonymous Coward · · Score: 0

      We need to make pop-up boxes into flash games or youtube videos. Then people will pay attention to them.

    23. Re:Feature Request by Tubal-Cain · · Score: 1

      How about: "Do you want to prevent the execution of possibly malicious code in this .PDF file?" [Yes][No].

      Yeah, that'll work.

    24. Re:Feature Request by oasisbob · · Score: 1

      Since Adobe seems to (incorrectly) think JavaScript inside PDFs is a great idea [...]

      PDF files supporting Javascript isn't the problem. In this exploit, Javascript is used to get executable code in the stack, but isn't the crux of the problem. A buffer overflow in Adobe's image processing code is.

      In what world does it make sense that an untrusted website can execute javascript, but an untrusted PDF can't? Javascript can actually be useful for PDFs: think forms where the contents of one field are added to the contents of another, and placed somewhere else in the document.

      You think executable code in a document format is new? Take a look at postscript ... (but sit down first)

    25. Re:Feature Request by Ravon+Rodriguez · · Score: 4, Funny

      An old saying goes "Programming is a race between programmers building better idiot-proof software, and the Universe building better idiots. So far, the Universe is winning."

      --
      Jesus loves me, he loves me a bunch, because he always puts Jiffy in my lunch.
    26. Re:Feature Request by Anonymous Coward · · Score: 1, Interesting

      PDFs are garbage and should never be used in any situation.

      Eh? What would you suggest instead?

      A Word document? OpenDocument? Postscript? DVI? Any of them would cause considerable difficulty for some fraction of the audience (which, we may assume, contains both clueless Windows users and people who run OpenBSD on their toasters.)

      Raster images containing the complete text of a book would be gargantuan, and wouldn't allow the user to copy or search for text.

      HTML isn't a document presentation format, and there's no good way to do math in it.

      For what PDF is designed for, I cannot think of anything better. (It's true that PDF can be misused... so, come to think of it, can pretty much every other file format in existence.)

    27. Re:Feature Request by djce · · Score: 1

      When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"

      Do you think that the average user will read anything before clicking "Yes"?

      So make sure that pressing escape, space or return will all do the same thing: fail safe.

      And/or maybe reword the question: "This file contains unsafe content which could harm your computer. Protect your computer against this threat?"

      Or don't even make it a question: make it an alert box with only one option (ok), and you have to go elsewhere (dive into some menu) to turn on scripting.

    28. Re:Feature Request by JunkmanUK · · Score: 1

      Swapping the position of the YES|NO boxes helps in these situations, it stops the crazy clicker from doing dumb things...

    29. Re:Feature Request by Anonymous Coward · · Score: 0

      Still won't work - people will get documents that will require Javascript in order to work properly (they SHOULDN'T, of course, but they WILL) and will just learn to click on whatever is required to make those documents work.

      It's not necessarily because people are stupid, either - but faced with the choice between a very remote chance something catastrophically bad might happen and the very real impossibility to get your work done, most people will choose the former.

      It's like crossing the street; you MIGHT get hit by a car, and doing so WILL be fatal (or at least nearly), but not doing so will not allow you to get your work done, and the chance that you'll get hit by a car is very small, anyway. Of course you'd prefer pedestrian bridges etc., but if none are present, you're still going to cross the street without them.

      The only actual difference is that with streets, we're easily able to get a decent estimate of how dangerous they are. With computers, something that's mostly safe one day might suddenly not be anymore the next day, without us being able to tell in any way.

    30. Re:Feature Request by n1ckml007 · · Score: 1

      Foxit doesn't highlight text (no copy and paste) on their free version; I installed Adobe Reader the other day as a result when I needed to proofread someone's PDF.

    31. Re:Feature Request by Anonymous Coward · · Score: 0

      Or:

      "This file contains potentially dangerous code, Do you want to allow this? [No] [Not this time] [No and don't ask me again]"

    32. Re:Feature Request by silent_artichoke · · Score: 1

      I'm sorry I don't have any mods points for you today. Would you accept some of my Diggs? I know they're pretty much worthless, but it's all I have to offer.

    33. Re:Feature Request by hesaigo999ca · · Score: 1

      Ahhh, daniel-san, you forget, the most important lesson in life.....you will always get p0wned by me!

      Your idea, as simple as it is, is the greatest idea of all, yet we see this all the time.
      Why does adobe need to run javascript inside itself? THERE IS NO GOOD REASON.
      I see this as a conspiracy, to be able to add an attack vector to a software that claims
      99% windows pc installation. With javascript, you can do ANYTHING.
      You have now been p0wned just because you opened an adobe file....
      and guess what the new mandatory standard for file sharing between companies is....yes pdf!

      Welcome to our new adobe dark overlords!

    34. Re:Feature Request by Dog-Cow · · Score: 1

      The Mac has been doing that since at least OS X. Once again, an OSS project steals, er copies, a (good) idea from a proprietary system.

    35. Re:Feature Request by Anonymous Coward · · Score: 0

      I've always thought cancel could be better described as "oops, nevermind", since that is practically the only thought I have when using it.

    36. Re:Feature Request by swilver · · Score: 1

      I saved a copy of Adobe Reader 4.x or something. It still works. When it stops working, I'll upgrade to some open source solution. Why a product like a PDF reader needs constant upgrades is beyond me, and I will not subscribe to it.

    37. Re:Feature Request by Anonymous Coward · · Score: 0

      Of course, "Cancel" could be better described as "Return to Program."

      I don't think so... that'd confuse me greatly personally.. a save dialog is part of the program.

      The one I liked, this picture viewer xv, the error dialogs... well, you know, most programs will be like "Could not save file" and the ONLY button is "OK". Well, no, it's NOT OK!! Well, xv, it's like "Could not save file" and the button says "That sucks". MUCH better.

    38. Re:Feature Request by badkarmadayaccount · · Score: 1

      Why don't they write a JavaScript to PostScript compiler? It's not like the JavaScript is supposed to do anything outside the document anyway.

      BTW, my consultant fee will be $15 000. Send the check to my assistant.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
  5. Lurene Grenier to Adobe by inthedump · · Score: 1

    Lurene Grenier to Adobe: Pay up! We solved your issue.

    --
    nobody remains virgin, life fscks everyone...
  6. JavaScript?! by Anonymous Coward · · Score: 5, Insightful

    Seriously, JavaScript? In a PDF file? Why would you do that?

    1. Re:JavaScript?! by IceCreamGuy · · Score: 4, Funny

      Uh, duh, to get on the front page of /.

    2. Re:JavaScript?! by eihab · · Score: 1

      Seriously, JavaScript? In a PDF file? Why would you do that?

      I believe Adobe Version Cue's PDF review system is one of the applications that uses it.

      The idea is that any PDF file posted to Adobe Bridge (design files repository, think SVN-lite) can have a web review process.

      An administrator logs to the web interface and starts a review process which sends links to the reviewers. Once a reviewer logs in, they can download a copy of the PDF and start commenting on it and marking it up. When they're finished Acrobat sends only the comments back to the server instead of re-uploading the entire PDF again.

      That last piece (uploading comments back) appears to happen using JavaScript inside the PDF copy that the reviewer downloads.

      Is it the best way to do this? Maybe not, but that's one thing I can think of that uses JavaScript inside PDFs.

      --
      If you can't mod them join them.
    3. Re:JavaScript?! by TheRealMindChild · · Score: 5, Insightful

      PDF seems to be the poster child for "How to abuse a format in a way that is contrary to its nature". Clients send us PDF FORMS now... that they want us TO EDIT! Not print out, hand write on, and perhaps fax back... but EDIT IT, like it is a Word Processor document. Explaining to these people why this is an abomination is like telling a hooker not to sleep with the guy with sores all over his body... it falls on deaf ears, and makes baby Jesus cry.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    4. Re:JavaScript?! by Penguinshit · · Score: 4, Funny

      I actually used JavaScript in PDF to create interactive forms for the corporate intranet. It was pretty because I could use Photoshop to create the underlying image.

      Then I quit drinking and realized Excel with tweaked permissions was far better suited to the task. It wasn't as smooth looking but it was easier for my staff to update.

    5. Re:JavaScript?! by Anonymous Coward · · Score: 0

      You've confused Bridge with Version Cue, and Version Cue with Acrobat reviews. Just sayin'

    6. Re:JavaScript?! by eihab · · Score: 1

      You've confused Bridge with Version Cue, and Version Cue with Acrobat reviews. Just sayin'

      You are absolutely right, thanks for catching that!

      --
      If you can't mod them join them.
    7. Re:JavaScript?! by ChunderDownunder · · Score: 1

      Well here's a use case:

      The document contains a form from officialdom which can be printed out as usual. Alternatively the PDF viewer enables entering of data inline for online submission. Here the JavaScript may activate client-side validation or pop up contextual help.

      The limitation here seems not the concept but a failure of sandboxing such as Java applets provide - suspicious activity is prevented by the applet security manager.

    8. Re:JavaScript?! by Thaelon · · Score: 1

      I've had co-workers email me a PDF of a requirements document that was originally a Word document.

      Because they didn't want me to edit it.

      Seriously. I half expected the person to ask for the file back when I was done.

      --

      Question everything

    9. Re:JavaScript?! by WiiVault · · Score: 1

      I get this all the time from my shipping agent. Like you said, these are not forms meant to be printed and faxed, no they have 3 32-54 character strings of numbers and are submitted digitally. It kills me what a pain in the ass this is and is my main motivator for moving my business elsewhere.

    10. Re:JavaScript?! by Skuld-Chan · · Score: 1

      A lot of companies actually use Acrobat/Reader for forms management - the code behind these forms is - you guessed it - javascript.

    11. Re:JavaScript?! by Anonymous Coward · · Score: 1, Funny

      I'm totally with you there. PDF is a document format - it's supposed to be and act like paper. And who in their right mind would put a FORM on paper and ask people to FILL IT OUT, thereby EDITING the paper document?

      Verily, the mind boggles.

    12. Re:JavaScript?! by StuartHankins · · Score: 1

      JDBC. Forms which connect to ODBC databases are one example.

    13. Re:JavaScript?! by lamapper · · Score: 1

      Here the JavaScript may activate client-side validation or pop up contextual help.

      You can do this WITHOUT JavaScript.

      --
      Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
    14. Re:JavaScript?! by ChunderDownunder · · Score: 1

      I'll take your word for it.

      Another application may be to load contextual data using AJAX.

      I'm not convinced that allowing JavaScript is a bad thing, if it enriches the experience. It needs to be sandboxed by the PDF Reader, as occurs in the web browser. Now in this case the reader was at fault, so they need to revisit their security model.

    15. Re:JavaScript?! by lamapper · · Score: 1

      I'm not convinced that allowing JavaScript is a bad thing, if it enriches the experience. It needs to be sandboxed by the PDF Reader, as occurs in the web browser. Now in this case the reader was at fault, so they need to revisit their security model.

      It's true that using JavaScript securely to enhance the user experience can be a plus. The problem comes with different coders' definitions of secure. Not to mention having additional security holes thrust upon you by automatic updates that you have no control over.

      Often times a simple solution, that might not be as elegant, will accomplish the objective fine without opening up additional security holes. Especially when the security holes only exist with JavaScript (in or out of Adobe Reader PDF files) or ActiveX, or so many others for that matter.

      Sandboxing will be great when it arrives, however at this time I believe only the Chrome browser is implementing this. Both I.E. and Firefox have talked about it and I am honestly unsure of Opera, Safari and Konqueror. And that is only a very small fraction of the browsers that are available to us to use to surf the Internet. Thank goodness there are many, many browser options available so that when one browser platform attempts to thrust JavaScript, Java, ActiveX or some other buggy layer on us we will have plenty of options to switch to. (Implement if you will, but give individual users the ability to TURN IT OFF for their user. If I can NOT turn it off, I will simply stop using it, as I have with any applications and desktop platforms.)

      To be secure each user MUST have 100% control over their desktop and all the applications running on it.

      While I.E. might have advertised that it is going to implement sandboxing, they are too far behind the standards curve to take seriously; perhaps in three or four years of good behavior they might regain enough TRUST to try again. Besides that, based on their actions over the last decade and a half, any solution coming out of Redmond is suspect as having ulterior motives. For instance, are they honestly interested in protecting the user or are they more interested in how they can manipulate the sandbox and/or plugin, spreading FUD, and implying the problem is with another software package, operating system or other vendor's hardware instead. This is their history and current track record.

      Until we can sandbox them effectively, it might be a wise decision NOT to use them. It has the added advantage of avoiding a lot of incompatibility issues by keeping it simple and not using them.

      Any sandboxing that protects us, our privacy, while maintaining net neutrality and helping to protect us without censoring us is a huge plus.

      --
      Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
  7. Reply: Adobe to Lurene Grenier by Lead+Butthead · · Score: 4, Funny

    Lurene Grenier to Adobe: Pay up! We solved your issue.

    Adobe to Lurene Grenier: You decompiled Acrobat in some way to create this fix, in violation of the click-through license and the DMCA (not to mention making us look incompetent). We're suing you and we're going to make sure your government puts you away in a pound-you-in-the-ass prison for a long, long time.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:Reply: Adobe to Lurene Grenier by AnonGCB · · Score: 1

      Not even white collar resort prison? You cold hearted monster.

      --
      http://CryoLANparty.com/ A lan I'm staff on!
    2. Re:Reply: Adobe to Lurene Grenier by Anonymous Coward · · Score: 0

      yeah, and Samir Ackbarnaminijabob says you're a very BAD person!

    3. Re:Reply: Adobe to Lurene Grenier by Thinboy00 · · Score: 1

      He flipped a REGISTRY VALUE for fuck's sake! WTF kind of proof are they going to give to the judge? Or is this a SLAPP?

      --
      $ make available
    4. Re:Reply: Adobe to Lurene Grenier by jonaskoelker · · Score: 1

      Just like when Dmitry Sklyarov cracked the Rot-13 encryption? ;-)

      Seriously, apparently Adobe is not above suing people for depicting the truth^W^W^W making adobe look stupid.

  8. JavaScript in PDF a Bad Idea by Anonymous Coward · · Score: 2, Insightful

    JavaScript in PDFs is, and always has been, a bad idea. I started disabling it years ago when it first showed up, and am continually frustrated that it is present, let alone enabled by default. How many PDF exploits have relied on JavaScript? I haven't been counting, but it sure seems like most of the vulnerabilities are either through JavaScript or made much easier to exploit by its presence.

    Someone is doubtless going to say that JavaScript is critical to PDFs as a helper for filling in forms. OK, whatever, but perhaps that particular job isn't one that a PDF should be doing.

    PDFs started out as a portable means to deliver any arbitrary document to someone else with fair assurance that it would look pretty much identical to both parties. Now Adobe seems to be trying to turn it into some kind of interactive content delivery platform (substitute your own buzzwords) or something. That's not a path I'd like to tread.
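
As an added defender's triage check (not code from this thread, from Sourcefire or from Adobe): a Python script that reports whether a PDF carries JavaScript or open-time actions, the content that disabling JavaScript in the reader is meant to neutralise. It decodes #xx-escaped name tokens and looks inside FlateDecode streams; the sample PDFs are constructed inline, and the script only inspects bytes, it never renders or executes anything.

```python
"""Triage check: does a PDF carry JavaScript or auto-run actions?

Added example; not code from the thread, Sourcefire or Adobe. It only
inspects the file bytes. Sample PDFs below are constructed for the demo.
"""
import re
import sys
import zlib

# PDF name objects that tie script or automatic actions to a document.
SUSPICIOUS_NAMES = {"/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch"}

# A name token is '/' followed by regular characters. '#xx' is a hex escape
# (PDF 1.2+), so /J#61vaScript denotes the same name as /JavaScript.
_NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
_HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes in a name token and return it with its leading '/'."""
    unescaped = _HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return "/" + unescaped.decode("latin-1")


def inflate_streams(data: bytes):
    """Yield the content of every stream that inflates cleanly with zlib.

    Compressed object streams hide names from a plain grep; streams that are
    not FlateDecode simply fail to inflate and are skipped.
    """
    for match in _STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(match.group(1))
        except zlib.error:
            continue


def scan_pdf_bytes(data: bytes) -> dict:
    """Count suspicious names in the raw file and in each inflated stream."""
    hits: dict = {}
    for layer in [data, *inflate_streams(data)]:
        for match in _NAME_RE.finditer(layer):
            name = decode_name(match.group(1))
            if name in SUSPICIOUS_NAMES:
                hits[name] = hits.get(name, 0) + 1
    return hits


def has_active_content(data: bytes) -> bool:
    """True when the file carries script or an action that fires on open."""
    return bool(scan_pdf_bytes(data))


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_pdf_bytes(fh.read())


# Constructed sample: a minimal PDF whose OpenAction runs JavaScript, with
# the action type obfuscated as /J#61vaScript (decodes to /JavaScript).
SAMPLE_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same document with no actions at all.
SAMPLE_PLAIN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def sample_with_flate() -> bytes:
    """Constructed sample: the action dictionary hidden in a FlateDecode stream."""
    body = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hi')) >>")
    header = (b"%%PDF-1.5\n4 0 obj << /Length %d /Filter /FlateDecode >>\n"
              b"stream\n" % len(body))
    return header + body + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, scan_file(path))
    else:
        for label, blob in [("with_js", SAMPLE_WITH_JS), ("plain", SAMPLE_PLAIN),
                            ("flate", sample_with_flate())]:
            print(label, scan_pdf_bytes(blob))
```

A hit is a reason to look closer, not proof of malice: legitimate forms use the same names, which is exactly why the thread argues about disabling the feature outright.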

  9. Here's how you turn out a patch *real* fast. by fm6 · · Score: 5, Insightful

    You skip all testing. Just the sort of thing I want to install in my system.

    1. Re:Here's how you turn out a patch *real* fast. by AngryNick · · Score: 5, Insightful

      Here's another way to do it... dump Adobe's bloated reader (if you can get it uninstalled) and pick up Foxit. I find it much more useful and a lot faster to load.

    2. Re:Here's how you turn out a patch *real* fast. by Kaboom13 · · Score: 3, Insightful

      Just make sure you don't let it install that obnoxious ask.com browser bar (in IE and Firefox). I made the mistake of including it in a slipstreamed xp disk and the silent installer took all defaults (browser bar and all).

    3. Re:Here's how you turn out a patch *real* fast. by Ilgaz · · Score: 1

      When will people understand that there are cases of all the "bloat" used in Adobe PDF documents (e.g. company wide) so people may actually need the bloatware to open it?

      I keep using Adobe Reader since version 8, in which Adobe showed some signs of respect/enhancements for all kinds of usage. Now version 9 works faster than OS X Preview in many cases (don't ask); I just disabled JavaScript (??!?!) and keep using it. Somehow, the OS X Quartz PDF renderer doesn't fit my needs, even though it is a really well-written core. It is just the interface.

      I mean, it is not like Adobe Reader users or the companies that installed it don't know the alternatives. Let me tell you the best performing and excellently rendering alternative on OS X? kpdf installed via Fink.

    4. Re:Here's how you turn out a patch *real* fast. by Anonymous Coward · · Score: 0

      Except if you did that and there was a flaw in Foxit, you could not fix it (even if you easily could) without breaking the contract you entered into by using Foxit.

      Stupid EULA. I'll stick to the alternatives that allow me to use and munge the product any way I see fit.

    5. Re:Here's how you turn out a patch *real* fast. by n1ckml007 · · Score: 1

      Foxit doesn't highlight text (no copy and paste) on their free version, I installed Adobe Reader the other day as a result when I needed to proofread someone's PDF.

    6. Re:Here's how you turn out a patch *real* fast. by jackbird · · Score: 1

      Yes it does. It still chokes on PDF plots from AutoCAD, though, although it is significantly improved from 2.x

    7. Re:Here's how you turn out a patch *real* fast. by Anonymous Coward · · Score: 0

      Foxit no worky for some PDFs (I've encountered). BoA statements especially.

    8. Re:Here's how you turn out a patch *real* fast. by lamapper · · Score: 1

      Other alternatives: Document Viewer 2.24.1; granted it's a GNOME-specific version, however I have loaded it on a KDE desktop. Nice that KDE and GNOME can pretty much run the same applications. While I do NOT have a preference, it is interesting to note that KDE works with over 60 languages and can be run in any of the following operating systems: Linux, BSD, Solaris, Windows and Mac OS X. (This is at least superior to MS Windows, try to run it in Linux, Unix or Solaris, much less Mac OS X; not that you would want to do that.)

      Alternatives to Adobe Reader, many superior without the JavaScript problems. Many will even work in cough, cough Microsoft Windows.

      --
      Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
  10. Where's the Acrobat 7 Re-Activation patch? by Anonymous Coward · · Score: 0

    Where is the F'ing 3rd party Acrobat 7 Pro "you need to reactivate" patch?
    I upgraded my hard drive last week and since then my legit copy of Acrobat 7 Pro has been in re-activate Hell.
    The office Adobe 7 patch has been as useless as tits on a bull!

    I am thinking of applying a 3rd party patch I found on someplace called PirateBay. Seems to include the whole CS4 Master Suite.
    Well I am sure Adobe'll have these DRM issues worked out. Won't want to make pirating a better experience than buying their product.

  11. Wow by ClosedSource · · Score: 5, Funny

    You mean an individual who doesn't have a business to protect or any customers is able to come up with an un-QA'd version faster than the company that produced the product. Amazing!

  12. Patch? by noidentity · · Score: 2, Interesting

    So this patch basically does the equivalent of a user going into the program's settings and disabling the JavaScript execution checkbox? Hmmm, I don't want to post this anonymously, so I'll apply one of my homebrew patches to uncheck the "Post Anonymously" checkbox. Wow, I'm l33t!

  13. Articles reading the future? by Facegarden · · Score: 4, Funny

    What I find more interesting is how slashdot is now able to tell the future!
    The article boldly claims that something released yesterday has arrived two weeks before the official patch. Now, I know it's possible that the two weeks was taken from Adobe's projected patch fix date, but projections and fact are still different, and journalistic integrity requires a writer in this situation to indicate directly that this two weeks is not actually fact, as we couldn't know that yet. The headline is an outright lie, as far as I can tell, as it relies on future events being a certain way.

    Can we not have articles started with lies on slashdot from now on? Maybe keep the lies towards the end?
    -Taylor

    --
    Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
    1. Re:Articles reading the future? by gardyloo · · Score: 1

      [...] journalistic integrity requires a writer in this situation [...]

      Hahahahaha... *gasp* wait, wait, .... HAHAHAHAHAHHAHA!

    2. Re:Articles reading the future? by Anonymous Coward · · Score: 0

      Imma cockslap you so hard right now. What if Adobe provided an ETA to the patch? HUH? WHAT NOW?

      An eye for an eye. Snark for snark.

      If you click on the link in the summary to the old Slashdot article, you'll see this...
      "Adobe is calling the flaw "critical" and says a patch for Reader 9 and Acrobat 9 will be released by March 11."

      And then if you go that last article and click on the article link, you'll find "Adobe called the flaw "critical," it's most severe rating, and said it will release a patch for Reader 9 and Acrobat 9 by March 11."

      No, I did not have to RTFA. Skimming is a valuable skill.

      COCKSLAPPED!

    3. Re:Articles reading the future? by Anonymous Coward · · Score: 0

      Goddamnit, Slashdot! In the PREVIOUS Slashdot article, they already mentioned Adobe was going to release the patch on March 11th, or something like that.

      It's kind of funny. You accuse the editors of sucking this time, but THEY JUST OWNED YOU.

      Mod parent down.

    4. Re:Articles reading the future? by ion.simon.c · · Score: 1

      *sigh* It's kdawson. What do you expect?

    5. Re:Articles reading the future? by Anonymous Coward · · Score: 0

      Yeah, and in this case, kdawson got it right. The patch will be released on March 11th, according to Adobe.

      It's my policy to give credit where credit is due. I know kdawson normally SUCKS HORRIBLY, but he owned you and the grandparent here.

      DOUBLE KILL!

    6. Re:Articles reading the future? by Facegarden · · Score: 1

      Yeah, and in this case, kdawson got it right. The patch will be released on March 11th, according to Adobe.

      It's my policy to give credit where credit is due. I know kdawson normally SUCKS HORRIBLY, but he owned you and the grandparent here.

      DOUBLE KILL!

      What are you talking about man? I made it very clear (for people who can't figure it out) that there is a big difference between prediction and fact. You cannot claim something as fact that hasn't happened yet. The headline should have taken that into account. "patch beats adobe's projected release by two weeks" for example.

      But, you know, you could just ignore the basic stuff I said and spout off something stupid too, that works.
      -Taylor

      --
      Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
    7. Re:Articles reading the future? by Odin's+Raven · · Score: 1

      [...] and journalistic integrity requires a writer [...]

      Dude, this is /. - "journalistic integrity" means that the ext3 filesystem mounted cleanly. :-P

      --
      A marriage is always made up of two people who are prepared to swear that only the other one snores.
    8. Re:Articles reading the future? by jonaskoelker · · Score: 1

      Can we not have articles started with lies on slashdot from now on? Maybe keep the lies towards the end?

      "Yes"

    9. Re:Articles reading the future? by Facegarden · · Score: 1

      Can we not have articles started with lies on slashdot from now on? Maybe keep the lies towards the end?

      "Yes"

      Haha, thanks!
      -Taylor

      --
      Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
  14. There's a simple reason for that. by thePowerOfGrayskull · · Score: 5, Insightful

    As anyone who has developed complex software with a large installed userbase can attest to, you /cannot/ simply slap together a fix and push it out to millions of people.

    Even the simplest one-line code change requires extensive (if targeted) testing when you operate on that scale - the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.

  15. and the score... by Anonymous Coward · · Score: 0

    open source: 1
    proprietary software: 0

    well that is if this patch is open source

  16. why even use adobe reader? by ncohafmuta · · Score: 0

    Any smart admin with the freedom and capabilities shouldn't even be deploying Adobe Reader. We can get into the details, but basically Adobe's reader is too bloated with unneeded features and memory usage problems to be useful, even on today's computers. People should be running something like Foxit's reader instead.

  17. It's been Two Weeks since you made the patch ... by Anonymous Coward · · Score: 5, Funny

    Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability ... beating Adobe Systems Inc. to the punch by more than two weeks.

    What the fuck Adobe? What did you do for those extra two weeks?

    it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees.

    Oh ... I guess you were trying to make it work on all systems, and checking to make sure that it didn't royally fuck up the user's computer, or introduce another, potentially more serious vulnerability.

  18. Really? by tool462 · · Score: 4, Funny

    "caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees."

    My boss will be pleased. I can push all my releases up at LEAST two weeks earlier now by adding this caveat on to all of my code. Thanks, Geritol.

  19. Re:There's a simple reason for that. by OFnow · · Score: 1

    In large companies there is a tendency to ignore the departure of the real experts in a product and have no one left who knows it well enough to respond quickly & correctly to bugs. In this case it seems more like a different bad corporate decision though (letting a pdf embed another language). Wait. Maybe I really do want to embed my C code in a pdf? Adobe! Feature! Profit!

  20. Why doesn't anyone think javascript is useful? by UtucXul · · Score: 4, Interesting

    I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files. I realize that there is a danger in allowing executable content in files (and it is arguable whether or not the danger is worth it) but I do not understand why so many people don't seem to understand that there are at least possible benefits to it.

    I used to make slides for talks using LaTeX. There are great ways to include animations directly in the pdf that use javascript. I always had far less trouble getting my animations to play than other people at conferences I went to because acrobat reader was all I needed and it is nearly always there. And for the record, the animations were things I really needed since they showed output from simulations.

    I've also seen lots of forms that do some math or validation. How do people think that happens?

    Again, I think we need to be very careful about executable code but that doesn't mean there are no possible good uses for it.

    1. Re:Why doesn't anyone think javascript is useful? by Tikkun · · Score: 3, Insightful

      I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files.

      Please read the 10 immutable laws of security. The one you're looking for is the first one on the list:

      "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

    2. Re:Why doesn't anyone think javascript is useful? by Anonymous Coward · · Score: 0

      Depends on the definition of a "program". In the context used in the MS article, it means executable code run by the OS, not by a limited interpreter.

    3. Re:Why doesn't anyone think javascript is useful? by XnavxeMiyyep · · Score: 4, Funny

      I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files.
      ...
      There are great ways to include animations directly in the pdf that use javascript.

      Hmm.... I think I see a connection here.

      --
      I put the 't' in electrical engineering.
    4. Re:Why doesn't anyone think javascript is useful? by guruevi · · Score: 2, Informative

      I like the way Apple approaches that problem in their Quartz Composer tool. Basically you have JavaScript for all types of funky validations, requests and calculations you would like to do but the 'vulnerable' classes that would allow reading/writing local files, networking or creating annoying popups have been removed.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:Why doesn't anyone think javascript is useful? by xiox · · Score: 2, Insightful

      "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

      Is that referring to Bill Gates?

    6. Re:Why doesn't anyone think javascript is useful? by Skuld-Chan · · Score: 1

      If you don't trust bill then no - isn't that what the article says?

    7. Re:Why doesn't anyone think javascript is useful? by Anonymous Coward · · Score: 0

      an ounce of prevention is worth a pound of cure

      javascript is useless. you want movies, animations, validation, math .... don't use PDF.
      PDF was created for document exchange. PDF is used for representing two-dimensional documents in a manner independent of the application software, hardware, and operating system.

      You want PDF with javascript .... don't call it PDF, don't extend PDF to become CRAP.

    8. Re:Why doesn't anyone think javascript is useful? by Abcd1234 · · Score: 1

      "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

      Where, in this case, "computer" equals a sandboxed JS interpreter.

      Yeah. *Scary*.

  21. Re:There's a simple reason for that. by Malc · · Score: 1

    And to prove the point, you have a mistake in your two line comment!

  22. 3rd-Party security fixes by kuwan · · Score: 1

    Yes, because we should all get our security patches from unknown 3rd-Party sources. Sounds like a plan for success to me.

    BTW, I've got this great IE patch, it makes the Internet 10x faster!

    1. Re:3rd-Party security fixes by Ksevio · · Score: 1

      Ah so you're an Opera user too?

    2. Re:3rd-Party security fixes by StuartHankins · · Score: 1

  23. A better patch... by Kazoo+the+Clown · · Score: 3, Insightful

    My patch for Adobe is to uninstall Reader and use Foxit instead. I thank those on Slashdot who alerted me to its existence, as I have longed for a viable alternative to Adobe crapware for ages. It constantly was popping up windows where I would click "don't show me this again" about issues that were relevant to Adobe but not to me, and it never seemed to remember the setting once I checked on it. Worst designed junk I've ever seen. I've since found that Foxit is considerably faster as well.

    Good riddance.

    1. Re:A better patch... by Anonymous Coward · · Score: 0

      Hmm, the only problem is that Foxit also tries to change your browser settings. The only thing more annoying than that is the latest Firefox that auto-installs the gawddamn google crapbar that locks up Firefox until you accidentally figure out how to get out of the fscking thing and then you still have to go and uninstall it despite having clicked all the no buttons. That was enough to drive me to Opera.

    2. Re:A better patch... by sardaukar_siet · · Score: 1

      Adobe Reader's flaws are more visible than Foxit's. Or do you think Foxit is perfect? It's not considered an attack vector due to its smaller user base, but rest assured it is flawed as well (MAYBE not as much).

  24. paper is calm by Anonymous Coward · · Score: 0

    Allowing some scripting in a document is great.

    No, it isn't:

    Paper is calm.

    It looked for a while that paper could be augmented, calmly, with hypertext, which allowed cross-referencing, something paper wasn't very good at. But look at a typical corporate web-page now, it appears to be in a state of constant alarm, like a Vietnam veteran running knife in hand, screaming, through the University Library.

    [...] Saying that your wordprocessor is more like paper because it contains a white rectangle on which symbols appear is ridiculous. Buttons appear from nowhere with bizarre brightly lit symbols on them, menus, status bars all kinds of things demanding to be pressed, pulled down, popped up, selected, and activated. This isn't calm paper, it's like walking up to a piece of paper and having to use it via the controls of a VCR-timer-from-hell.

    [...] In any application there should be the minimum of interaction required to get a job done.

    http://www.dcs.qmul.ac.uk/~andrew/paperiscalm.txt

    1. Re:paper is calm by Anonymous Coward · · Score: 1, Insightful

      In terms of, as this essay calls it, calmness, I think the most important thing isn't whether there are interactive and moving qualities but whether they exist in such a way that someone who doesn't want to use them doesn't have to and isn't affected. For example, it isn't problematic if a diagram moves to illustrate a point when clicked on, just that it wasn't distracting (or illustrated as best it could without moving) beforehand. Similarly, it wouldn't be a problem if a quiz in a textbook could check/show answers as long as it didn't do anything obnoxious that bothers a reader who doesn't want to use that feature.

      IMHO, of course.

    2. Re:paper is calm by colinrichardday · · Score: 1

      Except that it might not be paper. One can display LaTeX output as .dvi or .pdf (and Flying Spaghetti Monster knows what else).

      I'd still rather do the active content in forms using MathML.

  25. Enabling DEP for Acrobat Reader by Branka96 · · Score: 1

    According to this Symantec blog, turning on DEP for Acrobat Reader prevents this type of attack.
    If you run Windows, I would recommend you run with "DEP for all programs and services" with no exceptions.

  26. Use 3rd party PDF readers. by Neanderthal+Ninny · · Score: 1

    Why not use 3rd party viewers like CutePDF or Preview? Again these patches only fix part of the issue, so you are still vulnerable to the more dangerous part of the bug.

  27. Re:There's a simple reason for that. by AngryNick · · Score: 3, Insightful

    - the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.

    Do you really believe that? I appreciate the need for caution and measured risk taking before releasing new code, but taking _weeks_ to test a reg hack/kill switch just tells me that a company isn't taking their defects very seriously. I'd be much more forgiving of a company that screwed up a patch than one that sat on it until it was too late.

  28. what's wrong with forms? by Main+Gauche · · Score: 4, Insightful

    Pardon my ignorance, but exactly what other format should one use if one wants to use forms?

    In my place of work, a large group of individuals each needs to fill out an annual form. It contains some short-answer questions, and a few that require a few paragraphs to answer. In the past, they have used... wait for it... Word. Yes, I was forced to boot up Word once a year, to fill out this form. You should see the completely disastrous document that results.

    For that reason, I always wished our administrators would have figured out pdf forms. You don't "edit" them, as you say; you fill them in. While there are many complaints to make about Adobe, I don't see the problem with pdf forms. Am I missing something?

    1. Re:what's wrong with forms? by Korin43 · · Score: 3, Insightful

      HTML? Just point them to a page on the corporate intranet, they put in their login, profit?

    2. Re:what's wrong with forms? by Lehk228 · · Score: 1

      if it's for electronic storage and retrieval, use plain text.

      if it's getting printed out then hand filled, use PDF, if it's getting filled out on the computer then printed use wordpad

      --
      Snowden and Manning are heroes.
    3. Re:what's wrong with forms? by Anonymous Coward · · Score: 1, Informative

      InfoPath. Filling in forms and saving the results as a piece of XML is what it is designed to do. Advantages of InfoPath include that fields can expand to hold what the user typed in and you can easily have repeating groups. The 'filled in' XML is easily readable (fairly simple to read, really.)

      For extra credit, said XML can be automatically saved to a webservice, emailed, saved to sharepoint or whatever else.

      (Disadvantage of InfoPath is that it doesn't look quite as slick as PDF when printed, and it does have its rough edges.)

    4. Re:what's wrong with forms? by Dare+nMc · · Score: 1

      if it's getting filled out on the computer then printed use wordpad

      If you haven't modified the text of a form HR sent out for you to print, sign, fax, i.e. removing the "not" from "I will not browse porn at work," then you need to turn in your geek card. A PDF file lets you fill in name, address, etc. digitally, then print and sign, without an easily modified format begging for touch-up.

    5. Re:what's wrong with forms? by Lehk228 · · Score: 1

      If you haven't modified a protected PDF and done the same turn in yours.

      --
      Snowden and Manning are heroes.
    6. Re:what's wrong with forms? by Dare+nMc · · Score: 1

      true, but the pdf can't be turned into a joke by anyone in the company without extra effort using IT approved applications.

    7. Re:what's wrong with forms? by WiiVault · · Score: 1

      Am I missing something?

      Yes, you have to pay to edit PDFs. Sure Word costs money too, but there are lots of good free alternatives, plus a lot of people buy Word anyway. If you only edit it once a year, that is a lot of money to be paying Adobe just to use their software a single time annually.

    8. Re:what's wrong with forms? by Bazzargh · · Score: 1

      Well apart from anything else, they only work in Acrobat Reader. Which isn't the default PDF viewer on any platform except Windows.

      This means that
      (a) lots of people can't fill out the forms anyway, without installing additional software. Which may not even be an option on limited devices.
      (b) if you publish eg feedback forms later, lots of people will wonder why you published a whole pile of identical blank forms
      (c) if you used fdf forms (ie something compatible with older versions of Acrobat) the data and the pdf are not submitted together - fdf's are text files with a URL reference to the PDF that was filled. This means that if someone changes the pdf at that URL to a new version, then either the fdf will not work at all, or it'll have the form filled incorrectly.

      This might be less of an issue in an intranet monoculture, but that's the excuse for IE6 as well. It /is/ a problem if you try to use those forms on the internet, and I've seen those issues cause customers pain in the Real World.

    9. Re:what's wrong with forms? by Anonymous Coward · · Score: 0

      Use HTML.

      And out of curiosity: With that form-PDF, how do you extract the information they filled in later? You do actually use the information they filled in for something, right?

    10. Re:what's wrong with forms? by atamido · · Score: 1

      My kingdom for mod points. Seriously, why are people so hell bent on PDF forms that are so much trouble to edit that it's almost as easy to just make a new one from scratch?

    11. Re:what's wrong with forms? by lamapper · · Score: 1

      If you only edit it once a year, that is a lot of money to be paying Adobe just to use their software a single time annually.

      Word and/or Office cost a lot of money to do something once per year. Geez.

      Create a form, validate input, and let users use their current login via their internal intranet and you do NOT need to pay anything beyond one person's time to create one form. Data output, if using open source, can be any format your company needs, even Microsoft Word format...not that I would recommend that.

      When did paying in excess of $400 per desktop for a software package that is ONLY used once per year become a good idea? (Okay, it's cheaper if you update, now multiply that by the number of desktops / licenses you have to buy and we can talk...)

      --
      Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
  29. So, in that phrase using "de-fang": by davidsyes · · Score: 1

    "to de-fang the hack by disabling JavaScript"

    I began to wonder if it will become the new defangto or new-fangled way of disabling features and bugs of software...

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  30. So does anyone... by hairyfeet · · Score: 1

    Does anyone have a clue if the reg fix will work on Foxit? Or is Foxit vulnerable? Because myself and most of my customers have been avoiding the bloat that is Adobe PDF reader for a while now, and while Foxit is great, usually anything that can infect Adobe works on Foxit too. So anybody know?

    --
    ACs don't waste your time replying, your posts are never seen by me.
    1. Re:So does anyone... by Skuld-Chan · · Score: 1

      Foxit supports javascript too now... I suspect the reason it hasn't been attacked is there isn't any blood in the water over some small company.

  31. Open source "more secure" than closed source? by commodore64_love · · Score: 2

    So is this "user supplied" PDF fix an example of how Open Source is More Secure than Closed Source?

    OSS users supplied a fix in less than a day, whereas a closed source programmer in some cubicle somewhere will take weeks to do the same. Maybe this would be a fine example to present to the UK Parliament and U.S. Congress, in order to convince them that open source is the best path to follow.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  32. Happened before - BEWARE by Anonymous Coward · · Score: 0

    This has happened before. Not with Acrobat, and I don't remember the details (it was about 19 years ago). I think it was eEye Digital Security - though that may be wrong. The company went around providing third party patches for vulns that other researchers identified. Eventually, the company included a backdoor in their patch. Shortly thereafter, the company disappeared.

    Be careful when you apply third party patches: you're extending your chain of trust. Normally, you have to trust the original company to do things right, and not backdoor your environment. If you use a binary patch from a third party, you're assuming that the third party (a) gets it completely right, quite possibly without the source and (b) doesn't create another vuln. What do you know about this third party? Why should you trust them?

  33. Re:There's a simple reason for that. by Anonymous Coward · · Score: 1, Interesting

    I'd be much more forgiving of a company that screwed up a patch than one that sat on it until it was too late.

    Oh? Well, when Adobe/Microsoft/whoever next put out a patch that breaks something critical to your company's usage of the product, causing hundreds/thousands of complaints to you, pissed off superiors, and potentially a loss of revenue, however small, I'll be sure to point you to your former comment.

    Or not, it's pretty obvious you aren't actually responsible for a network of any size that people actually have to use and have reliability expectations of.

  34. Yeah, right by Thinboy00 · · Score: 1

    [snip]Maybe this would be a fine example to present to the UK Parliament and U.S. Congress, in order to convince them that open source is the best path to follow.

    And then the lobbying starts

    --
    $ make available
    1. Re:Yeah, right by commodore64_love · · Score: 1

      The lobbying already started several weeks ago. Closed-source companies are trying to scare politicians away from open-source software by saying, "It's not secure."

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  35. Re:Please define "Average User" by Thinboy00 · · Score: 1

    [snip] Is it only windows that has the "Average User?"

    no. What's eating the mod (singular)?

    --
    $ make available
  36. Say it with me people Foxit Reader! by fuzzylollipop · · Score: 1

    why would anyone want to use Acrobat Reader when there is a free alternative that is way smaller, faster and better. http://www.foxitsoftware.com/

    1. Re:Say it with me people Foxit Reader! by S3D · · Score: 1

      Not all PDFs are readable with Foxit. I have Foxit as default, but still have to use Acrobat from time to time.

  37. luck matters by v4vijayakumar · · Score: 1

    sometimes you got to be lucky to fix some kind of bugs. sigh.

    1. Re:luck matters by troll8901 · · Score: 1

      Yes. Most of the time, the mosquito escapes my bare hands, even at high speed. Luck is involved definitely.

  38. Re:There's a simple reason for that. by thePowerOfGrayskull · · Score: 1

    As for how forgiving you'd be: we'll see if that's still true when tens of thousands of your users suddenly can't open a critical document without crashing or other instability.

    It's ultimately a judgment call: they need to decide if getting an urgent patch out is worth the risk that an urgent patch introduces. In the case of a product with this large an installed userbase, and given the fact that this hole has been out there for quite a while already, I think that they took the only responsible course of action available. Though I'm not going to get into the stupidity of allowing embedded script in the first place...

  39. Re:There's a simple reason for that. by Anonymous Coward · · Score: 0

    And to prove it even more, on my screen, his is a four line comment!

  40. Security through obscurity by WiiVault · · Score: 1

    The advantage is security through obscurity. Assuming the patch fixes this problem, even if it creates others, so few people will have applied it that it is hardly worth developing malware for. This is a very nice stopgap until Adobe gets the real thing out the door.

    1. Re:Security through obscurity by Nazlfrag · · Score: 1

      Apart from the fact that obscurity is not really security at all, why do you think a patch posted to the front page of slashdot and dozens of other places on the net is somehow obscure?

  41. Re:There's a simple reason for that. by WiiVault · · Score: 1

    Yes but how many people will actually install this "fix"? Is that worth creating malware for between now and the official patch? I would venture it is a no. Security through obscurity at its best.

  42. Or Use an Open Source PDF viewer by Avalon's_Avatar · · Score: 1

    Whilst Foxit is an improvement over Adobe's bloatware on Windows, if you want to really go light and lean try an open source alternative.

    Sumatra

  43. Re:Please define "Average User" by Anonymous Coward · · Score: 0

    If you've got to ask, the definition is you.

  44. Re:There's a simple reason for that. by Antique+Geekmeister · · Score: 1

    Oh, I believe it. My patch was clean on a large project, but some numbskull didn't have his changes in the source control system and compiled the new version for installation from what was on his desktop, without any of the other previously source control submitted updates. The results.... well, the results weren't pretty because my patch didn't get the full QA procedure as a "minor patch", and because they trusted _my_ code. I continued to get the blame for the situation at meetings with staff for other departments, including the department with the fool who ignored source control, and who was directly ignoring orders from his boss and mine to build only from clean source control software trees.

    That was difficult to live down, and it led to a serious and harsh meeting with the QA and software developers about their development and testing environments.

  45. Do you want to keep it just in case? by rdebath · · Score: 1

    Don't cha just love the way the idiots rally round to say nothing can be done.

    Just because the Yes then No questions only protects lazy idiots doesn't mean it's worthless. You know I think the marketing department must write all the Microsoft 'Confirmation dialogs' because they read like marketing copy ... always positive, never mention anything in a negative way, never let the mark even think of the 'N' word.

    Then again here's a nice way of saying it ...
    Do you really want to delete everything (y/N)?
    Do you want to keep it just in case (Y/n)?

  46. Re:There's a simple reason for that. by troll8901 · · Score: 1

    Or not, it's pretty obvious you aren't actually responsible for a network of any size that people actually have to use and have reliability expectations of.

    I agree with your response to PP.

    Microsoft once put out a patch that accidentally disabled the dial-up terminal window, IIRC. Because of this, the PC could not connect properly, the company could not register car parts with the transport authority, and we were potentially facing losses due to non-delivery of cars.

    The symptoms were misleading because it seemed as though the remote modem was dropping carrier.

    This little accident is such a tiny thing, isn't it?

  47. Re:It's been Two Weeks since you made the patch .. by Anonymous Coward · · Score: 1, Interesting

    Exactly. And yet all the little kneejerk-anti-software-company idiots on this site tag the story "humiliation". Yeah, real humiliating to make a patch cross-platform and tested. Imagine if Adobe had rushed out a windows patch but nothing for OSX and Linux, we'd have a whole different set of basement dwelling crybaby shit. Slashdot gets continually more pathetic.

  48. Nice... by Anonymous Coward · · Score: 0

    .. that they released a patch as they were the ones who published a blog post detailed enough so anybody could recreate the exploit which was kept closely by all others who knew about it. And they published it Friday afternoon. Thanks Sourcefire!! &^%*&$$!!

  49. what alternatives? by Anonymous Coward · · Score: 0

    like what?

  50. FTFY by jonaskoelker · · Score: 1

    Just point them to a page on the corporate intranet, they put in their login, profit?

    You're doing it wrong! It's:

    • Just point them to a page on the corporate intranet
    • they put in their login
    • ???
    • reduce costs!
  51. Re:There's a simple reason for that. by Hognoxious · · Score: 1

    you /cannot/ simply slap together a fix and push it out to millions of people.

    You can if you're Apple.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  52. Foxit DOES support JS in PDFs by Anonymous Coward · · Score: 0

    I'd like to see a reader that doesn't even support JS inside PDFs.
    No implementation -> no problem.

    BTW, I use SumatraPDF...
    http://blog.kowalczyk.info/software/sumatrapdf/

  53. Re:There's a simple reason for that. by Anonymous Coward · · Score: 0

    Do you remember the bug in Debian's OpenSSL lib? The one line of code removed that seemed to fix an issue they were having? Oh wait, look, now all the keys generated with this lib for the past 6 months or so are now weak, and all comm that used those keys is now compromised.

    It's not that simple.

  54. Good for him... by stewbacca · · Score: 1

    So why doesn't he stand up his own giant graphic design software company and pay thousands of employees across the world if he's so much better than Adobe? Oh, that's right, because any single person can act much more quickly (and cheaply) than any large organization. Next story please.

  55. Who uses Adobe's reader? by Snaller · · Score: 1

    It's slow and bulky - use a freeware alternative.

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  56. Re:There's a simple reason for that. by AngryNick · · Score: 1

    Or not, it's pretty obvious you aren't actually responsible for a network of any size that people actually have to use and have reliability expectations of.

    You're right. I'm not responsible for a network, and my portfolio of applications run on just 8,000 machines. But the data on those machines cannot -- under any circumstances -- be compromised. I'm not talking about the inconvenience of a system-wide outage or a day or two of lost revenue, I'm talking about the inconvenience of the $20B company those 8,000 people work for appearing on the front page of the Wall Street Journal due to a breach. The former might get me fired, but the latter will get them all fired too.

    Here is my point: Make a workaround, "pre-patch", or apology available as quickly as possible so that _I_ can make the decision about the risk. We will test your patch in our environment, determine the best course of action for our company, and keep paying you for your product. If I don't test it in my environment and it hobbles my 8,000 machines, then it's my own damn fault for deploying it.

    Sorry if I wasn't clear in my previous comment.

  57. Why? People just don't get it! by hackel · · Score: 1

    Why would someone go out and help these proprietary-peddling companies?!? Don't people understand, they NEED to let users crash and burn for using software that is proprietary and created by vendors with a mysteriously slow ability to patch their own products. Adobe has proven itself to be evil on more than one occasion, and now people are bailing them out! I just don't get the logic...

    Personally, I prefer Evince/ghostscript anyway...it's always way faster than the garbage Adobe Reader, and not susceptible to such vulnerabilities.

  58. And people say unix shell is arcane by Viol8 · · Score: 0, Flamebait

    I thought Windows was supposed to be pointy clicky easy to use? Yeah right, not looking at that load of hieroglyphics it isn't.

  59. Re:There's a simple reason for that. by StoatBringer · · Score: 1

    You never played Age Of Conan, did you?

    --
    Cress, cress, lovely lovely cress
  60. Re:There's a simple reason for that. by Dynedain · · Score: 1

    Because Adobe's patch won't be to just disable JS, so in other words, it won't be simply a registry hack to fix.

    They'll have to figure out how to close the security hole WITHOUT disabling javascript functionality. That tends to take a bit more work.

    --
    I'm out of my mind right now, but feel free to leave a message.....
  61. The canonical version by againjj · · Score: 1

    Here is the version I had given to me back in the 80's (still have it on my shelf, too!): http://wiretap.area.com/Gopher/Library/Humor/Jokes/litebulb.jok

  62. Re:Open source "more secure" than closed source? by drew · · Score: 1

    Not really, because these people are still fixing a closed source software.

    It's more an example of "Big Software Companies don't care (as much as they should) about security." Adobe could have a fix out just as quickly, but they won't accept a fix that works by disabling the (mis)feature entirely. If they really cared about security, they wouldn't have added a scripting language in the first place - you'd think maybe they would have paid attention and learned their lesson from the whole Word Macro Virus mess. Apparently the only thing they learned was that poorly thought out features sell better than security.

    I think the best argument that you could use this to justify is that "Companies care more about money than about their customers," which is still a useful argument in favor of Open Source when talking about public institutions, but not necessarily for the same reasons.

    --
    If I don't put anything here, will anyone recognize me anymore?
  63. Hire some more Indians by Anonymous Coward · · Score: 0

    Gee, I think if Adobe opens another offshore office they can lick this problem in 30 minutes, no?

    Seriously. This is what happens when your 'dev team' is a bunch of monkeys.

    You want Bill Shakespeare, you get Frank Bacon.

  64. Re:There's a simple reason for that. by swilver · · Score: 1

    Unlike the consequences of executing code provided in a format that's supposed to be non-executable...

  65. Users don't read! by AnotherScratchMonkey · · Score: 1

    Even "smart" users don't read. Don't even attempt to put text in a dialog in front of them. Just put a pair of graphics illustrating the choice. I'm sure my fellow Slashdot readers can come up with ideas for suitable graphics. Some might even be safe for work!

  66. Use case: Legal forms from the government by AnotherScratchMonkey · · Score: 1

    I need to fill out a form from a local government office to get some information from them. They email me a PDF of the official form.

    The form is a pure document, so I have to print it out, scribble answers on it (or feed it into a typewriter; remember those?), then either scan and email it back to them or jam it in a paper envelope, stick a stamp on it, and drop it in the snail mail.

    How much nicer it would be if I could fill in what I needed using my computer keyboard and email it back.

    I don't want to do this with Word, as that's a proprietary format, and the resulting document may not image in a way that makes it legally valid. (This is where we start pushing the Open Office formats.)

    1. Re:Use case: Legal forms from the government by TheRealMindChild · · Score: 1

      Flat out, a PDF is a "vector graphic". Wanting to "fill in what I needed using my keyboard" would work just as nicely as if it was a BMP.

      Unfortunately, people see the "Document" bit of PDF and assume it is meant to be used like a Word Document. It isn't. However, Adobe has done some pretty horrible things to their simple format to appease such people and now look at the mess you have.

      A PDF should be used as a final output. FINAL. OUTPUT. If you need to make changes to it, you go back to what you created the PDF with, EDIT THAT, then re-render your PDF.

      --
      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    2. Re:Use case: Legal forms from the government by AnotherScratchMonkey · · Score: 1

      That's fine, but the source is typically a Microsoft Office document, which has the problem of being proprietary and requiring an expensive piece of commercial software to handle.

      We need to get all the legal entities (of which government is just one) to agree on an open standard document format like that of Open Office, so the public can easily process those documents.

  67. Patch fixes buffer overrun by AnotherScratchMonkey · · Score: 1

    No, the patch fixes the overrun in JBIG2 decompression. The workaround if you don't apply the patch is to disable JavaScript, either with a registry hack or through the Reader Preferences dialog.

    In case you failed to read the article, here's the blog entry with the patch, not the workaround.
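
A PowerShell audit of the two defensive settings discussed in comments 25 and 67 (the JSPrefs registry workaround that disables JavaScript in Reader 9.0, and the system-wide DEP policy), added here as an example; it is not code from this thread, from Adobe or from Sourcefire. It assumes Reader 9.0 (the key path differs for other versions), the Vista/7-era storage of DEP exceptions under the AppCompat Layers key, and PowerShell 3 or later for Get-CimInstance.

```powershell
# Added example, not code from the thread: audit the JavaScript workaround and the
# DEP policy on a Windows host so an admin can verify a deployed mitigation took effect.
# Assumptions: Adobe Reader 9.0; DEP exceptions recorded under AppCompatFlags\Layers;
# PowerShell 3+ (Get-CimInstance).

function Test-ReaderJavaScriptDisabled {
    param([string]$ReaderVersion = '9.0')   # other Reader versions use a different path
    $key = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion\JSPrefs"
    if (-not (Test-Path $key)) {
        # No JSPrefs key means Reader is still at its default, and the default is JavaScript ON.
        return [pscustomobject]@{ Setting = 'bEnableJS'; Value = $null; Compliant = $false }
    }
    $value = (Get-ItemProperty -Path $key -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
    return [pscustomobject]@{
        Setting   = 'bEnableJS'
        Value     = $value
        Compliant = ($value -eq 0)        # 0 = JavaScript disabled, the value the REG workaround writes
    }
}

function Test-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    #   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows default), 3 = OptOut
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    # Programs excluded from DEP through System Properties are recorded as
    # "<exe path>" = "DisableNXShowUI" under the AppCompat Layers key (assumed Vista/7 layout).
    $exceptions = @()
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $layers = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
        if (Test-Path $layers) {
            $props = Get-ItemProperty -Path $layers
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Value -is [string] -and $p.Value -match 'DisableNXShowUI') {
                    $exceptions += $p.Name
                }
            }
        }
    }

    return [pscustomobject]@{
        Policy     = $names[$policy]
        Exceptions = $exceptions
        # "DEP for all programs and services with no exceptions" means OptOut with an
        # empty exception list; AlwaysOn is stricter still and also passes.
        Compliant  = ($policy -eq 1) -or ($policy -eq 3 -and $exceptions.Count -eq 0)
    }
}

Test-ReaderJavaScriptDisabled | Format-List
Test-DepPolicy | Format-List
```

Neither check is a substitute for the vendor patch: bEnableJS only removes the JavaScript trigger for the JBIG2 overrun, and DEP raises the cost of exploiting it rather than fixing it.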

  68. Updates... by CopaceticOpus · · Score: 1

    I think it's funny that Adobe is taking so long to build this patch, since it seems like every freaking time I load up Adobe Reader, it wants to update itself.

    Do I want to update Reader? Well, the current version reads PDFs, right? Why do I need a new version every week?

  69. Re:Patch by Brian+Gordon · · Score: 1

    And why was that modded down? I was hoping people would see I meant it seriously; nobody using linux uses Acrobat.

  70. Re:There's a simple reason for that. by lamapper · · Score: 1

    Here is my point: Make a workaround, "pre-patch", or apology available as quickly as possible so that _I_ can make the decision about the risk. We will test your patch in our environment, determine the best course of action for our company, and keep paying you for your product. If I don't test it in my environment and it hobbles my 8,000 machines, then it's my own damn fault for deploying it.

    Where are the moderator points when you need them? Great post and you should be modded up!

    Too many system administrators just accept as gospel that this patch today and that patch yesterday and the patch tomorrow will not cause problems and blindly accept them. No wonder the company will never give them time to test the patches, updates, etc... for potential problems in their specific IT environment and infrastructure. Especially when a company throws out crap to make money and continually patches it; instead of getting it right to begin with.

    A good Systems Administrator checks the patch for problems on a system prior to rolling it out to the rest of the company. Of course watching for rootkits, viruses, injection schemes, etc...

    A great Systems Administrator subnets the test environment, isolates it from the corporate intranet and monitors the packets to/from this test environment looking for more than just Trojan horses.

    Guess which one of those has the experience, authority and respect of their supervisor to push back and state No we will not just randomly roll out updates as they come to us from company X and assume that they work without problems. Yes we will take time to test the update or patch before rolling it out.

    Guess which one makes over 6 figures per year and which one is paid less than $50,000 per year.

    Most of the others are somewhere in between $50K and 100K working for companies that know that they need System Admins, but not really giving them the time and/or the authority to do things right.

    Just take a look at the typical duties of a System Administrator. Most Systems Administrators do NOT have enough time to do all those tasks as carefully as they need to be performed in order to secure the company's network and servers.

    --
    Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
  71. Executable code by Anonymous Coward · · Score: 0

    "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'"

    What do you think PostScript is?

    Executable code.