Homemade PDF Patch Beats Adobe By Two Weeks

CWmike writes "Sourcefire security researcher Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks. Grenier posted the patch on Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees. Also, PhishLabs has created a batch file that resets a Windows registry key to de-fang the hack by disabling JavaScript in Adobe Reader 9.0, giving administrators a way to automate the process."

Registry hack

[coulbc]

We figured that one out in about five minutes. Wrote a quick group policy file and moved on to the next problem.

Re:Feature Request

I'm going to have to disagree...

Allowing some scripting in a document is great. For example, I'm writing a math textbook. If PDF-javascript had a FOSS implementation, I'd use it to make interactive quizzes and questions in it. Sadly, while LaTeX has a package to do this, there is no support.

Before someone goes and says that I shouldn't be using a PDF in this case, please think. I'm writing a large textbook with lots of graphics. I want it to be in a single file so that its easily available to the technically illiterate. For that matter, my working draft (not the one on the website) uses PDF attach to include the TeX source and the GFDL.

In conclusion, it's my opinion that that having a PDF scripting language as long as it can't, you know, do anything but modify that one file. The problem is that Adobe seems to be trying to include the kitchen sink...

Patch?

[noidentity]

So this patch basically does the equivalent of a user going into the program's settings and disabling the JavaScript execution checkbox? Hmmm, I don't want to post this anonymously, so I'll apply one of my homebrew patches to uncheck the "Post Anonymously" checkbox. Wow, I'm l33t!

Why doesn't anyone think javascript is useful?

[UtucXul]

I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files. I realize that there is a danger in allowing executable content in files (and it is arguable whether or not the danger is worth it) but I do not understand why so many people don't seem to understand that there are at least possible benefits to it.

I used to make slides for talks using LaTeX. There are great ways to include animations directly in the pdf that use javascript. I always had far less trouble getting my animations to play than other people at conferences I went to because acrobat reader was all I needed and it is nearly always there. And for the record, the animations were things I really needed since they showed output from simulations.

I've also seen lots of forms that do some math or validation. How do people think that happens?

Again, I think we need to be very careful about executable code but that doesn't mean there are no possible good uses for it.

Re:Feature Request

[Ihmhi]

Feature request: a NoScript equivalent for Acrobat Reader.

Re:Feature Request

[Aragorn+DeLunar]

And this is why we need to get away from labeling dialog box buttons "Yes", "No", "Cancel", etc. We can label them anything we want, so why not be descriptive? Try "Safe", "Unsafe", "Really Stupid", "Don't click this -- ever!"

The same applies to the save dialogs. I like how OO.org 3.0 handles the "Do you want to save?" dialog when closing the program: The buttons are labeled "Save", "Discard", and "Cancel". Of course, "Cancel" could be better described as "Return to Program."

Re:Feature Request

[Idiomatick]

http://www.foxitsoftware.com/pdf/reader_2/reader-interstitial.html

Or just make google open all your pdfs so that you aren't forced too even if its ugly its fast and secure.