Slashdot Mirror

← Back to Stories (view on slashdot.org)

PDF Vulnerability Now Exploitable With No Clicking

Posted by CmdrTaco on from the don't-not-click dept.

SkiifGeek writes "With Adobe's patch for the current PDF vulnerability still some time away, news has emerged of more techniques that are available to exploit the vulnerability, this time without needing the victim to actually open a malicious file. Instead, the methods make use of a Windows Explorer Shell Extension that is installed alongside Adobe Reader, and which will trigger the exploitable code when the file is interacted with in Windows Explorer. Methods have been demonstrated of successful exploitation with a single click, with thumbnail view, and with merely hovering the mouse cursor over the affected file. There are many ways that exploits targeting the JBIG2 vulnerability could be hidden inside a PDF file, and it seems that the reliability of detection for these varying methods is spotty, at best."

5 of 206 comments (clear)

  1. Re:Not PDF vulnerability ... Adobe vulnerability by OpenGLFan · · Score: 4, Informative

    Adobe's particularly horrible implementation.

    Right now, on my laptop, I have two VirtualBox sessions running images pretty close to the servers at work. I'm testing out some simulation. I've got slashdot open in Firefox, and I've got Adobe's PDF reader open to a reference manual.

    The PDF reader is using more memory than the two virtual servers combined. That's a ridiculous amount of bloat, and it doesn't even count the "Adobe Updater" software that runs all the time.

  2. Re:Not PDF vulnerability ... Adobe vulnerability by gravos · · Score: 4, Informative

    If you use Windows try this alternative implementation: Sumatra PDF Reader. It's Open Source, less than half the size of Foxit (1/15th the size of Acrobat) and has search, text-read, copy-paste, and plenty of keyboard shortcuts. It's very quick and streamlined and makes Foxit look bloated in comparison. And naturally it's not affected by this vulnerability.

    --
    This game will waste your life. Don't clicky!
  3. Re:So, don't use Adobe Reader by ArsonSmith · · Score: 4, Informative

    'You can read the source' is irrelevant 99% of the time;

    The point is that someone, other than the original author, can and most likely has.

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
  4. Re:Not PDF vulnerability ... Adobe vulnerability by Your+Pal+Dave · · Score: 4, Informative

    It's not obvious, but if you hold down the control key while mousing text is selected and automatically copied to the clip board.

    Once you get used to it this is actually quite convenient.

  5. Re:Not PDF vulnerability ... Adobe vulnerability by interiot · · Score: 4, Informative
    For Windows, there are others:

    (yes, there's a ton of good PDF freeware available now)