Adobe Confirms PDF Zero-Day, Says Kill JavaScript

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"

Ditch Acrobat...

[nweaver]

Adobe is really slow about security patches on Acrobat. This is just the latest.

Its the reason why Miko Hypponen of F-Secure says you should ditch acrobat and use something else.

Re:Ditch Acrobat...

[TommydCat]

Yeah... like if I'm offered the choices

1. Disable javascript and kill the web
2. Uninstall Adobe_who_evidently_can't_code_their_way_out_of_a_wet_paper_bag crap

Why would I choose the former? Even if I do that I'm sure they'll have another exploit by next Wednesday that wouldn't be defanged by disabling a scripting language, looking at their track record..

Color me tired of this much more so than surprised..

Re:Ditch Acrobat...

[Fatalis]

It's about disabling JS in Acrobat itself, not in general. For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.

Re:Ditch Acrobat...

[TommydCat]

Ok, color me surprised then... Thank you for the clarification.

I think I'll step out and talk a walk to muse about why companies writing mission-specific utilities throw in the kitchen sink-type bloat and wonder why they couldn't see their ship coming in over the Sea of Vulnerabilites...

Re:Ditch Acrobat...

Mod parent up... You do not disable javascript in your browser, only within the Adobe applications themselves.

Re:Ditch Acrobat...

According to Secunia disabling Javascript does not mitigate the risk. Old news?

http://secunia.com/blog/44/

Re:Ditch Acrobat...

[InsertWittyNameHere]

Anyone know if this affects Bluebeam PDF Revu?

Re:Ditch Acrobat...

[wiredlogic]

For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.

Which is ironic since PDF was originally designed to be a reduced, non-Turing complete version of Postscript partly for the safety of a restricted interpreter.

Re:Ditch Acrobat...

I'm personally becoming quite tired of the "Oh, we implemented a 'bad programming language' into our design, so you should ditch it."

If the answer to the exploit was, "Javascript is at fault because of it's standard" then the answer to your problem is to remove Javascript.

If the answer to your problem is "Adobe f'd up and practiced coding without thinking.. AGAIN" -- Then Javascript should be left the hell alone. Seriously, what'd Javascript ever do to Adobe? Enable their own bad programmers to make bad decisions that get them bad publicity? Sounds like Adobe's fault to me :P

Re:Ditch Acrobat...

The summary made it pretty obvious it's talking about Javascript within Acrobat. Nice attempt at first-post kharma whoring though, you even crammed a useless link in there!

Re:Ditch Acrobat...

[Gordo_1]

Bloated? I don't think one should describe what Adobe has done to Acrobat Reader simply as "Bloat". I suggest redefining the term as a verb with a tip of the hat to the new masters, as in "you silly hack, you've adobed your software!"

After getting fed up with Reader in the wake of the Feb. 19th PDF remote exploit notice (http://www.adobe.com/support/security/advisories/apsa09-01.html/) I decided to install FoxIt (I know, proprietary, not open source goodness)... But anyway, when I went to uninstall Adobe Reader, Windows claimed it to be taking up 221MB on my hard drive. 221 Megabytes! For a document reader!?

After installing FoxIt, Windows claims that it takes up only 7.15MB, which I corroborated by checking the size of the install directory. For the life of me, I can't figure out what exactly it is that Adobe Reader does that FoxIt doesn't. They're functionality identical so far as I can tell. So what in god's name is Adobe doing with that extra 200 megabytes of disk space?

Re:Ditch Acrobat...

[OakDragon]

Adobe is really slow about security patches on Acrobat.

Have you updated the Adobe Updater? Perhaps what we need is an updater to update the Adobe Updater.

Re:Ditch Acrobat...

[hairyfeet]

Because like ActiveX Adobe wanted to make Acrobat a "rich web app" or whatever buzzword bingo they have for net apps this week, and forgot that adding that equals really big malware hole you can drive a truck through? Everybody wants to position their app to take a piece of the net, just look at how Netscape killed their lead by piling all this apps together and making Communicator instead of sticking with the already well known Navigator and concentrating on making it better.

These companies don't see that we often simply want a simple app to do a simple job fast, cleanly, and with minimum bloat. Instead they try piling in the kitchen sink hoping that one of the bazillion functions they pile in there might make it the "must have" for "the next generation" or again whatever buzzword bingo you choose. Just look at all the crap Nero has piled into what was once a clean and easy burning app. That is why for myself, my customers, and my family I routinely install Foxit Reader which simply renders PDFs quickly, with minimum fuss, updates itself by default, and is very light on resources and doesn't try to run 24/7 like Adobe. Unlike Adobe Foxit hasn't tried to add the kitchen sink. It just renders PDFs fast. Give me that over app bloat any day.

Re:Ditch Acrobat...

[an+unsound+mind]

Precisely that bloat functionality.

Advanced forms handling, embedded content, Adobe javascript, et cetera.

Things most people never need and things that would use Microsoft Word if Adobe had never offered the functionality.

You won't run into them too often outside giant bureaucratic systems where some boss thought using PDFs for forms was a great idea.

Re:Ditch Acrobat...

As decisions go, Javascript inside PDF has to be one of the most boneheaded in history.

Re:Ditch Acrobat...

I hate adobe, and I hate how wannabe "web developers" use it for the most bloated web sites I have ever seen.

Re:Ditch Acrobat...

JavaScript is actually quite usefull for forums, so there is a good reason to have it there (unlike the 3d stuff and other plugins). The problem is that the JavaScript is not properly sandboxed.

Re:Ditch Acrobat...

Oh, shut up, diskspace is cheap, rah rah rah, and and if software companies didn't use up all that space what would you use it for else!? Don't you know that the resources of your computer, like cpu-time, diskpace and ram are the property of various software companies to expend as *they* see fit? Don't bother your silly little mind with things better people have already decided, serf. :>

Re:Ditch Acrobat...

[Anenome]

"So what in god's name is Adobe doing with that extra 200 megabytes of disk space?"

I shouldn't really be telling you this, but there's an easter-egg video involving Carrot Top hidden somewhere in Adobe Reader. Call it a result of the 'more megabytes = more powerful' school of software management :P

Re:Ditch Acrobat...

[interiot]

Seriously, when PDF is based on a language that can calculate fractals on the fly and draw a different random maze every time you print it, why are we surprised that PDF is nearly as capable?

Re:Ditch Acrobat...

pr0n that a developer accidentally commited.

Re:Ditch Acrobat...

[Threni]

> Because like ActiveX Adobe wanted to make Acrobat a "rich web app" or whatever buzzword bingo they have for net apps this week, and forgot that adding that equals
> really big malware hole you can drive a truck through? Everybody wants to position their app to take a piece of the net, just look at how Netscape killed their lead by
> piling all this apps together and making Communicator instead of sticking with the already well known Navigator and concentrating on making it better.

They probably started off intending to use safe Java in a sandbox, and some idiot in a meeting went "java..huh..uhuh....so..that's...javascript...let's add javascript to our app..that'll make it easier to read text and look at images"...

> These companies don't see that we often simply want a simple app to do a simple job fast, cleanly, and with minimum bloat

Lol! These companies have looked at Microsoft and gone "those suckers will get what they're given".

Re:Ditch Acrobat...

[maxume]

On my install, which is 9.0 updated to 9.1, there are 60 megabytes of setup files. 20 of it is the installer for 9.0, and 40 of it is the installer for 9.1. Of the remaining 120 megabytes (that's right, the total is 180 megabytes), about 45 megabytes are devoted to dlls and executables, and about 30 are devoted to 'linguistics' resources, which must be language support files.

Clearly they don't care about using my disk (obviously, neither do I).

Re:Ditch Acrobat...

[KDR_11k]

Forums... in PDF?

Re:Ditch Acrobat...

Porn. PDF porn. Yummy, tasty PDF porn.

Re:Ditch Acrobat...

And surprising easy to read actually. After a couple of days it was actually easier to understand than my boss's emails...

Re:Ditch Acrobat...

[gilgongo]

And if you need some further discussion on the subject of The World's Worst Software...

Re:Ditch Acrobat...

[Skuld-Chan]

For most people there is no difference, but if you are working with livecycle forms online (which some public sites use) nothing but Adobe Reader will work with those.

If you use postscript passthrough - I don't know if any apps outside of Adobe that support this.

If you use annotations (3d objects, comments/notes, multimedia, videos etc) - most other readers don't support this - or if they do they only support notes/comments.

If you need to deploy a pdf viewer to a couple thousand machines - I'm not aware of any that have an installer for automating this - Adobe Reader does however.

So its not for everyone, but speaking from experience it is for a lot of people and a lot of big enterprises.

That said - Foxit is probably the most feature complete pdf viewer outside of stuff from Adobe, however It would be generous of me to say that it supports 1/10th of the pdf features Adobe Reader supports.

Re:Ditch Acrobat...

[Skuld-Chan]

These companies don't see that we often simply want a simple app to do a simple job fast, cleanly, and with minimum bloat. Instead they try piling in the kitchen sink hoping that one of the bazillion functions they pile in there might make it the "must have" for "the next generation" or again whatever buzzword bingo you choose. Just look at all the crap Nero has piled into what was once a clean and easy burning app. That is why for myself, my customers, and my family I routinely install Foxit Reader [wikipedia.org] which simply renders PDFs quickly, with minimum fuss, updates itself by default, and is very light on resources and doesn't try to run 24/7 like Adobe. Unlike Adobe Foxit hasn't tried to add the kitchen sink. It just renders PDFs fast. Give me that over app bloat any day.

You think using Foxit will help you avoid security flaws? Check this out:

http://www.foxitsoftware.com/pdf/reader/security.htm

Those are just the ones they found - Foxit isn't even a big target for black hat hackers. Once it is - the Foxit religion will lose faith and switch to something else I'm sure. It would actually be possible to write an exploit that exploits Foxit and Adobe Reader.

Having worked on Acrobat - I know that it is audited all the time by the security team there. You can do a ton of code reviews, and fix a lot of vulnerabilities quickly (which they did all the time actually - stuff you've never seen exploited because of this), but being that we are human stuff comes up. Like anyone who is a security target: it is a cat and mouse game at this point and until that happens to your product you'll probably never appreciate the problem.

Re:Ditch Acrobat...

you silly hack, you've adobed your software!

What's wrong with turning your software into a house? Oh that's right, houses have Windows.

Adobe

Re:Ditch Acrobat...

[Toonol]

It'll be horrible, but I really want to see an implementation of this.

Re:Ditch Acrobat...

[Kneo24]

You won't run into them too often outside giant bureaucratic systems where some boss thought using PDFs for forms was a great idea.

I ran into something similar at work once. I had the guys in QA load up my thumb drive with all of the procedures that go for the product line I had inherited from one of the other leads there that... well, no need to digress... The documentation was just so fucking sloppy that most of it had to be completely rewritten from scratch. I couldn't make heads or tails of anything when I went to do any testing.

I sat down with the technician that I was now in charge of for this stuff. As I was trying to have him teach me everything, he just placed the documentation to the side and stated that it would be easier to teach me without it. It took me about an hour, but I finally started understanding everything he was teaching me. The documentation started to make sense, but it was still so horribly inaccurate that the fact that any person actually spent time writing anything down was a waste of resources.

With understanding in tow, I take my thumb drive home and open it up. .pdf's everywhere, sizes as large as 2MB.

As far as I had known, the only person who had a writer to edit these had left the company years ago. Making updates to these specifically was not going to happen. No matter, I was rewriting them all anyway. I load up word knowing that was the standard program in use at work and start pounding at my keyboard.

Document sizes were smaller (not that that was too important), documents could be edited by them if they needed to (very important), and any moron could actually follow the documentation step by step with full understanding what was going on.

When I had asked the QA team why there even .pdf's anyway, they pretty much summed it up to bureaucratic nonsense. Apparently the president thought it was a great way to keep everything under "lock and key".

Re:Ditch Acrobat...

[FatdogHaiku]

Perhaps what we need is an updater to update the Adobe Updater.

OK, but they have to promise it will run all the time and use at least 200mB of my RAM...

Re:Ditch Acrobat...

[westyvw]

So I took a look at that Foxit Reader just now on the VM. Yuck. At least it allows you to opt out of the crap it trys to add in.

I will stick with Okular and PDF Edit. Much better, I can read AND edit pdfs.

Re:Ditch Acrobat...

[slater86]

Same here,

for the Non Active Directory crowd. We now run this in a batch file (yes its a bit old skool but it works)

echo. echo Adobe Reader 7.0.9 MSIEXEC /UNINSTALL {AC76BA86-7AD7-1033-7B44-A70900000002} REBOOT=SUPRESS /QB-
echo.
echo Adobe 8.x MSIEXEC /UNINSTALL {AC76BA86-7AD7-1033-7B44-A80000000002} REBOOT=SUPRESS /QB-
echo.
echo Adobe 9.0
MSIEXEC /UNINSTALL {AC76BA86-7AD7-1033-7B44-A90000000001} REBOOT=SUPRESS /QB-
echo.
echo Adobe 9.1
MSIEXEC /UNINSTALL {AC76BA86-7AD7-1033-7B44-A91000000001} REBOOT=SUPRESS /QB-
echo.
echo Installing FoxIT PDF Reader
"FoxitReader_Setup.exe" /i /custom /allusers /register /startmenu

Re:Ditch Acrobat...

[perryizgr8]

i can't understand what is the need to use pdf. i mean you can use odf or doc(x). why get into another crappy format?

Re:Ditch Acrobat...

[hairyfeet]

Both of those apps are Linux only, and most of us aren't going to toss our entire OS or load up a VM every time we simply want to view a PDF.

And as for the other poster who "worked for Adobe" and touted Acrobat VS Foxit security? Your link has a GRAND TOTAL of three vulnerabilities for the ENTIRE 3 series of Foxit. You have seen more vulnerabilities in adobe than that in the past 4 months.

If the choice is go to an OS where NONE of my hardware actually works(sorry but Linux supports less than 15% of my current gear) or stick with the huge amount of super bloated malware attracting Kitchen sink adding that is Adobe Reader I frankly just wouldn't allow PDFs just like I don't allow ActiveX. But thankfully there is Foxit so I don't have to make that choice. And I'm really really glad that linux works for you dude, but being a PC repairman I can tell you there is a LOT of us where it just don't. For us the solution needs to actually run on Windows, and not through the mess that is CygWin.

Re:Ditch Acrobat...

[sixtuslab]

While all other Adobe products are near perfect or perfect, my mind defies the logic behind Adobe pushing the only totally moronic product in it's productline, Acrobat/fileformat PDF, it's sad to realise that with all the efforts the Adove development teams push into their new products can be ruined by a program that reflects the vampirical blood lust of Adobes Marketing/Sales department. Overall, in the last few years I've seen little actual development in the features of the new builds of many different programs from various companies, the complete inverse of how much more browser toolbars, widgets and other irrelevant applicational diseases are spreading. Thankfully in Adobe's case the Marketing/Sales fungus is concentrated in the Adobe Acrobat plague, so just stay away from that and you'll be fine =) Anyway, go Adobe dev and Slashdot!

Re:Ditch Acrobat...

[koiransuklaa]

I'm not a Windows user so I've never used Foxit. That said, your complaints sound somehow wrong to me.

First, you say "Foxit isn't even a big target for black hat hackers" like it's a bad thing. Here's some news for you: Some of us utterly dislike the software monoculture companies like Adobe and Microsoft are selling, partly because it creates big targets for black hats...

Second, you didn't comment on the bloat accusations. It's great Adobe does audits, but wouldn't it be great if they didn't have to audit source code that builds into a 180MB monster?
  I'm sure they have a client demanding each one of those 'features', but why does everyone on the planet need to have all those feature installed and enabled as well? It's a balance between (perceived) ease-of-use and security, and I think I know which side Adobe is leaning on.

Re:Ditch Acrobat...

[Lemming+Mark]

FWIW, KDE apps aren't Linux/BSD only anymore.

You can probably use Okular via the KDE for Windows port, though I don't know if that's had an official stable release yet; don't really use Windows much, otherwise I'd look into it more since in my experience it's a nice app than Adobe's offerings tend to be, whilst still being fast and featureful.

Okular might well work on MacOS X via the KDE for Mac stuff - same caveats but I don't own a Mac so I've *never* tried this ;-)

Re:Ditch Acrobat...

[viralburn]

Have you seen some of the HP printer drivers ? 600 Mb+, I guess it requires an extra 300 Mb if the printer has a scanner.

Re:Ditch Acrobat...

[hairyfeet]

I've tried KDE on Win, and honestly? It really sucks. KDE is GREAT in Linux because it IS the shell. In Windows instead of doing the smart thing and writing scripts that allow it to run as a shell replacement is runs on TOP of the shell. See the problem? You are trying to run an ENTIRE desktop environment on TOP of an ENTIRE desktop environment.

Like I said, you might as well be telling folks to ditch Windows for the "fun" of PDF support. CygWin is seriously ugly and WAY too CLI, VMs are frankly a PITA, and KDE on Win is running double desktops environments. Seriously bloated and nasty.

What I don't get is why they didn't go for shell replacement. There are plenty out there like Stardock and Michelle that will completely change out the shell. Hell with Michelle 3 you get a straight black desktop with everything right click ala the old BB4Win. If you are going to bring KDE over to Windows, then have it perform the same function that it does in Linux. Having it run on TOP of Explorer and the Windows taskbar is just as ugly a hack as CygWin. No thanks.

Re:Ditch Acrobat...

[Lemming+Mark]

Now they have stuff like Plasma running on Windows I expect they'll do a full shell replacement... debatable how useful that is but I think it'd be pretty fun to have anyhow! And the prospect of a common desktop shell across all the operating systems in an organisation is intriguing.

As for running KDE apps, e.g. Okular on Windows, they're not running an entire desktop under Windows, you're running one app that uses a cross-platform toolkit. If you use Firefox or Opera you would also be using a cross-platform toolkit, rather than simply native Windows APIs.

You could probably argue that having all the KDE goop is overkill but it's still not quite the same as running a whole desktop, which would suggest to me a separate taskbar, filemanager, menu, etc and no integration with the rest of Windows. AFAIK KDE apps for Windows run quite happily as individual apps, no need to start up the rest of the desktop.

Re:Ditch Acrobat...

[SL+Baur]

I can't understand what is the need to use pdf.

For web usage, none at all, really. For printing, it's supposed to guarantee WYSI(R)WYG[1] output. No other document format does that.

[1] What You See Is (Really) What You Get

Re:Ditch Acrobat...

[hairyfeet]

I've tried KDE on Win, hell I have it installed on this machine right now. While I can't tell you what they have planned for the future, I can tell you that RIGHT now it is SERIOUSLY fugly. let me give an example: I just launched Dolphin, the file manager, right? I use Xplorer2 lite for a file manager, so I am used to having something other than Explorer.exe, so I figured Dolphin is nice,right? WRONG. Just launching Dolphin launches nearly a dozen processes, most of which die out rather quickly, but even after closing dolphin we are looking at over 150MB of RAM being sucked up by nearly a half dozen processes. And that is with it closed!

You get 4 Kioslave.exes, a couple of Klauncher.exes, and even with it closed I have Dbusidaemon.exe,Kioslave.exe,Klauncher.exe,and Kde4d.exe all running and sucking up nearly 200MB now. And the only way I have found to close them is to launch process explorer and kill them manually. Now THAT is ugly! And the worst part is they aren't even making it like a real port. It is like one of those bad console to PC ports. What I mean is instead of having it look for standard Windows conventions, like say C: or My Documents, it is looking for places like /home. But of course there IS no /home in Windows so you have to navigate away from the useless locations every time you launch. It just feels like a hack.

Now in the future if they get it so KDE is an actual shell replacement I'd be happy to run it, and maybe even give it to my clients. The KDE shell has always felt more logically laid out to me that dumping everything in "program files" like Windows does. But having the thing suck up nearly 200MB of RAM with nothing running and STILL having the Windows shell sucking up even MORE RAM on top? It is just nuts. I can run an entire DSL Linux in a VM for less RAM! So while I applaud them for trying, right now IMHO it really isn't usable for anything. It just piles too much stuff on top of Windows to make it worthwhile. I can run something like Michelle 3 or Windowblinds in MUCH less memory. And like I said, when you figure in the crazy amount of overhead you have to even launch something simple like the calculator or file manager you are better off just running DSL in a VM. At least with that when I close it it is actually closed.

Re:Ditch Acrobat...

[Skuld-Chan]

I haven't worked there in ages, but there was a lot of talk about distributing a small stripped down version of Reader (it actually scales quite well - for instance there's versions that run on phones - not even smart phones). As I recall what it came down to however was cost - the QA process for Reader actually includes 25 different languages (something else none of these other vendors like Foxit have to deal with) and well over 30 platforms (if you add up all the versions of Mac OSX, Linux, and Windows/Windows Server and the 32/64 bit versions of each of those) you can see they are generally interested in keeping QA time down since - even though most of it is automated, it is very expensive. Plus - the actual download size is about as big as Foxit (packed) so I don't see why its such a big deal these days.

One way to keep down development costs is to reduce the amount of distributed versions - something that is practiced in every software company I've ever worked in.

Inevitable post recommending Foxit Reader

[Nimey]

because you knew that was coming.

Re:Inevitable post recommending Foxit Reader

[MozeeToby]

How about just get rid of PDFs in general? I mean, how many times have you opened up a page and said to yourself "Sweet, it's a PDF, now I can...". I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.

I suppose there must be a place for them, but it seems to me they're mostly used by people too lazy to create a page with the information they want to display, and instead just put a link to the PDF they sent to their printer, often from a years out of date brochure or flier.

Re:Inevitable post recommending Foxit Reader

[Fatalis]

I read a lot of PDF files, mostly books and the like, and I recently switched back to Adobe Reader from Foxit, after using it for years. I don't see any difference speed-wise on my machine, it behaves slightly better, looks much better, and it's still proprietary, closed software anyway. With Foxit, its browser plugin used to be unstable with Firefox for whatever reason too. Adobe's plugin seems to work better. As far as I'm concerned about security, I've turned off JS support in Adobe Reader. This seems to prevent many exploits, and takes away no useful functionality, as far as I'm aware. Even it someone managed to perform an exploit that didn't depend on JS, I'd still be protected by Firefox not running with administrative priviledges. All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.

Re:Inevitable post recommending Foxit Reader

[Rude+Turnip]

The printing industry is heavily dependent upon PDF files in their workflow. PDF attachment via email has basically replaced the fax machine in any professional industry. The format offers everyone a standard format that will look exactly the same everywhere. And, I can create a single PDF from multiple source documents (spreadsheets & word processor docs).

Re:Inevitable post recommending Foxit Reader

[thePowerOfGrayskull]

All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.

And without additional cost to you, that delivery includes a 60MB runtime footprint and two or three always-running updater applications!

Re:Inevitable post recommending Foxit Reader

[nine-times]

I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.

Set up formatting and layout for your document in a way that should display the same way when you move transfer the file to another computer, and have it also look the same when you print it out. I mean, that's really what PDF is for, and it's very good for that purpose. Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.

PDF is given a bad name by the slow, bloated application that most people view them on (Adobe Reader). It's not really ideal to treat them like web pages, but most of the dread you feel when you have to click on a link to a PDF is really more the fault of the reader than the format. If you have a good PDF viewer, they aren't slow to load and won't crash your browser.

Re:Inevitable post recommending Foxit Reader

[Jamie's+Nightmare]

I suppose there must be a place for them

If you had job you could download and print tax forms.

Re:Inevitable post recommending Foxit Reader

[Kugrian]

I run along them all the time just in general information gathering.

I'd love for them to be in a freer format, but at the same time, I love that they are in a format I can read on my computer.

Re:Inevitable post recommending Foxit Reader

[Bill,+Shooter+of+Bul]

Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.

RTF, No. HTML, yes. Or would you not consider Google App's spreadsheet to be complex? Images can be embedded in cdata tags. Its not easy or really recommended, but possible.

Re:Inevitable post recommending Foxit Reader

[Tubal-Cain]

If you have a good PDF viewer, they aren't slow to load and won't crash your browser.

If you don't use a reader with a browser plugin, a PDF is just as likely to crash your browser as a zip file.

Re:Inevitable post recommending Foxit Reader

[Your.Master]

pdf came out in 1993. XML became a W3C standard in 1998 (working draft in 1996).

So, frankly, they hadn't and have an excellent excuse for not having heard of it. Besides which, you have to consider the hardware and software limitations of 1993 and compare the problems that human-readable formatting solves compared to the problems PDF is intended to solve. PostScript, font, and raster graphics embedding are not especially served by this compared to costs that were significant at the time.

Re:Inevitable post recommending Foxit Reader

[nine-times]

Images can be embedded in cdata tags. Its not easy or really recommended, but possible.

Yeah, I don't know if this helps, but my original sentence was intended to be read, "Neither HTML nor RTF can really* even (do complex layouts with embedded images) in a single file. [* Disclaimer: by 'really' I mean in any way that is sensible and well-supported.]"

Ok, so I don't know if that's exceptionally clear anyway, but I gave it a shot. The point is, yes, you can do very complex layouts in HTML, but lots of things require extensive HTML/CSS knowledge to do properly and in a cross-platform manner, and maybe even weird and complex hacks. You can't simply take your Word document with a complex layout and do "save as HTML" and get a good HTML file that maintains that layout.

Beyond that, except for dropping the image into the HTML in base64 (which... well... I wouldn't advocate doing that under most circumstances) including images will require separate files which will then have to be passed along with the HTML and kept in the same relative path, or else you'll lose the images. And then there's the issue of fonts, which newer browsers are only beginning to address with web fonts.

So really, if you want to pass along a single file while maintaining complex layout very accurately, and you don't particularly want the file to be easy to edit, then PDF is a good choice for that purpose. I can't think of another format that's anywhere nearly as good for that purpose.

Re:Inevitable post recommending Foxit Reader

[Jaysyn]

I routinely create, view & print really big PDFs. When comparing FoxIt & Adobe the time difference between opening & printing a E-sized PDF on my machine is huge. FoxIt blows Adobe completely out of the water in every manner I can think of.

Most of the time Adobe will never actually print anything out, or if it does, it will be missing elements.

Re:Inevitable post recommending Foxit Reader

[Fatalis]

That's what memory is for, though. I have 4 GiB of it, and I don't see the gain from having it go unused over having it occupied by a sloppily made app. In return, I get something I enjoy using more.

Re:Inevitable post recommending Foxit Reader

[RiotingPacifist]

I dont really mind the startup time, but the idea that a program adds itself to my bootup menus and runs all the time, really puts me off. The tiny overhead of the updater application doesn't bother me so much, its the fact that it exists at all that indicates a serious design flaw!
That is why on windows always choose xmplay^H^H^H foxit over itunes^H^H^H adobe pdf!
Unfortunately people still flock to this software because of its 'features', and the atrocities of its design are hard to get across to non-geeks.

Surely windows has a cron you can use update program regularly without running it all the time!?
Why micosoft don't provide an updater program for windows, requiring companies to provide their own repos, i don't get though. Additionally a preload system that allows programs to boot faster would let most of these 3rd party programs die (I mean one that software can add itself to, in addition to the standard preload).

Re:Inevitable post recommending Foxit Reader

[thePowerOfGrayskull]

That's what memory is for, though. I have 4 GiB of it, and I don't see the gain from having it go unused over having it occupied by a sloppily made app. In return, I get something I enjoy using more.

I'm not usually a subscriber to the "evil big company" theory, but I'm not too fond of trusting Adobe to install and run whatever they want, regardless of whether or not I have asked for it. Actually, I guess I am a subscriber to that theory - since I don't tend to let anyone run their crap on my PC unless I know exactly what it does or can at least be reasonably sure that it's not doing something stupid*. That's a large part of how I've stayed virus free for a couple of decades, in spite of not running anti-virus.

Aside from that - I'm not sure that I agree that's what memory is for. When I'm working in game development and my development tools are consuming 3GB of memory, you're damn right I"m picky about someone taking up an unnecessary 60MB plus. I view my computer's memory as /my/ resource, to be used by my computer as I want it to.

* like allowing anybody at all to run flawed javascript when I open a PDF file -- which should be a read only format for viewing and printing documents

Re:Inevitable post recommending Foxit Reader

[thePowerOfGrayskull]

These are things that have frustrated me for years, especialyl as more and more applications are presuming to do it. It's like people have never heard of the concept of windows scheduler/cron, or even spawning off an update thread in the background on startup. Processors and hard drives are so fast these days that even bloated and beefy software (I'm looking at YOU openoffice.org and netbeans) provides acceptable startup times without a "launcher" application.

As far as Adobe - the only thing I ever do with my PDF files is read them. Every year I watch Reader's footprint get bigger and bigger, and yet there is /no/ difference in my experience with it (except that it's slower) than there was several years ago.

Why micosoft don't provide an updater program for windows, requiring companies to provide their own repos, i don't get

That would also be quite nice. A simple Updater API would go a long way and might clean up some of this crap.

Re:Inevitable post recommending Foxit Reader

[jonaskoelker]

just as likely to crash your browser as a zip file.

I use IE6, you insensitive clod!

Re:Inevitable post recommending Foxit Reader

[poopdeville]

How about just get rid of PDFs in general? I mean, how many times have you opened up a page and said to yourself "Sweet, it's a PDF, now I can...".

All the time.

I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.

Embed graphics that scale with the text. Embed fonts. Make book quality printings. You know, things people want to do with documents, portably, without changing how the document looks.

Re:Inevitable post recommending Foxit Reader

The run-time footprint is half that for me (reader 8.1.4), and if you turn off updater, the process does not automatically run.

- T

Re:Inevitable post recommending Foxit Reader

[SL+Baur]

I mean, how many times have you opened up a page and said to yourself "Sweet, it's a PDF, now I can...".

All the time at work. And replace the "..." with "print it out".

I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.

You have a small mind. Government forms and payroll stubs are two important uses.
(For usage as an "official" document, exact format is *everything*).

Now, has anyone ever used PDF to print counterfeit money? There are some limitations ...

Re:Inevitable post recommending Foxit Reader

[Pandrake]

The way I always describe why PDF is preferred over any other format for layouts is, "It's not a 'save as' format, it's a 'print as' format," and if they don't gloss over at that I continue with the difference between rendering a page on the screen to see it's size that isn't a paper size, or print to this printer which has different margins than that printer so what margins does the "file" have, and how PDF ignores all that because it's already been printed correctly and to it's own format for a page.

No problem for Macs, really

What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.

All Adobe software is so overbloated that if you compare them with Microsoft, they're the lightweight ones.

Re:No problem for Macs, really

[1729]

What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.

I had to install it to e-file my state taxes. The fill-in tax forms had a lot of behind-the-scenes scripting (javascript, I assume) and only worked with the Adobe browser plugin.

Re:No problem for Macs, really

[0racle]

The problems also affect Acrobat proper.

Re:No problem for Macs, really

[SpottedKuh]

The fill-in tax forms had a lot of behind-the-scenes scripting (javascript, I assume) and only worked with the Adobe browser plugin.

I can second this: I've encountered fill-in forms that just didn't play nicely with Preview.app.

Another issue is that the full-screen presentation mode in Acrobat works much more nicely for, e.g., giving PDF presentations compiled in LaTeX. It works with clickers for advancing slides.

Re:No problem for Macs, really

[jabithew]

In all seriousness, does anyone know if these zero-day exploits affect Preview? 1729's post implies that they wouldn't, but I'm curious.

Re:No problem for Macs, really

[Rashdot]

I had to install it to e-file my state taxes

I had to install it just to print out a DHL address sticker.

Disable JavaScript

[icebike]

Or install any of the other PDF readers available and remove the spyware/call-home laden Adobe Reader once and for all.

Good idea...

[idontgno]

kill Javascript.

And while you're at it, deep-six the rest of that Web 2.0 crap.

Just not on my lawn, you crazy kids!

Y'know...

[Mr.+DOS]

...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.

It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.

      --- Mr. DOS

Re:Y'know...

The average user immediately presses 'accept' or 'ok' on any prompt that comes up when they open a file without reading the message or thinking about what it means. Adding this requirement is just annoying for users and does absolutely nothing.

What I would like to see is a way to deploy Reader to client PCs with JavaScript disabled through a configuration file or command line flag. It is not realistic to expect users to go to preferences and disable JavaScript on an application that is used to view documents.

Re:Y'know...

[denis-The-menace]

I'm told we can kill JavaScript because our "IntraNet" (cringes) uses PDFs with JavaScript!

Adobe could also implement Zones or something like it but that idea didn't work too well in IE.

If Adobe can put sound and videos in PDFs, why not security? They can't say it's because it would stops things from working, they already have DRM built-in to PDF.

Re:Y'know...

...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.

It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.

      --- Mr. DOS

It might as well BE on by default. I'm always getting prompted to enable macros in documents that *I CREATED* that aren't even supposed to HAVE macros in them. After a while, you just click "yes" because the message mostly doesn't mean anything any you have to get on with your work.

Re:Y'know...

Sounds like some of your standard template files (eg. normal.dot) have macros in them.

If you don't know what the macros are for and believe they should not exist, you should be clicking "no" and then getting back to work.

Can we always kill javascript?

[nine-times]

Sorry, I know I'm beating a dead horse and risking karma-whore status, but do we really need a scripting language in PDFs at all? I mean, yes, sorry, I know that there are probably people out there who need that, but I'd wager the gross majority don't.

What most of us need (or at least what I need) PDF for is to have a portable format that's open, widely supported, and can give me pixel-perfect output regardless of the platform or what fonts you have installed. I don't need scripting, flash, embedded movies, or anything else of the sort. Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app? Because I want to view PDFs, but I have no interest in the associated security risks or bloat from throwing the kitchen sink into PDF functionality.

Re:Can we always kill javascript?

[doi]

You mean like TEX?

Re:Can we always kill javascript?

[characterZer0]

Programatically clone a page to the end of the document.

Calculate and fill fields based on the value entered into other fields.

Update reference data from the web.

There are good uses.

Re:Can we always kill javascript?

[mcrbids]

Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app?

No, we can't.

Because it's an open format, if Adobe doesn't "innovate" on it and stay king-of-the-hill, they will lose market share to other products that will embed movies and such. Adobe has to continue to innovate or they risk losing their status as the big cheese, and they make lots of money with Acrobat professional.

Yeah, it sucks. I like PDFs to be... PDFs - print-ready documents. But as soon as there's a checkbox that says "embed videos into PDF documents" that somebody else has that Adobe Reader doesn't, Adobe is screwed, and they know that.

Of course, we won't talk about the checkbox that says "doesn't take a blue moon to load"...

Re:Can we always kill javascript?

[jeffb+(2.718)]

Oh, fine. Next you'll be telling me that you don't want moving parts in your books. Well, maybe you can explain to my little boy why Mr. Giraffe won't wake up when we open that page in Happy Fun at the Pop-Up Zoo!, or why Baby Roo won't peek out of Mama Roo's pouch any more.

Besides, we've already learned to skip the page with Mr. Angry Monkey.

Re:Can we always kill javascript?

[Lord+Ender]

No, actually, Adobe can't do that. If they want to deploy software to the masses, they need to either make it part of Reader or make it part of Flash. Anything else is bound to fail.

Re:Can we always kill javascript?

[colfer]

The US Postal Service click-n-ship requires you turn on that JS crap in Acrobat. Once you click "yes", Acrobat leaves it on unless you go disable it again, each time. Vendors like the USPS need to get a clue.

Re:Can we always kill javascript?

[avandesande]

All of these things seem pointless with 'always on' internet connectivity. Why not just go back to the provider for a new version?

These architectural considerations for reader are so 1999.

Re:Can we always kill javascript?

[iamhigh]

And there are far better solutions than a PDF *display* application to accommodate all of those. Have an application that does that and spits out the PDF. That was the point of the OP; we don't need Adobe to be a be-all-end-all for computer programming. We simply need it to display data.

Re:Can we always kill javascript?

[Chabil+Ha']

Well, it's only following an evolution in documents. Pretty soon, a document reader/creator becomes 'feature complete' in respect to fulfilling those functions, so firms start adding features that enable documents to become, in effect, working applications. End users find them to be terribly effective in what the want as far as functionality goes, but you get with it the standard fair of problems of layering a development environment on the foundations of something that was never intended to be that.

Re:Can we always kill javascript?

[smoker2]

Name those apps ....

Re:Can we always kill javascript?

[PhxBlue]

Programatically clone a page to the end of the document.

I'm not familiar with what you're talking about, here -- can you point me to an example? Also, when would you need to do this?

Calculate and fill fields based on the value entered into other fields.

PDF doesn't need to be a spreadsheet.

Update reference data from the web.

Seems like HTML/XML/Javascript would be a better solution to that, don't you think?

Re:Can we always kill javascript?

[icebike]

Does Mr Giraffe reach over and grab the phone and call the publisher each time you read the book, reporting your name and address each time it does?

Re:Can we always kill javascript?

[Anenome]

"Programatically clone a page to the end of the document."

Autopager
https://addons.mozilla.org/en-US/firefox/addon/4925
"Orgasmic."

Repagination
https://addons.mozilla.org/en-US/firefox/addon/2099
"Genius."

I use both in tandem. Repagination is more manual, Autopager is more automatic, both useful at different times. I assume this is what he's referring to anyway. I know there are some web pages that can do this without requiring a mod, like, oh say Slashdot! If you try the beta homepage and scroll to the bottom it will automatically add in the previous day's entries: http://slashdot.org/index2.pl

Re:Can we always kill javascript?

you mean like DVJU?

Re:Can we always kill javascript?

[TheRaven64]

Much as I like [La]TeX, using a format or document interchange that runs in a turing-complete interpreter with full access to my filesystem and the ability to run external commands doesn't seem like an improvement, security-wise, over PDF. DVI, maybe...

Re:Can we always kill javascript?

[RiotingPacifist]

These are good uses of javascript, but bad uses of pdfs!
Programatically clone a page to the end of the document. print these dynamic fields, so what advantage does using a pdf offer over a webpage (or if you cant get a webpage into a 1 file format then a small java applet seams better suited than a pdf)?
Update reference data from the web. - doesn't it make more sense to update your pdf?

Re:Can we always kill javascript?

The funny thing is, PDF is just a mangled version of postscript, which actually is a full-fledged programming language.

Re:Can we always kill javascript?

[Mister+Spikey]

I don't care about the karma etc. but really... not only is it not needed in PDFs, scripting of any kind should be off by default whatever browser you use. Can't set it off by default? Pick another browser that lets you do that. I will take the hassle of authorising every site I trust rather than ending up on one I don't that does something naughty. Non-tech people learn to use a browser, but generally without a clue to do with security. Make scripting an opt-in, combined with more education on what makes a trustworthy site, and eliminate the majority of script hijacks. Inconvenient? Yes. Welcome to Life 101.

Re:Can we always kill javascript?

[bcrowell]

Because it's an open format, if Adobe doesn't "innovate" on it and stay king-of-the-hill, they will lose market share to other products that will embed movies and such. Adobe has to continue to innovate or they risk losing their status as the big cheese, and they make lots of money with Acrobat professional.

Yep. They want flash, pdf, and AIR to be ubiquitous. This article shows their point of view: "What's wonderful for Adobe is, we are pretty much everywhere you look. [...] Just about every Web site uses Flash. Every tax form you download off the IRS is done in PDF. So it's OK if the average consumer does not know who Adobe is. We're almost like air." They want their suite of tools to be a ubiquitous consumer-level software tool like Windows, and they understand that if they're going to make money that way, they have to convince people that their tool is better than the free alternatives, just as MS has to convince people to desire Windows rather than Linux.

Adobe is very clever about making their formats and implementations open enough to get them widely adopted, while maintaining their market position via a combination of (a) the first-move advantage when they release new features, and (b) keeping certain aspects of their formats and implementations just proprietary enough to maintain the perception that the competition isn't as good. You see it with flash, where they've opened up a lot recently, but for most developers there is really no viable alternative to using Adobe's tools. You see it with pdf, where they sell people snake oil, e.g., convincing them that the DRM features are useful, even though they're trivial to circumvent.

One of the big things working in their favor is patents. E.g., flash supports mp3 but not ogg, which makes it difficult to make a legal, OSS toolchain for flash development, because the license for mp3 forbids distribution of encoders in large numbers without paying a royalty. Ditto for patented color management and patented video codecs. Any patented special sauce they can add to their apps makes it easier for them to differentiate themselves from the free competition.

Re:Can we always kill javascript?

PDF does not guarantee pixel-perfect output. See the PostScript operator setflat.

Re:Can we always kill javascript?

[shutdown+-p+now]

PDF doesn't need to be a spreadsheet.

Adobe pushes PDF for electronic forms, too, and there you often want that kind of automatic recalculation and validation.

To be honest, I never really understood the whole idea. If you want to make something that can be filled in using a computer, just make a web application for that. If you really need something fancy, then alright, let's have a rich client application for e-forms (see InfoPath). But why take a document format, the whole point of which is print fidelity, and stick forms on top of that? The sole purpose is so that the form can be printed out immediately after it's filled, but then why bother with filling on the computer in the first place?

Re:Can we always kill javascript?

[colinrichardday]

In Linux, alias latex to latex -no-shell-escape.

Re:Can we always kill javascript?

[Nikker]

The reason PDF is so accepted in business is that it is seen as a static resource / record of events. By throwing scripting in the mix the content becomes dynamic and can mislead someone who would compare the format to a paper copy. The idea of dynamic content is by no means a bad idea but confusing and even abandoning a static format makes it just a bit more difficult to rely on this form for archiving documents which is the whole reason business adopt it, it is only one file and shows the exact same thing every time and can be relied on to do that x years in the future (provided you have the reader)

Re:Can we always kill javascript?

Calculate and fill fields based on the value entered into other fields.

Seems that using mathxml would be a much more secure way to allow this.

Re:Can we always kill javascript?

These are not "good" uses for PDF. These are use cases for an application interface, which captures data which may eventually be rendered as PDF for archiving, offline-print, or user familiarity.

Adobe has excellent application interface technology. But it's not PDF.

Re:Can we always kill javascript?

[characterZer0]

PDF Forms for offline data entry, to be submitted later when online.

Re:Can we always kill javascript?

No -- but why did you think they skipped the page with Angry Monkey?

creeping featuritis

[wiggles]

Why the hell do we need javascript in a document reader in the first place? Acrobat is not a web browser, and I fail to see any situation that justifies a scripting language that has nothing to do with static documents. I suppose it could be useful for some fill-in forms, but that's about it.

Seems like a solution in search of a problem to me.

Re:creeping featuritis

[CastrTroy]

Not that I think we need JS in acrobat either, but I bet someone said the exact same thing as you when someone told them about the idea of putting Javascript in web browsers.

Re:creeping featuritis

[ChunderDownunder]

Exactly. This 'why would a PDF viewer ever need a JS interpreter?' is an over-reaction. If embedded Javascript enables PDFs to enhance the user's onscreen experience, I'm all for it. Interactive documents may mean fewer printed copies - save a tree! The facility breeds innovation. Even Emacs has a build-in scripting language!

Where Acrobat Reader has failed is to provide a robust sandbox. Java applets had this 13 years ago through a SecurityManager that defined what an applet could and could not do. Assuming this is not already the case, Acroforms/XFA should formalise what a PDF viewer can and cannot execute as part of the PDF specification. Then users can enable JS in Acrobat Reader and other viewers with confidence.

Ask not why PDFs should have scripting support but why Acrobat Reader does not rigidly sandbox the scripting environment.

Re:creeping featuritis

Forms use Javascript. Embedded content uses javascript.

Personally, I hate developing it, but there is a demand for PDF documents that are more than simple pamphlets. True, everything we develop for said customers could be handled with html, but having a single file you can email around is worth more to them than you'd think. It's easier for them this way; and the commenting features are actually pretty nice.

To sum up: there is a market for js in PDF. That is why it's there.

Why do PDF readers need Javascript?

[serutan]

Having never handled PDF documents except to read them, I wasn't even aware they could contain Javascript. I don't understand why they need to. Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

Re:Why do PDF readers need Javascript?

[Red+Flayer]

Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

That didn't sound so bad. Until I thought about stack overflow vulnerabilities.

Re:Why do PDF readers need Javascript?

[PotatoFarmer]

You'll be fine unless there's a buffer overflow. Though I suppose remote execution would be a problem if you're in the shower and some jackass decides to flush an output stream.

Re:Why do PDF readers need Javascript?

One reason for the Javascript is when making a pdf form. Although not perfect, you can do quite a lot if you know Java. I just started making forms for my users and love the scripting ability.

Re:Why do PDF readers need Javascript?

[RobBebop]

Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

Woah now! Don't let the cat out of the bag too early. Considering how far toilets have come over the century, you'll be happy with a little Javascript injection turning your toilet into a Spam Zombie.

Let's review:

1. Toilet 0.0: A bush. Possible attack vectors include bee stings and bear claws.
2. Toilet 1.0: A hole in the ground. Insects and burrowing creatures stung and bit you when you dug your hole to close to them.
3. Toilet 2.0: The community toilet. Walls give you privacy, but god awful smells make it painful to use.
4. Toilet 3.0: The Flush Toilet. Don't put too much in or it overflows.
5. Toilet 4.0: The Autoflush Toilet. Same as previous, but multiple flushes each time you try to wipe yourself.
6. Toilet 5.0: (coming soon) Internet Integrated Diagnostics Toilet. Javascript vulnerabilities and toxic Chinese workmanship.

Re:Why do PDF readers need Javascript?

Haven't you heard? JavaScript is the new email. The next step? JavaScript support in an email client written in JavaScript.

Re:Why do PDF readers need Javascript?

[b4dc0d3r]

Here at the office, we have auto-flushers.

They usually wait until you adjust a little and then power-flush a gallon of water in a bidet-like fountain, then when you leave spray you again. Inevitably, every toilet will be, shall we say, visibly un-flushed upon entering the rest room, so you have to pre-flush using the manual black button.

Now, despite the obvious bugs, it has to have some sort of logic in there. I was going to reply saying "no, you're an idiot", but in preparing my response I decided that with any faulty junk software, the answer is to fix it in the next layer, and if you don't have another layer add one. Web formats database output, JS fixes web output.... Adobe makes a portable document and makes it dynamic, far from permanent.

So my point is, unless every one of us speaks up at that meeting where your manager says the client has requested for us to implement JS in a toilet, and says we absolutely will not do it and will quit if required to do so, and actually follow through on that, it is inevitable.

And finally to summarize, it is inevitable.

Re:Why do PDF readers need Javascript?

Yo dawg, I heard you like JavaScript so I put a JavaScript in your JavaScript so you can be exploited while you be exploited!

Kill Adobe reader, not java script

[140Mandak262Jamuna]

Start using Foxit or some such pdf reader. Everybody and his brother wants to be a browser. Why the hell did Adobe add javascript and the ability to open internet connections and hypertext links inside a PDF reader?

Re:Kill Adobe reader, not java script

[itzfritz]

The problem is that none of the other commercial readers work as well as Adobe's. Of the three (IMO) main required features of a commercial pdf app (pdf create/edit; in-browser viewing; virtual pdf printer), only Adobe does all three of them well. I am currently using Foxit for the first two, and PDFCreator for the third, and I am not pleased.

Re:Kill Adobe reader, not java script

[keeegan]

Not much better than pdfcreator, but we use this at my work: http://www.primopdf.com/

Re:Kill Adobe reader, not java script

[Thaelon]

Sumatra is to Foxit what Foxit is to Adobe Acrobat Reader.

Re:Kill Adobe reader, not java script

[simp]

Sumatra is a bit too lightweight. The version I tried did not remember the window size and position in between sessions and had some weird problems with the search box.

But the general idea is very good. It just needs that little bit more polishing of the rough edges.

Re:Kill Adobe reader, not java script

[VeNoM0619]

Hate to tell you, but FoxIT has Javascript on by default.

Edit, Preferences, "Enable JavaScript Actions" is checked by Default.

And yes, this is default, because I just installed the software today to verify the many claims about "just install FoxIT" with no other information.

Re:Kill Adobe reader, not java script

Why the hell did Adobe add javascript and the ability to open internet connections and hypertext links inside a PDF reader?

Forms.

Re:Kill Adobe reader, not java script

But it's very unlikely to have that very same javascript bug.

Re:Disabling Javascript is standard

[OverlordQ]

And yet another person misses the point. It's not talking about JavaScript in your browser, it's talking about JavaScript in the Reader software. I guess it's a given that somebody with the uid of 317 didn't RTFA ;)

JavaScript?

[owlstead]

We don't need JavaScript in a PDF viewer, at least not for normal purposes. The problem is that Adobe keeps putting additional functionality in the reader. Functionality that I don't need 99% of the time. It's hard enough to create a secure document viewer thats able to do font rendering and vector graphics and such. Lets focus on that and use another viewer for forms and such. Heck, create a PDF viewer first where I can normally select and copy text.

BTW, this is how I currently use PDF documents. I use a small PDF viewer that does almost nothing but show/zoom and select for documents from the internet. I turn to Adobe if and only if I receive complicated PDF's from a known source. Oh, and OpenOffice writer if I want to make my own simple PDF's or when I make comments on a document/webpage or PDF.

Re:JavaScript?

If the PDF doesn't have selectable text, it was created as an image, and not an actual text based document. Using pdfwriter as opposed to distiller causes this issue.

Re:Disabling Javascript is standard

[Burkin]

I'd have thought most people who post here would be savvy enough to have NoScript installed.

They are talking about disabling JavaScript in Adobe Reader, not in your web browser.

Okular instead

[CajunArson]

Okular rocks, and it apparently can run on Windows as well.
My only feature upgrade request would be to have the underlying PDF engine allow for saving of annotations back to the PDF files... I want a digital highlighter pen.

Re:Okular instead

[Lemming+Mark]

My experience of Okular (and its predecessor, kpdf) is that it's quite fast to render, much faster to start than Adobe's own readers typically are, integrates nicely with my desktop (tbf I'm using KDE so you'd expect it to). My work involves reading a lot of PDF's, so Okular is a KDE4 killer app. As a result I've not installed Adobe's reader on this machine in ages. If I used Windows / Mac more I'd definitely want it on those platforms too!

Mac?

[dingen]

There's an Adobe PDF reader for the Mac? Seriously? Who on Earth would install that monster on a platform with native PDF-support?

Re:Mac?

[Mr.+DOS]

I'd guess, the same type who find Adobe Reader on Linux/Gnome useful, i.e., masochists, sadist IT guys, and IT guys who don't know any better. Oh, and those who need to need to fill out forms in PDF's.

      --- Mr. DOS

Re:Mac?

[dingen]

Mac OS X's Preview.app handles forms in PDF's just fine.

Re:Mac?

[thanasakis]

If you are using the built in reader that comes with gnome, shouldn't you by the same token be judged as masochist?

I mean, I would be really HAPPY! if it worked right, but problem is that it is full of rendering bugs and memory leaks.

I had to reluctantly install Acrobat from medibuntu after running into several PDFs which had serious problems.

   

Re:Mac?

[petermgreen]

my pet peeve with that reader is it's handling of pdf "bookmarks". In large pdf datasheets (think say a pic datasheet) the "bookmarks" in the pdf are the main method of navigation,

Most such datasheets have a flag set that makes acrobat display the bookmarks panel as soon as the pdf is opened. If they don't have the flag set it's just one menu entry away and if I really want I can set the flag myself with jpdftweak.

OTOH in the gnome viewer I have to manually open the panel and then switch it to showing bookmarks.

Re:Mac?

Do you run Apple Mac OS X on a machine with a redundant RAID disk array?

Re:Mac?

There's an Adobe PDF reader for the Mac? Seriously? Who on Earth would install that monster on a platform with native PDF-support?

Only Adobe Reader can read all the annotations made from the Adobe suite. And it has a diagnostic tool to see what fonts are embedded in the document, which is necessary for submissions in scientific journals. But for everyday, I use Skim which is a very powerful pdf reader which use the native pdf support from Mac OS X.

Adobe Reader has more holes that swiss cheese

[Manip]

Adobe seriously needs to get its act together. Adobe Reader is in the top 5 most exploited applications and we have a new "highly serious" bug getting released every month or so.

It is slow, it is huge, and it is full of bugs... And it is entirely unjustified for an application designed to read a single file format!

Re:Adobe Reader has more holes that swiss cheese

[keeegan]

Especially since its designed by a company of designers designing software for other designers.

Re:Adobe Reader has more holes that swiss cheese

[Anenome]

Hey, isn't this a golden, golden opportunity for the open source community? Here you've got the industry leader droppin' it like it's hot, time to pickup the ball. Chop, chop! How hard could it be to code a bare-bones PDF reader (asks the nonprogrammer)?

The only features I have to have are the various view options, the ability to fullscreen it, and the fact that it saves my position in the document between views (and actually, the adobe reader sucks at this because it only saves upon closing, so if your system crashes it is not saved, it should save at interval). Someone mentioned the ability to highlight and annotate the text, that would be nice.

Re:Adobe Reader has more holes that swiss cheese

[Spit]

The default on Ubuntu is evince, which does all that.

Re:Adobe Reader has more holes that swiss cheese

[perryizgr8]

okular
nuff said

Re:Disabling Javascript is standard

[RobBebop]

Quite so... I didn't even realize that PDF's could run Java scripts...

But now I've got a new hoop to jump through when I update a new computer:

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the âEnable Acrobat JavaScriptâ(TM) option
5. Click OK

Simple as that!

Re:Disabling Javascript is standard

[Etherized]

This issue is in Acrobat's own javascript implementation. Acrobat itself runs javascript code that's embedded in PDFs, so the browser doesn't have anything to do with it.

Noscript will do nothing to help you here, and your post brings to mind the old adage - a false sense of security can be worse than no security at all.

This is a Zero-Day?

[mmkkbb]

I've had Adobe Reader 9.1 installed for a few weeks. What gives?

Re:This is a Zero-Day?

[Red+Flayer]

Perhaps you are confused as to what a zero-day exploit is. It means there were exploits in the wild prior to Adobe being aware of the vulnerability.

Re:This is a Zero-Day?

[mmkkbb]

Indeed I am (or was).

Xpdf.

'Nuff said.

PDF Forms under Linux

[mysteryvortex]

I needed to fill out a PDF form, (was not allowed to do it by hand) but couldn't find anything under Linux besides acrobat which would do this. I tried xpdf, evince, and GhostView. Google was of no help. I had to resort to actual Acrobat (not on my computer) which at the time had *unpatched* vulnerabilities! Any alternatives would be welcome.

Re:PDF Forms under Linux

Try again. Recent versions of evince allow you to enter data in fill out forms. I have been told ocular does this as well, but haven't personally tried it.

Re:PDF Forms under Linux

Okular can do PDF forms. I used it to fill out my state income tax form. It uses Qt widgets for the text boxes, but it works.

Re:PDF Forms under Linux

[CajunArson]

Okular allows for you to fill in forms, and even save the form data in the PDF itself, putting it one step ahead of the free Adobe reader.

Re:PDF Forms under Linux

[zippthorne]

You can fill them in, but you'll have to print them. You can't use it to submit forms.

Disabling Javascript won't mitigate the risk still

[biddly718]

According to Secunia disabling Javascript does not mitigate the risk. Old news? http://secunia.com/blog/44/

Re:Disabling Javascript is standard

[colfer]

Any document that wants JS will prompt you, and if you breeze by with a "yes", then JS is now on for all documents, until you go disable it again. If you say "no", then your document may not even open. PDF's are great for so many things, scale wonderfully, etc. This feature bloat just ruins it.

Acrobat has had buffer-overflow vulnerabilities in even with JS turned off, due to some nonsense about Windows prefetching the meta info or something.

Incessant Acrobat JavaScript nagging

[Allen+Varney]

It's fine that Adobe recommends disabling JavaScript in Acrobat, but it would be nice if, once you disable JavaScript, Acrobat didn't thereupon constantly nag you to re-enable it "from now on for all documents" every time you open a .PDF. "It looks like you've disabled JavaScript! Can we please turn it back on forever, you poor ignorant dimwitted user you?"

Re:Incessant Acrobat JavaScript nagging

[nevesis]

My life story.

If you can find a way to disable this - please reply.

Re:Disabling Javascript is standard

[DiegoBravo]

> and if you breeze by with a "yes"

Not to disagree with you, but ... did you ever see any "standard user" answering "NO" when a popup appears implying that a "YES" is just needed to do the intended work? "What the hell could be that f**k javascript thing? I just want to read the damn document"....

disabling js will not save you

[Deanalator]

Check out the stuff Immunity is selling.
http://www.immunityinc.com/ceu-index.shtml

They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.

Also notice that immunity also has exploits for things like foxit reader, so switching your favorite pdf reader every week isn't going to save you either.

The main problem here is that parsing pdf is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web based solution to view pdfs until adobe creates a lighter, more secure version of reader that contains nothing but the necessary plug-ins.

Sumatra

[Tubal-Cain]

To provide a break from all the Foxit endorsements: Sumatra is open source, works well and is smaller than Foxit. Also, it is a stand-alone executable, not an installer. Now I just need to figure out how to set Continuous scrolling as default...

Re:Sumatra

SumatraPDF is not exactly free from bugs, however.

SumatraPDF <= 0.9.3 Heap Overflow PoC

http://seclists.org/fulldisclosure/2009/Apr/0257.html

Re:Sumatra

Now I just need to figure out how to set Continuous scrolling as default...

Not quite obvious: Sumatra's defaults are changed by opening Sumatra without any document and then configuring it to your preferences.

Re:Sumatra

[PremiumCarrion]

It also remembers the last page you were looking at on a PDF, which is awesome for reading ebooks.
IMO this is its killer feature, because AFAIK neither adobe nor foxit [can] do this

Re:Sumatra

[Opyros]

There appears to be a file named sumatrapdfprefs.dat in the same directory as the executable; despite the extension, it's an ASCII text file and can be directly edited.

Re:Sumatra

[master811]

Also, it is a stand-alone executable, not an installer.

So is Foxit (if you get the zipped version).

Re:Disabling Javascript is standard

[Fnord666]

But now I've got a new hoop to jump through when I update a new computer:

Here is a link to an article discussing the registry keys needed to turn off javascript in Reader. Scripting this should help automate your new machine build without any added human intervention.

Already ran into this...

Fortunately Avira caught the trojan (first time this piece of shit reported something that wasn't a false positive). But I was on a site and, I think it came in through one of the advertisement banners, but suddenly I notice my web browser stopped temporarily and the system slowed down a bit. I noticed AcroRd32.exe had spawned in the processes list. About 30 seconds later it finds TR/Crypt.XPACK.Gen [trojan] in C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\DCF18OEB\xrun[1].tmp and C:\WINDOWS\system32\rn.tmp. At least I fucking hope the trojan was blocked, if it already wrote a .tmp file to system32 I'd hate to think something got installed that slipped past the AV's notice.

But yeah, this definitely came through a .PDF file that somehow piggybacked on a web banner because there was some randomly-named pdf file in Acrobat Reader's file history list when I checked. I promptly disabled JavaScript and disabled the Acrobat Reader plugin. But, you know, why did Firefox allow a web banner to run a .pdf file? Isn't this browser supposed to be secure? I'm using FireFox because I got sick of Internet Explorer pulling this exact same shit on me -- letting rogue sites run whatever code they wish on my computer. So I'm going to be looking for a new browser but I have a feeling all of them, even Opera and Chrome and whatever, they all are probably badly written like this.

The virus information sites don't really say much what this specific trojan does. Is it a key logger?

Re:Already ran into this...

[virtual_mps]

when you installed the reader plugin you told the browser to transparently display any pdf content. Hint: if you don't install the plugin you'll get prompted about what to do with pdfs (save/open/etc). I recommend not installing the reader plugin.

One amusing aspect of this is....

The USPTO requires that you use Acrobat reader to fill out forms for patent filing. Those forms all require javascript. No javascript, and you cannot file. They are typically 1-2 months behind allowing updated "secure" versions of Acrobat to file, compounding the issue. Patent IP firms can find themselves vulnerable for 2 tiems the nessesary amount of time. uspto link

I 3 OO.o + Foxit

[tunapez]

That is all.

Re:I (Heart) OO.o + Foxit

[tunapez]

OOps, the cone fell off my heart... I loooooove OO.o + Foxit

Precisely why I use Preview on OSX

[rinoid]

I never launch Acrobat Reader, and only rarely Acrobat Professional thanks to the simplicity and speed of Preview.app.

I remove the acrobat plug-in (manually from /Library/Internet Plug-Ins/ since Adobe BORKED their installers to a complete nightmare level) -- I'd just as soon download the PDF or view it in window if I'm in a webkit browser.

Finally, all PDFs are associated with Preview and not Acrobat.

Re:Precisely why I use Preview on OSX

[smash]

Whilst that's fair enough, it just leaves you open to Apple's programmer laziness, not Adobe's. Don't take this as trashing Apple/Macs (I have a mini myself) - ALL programmers are lazy. The laziness is a driving force to make them automate things... :D

Windows/Microsoft got bitten in a major way by a preview-thumbnail bug in explorer a few years back, don't think apple are somehow magically immune...

Having said all that, if the previewer has no javacsript support, its probably a heap more secure than Adobe reader...

Executable...

[GenP]

So, uh, why are documents executable in the first place?

Re:Executable...

[smash]

^^ this. I had no idea recent versions (or even old ones) of adobe reader even had javascript. Why?

Its considered by most people to be a static document format, leave interactivity to HTML or other formats.

Re:Disabling Javascript is standard

I don't have a JavaScript Category.
What version did they put that in?

Looking at it logically

[Gilmoure]

Ok, how does Acrobat/PDF thing impact the finding, downloading, and viewing of porn? Not all? Then why use it?

I purpose a new term

[cyberfunkr]

"Negative-One-Day Exploit"

Used to refer to exploits that have existed in the wild for a long time, known to be a easy access point for exploits by consumers, but have only just been announced as a critical threat by the application owners.

As in, "Javascript in a PDF file? That's a negative-one-day exploit just waiting for a press release."

Security solution is ... already applied

"[Adobe] Says Kill JavaScript"

Duh! It shouldn't be on by default in the first place, and I long ago started disabling whenever I installed Adobe Reader.

What's good for a browser on the web is good for any kind of off-line document reader that commonly views untrusted documents pulled from the web. This whole thing is Word "macro viruses" all over again.

Re:Disabling Javascript is standard

[Anenome]

Here's a question: when is someone going to fix Javascript?

Why is it that we all have mods to block it on our browser. We have to disable it in our PDF readers. Why is no one complaining to the developers of javascript about this? Have we just given up the problem as intractable?

Some Adobe Use Javascript for Enterprise Forms

[IgnacioB]

And not only is turning off Javascript a broken record....it breaks part of their own product! Those that pay large amounts for their LiveCycle product to do forms will kill their own application as a result. Turning off javascript ONLY works for those that use PDF to view documents only. And Adobe's the 800 rude gorilla of the market. While Foxit is interesting it's not an Enterprise class product.

Mod parent up

I'm confronted by this wonderful idiotmessage twenty to thirty times a day as I'm forced to deal with PDFs in my job. It is the most annoying aspect of my working life really, and considering my useless job that says a lot.

Obligatory

[NoobixCube]

Im on ur drive... eatin ur sectorz! om nom nom.

Adobe dev checks in?

One reason for the Javascript is when making a pdf form. Although not perfect, you can do quite a lot if you know Java. I just started making forms for my users and love the scripting ability.

Painful Dubya-style 4th grade-level grammar aside, you don't even appear to know that Java is to JavaScript as a construction company is to construction paper. It's a good thing that you posted anonymously - you dodged an embarrassment bullet there.

Re:Disabling Javascript won't mitigate the risk st

[Wiz]

This is for the previous Reader vulnerability. The new one is very much in the Javascript functions:

http://www.securityfocus.com/bid/34736

No big deal

[surfingmarmot]

I just opened up Adobe Reader on my Desktop Mac and disabled Javascript in the preferences...

And then I just opened up Adobe Reader on my laptop Mac and disabled Javascript in the preferences...

And then I just opened up Adobe Reader on my stand-alone PC and disabled Javascript in the preferences...

And then I just opened up Adobe Reader on my XP Pro Parallels VM on my desktop Mac and disabled Javascript in the preferences...

And then I just opened up Adobe Reader on my VIsta Home Pro 64-bit Parallels VM on my desktop Mac and disabled Javascript in the preferences...

And then I remembered all my VM snapshots and my Mac TIme machine backups that would need to be changed if I ever used them..

OMFG! Why didn't they just disable such bloat as the default? Stupid is as stupid does.

Re:No big deal

[perryizgr8]

surely you have noone else to blame but yourself for this predicament. don't blame poor innocent adobe if you have so many (virtual) pcs.

SumatraPDF - A Viewer That Doesn't Suck

Very true. Since you didn't provide more info (and the program is excellent), here's the good stuff: SumatraPDF is a really good value considering the tiny footprint (a measly 1.2 MB installer, same size installed.) No way to run JS, so you're perfectly safe from any attacks that have something to do with PDF scripting vulnerabilities. Memory footprint, startup and performance are as good as you'd expect for this size, and you can't possibly call it "bloated" in terms of interface by any measure. For those of us that do LaTeX, this is *the* PDF viewer of choice when working. On the bad side, it's Windows-only (never tried to run it under Linux, but there you have much more to choose from, so no issue really). Rendering is also somewhat suboptimal compared to Adobe (in terms of antialiasing), but some images look actually better than in Reader. The website might also use some work, especially changing the obnoxious yellow, but maybe it's just me.

It even outdoes the magnificent [see post]

[jonaskoelker]

221 Megabytes! For a document reader!?

Hey! It's not just a document reader!

It also has M-x tetris.

Foxit, my flassy ash!

[mnemotronic]

The website for the Foxit program, mentioned by several posters as an alternative to Reader, has, right on the home page, Flash! the best thing ever!

Thats why you get opensource

Line self explanatory

DVI?

[colinrichardday]

DVI?

Re:DVI?

[nine-times]

Does it support embedding pictures and fonts? How widely is it supported? How many people have DVI readers already installed on their computers?

These are honest questions I don't know the answer to. I don't believe I have anything that will view DVI files installed on any of my computers, but I know for a fact that I have PDF viewers installed on all of my computers, because they even come in the default installation of OSX and Ubuntu.

Re:DVI?

[poopdeville]

DVI died the day pdflatex became available. DVI was Knuth's device independent document format for TeX. I think it found some other uses, but PDFs are better all around.

Re:DVI?

[colinrichardday]

Does it support embedding pictures and fonts? How widely is it supported? How many people have DVI readers already installed on their computers?

DVI does not support jpeg or png images (I don't know about fonts). It does support pstricks, a powerful (but complicated) scalable-vector graphics package. It's similar in capacity to SVG, but doesn't support animation, though it has a nicer way of plotting functions.

You should have TeX/LaTeX and related packages in Ubuntu. Try "which xdvi" on a command line. There are versions available for Mac and Windows as well, but few users have them preinstalled. I will point that few Windows users have a pdf viewer preinstalled, and must download one themselves.

If one wants to send editable documents, one can .tex files, but one can place a shell escape in such files.

What about the browser plugin?

[kiddailey]

I'm curious. What about the Adobe Acrobat browser plugin that is installed with the reader? Doesn't it also support the same embedded JavaScript? I haven't yet found any clarification on this, but I am inclined to assume that it does.

If it does, it'd be trivial to use "hidden" embedded PDFs in a web page as an attack vector. And if the plugin doesn't share preferences with the stand-alone reader, turning it off in the reader won't do much good.

Does anyone know?

PDF Converter

You should consider - http://www.nuance.com/pdfconverter/

Re:Disabling Javascript is standard

[koiransuklaa]

It's not a js bug, it's a bug in Adobe code that can be exploited because they've included a scripting language.

In my opinion javascript is a nice, flexible Java-like language that has gotten a really bad reputation to very little fault of its own. If you really think there is something we need to fix in javascript especially, maybe you should be more specific?

That's Adobe for you...

[tekshogun]

Users should be ditching acrobat reader anyway. The program is horribly slow, laiden with bugs and vulnerabilities, and has the worse method of updating. Off the internet, I think Adobe Reader and Acrobat are great but for viewing PDF's online, bad idea. Find yourselves another reader to use and if you need Acrobat only to author PDF files, get something free. Plenty of free PDF writers out there.

Gone with Reader 9: JavaScript nagging

[schoett]

This nag message is gone since Acrobat Reader 9 (IIRC)

www.pdfreaders.org

[H4x0r+Jim+Duggan]

...or just get a PDF reader that's free software.

try FoxIt Reader

[pascal.ch]

http://www.foxitsoftware.com/pdf/reader/ much leaner and snappier than Acrobat

Re:Disabling Javascript is standard

[Nick+Ives]

Indeed, I honestly had no idea that PDFs ran JS! Why is JS needed for PDFs anyway? I remember when PDF was just a glorified (already executed and semi-rendered) PostScript replacement...