Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Confirms PDF Zero-Day, Says Kill JavaScript

Posted by timothy on from the kpdf-has-better-panning-anyhow dept.

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"

4 of 211 comments (clear)

  1. Re:Inevitable post recommending Foxit Reader by Rude+Turnip · · Score: 5, Informative

    The printing industry is heavily dependent upon PDF files in their workflow. PDF attachment via email has basically replaced the fax machine in any professional industry. The format offers everyone a standard format that will look exactly the same everywhere. And, I can create a single PDF from multiple source documents (spreadsheets & word processor docs).

    --
    Bill Clinton: Pimp we can believe in. - The Shirt!!!
  2. disabling js will not save you by Deanalator · · Score: 5, Informative

    Check out the stuff Immunity is selling.
    http://www.immunityinc.com/ceu-index.shtml

    They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.

    Also notice that immunity also has exploits for things like foxit reader, so switching your favorite pdf reader every week isn't going to save you either.

    The main problem here is that parsing pdf is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web based solution to view pdfs until adobe creates a lighter, more secure version of reader that contains nothing but the necessary plug-ins.

  3. Sumatra by Tubal-Cain · · Score: 5, Informative

    To provide a break from all the Foxit endorsements: Sumatra is open source, works well and is smaller than Foxit. Also, it is a stand-alone executable, not an installer. Now I just need to figure out how to set Continuous scrolling as default...

  4. Re:Kill Adobe reader, not java script by VeNoM0619 · · Score: 5, Informative

    Hate to tell you, but FoxIT has Javascript on by default.

    Edit, Preferences, "Enable JavaScript Actions" is checked by Default.

    And yes, this is default, because I just installed the software today to verify the many claims about "just install FoxIT" with no other information.

    --
    Disclaimer: I am not god.
    We may not be created equal
    But we can be treated equal.