Slashdot Mirror


Adobe Confirms PDF Zero-Day, Says Kill JavaScript

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"

3 of 211 comments (clear)

  1. Y'know... by Mr.+DOS · · Score: 5, Insightful

    ...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.

    It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.

          --- Mr. DOS

  2. Re:Inevitable post recommending Foxit Reader by nine-times · · Score: 5, Insightful

    I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.

    Set up formatting and layout for your document in a way that should display the same way when you move transfer the file to another computer, and have it also look the same when you print it out. I mean, that's really what PDF is for, and it's very good for that purpose. Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.

    PDF is given a bad name by the slow, bloated application that most people view them on (Adobe Reader). It's not really ideal to treat them like web pages, but most of the dread you feel when you have to click on a link to a PDF is really more the fault of the reader than the format. If you have a good PDF viewer, they aren't slow to load and won't crash your browser.

  3. Re:Can we always kill javascript? by iamhigh · · Score: 5, Insightful

    And there are far better solutions than a PDF *display* application to accommodate all of those. Have an application that does that and spits out the PDF. That was the point of the OP; we don't need Adobe to be a be-all-end-all for computer programming. We simply need it to display data.

    --
    No comprende? Let me type that a little slower for you...