Slashdot Mirror


Adobe Confirms PDF Zero-Day, Says Kill JavaScript

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A 'Bugtraq ID,' or BID number, has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"

4 of 211 comments

  1. Re:Can we always kill javascript? by characterZer0 · Score: 4, Interesting

    Programmatically clone a page to the end of the document.

    Calculate and fill fields based on the value entered into other fields.

    Update reference data from the web.

    There are good uses.

    --
    Go green: turn off your refrigerator.
  2. Re:Ditch Acrobat... by wiredlogic · Score: 5, Interesting

    For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on the web.

    Which is ironic since PDF was originally designed to be a reduced, non-Turing-complete version of PostScript partly for the safety of a restricted interpreter.

    --
    I am becoming gerund, destroyer of verbs.
  3. Incessant Acrobat JavaScript nagging by Allen Varney · Score: 4, Interesting

    It's fine that Adobe recommends disabling JavaScript in Acrobat, but it would be nice if, once you disable JavaScript, Acrobat didn't thereupon constantly nag you to re-enable it "from now on for all documents" every time you open a .PDF. "It looks like you've disabled JavaScript! Can we please turn it back on forever, you poor ignorant dimwitted user you?"

  4. Re:Ditch Acrobat... by Skuld-Chan · Score: 4, Interesting

    For most people there is no difference, but if you are working with livecycle forms online (which some public sites use) nothing but Adobe Reader will work with those.

    If you use PostScript passthrough - I don't know of any apps outside of Adobe that support this.

    If you use annotations (3d objects, comments/notes, multimedia, videos etc) - most other readers don't support this - or if they do they only support notes/comments.

    If you need to deploy a pdf viewer to a couple thousand machines - I'm not aware of any that have an installer for automating this - Adobe Reader does however.

    So it's not for everyone, but speaking from experience it is for a lot of people and a lot of big enterprises.

    That said - Foxit is probably the most feature-complete PDF viewer outside of stuff from Adobe, however it would be generous of me to say that it supports 1/10th of the PDF features Adobe Reader supports.