Adobe Warns of Reader, Acrobat Attack
itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."
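Shadowserver's workaround is to disable JavaScript in Reader; the complementary defender-side check is to find out which incoming PDFs actually carry JavaScript or an auto-run action before they reach a viewer. The following scanner is an added example, not code from Adobe, Shadowserver or the original submission; it scans raw PDF bytes for the /JavaScript, /JS, /OpenAction and /AA name objects, normalising the #xx hex escapes PDF names allow, and runs over a constructed, harmless sample document.

```python
import re
from typing import Dict, List

# Names that make a viewer execute JavaScript, and names that run an action
# automatically (on open, or on a page/annotation event) without a click.
SCRIPT_NAMES = {"/JavaScript", "/JS"}
TRIGGER_NAMES = {"/OpenAction", "/AA"}

# A PDF name token: a slash followed by characters up to the next delimiter.
_NAME_RE = re.compile(rb"/[^\s/<>\[\]()]+")


def _decode_name(raw: bytes) -> str:
    # PDF names may hex-escape characters (/J#61vaScript == /JavaScript),
    # so decode the escapes before comparing against the watch lists.
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes.fromhex(m.group(1).decode()), raw)
    return decoded.decode("latin-1")


def scan_pdf_bytes(data: bytes) -> Dict[str, List[str]]:
    """Report which script and auto-run names occur in the raw PDF bytes.

    Caveat: names inside /FlateDecode (or otherwise encoded) object streams are
    not visible until the streams are inflated; this example does not do that.
    """
    found: Dict[str, List[str]] = {"script": [], "trigger": []}
    for match in _NAME_RE.finditer(data):
        name = _decode_name(match.group(0))
        if name in SCRIPT_NAMES and name not in found["script"]:
            found["script"].append(name)
        elif name in TRIGGER_NAMES and name not in found["trigger"]:
            found["trigger"].append(name)
    return found


def needs_review(data: bytes) -> bool:
    """True when the document carries JavaScript at all (the case Reader prompts for)."""
    return bool(scan_pdf_bytes(data)["script"])


# Constructed sample: a minimal PDF whose /OpenAction points at an escaped
# /JavaScript action that only raises an alert box. Not a real-world document.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(scan_pdf_bytes(SAMPLE_PDF), needs_review(CLEAN_PDF))
```

A document that reports both a script name and a trigger name is the one that would run code on open rather than after a user action, so it deserves the first look.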
Why on earth do you need JavaScript in a PDF?
Separate your programs from your data, and your documents from your interactive media.
I want to delete my account but Slashdot doesn't allow it.
or Here
Both are good places to start. You can end at the other.
Although Foxit has added the Ass - err, Ask toolbar, which sucks. Fortunately you can decline the toolbar's terms, and it won't install (but Foxit will still install).
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.
Yes because it's ok to buy something and not to bother making sure you're getting your money's worth.
Responsibility lies with management for not implementing some sort of quality control - ESPECIALLY when dealing with offshore outfits. It's called due diligence. But since a lot of managers only care about their paycheck and not the brand's reputation, etc., well, this crap happens. If the board are too busy figuring out how much to pay themselves on top of that, well, that's the corporate world in a nutshell.
Seven puppies were harmed during the making of this post.
What bothers me about this is that once it's disabled it just prompts you to enable it once it senses a JS PDF. The end user, if he or she has rights (and they do at home), just clicks another OK box instead of being forced to go into preferences and turn it back on. Once that's clicked it runs the JS and the exploit. It's ridiculous it's even on by default, let alone this UI stupidity.
The next version of Acrobat should just have it off by default. Force people to turn it on. Chances are 99.9% of users have no legitimate reason for a JS PDF.
And then someone who is paying you money sends you a PDF and expects you to make comments using Adobe's proprietary comment system.
Nerd rage is the funniest rage.
We tested turning it off. It broke some important applications that use Reader as part of a workflow. There isn't any money in the foreseeable future to replace/rewrite these applications, so JavaScript is still on in Reader. This type of stuff is also what keeps us from going to alternate PDF readers. That plus the ability to digitally sign and several other things. Often (unfortunately) large companies find ways to use these things that make use of features that home users or smaller businesses find useless or bloat, etc. Heck, even our SOX compliance app uses this, and it also breaks with JavaScript off.
Somewhat ironic, isn't it? If you want to use Adobe's security features (digital signing/encryption) and third-party software to achieve SOX compliance, you must accept security vulnerabilities from Acrobat/Reader itself.