Slashdot Mirror


Adobe Warns of Reader, Acrobat Attack

itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."
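A triage check to go with the work-around in the summary above, as an added example that is not part of the original story or its comments: it flags PDF files that carry JavaScript actions before anyone opens them. The function names and the two sample byte strings are constructed for illustration, and the check reads raw bytes only, so it does not decompress streams.

```python
import re

# A PDF name is "/" plus regular characters; any byte may be written as #xx,
# so /J#61vaScript and /JavaScript are the same name.
_NAME = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

SCRIPT_KEYS = {b"JS", b"JavaScript"}   # names that mark a JavaScript action
AUTO_KEYS = {b"OpenAction", b"AA"}     # actions triggered without a click
OPAQUE_KEYS = {b"ObjStm"}              # compressed object streams hide names

def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes in a PDF name token."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def triage_pdf(data: bytes) -> dict:
    """Count script-related names in raw PDF bytes (heuristic, no decompression)."""
    watched = SCRIPT_KEYS | AUTO_KEYS | OPAQUE_KEYS
    counts = {}
    for m in _NAME.finditer(data):
        name = decode_name(m.group(1))
        if name in watched:
            key = name.decode("ascii")
            counts[key] = counts.get(key, 0) + 1
    has_script = any(k.decode() in counts for k in SCRIPT_KEYS)
    auto = any(k.decode() in counts for k in AUTO_KEYS)
    return {
        "counts": counts,
        "has_script": has_script,
        # Heuristic: script is present and some action fires automatically.
        "runs_on_open": has_script and auto,
        # True means names may sit inside compressed streams: not proven clean.
        "needs_deeper_parse": "ObjStm" in counts,
    }

# Constructed samples (not real documents): a plain catalog, and one that
# launches a hex-escaped JavaScript action when the file is opened.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_SCRIPTED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert\\(1\\);) >>\nendobj\n"
)

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("scripted", SAMPLE_SCRIPTED)):
        print(label, triage_pdf(blob))
```

A hit is a reason to quarantine or inspect the file, not proof of an exploit, and byte patterns inside binary streams can produce false positives.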

5 of 195 comments

  1. Don't cross streams by Gothmolly · Score: 3, Insightful

    Separate your programs from your data, and your documents from your interactive media.

    --
    I want to delete my account but Slashdot doesn't allow it.
  2. Re:Really... by Monkeedude1212 · Score: 3, Insightful

    To send an email after filling out a form and clicking submit in a PDF.

    Honestly - It's not really like the Adobe reader has the vulnerability, it's just JavaScript in general. I mean it's not great that the reader will execute the code just by opening the file - but now that you know it does that, is it really the reader's fault? Isn't the user executing the code as if he were clicking a button now?

  3. Re:Look at the Acrobat Reader credits. by Dunbal · Score: 3, Insightful

    If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.

          Yes because it's ok to buy something and not to bother making sure you're getting your money's worth.

          Responsibility lies with management for not implementing some sort of quality control - ESPECIALLY when dealing with offshore outfits. It's called due diligence. But since a lot of managers only care about their paycheck and not the brand's reputation, etc., well, this crap happens. If the board are too busy figuring out how much to pay themselves on top of that, well, that's the corporate world in a nutshell.

    --
    Seven puppies were harmed during the making of this post.
  4. Re:Really... by kbielefe · Score: 3, Insightful

    Not that I don't trust myself, but this is really not the time to solicit javascript-enabled pdfs from strangers.

    --
    This space intentionally left blank.
  5. Re:Anyone still has JavaScript enabled? by jasonwc · Score: 5, Insightful

    Somewhat ironic, isn't it? If you want to use Adobe's security features (digital signing/encryption) and 3rd party software to achieve SOX compliance - you must accept security vulnerabilities from Acrobat/Reader itself.