Slashdot Mirror


Adobe Warns of Reader, Acrobat Attack

itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."

7 of 195 comments (clear)

  1. Why javascript in a pdf reader? by 140Mandak262Jamuna · · Score: 3, Interesting

    It is high time people stop using any pdf reader that uses javascript or opens external links or does anything other than simply render the document on screen. Editable pdf, where one can fill in the fields etc must be a separate application, not plugged into the browser. I feel safe with NoScript controlling FireFox. Hope someone comes up with a good general purpose sandboxer that will sandbox every plug-in.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Why javascript in a pdf reader? by StuartHankins · · Score: 3, Interesting
      The companies which require this functionality have already decided to use the market leader's product. Since you have absolutely no way of convincing them all to switch to something else, perhaps you should be the one to look for alternative solutions.

      You had a niche application, WYSISWYPrint. Try to compete with the swift, quick to load, quick to render competition or you will be lost in the netherworld between browsers and pdf renderers.

      If anything, the PDF standard is increasing usage worldwide. PDF is a very well documented standard -- I speak as someone who wrote a program to create PDF files with images and form fields from scratch using VB 6 with no plugins -- so go ahead and create your own reader, market it and make it the #1. Nothing's stopping you.

  2. Re:Anyone still has JavaScript enabled? by jasonwc · · Score: 4, Interesting

    I agree. These security vulnerabilities appear to be a weekly occurrence. Anyone that hasn't disabled Javascript in Reader/Acrobat at this point either doesn't care about the numerous vulnerabilities or doesn't understand the risks involved.

    The bigger question is why Adobe doesn't just disable Javascript by default. I have never used a PDF that required Javascript and I've dealt with a number of user-fillable forms. So, what exactly is Javascript being used for? I know that it has some use. However, it seems that the security risk is far greater than any potential benefit of the "feature".

  3. Re:BUT WAIT!!!! by betterunixthanunix · · Score: 3, Interesting

    Acrobat and Reader are bloated. Try something a little lighter like XPDF or Okular.

    --
    Palm trees and 8
  4. Re:Anyone still has JavaScript enabled? by wkk2 · · Score: 3, Interesting

    JavaScript in PDFs has always been trouble. I use forms that auto complete, add columns, etc. A compromise might be a default of prompt before running scripts with a recommend/default of "no". I'd always click "no" unless I trusted the source. Since that would marginalize the product it will probably never happen. I wish I had never upgraded from 4.

  5. Re:Really... by Deagol · · Score: 3, Interesting

    > A spreadsheet app is also substantially larger than a PDF reader.

    This *is* Adobe we're talking about here. For grins, I just installed Adobe Reader 9.2 and Gnumeric 1.9.16 on a XP VM, and for the informal survey of the "Program Files" directory, Adobe (203MB) weighs in at almost twice that of Gnumeric (106MB).

    I vote for using the best app for the job. In the case of this thread, I wholeheartedly think the spreadsheet is that tool.

  6. Re:Really... by lahvak · · Score: 3, Interesting

    No, PDF format is a crippled postscript. It was intentionally crippled so it will NOT be a language, because distributing documents written in a programming language was not secure. Then they realized they crippled it too much, and added javascript to it. It is an improvement, since the scripts are localized in the document, easier to identify, they can be disabled if you want to, etc.

    I think in general having scripting language embedded into an interactive document format is a good idea, however, it seems that Adobe's implementation is rather buggy and badly designed.

    --
    AccountKiller