Adobe Warns of Reader, Acrobat Attack

← Back to Stories (view on slashdot.org)

Adobe Warns of Reader, Acrobat Attack

Posted by timothy on Tuesday December 15, 2009 @04:03AM from the gnome's-reader's-pretty-good-y'know dept.

itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."

6 of 195 comments (clear)

Min score:

Reason:

Sort:

Anyone still has JavaScript enabled? by Anonymous Coward · 2009-12-15 04:10 · Score: 5, Funny

I thought after so many vulnerabilities everyone had turned that off in Reader...
1. Re:Anyone still has JavaScript enabled? by jasonwc · 2009-12-15 04:30 · Score: 4, Interesting
  
  I agree. These security vulnerabilities appear to be a weekly occurrence. Anyone that hasn't disabled Javascript in Reader/Acrobat at this point either doesn't care about the numerous vulnerabilities or doesn't understand the risks involved.
  The bigger question is why Adobe doesn't just disable Javascript by default. I have never used a PDF that required Javascript and I've dealt with a number of user-fillable forms. So, what exactly is Javascript being used for? I know that it has some use. However, it seems that the security risk is far greater than any potential benefit of the "feature".
2. Re:Anyone still has JavaScript enabled? by jasonwc · 2009-12-15 05:26 · Score: 5, Insightful
  
  Somewhat ironic, isn't it? If you want to use Adobe's security features (digital signing/encryption) and 3rd party software to achieve SOX compliance - you must accept security vulnerabilities from Acrobat/Reader itself.
Javascript Again by Anonymous Coward · 2009-12-15 04:12 · Score: 4, Informative

If you have to use Reader, ALWAYS disable Javascript. It always seems like that's was these exploits use. Or use one of the many PDF reader alternatives.
Acrobat attack. by NoYob · 2009-12-15 04:16 · Score: 5, Funny

They're horrible. You have guys flipping and attacking you with their feet while standing on their hands. You have two other guys with one sitting on the other's shoulders while they punch down on you. You try to fight back and they just do backflips away or jump and balance on some pole way above your head.
Yikes! I hate acrobat attacks!

--
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
Re:Preferences? by Killer+Orca · 2009-12-15 04:17 · Score: 4, Funny

Wherever it says 'Uninstall'