Slashdot Mirror


No JavaScript Needed For New Adobe Exploits

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."

4 of 187 comments

  1. Re:Linux is more Secure than Windows by headkase · Score: 0, Troll

    You don't run as administrator in Windows anymore

    Try running most Windows XP software and see what happens.

    Security updates are likewise pushed in Windows. Windows has an updating function

    My update-manager updates all my installed programs. Windows Update does Windows and Office, everything else is hodgepodge.

    Your statements all show unfamiliarity with Windows.

    I am very familiar with Windows; it is one of the reasons I switched to Linux.

    This is not an Adobe bug, this is a vulnerability in the PDF spec. Readers not from Adobe have already been shown to be vulnerable.

    It is present in Adobe Reader, it has already been patched out of Foxit, and it never existed in XPDF.

    Linux is not immune, despite your specious claims.

    Linux is not immune but the singular fact that you are not running as root mitigates a lot of possible damage.

    --
    Shh.
  2. Windows is most affected by this exploit by StuartHankins · Score: 0, Troll

    As others may have stated -- but I definitely want to underline -- the broken security model of Microsoft Windows causes significant potential for harm by this exploit. I guess if you run Windows you're accustomed to grabbing your ankles though.

    I'm at the point where if you run Windows and have the audacity to complain about the exploits, bugs, worms, trojans, et al, you get no sympathy from me. The world has known about Microsoft's crappy security for decades, and Microsoft has done little to improve it. How many unscheduled patches have rolled out their door lately? Why do they have a "malicious software removal tool" updated monthly? (Hint: it's not because Windows is well-designed)

    To use a car analogy, Microsoft produces cars, all of which have this huge hole in their roofs. Instead of redesigning the roof or putting something over the hole, they want you to buy a carpet replacement subscription. Each time, you dole out the money for a new copy of Windows, thinking "this will be the one!" and each time you are disappointed. When will you get smart?

    I'm not quite ready to say that Microsoft chooses to have broken security, but it's obvious -- if that's not the case -- that Microsoft clearly doesn't understand security. But is that really better? How many people do you know who have been infested with viruses, trojans, etc on Windows operating systems? How many of those got infected despite installing antivirus software and keeping their machines up-to-date? Nowadays having only antivirus on a Windows machine is just asking to be rooted, and I don't think it's the new computer users' fault. It's getting worse every day.

  3. Re:Linux is more Secure than Windows by sopssa · Score: 0, Troll

    And it's not Windows' fault that some users can't seem to update their system. Would it be Linux's fault if I ran Red Hat 2?

    His last point doesn't deny that running as root is more severe than a limited account. It says most malware doesn't need admin/root access and is correct. Are you reading some other post than me?

    every PDF viewer - except Reader - on Linux doesn't follow that part of the spec for security

    You mean Adobe PDF Reader for Linux? It sure does.

  4. Re:Linux is more Secure than Windows by Red Flayer · Score: 0, Troll

    You don't run as administrator in Windows anymore, either.

    Speak for yourself, wimp.

    Only weaklings run with any permissions profile other than root, no matter what OS they use.

    Want to learn how you too can be a manly man and run as root?

    Read more here.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai