Slashdot Mirror
Adobe Finally Fixes Remote Launch 0-Day
Trailrunner7 sends in this excerpt from Threatpost (Adobe announcement here): "Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac, and Unix users to malicious hacker attacks. The update, which affects Adobe Reader/Acrobat 9.3.2 and earlier versions, includes a fix for the outstanding PDF '/Launch' functionality social engineering attack vector that was disclosed by researcher Didier Stevens. As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file." Relatedly, Brian Krebs blogs about the downsides of Adobe's increasingly Byzantine update process.
Because its an attack out in the wild that the developers didn't know about and before a patch can be shipped.
Taxation is legalized theft, no more, no less.
Missing from the summary is gsview. It makes a very secure pdf reader that works on windows, although it certainly isn't anything nice to look at. Uses ghostscript for the backend.
For the 90% of us who don't require all the minutiae of functionality and cruft which Adobe Reader offers, there are options. Obviously Mac folk are covered by Apple's built in Preview, but on Windows, Sumatra PDF is amazing and ridiculously small. It's better than Foxit, in my opinion, for barebones PDF viewing in Windows. Check it out! http://blog.kowalczyk.info/software/sumatrapdf/index.html
You would have to be running pre-10.1 version of flash first. Then the exploit would have to force your system to execute code that was written for *nix. Since Windows is the majority of the market I doubt anyone has taken the time to write such code for this exploit. I think your safe. :)
The difference is how much warning you get. Most of the security bugs Adobe fixes are found internally (you'll never hear about those - unless it greatly affects product functionality), and even those told to them externally by 3rd party researchers they usually get a several month lead time.
Zero day bugs are where some guy says "surprise look what I found" on his blog without any warning despite how long a bug takes to fix.
It's not like Foxit is completely without security flaws either.
And doing just a bit of research - Foxit only fixed this exact same bug 2 weeks earlier than Adobe.
The MSP Installer is also available for those who may use Adobe Reader in silent installs/updates.
Side rant: Why does Adobe still only offer the unpatched versions of Reader on their front page?
Prove it.
Apparantly, the same vulnerability existed in both products (Flash was patched a couple of weeks ago). I'm not sure how that works - I thought this was the vulnerability inherent in the PDF spec (Foxit had a patch out the same week this was disclosed).
Socialism: a lie told by totalitarians and believed by fools.
Not so hard to do with web platforms, where "pushing it out" means changing a file or two on a server.
Of course, we've seen (here on slashdot) what happens when you try to do that too often ... but most of us have probably been in a situation where we're told to shell into the box and manually edit a file "right now!!!" with a best-guess way to stop something from being a problem, even if it's only to disable certain functionality temporarily while you work out a real fix.
Zero day bugs are where some guy says "surprise look what I found" on his blog without any warning despite how long a bug takes to fix.
No, zero-day exploits are are... (wait for it) actively exploited in the wild before the first 'look what I found' ever appears.
Crumb's Corollary: Never bring a knife to a bun fight.