Slashdot Mirror
New Adobe PDF Zero-Day Under Attack
Rahmmp writes "Adobe has sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild. An Adobe spokeswoman described the attacks as 'limited' but warned that that could change with the availability of public samples and exploit code."
PDF is not a highly complicated format. It should be easy to interpret it safely. I strongly suspect that Adobe has invested exactly nothing into Acrobat Reader security over the years. Stupid. Incredibly stupid. Anybody that can should move to the alternatives right now.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
"Unfortunately, there are no mitigations we can offer. "
I can offer one -- uninstall the Adobe reader until they patch the vuln. Meanwhile, how do I know if I'm alreadt pwned?
Free Martian Whores!
And you wouldn't have to do that if Adobe Reader didn't have fucking scripts! The entire purpose of the format is to display printable pages. It doesn't need movies or sounds or any of that other shit.
2000 lbs. That's the definition of a ton. It's like asking if a ton of bricks weighs more than a ton of feathers.
1) Include a programming language that's not directly related to the task at hand and/or allows execution of dangerous statements. (Javascript in Adobe, VBA in Office, etc.)
2) Execute said code whenever and wherever you see it (VBScript / Javascript viewed in IE, ability to execute CScript, Adobe running Javascript and Flash content found inside PDF)
3) Use native code execution as part of your file format (WMF vulnerability - not relevant to PDF as far as I know but I couldn't be certain myself).
4) Bundle your program so that it integrates into everything (web browser, printer list, startup list, etc.) so there are as many avenues of accidental execution as possible open to an attacker targeting a large user-base program.
5) Introduce more and more levels of crap into the format, way beyond its original design (Font embedding, Javascript execution, form submission, JPEG, PNG, SVG, Flash, etc. direct embedding rather than converting to your supposedly "portable" document format etc.)
Pretty much, if you see a program do any of the above, it's likely to fall on its arse at some point, security-wise.
Advice to you if you genuinely work for adobe - make a noscript option. Or even better - just cut out all the scripted elements.
PDFs were and are awesome for one thing only, displaying documents the same everywhere. Active content is a mistake.
Dudes, this is Slashdot. Can't you just for once use a term which *doesn't* have a positive second meaning to a majority of your readers? Try one of these:
There is way too much manual intervention required in the Adobe updater.
1. It does not download updates automatically.
2. It requires a new EULA to be accepted.
3. It makes you wait as it downloads the update
4. It makes you wait as it installs.
Ideally, the reader should download the update, install it in a shadow directory an as soon as that is ready, install the update.
If Reader is running, wait for it, or display a message to the user that they need to shut down the offending software before it will update. Give the user an option to close the software from the message box.
This way, in no more than 1 click you'll updated.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
What's interesting is that PS is a full Forth like language in a VM and we never see crap like this attacking Postscript engines.
My team pulled a 32 hour session last week.
I am not sure how you can be proud of working 32 hours in a row on difficult security issues, nothing against your team but I wouldn't want any (and security-sensitive especially) code written at the 31th hour of a caffeine-fueled marathon by an exhausted developer... I do understand that 'we worked 32 hours in a row, we need to go home' sounds good to managers, but every single metric shows pretty clearly that working normal (as in, 8 a day) hours leads to much higher quality code.
-- the cake is a lie
32 hour session? Uh, dude... I'm less than impressed. That's not hard work, that's sadomasochism in the workplace, brought on by badly missed deadlines for some un-stated reason. And it tells us quite a bit about WHY the quality isn't as much there as we've expected out of the past Adobe products and releases- and shows a glimpse of why we're not seeing 64-bit anything out of your claimed employer.
Going that long without breaks and sleep leads me to believe you're actually the CAUSE of some of this stuff we're talking to. You WILL make mistakes past that 12 hour wall- it's human nature, pure and simple. Will you catch them? Maybe, maybe not- test isn't there as a safety net for this kind of crap and if they're working as hard as the devs, they'll miss stuff too. I won't really work much past 10 hours for myself as I'm going to start making dumb mistakes in that last two hours before the hard limit for people. If it were me, even as an anon coward, I'd not be bragging about going nearly 3 times past the hard limit for humans for the tasks we're talking about here.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas