Slashdot Mirror
New Adobe PDF Zero-Day Under Attack
Rahmmp writes "Adobe has sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild. An Adobe spokeswoman described the attacks as 'limited' but warned that that could change with the availability of public samples and exploit code."
PDF is not a highly complicated format. It should be easy to interpret it safely. I strongly suspect that Adobe has invested exactly nothing into Acrobat Reader security over the years. Stupid. Incredibly stupid. Anybody that can should move to the alternatives right now.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
"Unfortunately, there are no mitigations we can offer. "
I can offer one -- uninstall the Adobe reader until they patch the vuln. Meanwhile, how do I know if I'm alreadt pwned?
Free Martian Whores!
1) Include a programming language that's not directly related to the task at hand and/or allows execution of dangerous statements. (Javascript in Adobe, VBA in Office, etc.)
2) Execute said code whenever and wherever you see it (VBScript / Javascript viewed in IE, ability to execute CScript, Adobe running Javascript and Flash content found inside PDF)
3) Use native code execution as part of your file format (WMF vulnerability - not relevant to PDF as far as I know but I couldn't be certain myself).
4) Bundle your program so that it integrates into everything (web browser, printer list, startup list, etc.) so there are as many avenues of accidental execution as possible open to an attacker targeting a large user-base program.
5) Introduce more and more levels of crap into the format, way beyond its original design (Font embedding, Javascript execution, form submission, JPEG, PNG, SVG, Flash, etc. direct embedding rather than converting to your supposedly "portable" document format etc.)
Pretty much, if you see a program do any of the above, it's likely to fall on its arse at some point, security-wise.
Dudes, this is Slashdot. Can't you just for once use a term which *doesn't* have a positive second meaning to a majority of your readers? Try one of these:
My team pulled a 32 hour session last week.
I am not sure how you can be proud of working 32 hours in a row on difficult security issues, nothing against your team but I wouldn't want any (and security-sensitive especially) code written at the 31th hour of a caffeine-fueled marathon by an exhausted developer... I do understand that 'we worked 32 hours in a row, we need to go home' sounds good to managers, but every single metric shows pretty clearly that working normal (as in, 8 a day) hours leads to much higher quality code.
-- the cake is a lie