Slashdot Mirror


Security Researcher Drops 15 Vulnerabilities for Windows and Adobe Reader

mask.of.sanity writes: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defenses. He said, "The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far." Jurczyk published a video demonstration of the exploit for 32-bit and 64-bit systems. His slides are here [PDF].

117 comments

  1. PDF link to PDF exploit by Carewolf · · Score: 5, Funny

    Sorry, I am not clicking on a PDF link that demonstrates a PDF attack.

    1. Re:PDF link to PDF exploit by saloomy · · Score: 1

      The PDF rendered fine on OS X, not sure if that means it's cleanly constructed, but it's readable, and not corrupt to the PDF previewer.

    2. Re:PDF link to PDF exploit by Anonymous Coward · · Score: 2, Funny

      Thank God I'm using Firefox. Had I accidentally clicked on that link, I'm sure I would have had a good 2 to 3 minutes to realize my mistake and to close the browser window, since that's just about how long it takes for Firefox's shitty builtin PDF.js PDF viewer to kick in and render even the smallest of PDFs.

    3. Re:PDF link to PDF exploit by Anonymous Coward · · Score: 0

      Sorry, I am not clicking on a PDF link that demonstrates a PDF attack.

      Yes ... allow me to demonstrate ...

    4. Re:PDF link to PDF exploit by ichthus · · Score: 0

      I know, right? That's how long it takes on my 200 MHz Pentium system too.

      --
      sig: sauer
    5. Re:PDF link to PDF exploit by Anonymous Coward · · Score: 0

      I can trust my Okular software to view it.
      Can *you* trust your software? No? Then why are you still using it?

    6. Re:PDF link to PDF exploit by drinkypoo · · Score: 1, Offtopic

      I know, right? That's how long it takes on my 200 MHz Pentium system too.

      That's how long it takes on my six-core, eight-gig, SSD system. It is seriously pathetic how long it takes Firefox to view a PDF by itself.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:PDF link to PDF exploit by drinkypoo · · Score: 3, Interesting

      Chrome does a fantastic job rendering pdfs very quickly.
      Why do you continue to use that pathetic browser?

      I use both browsers. I use Chrome mostly for google sites, and anything that won't load in Firefox. I use Firefox mostly because I want Chrome to have competition, but also because noscript is still better on FF than on Chrome. And also because chrome's built-in cookie control is total shit which breaks sites so you either don't use it or you have a hard time with many websites, but cookiesafe works great all the time.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re: PDF link to PDF exploit by Zorpheus · · Score: 1

      How can you let your browser view pdfs by itself? It will open malicious pdfs automatically, adding a big security hole without much use.

    9. Re:PDF link to PDF exploit by adolf · · Score: 1

      The answer to the question that you did not ask is Pale Moon.

    10. Re: PDF link to PDF exploit by adolf · · Score: 1, Funny

      How can you let your browser view pdfs by itself? It will open malicious pdfs automatically, adding a big security hole without much use.

      How can you let your browser view [GIF/JPEG/CSS/HTML] by itself? It will open malicious [user-requested content] automatically, adding a big security hole without much use.

      (When you get your head out of the sand, we'll talk about security.)

    11. Re:PDF link to PDF exploit by ttucker · · Score: 2

      I dropped Firefox because it is built on the carcass of an ancient browser, and its developers are more worried about playing tech specification hardball than implementing features that are/will be needed.

    12. Re:PDF link to PDF exploit by ttucker · · Score: 1

      I can trust my Okular software to view it. Can *you* trust your software? No? Then why are you still using it?

      Sounds like hubris.

    13. Re:PDF link to PDF exploit by drinkypoo · · Score: 1

      The answer to the question that you did not ask is Pale Moon.

      Hilariously, I am running Pale Moon (x64 even) rather than actual Firefox. It's exactly as bad in this regard.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re:PDF link to PDF exploit by Anonymous Coward · · Score: 0

      If you installed Flash on your system, then you deserve everything you get.

    15. Re:PDF link to PDF exploit by Anonymous Coward · · Score: 0

      Because Chrome is not secure. It still falls back to SSL3 if it can't establish a TLS connection. Convenience over security...great plan.

      Chrome also has much slower startup time and it doesn't obey my operating system's UI theme.

    16. Re:PDF link to PDF exploit by Anonymous Coward · · Score: 0

      You can get evince on windows.

      It is pretty ok.

    17. Re:PDF link to PDF exploit by drinkypoo · · Score: 3, Funny

      I dropped Firefox because it is built on the carcass of an ancient browser

      And Chrome sprang fully-formed from the brow of its creator when they spake the word?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    18. Re:PDF link to PDF exploit by adolf · · Score: 1

      What did you do to Pale Moon to allow it to grok PDFs, and why haven't you undone it yet?

    19. Re:PDF link to PDF exploit by drinkypoo · · Score: 1

      What did you do to Pale Moon to allow it to grok PDFs, and why haven't you undone it yet?

      I don't know, but I have done. Now I use SumatraPDF externally.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    20. Re:PDF link to PDF exploit by preflex · · Score: 3, Informative

      You still use NoScript?
      uMatrix is available for Firefox now.
      Goodbye NoScript. Goodbye RequestPolicy. Goodbye CookieSafe. uMatrix does it all and does it better.

      Your web browser is a dog. uMatrix is its leash.
      It's available for Chrome as well.

    21. Re:PDF link to PDF exploit by drinkypoo · · Score: 1

      I might give it a try, but what I have now is working pretty well. I have a couple of special cases I'll throw it at, and see what happens.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    22. Re:PDF link to PDF exploit by MyFirstNameIsPaul · · Score: 2

      How does it do with handling XSS attacks? NoScript has been out in front on this for a long time.

      --

      I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

    23. Re:PDF link to PDF exploit by turning+in+circles · · Score: 1

      Why are you talking about browsers like it's an either/or? I use Firefox, Chrome, Opera, Iron, and even Internet Explorer depending on what I want to be doing, what cookies I want kept on the browser, etc. Firefox is poor at reading pdfs, though.

      --
      Might as well face it I'm addicted to data.
    24. Re: PDF link to PDF exploit by Anonymous Coward · · Score: 0

      I use Firefox plus foxit reader for pdfs.

    25. Re:PDF link to PDF exploit by weilawei · · Score: 1

      I'm also running Pale Moon x64 (latest version) and it doesn't try to display PDFs. It just offers a download link (as I would hope, because I like to use an external reader).

    26. Re:PDF link to PDF exploit by labnet · · Score: 1

      Chrome does a fantastic job rendering pdfs very quickly.
      Why do you continue to use that pathetic browser?

      I use both browsers. I use Chrome mostly for google sites, and anything that won't load in Firefox. I use Firefox mostly because I want Chrome to have competition, but also because noscript is still better on FF than on Chrome. And also because chrome's built-in cookie control is total shit which breaks sites so you either don't use it or you have a hard time with many websites, but cookiesafe works great all the time.

      Plus it has proper side tabs with the Tree Tab control. Something chrome removed a couple of years ago.

      --
      46137
    27. Re:PDF link to PDF exploit by Bing+Tsher+E · · Score: 1

      I use SeaMonkey because it's built on the legacy of an ancient browser. Both in codebase and in architecture.

    28. Re:PDF link to PDF exploit by Anonymous Coward · · Score: 0

      If you'd ever bothered to actually pay attention to Mozilla's bug tracker or Firefox release notes then you'd understand how full of shit you really are. But who needs reality to get in the way of their fantasies?

    29. Re:PDF link to PDF exploit by Trogre · · Score: 1

      Heh, yes PDF.js is possibly the worst PDF renderer to see the light of day, with the possible exception of Apple's Preview.

      Thankfully just about every Firefox user redirects PDFs to open with okular or SumatraPDF.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    30. Re:PDF link to PDF exploit by Trogre · · Score: 1

      Cool. Show me another browser that does hierarchical side tabs and we'll talk.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    31. Re:PDF link to PDF exploit by Anonymous Coward · · Score: 0

      >Heh, yes PDF.js is possibly the worst PDF renderer to see the light of day
      Source?

      >Thankfully just about every Firefox user redirects PDFs to open with okular or SumatraPDF.
      Source?

    32. Re:PDF link to PDF exploit by theArtificial · · Score: 1

      In the same vein uBlock Origin is pretty sweet, too. I recently came across uMatrix and I dig the interface.

      --
      Man blir trött av att gå och göra ingenting.
    33. Re:PDF link to PDF exploit by WuphonsReach · · Score: 1

      I dropped Firefox because they no longer have a usable sync across multiple devices. With two laptops, a desktop, a cell phone and a tablet, some sort of bookmark/password/history sync is absolutely essential to me.

      Right now my options are... Chrome.

      The killer feature for Firefox or Opera would be to offer some way to sync to any WebDAV backend. Then I could set up something like Owncloud / Seafile on my own hardware..

      --
      Wolde you bothe eate your cake, and have your cake?
    34. Re:PDF link to PDF exploit by adolf · · Score: 1

      Well, you're on the right path: Pale Moon doesn't have pdf functionality OOTB. Look for and destroy a pdf.js in your profile directory, perhaps? Because whatever you have isn't getting updated, and according to TFS, that can be a problem from time to time.....

      And yes, again: Firefox's pdf viewer is disgusting. Gmail's JS-based viewer actually provides presentable documents, and they seem to even print OK, but Firefox's interpretation of pdf (IN THE SAME BROWSER!) reminds me of the early days of Ghostscript, or maybe even Freetype -- a million years ago, before they got the kerning right. Or even close. At all.

    35. Re:PDF link to PDF exploit by LordWabbit2 · · Score: 1

      I agree, I use different browsers to separate accounts/cookies. I don't want one google portal for all my google accounts, fuck that. I use different browsers to keep my shit apart. Browsers are largely all the same - sure there are some that do x better and some that do y better. I prefer debugging javascript code in IE because of the better integration it has with Visual Studio, general browsing in Chrome because of the process isolation, Firefox for certain plugins that either don't exist in other browsers or simply work better. I had not heard of Iron before though, will be installing that tonight, tx.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    36. Re:PDF link to PDF exploit by ttucker · · Score: 1

      If you'd ever bothered to actually pay attention to Mozilla's bug tracker or Firefox release notes then you'd understand how full of shit you really are. But who needs reality to get in the way of their fantasies?

      My opinion is formed basically entirely on asinine bugtracker comments from core developers. One of my biggest peeves is the reluctance and downright refusal to consider moving forward from NPAPI, even though it is one of the biggest security risks for web browsing.

    37. Re:PDF link to PDF exploit by ttucker · · Score: 1

      I dropped Firefox because it is built on the carcass of an ancient browser

      And Chrome sprang fully-formed from the brow of its creator when they spake the word?

      Chrome is based on a rendering engine that was originally created by Apple in 2001. Webkit was a fork of KHTML, which was at the time a very short and cleanly written open source project. When Webkit began to impose crufty legacy problems on Chromium, a new fork was created with the intention of excising problem code. The Mozilla foundation got too comfortable with Firefox, and it is losing relevance quickly.

    38. Re:PDF link to PDF exploit by drinkypoo · · Score: 1

      Webkit was a fork of KHTML, which was at the time a very short and cleanly written open source project.

      It was short because it was a half-assed rendering engine. It didn't become capable of rendering pages of any complexity until Apple got their hands on it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    39. Re:PDF link to PDF exploit by turning+in+circles · · Score: 1

      More specifically SRWare Iron which also can be loaded and run from a flashdrive. My brother turned me onto this, I confess.

      --
      Might as well face it I'm addicted to data.
  2. Drops? by thechemic · · Score: 5, Insightful

    He dropped them from his to do list?

    He was carrying them around and dropped them?

    Slang for "He published them" ?

    He dropped them from his research list?

    He dropped the vulnerabilities from his own systems?

    Apparently "Slashdot" means to "Slash" the English language with slang. Can we please "DROP" the amateur reporting styles?

    --
    Let's make like a bird... and get the flock outta here.
    1. Re:Drops? by belthize · · Score: 5, Funny

      He held the exploits palm down before dropping them and then simply walked away exclaiming "Mateusz out".

    2. Re:Drops? by Anonymous Coward · · Score: 2, Funny

      It's just Dice trying to sound "hip" and "with it". I can't wait for Nerval's Lobster to use that in his next sponsored submission.

    3. Re: Drops? by Anonymous Coward · · Score: 0

      He sure dropped a deuce on Slashdot.

    4. Re:Drops? by pr0fessor · · Score: 1

      Were they on Magic Cards or in Pokeballs?

    5. Re:Drops? by bluefoxlucid · · Score: 1

      Look we have an editor constantly ranting about "fat" and "beets" as if nobody ever feeds him.

    6. Re:Drops? by drinkypoo · · Score: 4, Funny

      Apparently "Slashdot" means to "Slash" the English language with slang. Can we please "DROP" the amateur reporting styles?

      If you're not a slashdot subscriber, who cares what you think? If you are a slashdot subscriber, that goes double.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Drops? by jabberw0k · · Score: 2

      When a publisher drops a title, that means it is no longer in publication. Original headline is complete confusion.

    8. Re:Drops? by Quirkz · · Score: 1

      When you have "extremely powerful primitives" the only thing you can do is drop.

    9. Re:Drops? by thechemic · · Score: 1

      LOL

      --
      Let's make like a bird... and get the flock outta here.
    10. Re:Drops? by Fortran+IV · · Score: 2

      Not Dice's fault (this time); the summary just quotes The Register's opening hook.

      --
      I figure by 2030 or so my 6-digit UID will be something to brag about.
    11. Re:Drops? by Anonymous Coward · · Score: 0

      "Dropping a vulnerability" is common security community vernacular, and anyone who pays attention to security research should understand what it means. It sounds like you were able to deduce its meaning as well, and just want to complain about new lingo. Slashdot is a "news for nerds" site, not a "news for people who don't understand technology but want to act like they do" site. If you'd prefer non-technical language, I'd suggest reading your local newspaper.

    12. Re:Drops? by puddingebola · · Score: 1

      Thank you for dropping some science. Word.

    13. Re:Drops? by TechyImmigrant · · Score: 1

      >"Dropping a vulnerability" is common security community vernacular

      Is it? Maybe I live in a security researcher bubble that doesn't interact with the cool security researcher kids who use 'drop' in place of 'publish'.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    14. Re: Drops? by dasacc22 · · Score: 1

      Words.

    15. Re: Drops? by Anonymous Coward · · Score: 0

      He dropped that exploit like an ugly baby

    16. Re:Drops? by Anonymous Coward · · Score: 0

      Original headline is complete confusion.

      theregister.co.uk often has confusing headlines. it's their style.

    17. Re:Drops? by Anonymous Coward · · Score: 0

      Yeah, stupid use of language annoys me. Other examples would be things like "rocks" intended to mean "wears" (as in clothing) and "reboot" for "remake" when referring to movies.

      I'm sure I'll think of a few more now that you've got me thinking about it.

  3. I wish I could quit you, Adobe Reader. by Anonymous Coward · · Score: 1

    I wish I could do without Adobe Reader. I really wish I could.

    Huge piece of bloated software. One of the largest virus vectors out there today. Unwieldy to deploy, manage. Filled to the brim with up selling features and advertisements. (Not as bad as Java, thankfully) You can fix a lot of that with group policies and Adobe's custom package generator but damn it's a pain in the ass every time an update rolls out.

    There are a lot of PDF alternatives now, but fuck it if Adobe hasn't sunk their hooks in so many large and govt orgs. Despite PDFs being a "standard" Adobe sells a lot of "solutions" that spit out PDFs laden with "features" that are only functional in Adobe Reader.

    Can't even tell you how many calls I've gotten about PDFs that don't render in Chrome, having to explain they have to save the thing and launch it from their desktop.

    1. Re:I wish I could quit you, Adobe Reader. by thechemic · · Score: 4, Informative

      We installed Foxit Enterprise Reader and disabled in-browser PDF viewing for all browsers. This forces PDF downloads and everything displays wonderfully. It's lightning fast too!

      --
      Let's make like a bird... and get the flock outta here.
    2. Re:I wish I could quit you, Adobe Reader. by Dutch+Gun · · Score: 1

      I left Foxit behind when they started pushing crapware installs, and more critically, when it had some problems rendering some fairly basic PDFs correctly. Back to Adobe Reader for me as well.

      It's like that with MS Word docs as well. The damn things are so complicated that only the original code has a prayer of rendering it correctly, and even then not always.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:I wish I could quit you, Adobe Reader. by Anonymous Coward · · Score: 0

      You should look at Sumatra PDF. It's small, Free software, and fast.

    4. Re:I wish I could quit you, Adobe Reader. by Anonymous Coward · · Score: 0

      When we had to remove Foxit in order to install Adobe for an electronic paystub site that required it, we found that Foxit couldn't be fully and properly removed, and ended up having to wipe several systems.

    5. Re:I wish I could quit you, Adobe Reader. by KGIII · · Score: 1

      You convinced me to dig out a second laptop. I uninstalled FoxIt and can find no browser hooks in FF, Opera (beta), Chrome, left over files, files in the profile, or even any registry entries. This is the latest version on Windows 7. Where should I be looking for remnants?

      --
      "So long and thanks for all the fish."
  4. "Curses! Foiled again!" says NSA. by Torodung · · Score: 1

    "Curses! Foiled again!" says the NSA. Why in the heck aren't they doing this research again? Oh, because security is only for the strong.

    (Sorry for the slightly off-topic post guys, but it really riles me up that people aren't doing their jobs)

    1. Re:"Curses! Foiled again!" says NSA. by StikyPad · · Score: 1

      The NSA is an offensive organization, not a defensive one. That's its mission. There's a very good argument to make that it should be prioritizing defense over offense, especially given, say, the OPM EPIC hack, but that's not its mission right now.

    2. Re:"Curses! Foiled again!" says NSA. by Bob+the+Super+Hamste · · Score: 4, Insightful

      The NSA is an offensive organization

      You could have just stopped there.

      --
      Time to offend someone
    3. Re:"Curses! Foiled again!" says NSA. by ShaunC · · Score: 2

      Why in the heck aren't they doing this research again?

      They are, but when they find something, they add it to their arsenal and use it themselves instead of alerting anyone to the vulnerability. This fact was the subject of some hand-waving from the White House earlier in the year. There's a good chance NSA has known about several of these for a long time, which is a little disconcerting since the Adobe Type Manager exploit may date back to 1998.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    4. Re:"Curses! Foiled again!" says NSA. by StikyPad · · Score: 1

      I could have, but it's important to remember that things aren't written in stone, and that we can change its mission through public debate and the political process. Ostensibly, anyway.

    5. Re:"Curses! Foiled again!" says NSA. by Anonymous Coward · · Score: 0

      the best offense...

    6. Re:"Curses! Foiled again!" says NSA. by vux984 · · Score: 1

      The NSA is an offensive organization, not a defensive one. That's its mission.

      That's according to you. Now according to the NSA their mission, from their Mission page:

      "The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances."

      https://www.nsa.gov/about/miss...

      Offense is definitely a big part of their job. But right up there with SIGINT is IA (information assurance); so what is IA?

      Well I could look in a dictionary but let's see what the NSA thinks it is instead... since they are the ones charged with doing it:

      https://www.nsa.gov/ia/ia_bann...

      NSA's Information Assurance Directorate delivers mission enhancing information assurance technologies, products and services that enable customers and clients to secure operational information and information systems.

      Or to paraphrase: enable its customers (government and its departments, domestic corporations, and our allies) to secure their data and computer systems.*

      That is ALSO their mission. They have been so busy with SIGINT that not only have they neglected IA, but they have ACTIVELY subverted and sabotaged it in the process.

      *and I'm not just putting words into their mouths when I say their job is to protect our allies (vs spying on them) that's also from them:

      "The NSA [...] encompasses both SIGINT and IA [...] in order to gain a decision advantage for the Nation and our allies under all circumstances."

    7. Re:"Curses! Foiled again!" says NSA. by Anonymous Coward · · Score: 0

      The fault is entirely on your side. You need to understand that

      A) They lie all day

      B) The objectives are clearly inconsistent

      C) Pork will only flow if they can show something. As in "we just listened to Francois and here is the transcript".

      In other words, their definition of security is "fuck all IT systems, globally on a mass scale". That provides "security" because nobody can scheme some wrongdoing. See ?

  5. No surprises there by Anonymous Coward · · Score: 0

    "Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Linux he reckons beats all exploit defenses."

    Two swiss cheeses...

    1. Re:No surprises there by Anonymous Coward · · Score: 0

      Is this really Adobe exploits or is it installed in Windows even when I don't have any Adobe stuff installed ?

      Also, how is the relationship to Linux ?

    2. Re:No surprises there by Fortran+IV · · Score: 4, Informative

      It would have been nice if The Register's somewhat hysterical FA (much less the Slashdot summary) had made clear up front that Microsoft patched most of the Windows vulnerabilities all the way back in March (MS15-021), and the last one in May (MS15-044). According to j00ru's blog post, Adobe patched their holes in May as well.

      j00ru was clear enough in his blog post, but El Reg decided to stick in one line: "Microsoft and Adobe issued patches in three updates."—six paragraphs down, looking more like an image caption than part of the article. Sheesh.

      --
      I figure by 2030 or so my 6-digit UID will be something to brag about.
  6. Running adobe as SYSTEM??? by Anonymous Coward · · Score: 0

    Anyone else notice that adobe was running with system privs? Mine runs at medium for the main exe with low for the child exe, I'm not sure what's up with that demo.

  7. Fire the guy and put him behind bars by Anonymous Coward · · Score: 0

    He's a "hacker", therefore he has no rights but is dangerous and needs to be locked up. Judges agree with this.

    What, you don't like knee-jerk reactions? Then stop pavlov-training the world by calling everything "hack" and everyone "hacker".

  8. So by Anonymous Coward · · Score: 0

    15 vulnerabilities in Adobe that allow you to attack at the OS level.

    Always a spin.

    1. Re:So by Anonymous Coward · · Score: 0

      5 in Adobe. 10 in Windows.

  9. Hmmm ... by gstoddart · · Score: 3, Funny

    So, if I assume there's been at least one monthly major security issue attributable to Adobe (maybe twice monthly, once for Reader and once for Flash) ... and if we extend that over the last decade or so, it becomes pretty obvious that Adobe writes some shitty code.

    I'm not sure a single software vendor on the planet, except Microsoft, has caused so many security holes in all of the history of computers.

    Pity we couldn't bill them for all the wasted time and resources.

    --
    Lost at C:>. Found at C.
    1. Re:Hmmm ... by Anubis350 · · Score: 1

      To give them *some* credit, how many other pieces of software are as ubiquitous as Adobe Reader?

      --
      "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
    2. Re:Hmmm ... by StikyPad · · Score: 1

      Everybody writes shitty code. Not all code is as widely distributed as Adobe's.

    3. Re:Hmmm ... by drinkypoo · · Score: 1

      To give them *some* credit, how many other pieces of software are as ubiquitous as Adobe Reader?

      Well, there's Adobe Flash Player... which is the more wretched hive of scum and villainy?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Hmmm ... by Anonymous Coward · · Score: 0

      I'm not sure a single software vendor on the planet, except Microsoft, has caused so many security holes in all of the history of computers.

      Java is way up there.

      And unlike Windows, Java is actually a very small program. Making it run reliably & securely shouldn't be that difficult.

  10. Re: Windows is a toy by Anonymous Coward · · Score: 0

    We know, we know...you're suggesting that the (insert OS here) that you're using is superior. Personally I think that TI-99 you typed your flame bait from is a POS!

  11. Re:Adobe products. by ArcadeMan · · Score: 1

    If you're still using Flash and Adobe Reader in 2015, you're just asking for trouble.

  12. Getting tired... by NotThisMind · · Score: 1

    Is there a good program that just *reads* without these constant useless updates and a 'need' for internet connection? Or should I just use an older version? Like 10 or 11?

    1. Re:Getting tired... by Virtucon · · Score: 1
      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    2. Re:Getting tired... by drinkypoo · · Score: 4, Interesting

      I use SumatraPDF. AFAIK it's the smallest windows PDF reader which is worth using, I believe it's smaller than Foxit. But it's been a while since I installed Foxit, so a comparison would take effort.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Getting tired... by Anonymous Coward · · Score: 1

      Modern versions of foxit have quite a lot of bloat.

    4. Re:Getting tired... by Anonymous Coward · · Score: 0

      It's *WAY* smaller than Foxit. SumatraPDF is a gem in the Free software world.

  13. Can we just take a vote by Virtucon · · Score: 1

    I vote Adobe the worst software provider in terms of quality. We bash Microsoft quite a bit but think about it. Shockwave, Flash now Acrobat Reader must be the crappiest three pieces of software in terms of quality and vulnerabilities. I guess when you couple Adobe + Windows it's truly craptacular!

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Can we just take a vote by Anonymous Coward · · Score: 0

      You realize that 10 of the 15 exploits were related to Windows, right?

      And you're asking for sympathy from bashing Microsoft? WTF are you doing?

    2. Re:Can we just take a vote by Anonymous Coward · · Score: 0

      10 was across a whole range of subsystems. 5 were to specific addons. Those 2 addons have as many vulins as the whole of windows on average per month. That is not good no matter which way you put it. These are *ADDONS*. When an addon is becoming a nuisance it tends to get uninstalled...

    3. Re:Can we just take a vote by Anonymous Coward · · Score: 0

      Shockwave Flash (it's one thing, not two) is a programmable plugin environment for a browser. Like everything else that can be programmed, bad actors can and will use it as a way to do bad things.

      PDF is basically PostScript version 3.x. PostScript is a Turing-complete language, and so is PDF. And what did I just say about programmable platforms?

      This is like saying "C is a security vulnerability because it can be used to run arbitrary code." Well, no shit. That's what it's designed to do!

    4. Re:Can we just take a vote by Fortran+IV · · Score: 1

      And 8 of the 10 Windows vulnerabilities were related to the Adobe Type Manager Font Driver (ATMFD.DLL). I don't know how much of ATMFD was written by whom, but according to Wikipedia, "Adobe licensed to Microsoft the core code." That makes Adobe responsible for 13 of the 15 vulnerabilities, including all 9 of the most dangerous.

      --
      I figure by 2030 or so my 6-digit UID will be something to brag about.
  14. Re:What year is it? by bev_tech_rob · · Score: 1

    People still have Adobe Reader installed?

    Lots of people...get out of your mom's basement or out from under your rock...

    --
    You're messin' with my Zen Thing, man.....
  15. Re:Windows is a toy by ttucker · · Score: 1

    Where does OpenSSL fit into your story? No software is perfect, and assuming it is invites peril.

  16. why do they get away with this sad quality? by Anonymous Coward · · Score: 0

    15 bugs in 2 products is probably a new low, even for ms and adobe.

    There is no reason to think that there are not many more.

    Why can we not have simpler s/w which is robust?

    Economics seems to be driving the industry in the wrong direction.

  17. Smart people by AndyKron · · Score: 1

    Before too long smart people will start using pencil and paper again.

    1. Re:Smart people by Spinlock_1977 · · Score: 1

      I hope you realize that no smart person could respond to your post with said equipment. I guess this puts me in the dummy crowd.

      --
      - The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
    2. Re:Smart people by Anonymous Coward · · Score: 0

      They already do

    3. Re:Smart people by weilawei · · Score: 1

      Wait, when did we (anyone needing to do anything remotely complex) stop using paper and pen (or pencil, or pen tablet; insert preference here)?

      I find that even if it's just on a pen tablet, the act of writing/sketching helps me process ideas and complex situations more effectively than mere rumination or typing.

    4. Re:Smart people by KGIII · · Score: 1

      I guess they could *then* (after using pencil and paper) do OCR on it and submit it but that really defeats the point.

      --
      "So long and thanks for all the fish."
  18. Re:It's Adobe fault by JcMorin · · Score: 1

    Where is Windows' fault in that? The version of Adobe PDF Viewer for Windows that has a bug...

  19. Re:Adobe products. by zlives · · Score: 1

    same can be said for if you are still using windows... or heck anything connected to the internet period.

  20. Re:Smart people FTFY by zlives · · Score: 1

    "Before too long smart people will start using pencil and paper again" for anything requiring security.
    for social media... these tools are fine.

  21. images aren't a programming language by raymorris · · Score: 3, Informative

    PDF is a subset of PostScript, a Turing-complete programming language. It's most often used for rendering documents, but is in no way limited to that. You can program an emulator in PS and run Linux inside your PDF. GIF and JPEG are not executable code. They are just (compressed) color VALUES.

    There was one security hole in one specific executable LIBRARY which processes jpegs, but jpegs themselves are not executable and therefore essentially safe. Not so for pdf.

    It is hoped that pdf is slightly safer than pure PostScript, but it's not FUNDAMENTALLY safer.

  22. Re:What year is it? by Bing+Tsher+E · · Score: 1

    Lots of people haven't upgraded from Adobe Reader.

    We have work to do educating people.

  23. Horrible wording by Trogre · · Score: 0

    The research has dropped 15 vulnerabilities? What does that mean? They did have the vulnerabilities but have now discarded them?

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife