Security watchers are warning of a serious unpatched vulnerability in Adobe's Reader program that's actively being exploited to install malware on the PCs of unsuspecting users. The vulnerability has been confirmed in versions 8.1.3 and 9.0.0 of Adobe Reader running on Windows XP Service Pack 3 and is presumed to work on other …
I have been using xpdf and kghostview for years - in part because of Adobe's history of security problems, but mostly because the open source alternatives had more useful features. I recently switched to kpdf because it is even better than the other two. All of these are Unix programs, but a quick search for "PDF reader windows" shows that Windows users have a choice.
Perhaps it is time to change "PDF warning" to "Adobe warning" next to links to PDF files, like people now say "Windows virus" instead of "PC virus".
Here's my post about it with sample exploit code:
Change the bEnableJS DWORD value to 0
or even better, the following link has an ADM file:
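The bEnableJS setting mentioned above lives under each installed Reader version's JSPrefs key in the current user's registry hive. The following PowerShell is an added example (not the commenter's ADM file or anything from Adobe) that sets it to 0 for every version found and reports the before/after value; the HKCU path and the DWORD name are assumed from Adobe's documented preference layout, and the function supports -WhatIf so the change can be previewed first.

```powershell
# Added example: disable Acrobat Reader JavaScript for the current user by
# setting bEnableJS = 0 under every installed version's JSPrefs key.
# Assumption: per-user Reader preferences live under this root.
function Disable-ReaderJavaScript {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Root = 'HKCU:\Software\Adobe\Acrobat Reader'
    )

    $results = @()
    if (-not (Test-Path -Path $Root)) {
        Write-Warning "No Adobe Reader preferences found under $Root"
        return $results
    }

    # One subkey per installed version, e.g. 8.0, 9.0
    foreach ($ver in Get-ChildItem -Path $Root) {
        $jsPrefs = "$($ver.PSPath)\JSPrefs"

        # Create JSPrefs if Reader has not written it yet (respects -WhatIf)
        if (-not (Test-Path -Path $jsPrefs)) {
            New-Item -Path $jsPrefs -Force | Out-Null
        }

        $before = (Get-ItemProperty -Path $jsPrefs -Name bEnableJS `
                   -ErrorAction SilentlyContinue).bEnableJS

        if ($PSCmdlet.ShouldProcess($jsPrefs, 'Set bEnableJS (DWORD) = 0')) {
            Set-ItemProperty -Path $jsPrefs -Name bEnableJS -Value 0 -Type DWord
        }

        # Re-read so the report reflects what is actually in the registry now
        $after = (Get-ItemProperty -Path $jsPrefs -Name bEnableJS `
                  -ErrorAction SilentlyContinue).bEnableJS

        $results += [pscustomobject]@{
            Version = $ver.PSChildName
            Before  = $before
            After   = $after
        }
    }
    return $results
}

# Usage: preview with -WhatIf, then apply. A value of $null in "Before" means
# the DWORD did not exist, which Reader treats as JavaScript enabled.
Disable-ReaderJavaScript | Format-Table -AutoSize
```

Reader re-reads JSPrefs on start, so restart any running Reader or browser plug-in instances after applying it; the ADM approach the commenter links to does the same thing through Group Policy for all users.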
Damn, that reminds me - I keep forgetting to disable Java in Acrobat because I keep forgetting the idiots at Adobe did something as moronic as embedding a programming language in a document viewer program.
I'll patiently ask if someone can give me a sane reason why Acrobat should have Java scripting functionality? No seriously, I'm genuinely interested to know - I've probably overlooked something obvious.
Apart from the security issues, how does Acrobat Reader manage to go through major revisions without removing bugs which have been around for years?
I've lost count of the number of times Acrobat dies when trying to view PDFs using integrated browser (Firefox) support. There ought to be a script for killing all acroread32 processes and then reloading a page - it's something I have to do on an almost daily basis.
And later for older versions?
Gee, thanks Adobe, it's not like we weren't pissed off enough that we can't run Acrobat 9 already:
Yup, a major bug that *completely* stops Acrobat 9 from being usable on *any* computer in our network, and Adobe have been sitting on it for FOUR MONTHS.
That'll be PDFs blocked at the firewall then.
As a Windows user, I have been using Foxit Reader for more than a year now and recommend it. It's like Adobe used to be back at about version 4 - light, responsive, easy to install etc., but reads the latest PDFs and allows annotation also.
I'll second the "try Foxit" motion. I stumbled into it, like many handy things, via StumbleUpon when it was keeping me awake one night with the "just one more click" syndrome. It's hard to argue against it when Adobe's Reader takes up over 200 MB of space (why?!), takes aeons to open a PDF document and requires updates once or twice a month. I'd also be curious to know why they allow scripts in a document viewer....
"I'll patiently ask if someone can give me a sane reason why Acrobat should have Java scripting functionality? No seriously, I'm genuinely interested to know - I've probably overlooked something obvious."
Indeed. PDF means PostScript. PostScript already _is_ a general programming language.
that Adobe Reader went back to the basics of rendering PDFs? Or at least have a click box that enables such a mode and nothing else?
It is now such a nasty piece of bloatware, performing like a snail with a fricking wheel clamp, that I only use it if Foxit doesn't work properly.
There are even tools to make Reader faster (by disabling all the very rarely used plugins). If somebody has written a tool, it is because a lot of people want it. Adobe should take note.
I once saw a Julia Set (often mis-identified as Mandelbrot) program written in PostScript. Send it to the printer, and wait for hours for it to spit out the page!
Does Adobe think it's Microsoft?
Therefore it could, and SHOULD, have been turned off by default at installation time.
I have now standardized on the XPS format. I think many will do the same after Windows 7 takes over. It does not have any active code by design, signing it digitally is easy, and as it is part of Windows starting from Vista (it can be installed on XP also from the MS site), security updates will arrive via the standard update channel. Goodbye, PDF.
Are Adobe trying to emulate M$ with their bloatware? At least we can do something about it.
As mentioned above, Foxit is the way to go.
Considering 99% of the PDFs out there shouldn't have any scripts running, how about having scripting off by default and a popup asking if you want to enable scripts for a particular document?
Or better yet, keep PDFs passive documents and use a new extension for executable PDFs.