3 weeks is normal for IT
IT takes it as normal business to have 1 support person per 400 people.
So just do the math:
If 1 person supports 400 and over a million customers use Adobe and the average turn around time for a fix is within 24 hours then how many man hours will it take to serve/support everyone?
IT is always short staffed on purpose.
"Over the past decade, Microsoft has gone from laughing stock to trusted member in security circles"
Really? News to me ... Thanks for the heads-up, though.
If the app is able to execute code, that's all well and good, but as long as the app can't make Admin level calls, where is the issue?
If this were on an MS box, I would be more worried, but because it's on a Linux box, it's unlikely they will have the ability to exploit the box, unless they have a secondary exploit to give themselves greater access.
I suspect there is some bias on the Secunia team, to try and equate Linux exploits on the same level as MS box pwnage..
Paris, she knows all about being exploited
Adobe badly needs to go away and invent something cutting edge again (like PostScript used to be) and stop endlessly fiddling with stuff that already works fine, making it a mess of security conflicts.
Adobe is trying to compete with Apple for the buggiest software on the planet.
Their QC is tanking.....
Rather good news
I shall say !!
That means Adobe is rushing out their Linux runtime, the down side is it might be lightly tested code but good news overall as M$ is losing ground.
And when you've disabled it . . .
Cos if the setting acts anything like "Automatically check for updates" (unchecked) then it will just ignore you and carry on regardless!!
Version 8.1 (could be 8.1.1) was the worst of the lot. The bar-steward tried to update, failed disgracefully and looped forever. Before we knew what had hit us, the 8meg leased line had ground to a halt.!!!
Long story short, had to reconfigure the company's firewalls to drop all connections to Akamai's servers and manually rename the 2 offending exe's/dll's for the entire company.
To say I was less than happy would be the largest understatement ever achieved in the history of mankind!!
/ Mine's the one of me putting the smoking gun back in its holster after shooting the Adobe development team!! /
The usual suspect
"Secunia considers the vulnerabilities "highly critical," its second highest rating on a five-tier scale."
Ye, ye, the standard five-point scale translated...
1. ARMAGEDDON = probably evil and capable at it
2. HIGHLY CRITICAL = doesn't look too good
3. REALLY SCARY = all software goes here first by default
4. DON'T PANIC = not known to have a security flaw this side of y2k (anything here but openbsd?)
5. ok = reserved for future use (in case this company does sell a software for their next version)
(go) sign for its subtext
Ten years - nope
Microsoft's big move on security was in 2002, hardly ten years ago.
Who the fuck uses Adobe Reader on Mac or Linux? Why on earth would you install that shite when you already have alternatives - Preview on Mac to name but one?
"If the app is able to execute code, that's all well and good, but as long as the app can't make Admin level calls, where is the issue?"
So it isn't an issue where the files your account has access to (which could easily contain sensitive/personal info) can still be accessed by malware? Your files can be stolen or deleted and that is not an issue? Yes, it is only a one-time compromise (unless the PDF is opened again), but does it matter if that one time you lost important files/info?
The only time that statement would make sense is if every time you open a PDF, you run your pdf reader using a very restrictive account. Oh, and you copy the pdf file first to an "isolated" folder.
"If the app is able to execute code, that's all well and good, but as long as the app can't make Admin level calls, where is the issue? ... because it's on a Linux box, it's unlikely they will have the ability to exploit the box, unless they have a secondary exploit to give themselves greater access."
If an app is exploited, even if it only provides restricted user-level access, it *IS* a big deal. There are lots of bad things that can be done without rooting a box. Searching for and attacking Windows shares, searching for and sending junk/black pages to networked printers, DOSing an internal or external host/website, flooding the Internet connection with junk to slow the company's Internet connection, visiting illegal websites (including child porn) which will be tied back to the machine and the user who ran the exploit, etc. Rooting a box is not the only way to cause damage, especially if you can select your targets.
This just in!
Acrobat is junk.
Now back to your regularly scheduled programming.
There are elevation of privilege attacks for Linux
Here is an elevation of privilege attack for Linux kernels up to and including 2.6.10. It has sufficient privilege to escape from user mode linux and chroot jails.
The JavaScript need in Reader
I'll try to explain the need to have JavaScript in Reader:
So you can digitally sign those official documents before sending them to the government.
Also, there are a bunch of documents that use JavaScript to validate fields, and so. All for official communications.
Not to say that there are better alternatives, and more secure, but that's how it is.
Everyone uninstall that piece of shit
Adobe reader has gone the way of Realplayer, become so overbloated with shit and security holes that it should be consigned to the dustbin of IT history ASAP.
Install Foxit Reader, safe, secure, and does nothing but READ FUCKING PDFs! Honestly, how hard is that to fuck up.
@AC and Chris C
You don't understand, the Linux kernel is safe so that's all that counts. Err, isn't it... Umm, ahem.
well, people such as HMRC and Companies House make use of it for filing some special returns (annual returns for example), and I think some aspects of tax.
It's done so that calculations such as 1+1 are enabled. I'm sure more than that exists, but that's what I've had experience with. It's been around since version 7.09 (at least). I've not seen anyone moot it until now though...
Why do Linux users want to inflict a closed-source proprietary insecure bug-ridden mess, badly ported from Windows, on their systems? It's not as if Linux didn't have Evince to display pdf files. I've even used Evince to display (perfectly) a pdf file that was generated by Acrobat, yet crashed Acrobat Reader on Windows. (And if you didn't know, OpenOffice can often perform the same magic on .doc files which MS Office says are corrupt).
"Why do Linux users want to inflict a closed-source proprietary insecure bug-ridden mess..."
Because the alternatives don't always work and the convenience of having your pdfs viewable directly in Firefox is very convenient. I'll have to investigate foxit, though...
Won't affect me. I use kpdf or okular.
There are always more good people looking at the Source Code of a Free Software project than there are evil people looking at the Source Code of that project; therefore, it is a reasonable assumption that any bug is more likely to be found first by a good person (who will fix it) than by an evil person (who will use it for nefarious purposes).
"Here is an elevation of privilege attack for Linux kernels up to and including 2.6.10"
2.6.10? Wasn't that released in late 2004? Methinks that there have been more than just a few updates since then. FUD much?