Criminals behind the notorious Zeus crimeware package have begun exploiting an unpatched hole in the widely used portable document format to install malware on end user computers. The booby-trapped PDF documents arrive in emails that purport to contain a billing invoice, according to a post from M86 Security Labs. If the user …
Are Mac OSX vulverable - if so, how to stop?
In your article you said:
QUOTE"Users in the meantime can protect themselves by turning off the automatic launch feature. To do this, go to Edit > Preferences and click on Trust Manager in the left pane. Then, uncheck the box for "Allow opening of non-PDF file attachments with external applications.""EndQUOTE.
What should Mac OS X users do to ensure they are safe?
Or are they safe in any case? (Many Mac users don't need to run Adobe Reader, because OS X has in-built PDF capabilities that do very well, usually)
Apple uses their own PDF engine which does not have this vulnerability.
here we go again.
adobe = fail
Users can protect themselves
"Users in the meantime can protect themselves by turning off the automatic launch feature. "
"Users can permanently protect themselves by uninstalling the bloated PoS."
wow. a security hole in an adobe product.
can we have a "where's the news?" icon to go with the "Where's the IT angle?" button please?
Who the fuh?
Shurely shome mishtake
Adobe doesn't ship software with vulnerabilities and bugs in it.
I know, because they told us a couple of months ago.
@ shurley shome mistake
Because, just like MS, they are features.
An Alternative Perspective -- Scientific Accountability
I've been following Dan Goodin's articles on PDF vulnerabilities
quite closely for some time now and I would like to offer an
alternative perspective. Specifically, instead of bashing PDF
for its security weaknesses, I believe the format should be
appreciated for the many scientific possibilities it offers, especially
in light of the ongoing climategate scandal.
Before I elaborate on my viewpoint, I should note that I do take
PDF vulnerabilities seriously. For instance, the recent security advisory:
lists me as having identified CVE-2010-0197. And Quirk2003,
http://www.amrita-cfd.org/doc/amr2003, is an example of a PDF
that includes a built-in security FAQ. It does so, because the document
includes /Launch actions, which currently have Stevens in a froth.
However, for added security, its /Launch actions are only active
when the document is viewed using a custom PDF pre-processor.
Therefore, while I would not bill myself as a security expert,
I like to think I have a grasp of the main issues.
My real interest lies with the concept of self-substantiating,
journal articles for injecting rigour into the practical aspects
of computational science. Imagine electronic documents that
preserve the look-and-feel of a traditional scholarly publication,
while containing embedded examples that allow the interested reader
to sample the reported work, first hand, right down to its smallest detail.
Well, Quirk20003 shows that such documents can be prototyped using PDF.
Why bother? Some of you may have read a recent story in The Guardian,
by Darell Ince: ``If you're going to do good science,
release the computer code too'' see:
It is an open secret in scientific computing that programming standards
are extremely poor and desperately need improving.
As luck would have it, I posted the last comment on Ince's article
and so it has its own url,
But the downside to posting the last comment is that I got no feedback.
Undeterred, I contacted Ince directly. Then following an exchange of
e-mails and a phone call, he pointed me in the direction of
``The Fourth Paradigm'' -- scientific discovery
through data intensive processing, see http://www.fourthparadigm.org .
And it was while annotating this Microsoft-sponsored
book that I stumbled upon CVE-2010-0197 .
Now as an undergraduate, I lived in Fitzwilliam St, Cambridge,
directly opposite to where Darwin once lived, and so I'm fully aware
of my own limitations as a scientist. However, given my document
dabblings, it pains me to see the advocacy of a new scientific paradigm,
distributed as a PDF, in which the authors cannot provide the
critical reader with worked examples to show their ``computational thinking.''
The situation is analogous to a mathematician claiming to have a wonderful proof
but only being prepared to discuss the proof in vague generalities.
It jars, because as my annotated version shows:
PDF allows for a much richer dialogue between technical author and
Here I need to make it very clear that my document dabblings are just that,
dabblings, and anyone who downloads jjq-on-4th-paradigm.pdf will soon
see the limitations of my work. The scientific question, however,
is not whether I'm right or wrong. Nor has it anything to do with
format wars, PDF vs XML vs A.N.OTHER. It has to do with accountability,
scholarship, and maintaining standards of critical thinking.
This week the US Library of Congress announced a project to
archive Twitter which, while I have grave misgivings about the target
material, shows that society takes its archiving duties seriously.
For me, a much more exciting initiative is the Federal Research
Public Access Act (FRPAA):
which today, after a number of false starts, was introduced
in the US House of Representatives, not six miles from where
I'm composing this message.
The challenge I would like to leave readers of Dan Goodin's articles
is that the next time you are tempted to bash PDF for having unnecessary
and dangerous features: stop, and imagine a world where taxpayers,
educators, and students could download and try out ``computational classics.''
These are entites that rival literary ones in terms of their cultural significance and
would help inspire generation after generation to the intellectual joys
of computer-based science. Then imagine what document features would be needed
to support said computational classics.
This year, The Royal Society (the world's oldest scientific organization still
in existence) is celebrating its 350th anniversary.
So do your imagining in the year 2360 when the society celebrates
its 700th anniversary. By then, the inherent weaknesses of current
journal papers, for reporting computational work, not withstanding
their strengths, will be apparent to even a kindergarten student.
It is also to be hoped that by then society will have a better
handle on how to deal with computer security.
Yes security is important, but it is also important for document formats
to evolve so as to support rigorous computer-based science.
James J. Quirk
16th April 2010
By gum lad
You need an editor.
- Xmas Round-up Ten top tech toys to interface with a techie’s Christmas stocking
- Xmas Round-up Ghosts of Christmas Past: Ten tech treats from yesteryear
- Review Hey Linux newbie: If you've never had a taste, try perfect Petra ... mmm, smells like Mint 16
- NSFW Oz couple get jiggy in pharmacy in 'banned' condom ad
- Analysis Microsoft's licence riddles give Linux and pals a free ride to virtual domination