
back to article Adobe warns over unpatched PDF peril

Hackers are exploiting critical, unpatched vulnerabilities in Adobe Reader, Acrobat and Flash Player. The zero-day vulnerabilities are platform independent and can affect users of Adobe products regardless of whether they run Windows, Mac or Linux systems, Adobe warns. The software developer reckons that Adobe Reader and …

COMMENTS

This topic is closed for new posts.

ugh! Flash inside PDF?!

Booo hissss

Can someone tell me if Apple Preview is affected? I guess that is equivalent to Adobe Reader 8.0?

I have no desire to render Flash content in PDF files - what were Adobe thinking?

2
1
Anonymous Coward

Not to this

Preview only supports the PDF 1.5 spec, so you are safe from this exploit. Adobe 9 uses the PDF 1.6 (or is it 1.9? I forget) spec which includes support for embedded interactive content such as Flash and 3D objects. It sounds like it is the Flash part of that support that is being exploited here.

0
0
Bronze badge
WTF?

@embedded interactive content. WTF!

The whole point of PDF was that it was a read-only document format for sending to printers etc.

So what's the point in adding embedded interactive content to something that should be read-only?

Also PDFs were generally thought of as inert, due to them being read only, adding embedded functionality now means the possibility of executing things inside a PDF, which throws away the safety of the format (what little there was in the first place).

If PDF is going down the interactive route, then perhaps we need a new inert document format.

At the very least the Reader should block all interactive functionality by default, and have to be switched on in order to access any of this. (aka like macros in Office etc.)

6
0
Silver badge

PDF

Amazing. Take a relatively stable document reader. Add all manner of crud into it, support for JavaScript, access to local resources, flash, video, unfiltered HTML rendering, hyperlink actions, forms and it becomes massively bloated, unstable and insecure.

Who'd have thought that may happen?

9
0
WTF?

RE: PDF

Of course Adobe will tell you that none of their software is bloated, unstable and insecure.

However, I've seen what happens to my laptop when Flash is loaded...

Does anyone know why PDF supports Flash anyway? I was gobsmacked by that!

3
1
Bronze badge
Paris Hilton

Is FOXIT's reader vulnerable?

Paris, because everybody foxit.

2
0
FAIL

Brilliant

What a brilliant fix. Hack out parts of Reader/Acrobat and replace Flash with an RC.

Very Adobe. Much like the fix for Redirected AppData with Acrobat: Don't Redirect Appdata

Steve may have a point. And I really don't like that

3
0
Silver badge

Solution

1. Remove Adobe Reader

2. Install* Foxit**

3. and ... relax

* rejecting the option to add the Ask toolbar or whatever other crap they're promoting this week

** other PDF readers are available - almost all of them faster and more secure than Adobe's PoS

0
0
Anonymous Coward

Is Acrobat Reader 5.1 vulnerable?

is Acrobat Reader 5.1 vulnerable? It does everything I need, reads every file I chuck at it, starts up instantly, and is a fraction of the footprint of more recent generations. Why do I want anything more recent, especially if it has as many security holes as a swiss cheese?

2
0
FAIL

Sorry...

can someone remind me why Apple blocking Flash from the iPhone platform is a bad thing?

5
4
Bronze badge

the reason why

'can someone remind me why Apple blocking Flash from the iPhone platform is a bad thing?'

It's 'cause so many of the locals around here hate Apple, that's why.

1
2
Anonymous Coward

that, and the fact....

...that people want it, you need it to get the "whole web" (not optional or debatable) and it really isn't that bad outside of the brainwashed blathering of Jobsian zombies, who are all suddenly raving about Flash being a nightmare at the same time - the very time that Jobs instructs their soulless minds to kick into action and spread forth the word.

Having a zero-day exploit, which happens regularly to Apple products, Microsoft products and everybody else's products, says nothing about the quality of the software and everything about its targetability as a ubiquitous platform.

2
0
Bronze badge

Flash is optional

Quote: '...that people want it, you need it to get the "whole web" (not optional or debatable)'

Yes it is optional.

I use Firefox with No Script and Ad-Block, this blocks flash content by default and I've had very few sites not work with that combination.

The few sites that do rely on Flash, are usually crud (pr0n etc.) or pandering to the masses type sites (YouTube etc.) or are promoting a new Movie or Game, so can be lived without.

Very few real sites I've found actually use Flash for actual content, with most usage being restricted to adverts only, so no real loss there.

The only high profile site I know of that does use flash is YouTube, and they are moving to HTML5, so eventually, once all the mainstream Browsers are up to speed with HTML5, I can see YouTube (Google) dropping Flash.

2
3
Anonymous Coward

Bit rambly, sorry.

>“...it really isn't that bad outside of the brainwashed blathering of Jobsian zombies, who are all suddenly raving about Flash being a nightmare at the same time...”

Sorry, it *is* that bad. Most conscientious web designers and developers (hello!) have been decrying the use of non-standard web elements, including Flash, since 1998. Although Flash may have improved from an accessibility standpoint, it's still not a great solution. It has its place *at the moment*; mainly as a wrapper for audio and video content. Of all the existing web technologies that exist today, Flash is by far the most loathsome, over-used and abused. Which sys admin in their right mind would allow flash onto the corporate network?

>“Having a zero-day exploit, which happens regularly to Apple products, Microsoft products and everybody else's products, says nothing about the quality of the software and everything about its targetability as a ubiquitous platform.”

First of all no-one has said that Apple, Microsoft et al. are free from exploited products and security issues, however so far un-jailbroken iPhones have been free of such issues, the exception being a drive-by and they can affect most browsers, what with it being more of a PICNIC issue rather than a security flaw. Microsoft's new mobile OS has got an even better security record.

And to the crux of the matter. Adobe's track record is hardly good. How long has 64 bit Flash been in development? It seems that not a week goes past without one report or another warning us of another vulnerability discovered in an Adobe product. Whilst it's fair to point out that Apple's own desktop OS is hardly a model of ironclad security and neither is Microsoft's, it's to be expected in OSs of that size and that age. Microsoft really do a remarkable job with Windows, and Apple are getting better at responding to security issues, but Adobe? It's a fucking runtime! Sun manage to stay on top of Java (although Apple do struggle), Microsoft are doing sterling work with Silverlight. But Adobe? Jobs got it right when he called them lazy!

So, let's consider the evidence. Slow to patch software. Slow to implement documented APIs. Consistently release half-baked software. Security is an afterthought. Haven't yet released a decent *full version* of Flash on a mobile platform. It's not surprising that Apple have said ‘thanks, but no thanks...’ to Adobe. I'd urge Microsoft to do the same, but Ballmer is just stupid enough to allow it onto Microsoft's new mobile OS just to be contrary and personally if I were Adobe, I wouldn't trust those that rule the Mountain View Chocolate Factory as far as I could spit; I'm still waiting for one of those three to acquire Adobe...

Just a bootnote; may I respectfully suggest that you leave behind the ad hominems and inflammatory comment, I copped a bollocking for it, deservedly so, and am now trying to avoid it. It can be hard but ultimately it makes you consider what you are going to say more. It can serve to give you the moral high ground too! It's ok to have opposing views, it's not ok to call people names because they do, even if it is really annoying. Attack the idea. Obviously, giant multinational corporations and their management are fair game

7
2
FAIL

For Flash masochists...

"The only high profile site I know of that does use flash is YouTube"

Pop along to activision.com and weep.

0
1
Bronze badge

Wot's an 'activision'?

And why should anyone who's not a gamer care?

0
0
Unhappy

Tactical facepalm

Bloody Adobe, seriously, I can't think of anything that I allow on my machines on a regular basis that has so many terrifying holes.

Thank god for noscript and its active content control and the mighty adblock, given the amount of malware drive-by attacks that are coming from syndicated ad banners.

5
0
FAIL

Why can't Adobe leave things alone?

PDF is no longer Portable, it's Proprietary. Adobe doesn't support all platforms so documents produced with the latest versions of Acrobat can't be read on many platforms. This defeats the whole point of PDF. Adobe specialises in buying up good products and wrecking them.

3
0
Anonymous Coward

Foxit? Why?

Following a recommendation elsewhere I installed Foxit a couple of months ago.

Shortly afterwards I deinstalled it and reverted to Acrobat 5.1, over which Foxit had no significant advantages and a number of disadvantages (details of which unfortunately I can't remember).

Foxit may of course be preferable to a recent Acrobat but there are other alternatives too.

1
6
FAIL

Thimple...

Don't have it on my box.

Won't have it on my box.

Thimple...

0
0

Great Fix Adobe

They warn us about the vulnerability but the only mitigation in Flash is to use the Release Candidate. Maybe they should patch the actual releases!

And moving a file aside in Acrobat Reader. It's very arguable that Flash shouldn't be in Acrobat Reader but shouldn't they patch this too maybe..

Poor...And an unprofessional approach to security patching!

1
0
Silver badge
WTF?

One thing I don't understand.....

(Not trying to defend Adobe BTW)

Microsoft have a security problem - We get "it's a popular OS, if your OS was popular you'd be getting hammered too!"

Adobe have a security problem - We get "adobe suck"

Both have an absolutely terrible history security wise, so quite why the difference? There always seem to be plenty of pro-Adobe commenters when it comes to Apple's love(!) of Flash (or are they just siding with Adobe because they dislike Apple?)

3
0
Go

Why Ask Why?

If you're asking is X.XX version of Adobe Reader vulnerable, then you need to rethink your reasons for asking. Dump it and stop worrying.

0
0
Go

Uninstall Works Pretty Well ...

...then install Foxit PDF reader. WAY smaller footprint, far less Adobe issues, works very well, and it too is "free".

0
0
Anonymous Coward

Yeah, though it craps out a fair bit

..gets to the point where it just hangs on loading, and needs reinstalling rather too often, under windows 7.

0
1
Anonymous Coward

Wake up Adobe

If it wasn't for the fact that I get Adobe Acrobat as part of my job I'd use another PDF creation product instead. I agree with those other posters who ask why Adobe thought it a good idea to turn an effective product into a bloated pile o' crap. Most users - myself included - don't bother with the bells and whistles Adobe seem to think we want, and if they pulled the stuff out we wouldn't even notice it was gone. Wake up and smell the coffee Adobe, clean up your act, sort out the security issues, and put Acrobat on a diet to get rid of some of that bloat and maybe then we'll like you again (maybe even Jobs might embrace you again).

1
0

So, how long before you break the story

that apple employees are developing these exploits, on the clock, using code obtained under non-disclosure agreements?

"Oh, we didn't disclose their source code, so we didn't violate the agreement."

1
4
Badgers

Tinhats!

Have you been reading the ramblings of Extra Special Agent Rob Enderle? He really is a little bit on the Joe from Eastenders side! See http://www.technewsworld.com/story/Apple-Didnt-Beat-Microsoft-Robbie-Bach-Did-Apples-Secret-5th-Column-70092.html for more. Nuts.

0
0

@ AC "Yeah, though it craps out a fair bit"

Never had to do that on any of our Windows 7 boxes with Foxit.

0
0
Silver badge
FAIL

but

el-reg has loads of flash stuff over its site.... how many are booby trapped

The public demands an answer... and before I scuttle off for more beer

0
0
Anonymous Coward

Foxit, schmoxit

I've installed Foxit on a number of machines, but it always feels unfinished, somehow.

A user recently asked for a tool that would let them add "sticky notes" to a PDF file, which led me to try PDFXchange. It's a bit "busy" (half a dozen tool-bars turned on by default), but it seems to be a much better alternative than Foxit.

0
0
Anonymous Coward

IME

running STDU Viewer and Evince atm. Haven't decided between them yet. But Foxit and specifically the ubiquity of Ask it now has gone the way of Adobe's misguided effort.

0
0
Flame

f adobe

Die, adobe, Die! http://www.tracker-software.com/product/pdf-xchange-viewer FTW!

0
0

adobe need to go down the drain

I've refused any of their software on any pc I own for more than 10 years. Along with iTunes and QuickTime, and probably RealPlayer back in the day, it's the most bloated, addicted-to-pop-ups piece of software in the history of software. I hope its software gets knocked extinct soon.

0
0
Linux

Linux vulnerable?

Seriously! Who uses Adobe products on Linux? (ok, except maybe flash.. :/ )

If this affects KPDF I'll eat my hat!

0
0

Also

Sumatra PDF viewer for windows and Ghostview on Linux. Who needs all the crap that comes with Adobe PDF reader? Sumatra loads PDF files much quicker than Adobe's.

1
0
Thumb Up

Had enough of Acrobat now

Too Bloated and is often vulnerable

besides to install it (at the moment needs V9 then the 9.3.2 patch can't be bothered so Foxit it for me :)

0
0
Grenade

Outrageous

I demand my money back from Adobe for this flawed free software.

1
0