Hackers are exploiting critical, unpatched vulnerabilities in Adobe Reader, Acrobat and Flash Player. The zero-day vulnerabilities are platform independent and can affect users of Adobe products regardless of whether they run Windows, Mac or Linux systems, Adobe warns. The software developer reckons that Adobe Reader and …
ugh! Flash inside PDF?!
Can someone tell me if Apple Preview is affected? I guess that is equivalent to Adobe Reader 8.0?
I have no desire to render Flash content in PDF files - what were Adobe thinking?
Not to this
Preview only supports the PDF 1.5 spec, so you are safe from this exploit. Adobe 9 uses the PDF 1.6 (or is it 1.9? I forget) spec which includes support for embedded interactive content such as Flash and 3D objects. It sounds like it is the Flash part of that support that is being exploited here.
@embedded interactive content. WTF!
The whole point of PDF was that is was a read-only document format for sending to printers etc.
So what's the point in adding embedded interactive content to something that should be read-only?
Also PDF's were generally thought of as inert, due to them being read only, adding embedded functionality now means the possibility of executing things inside a PDF, which throws away the safety of the format (what little there was in the first place).
If PDF is going down the interactive route, then perhaps we need a new inert document format.
At the very least the Reader should block all interactive functionality by default, and have to be switched on in order to access any of this. (aka like Macro's in Office etc.)
Who'd have thought that may happen?
Of course Adobe will tell you that none of their software is bloated, unstable and insecure.
However, I've seen what happens to my laptop when Flash is loaded...
Does anyone know why PDF supports Flash anyway? I was gobsmacked by that!
Is FOXIT's reader vulnerable?
Paris, because everybody foxit.
What a brilliant fix. Hack out parts of Reader/Acrobat and replace Flash with an RC.
Very Adobe. Much like the fix for Redirected AppData with Acrobat: Don't Redirect Appdata
Steve may have a point. And I really don't like that
1. Remove Adobe Reader
2. Install* Foxit**
3. and ... relax
* rejecting the option to add the Ask toolbar or whatever other crap they're promoting this week
** other PDF readers are available - almost all of them faster and more secure than Adobe's PoS
Is Acrobat Reader 5.1 vulnerable?
is Acrobat Reader 5.1 vulnerable? It does everything I need, reads every file I chuck at it, starts up instantly, and is a fraction of the footprint of more recent generations. Why do I want anything more recent, especially if it has as many security holes as a swiss cheese?
can someone remind me why Apple blocking Flash from the iPhone platfom is a bad thing?
the reason why
'can someone remind me why Apple blocking Flash from the iPhone platfom is a bad thing?'
It's 'cause so many of the locals around here hate Apple, that's why.
that, and the fact....
...that people want it, you need it to get the "whole web" (not optional or debatable) and it really isn't that bad outside of the brainwashed blathering of Jobsian zombies, who are all suddenly raving about Flash being a nightmare at the same time - the very time that Jobs instructs their soulless minds to kick into action and spread forth the word.
Having a zero-day exploit, which happens regularly to Apple products, Microsoft products and everybody else's products, says nothing about the quality of the software and everything about its targetability as a ubiquitous platform.
Flash is optional
Quote: '...that people want it, you need it to get the "whole web" (not optional or debatable)'
Yes it is optional.
I use Firefox with No Script and Ad-Block, this blocks flash content by default and I've had very few sites not work with that combination.
The few sites that do rely on Flash, are usually crud (pr0n etc.) or pandering to the masses type sites (YouTube etc.) or are promoting a new Movie or Game, so can be lived without.
Very few real sites I've found actually use Flash for actual content, with most usage being restricted to adverts only, so no real loss there.
The only high profile site I know of that does use flash is YouTube, and they are moving to HTML5, so eventually, once all the mainstream Browsers are upto speed with HTML5, I can see YouTube (Google) dropping Flash.
Bit rambly, sorry.
>“...it really isn't that bad outside of the brainwashed blathering of Jobsian zombies, who are all suddenly raving about Flash being a nightmare at the same time...”
Sorry, it *is* that bad. Most conscientious web designers and developers (hello!) have been decrying the use of non standard web elements, including, Flash since 1998. Although Flash may have improved from an accessibility stand point, it's still not a great solution. It has it's place *at the moment*; mainly as a wrapper for audio and video content. Of all the existing web technologies that exist today, Flash is by far the most loathsome, over-used and abused. Which sys admin in their right mind would allow flash onto the corporate network?
>“Having a zero-day exploit, which happens regularly to Apple products, Microsoft products and everybody else's products, says nothing about the quality of the software and everything about its targetability as a ubiquitous platform.” First of all no-one has said that Apple, Microsoft et al. are free from exploited products and security issues, however so far un-jailbroken iPhones have been free of such issues, the exception being a drive-by and they can affect most browsers, what with it being more of a PICNIC issue rather than a security flaw. Microsofts new mobile OS has got an even better security record. And to the crux of the matter. Adobe's track record is hardly good. How long has 64 bit Flash been in development? It seems that not a week goes past without one report or another warning us of another vulnerable discovered in an Adobe product. Whilst it's fair to point out that Apple's own desktop OS is hardly a model of ironclad security and neither is Microsoft's, it's to be expected in OSs of that size and that age. Microsoft really do a remarkable job with Windows, and Apple are getting better at responding to security issues, but Adobe? It's a fucking runtime! Sun manage to stay on top of Java (although Apple do struggle), Microsoft are doing sterling work with Silverlight. But Adobe? Jobs got it right when he called them lazy! So, let's consider the evidence. Slow to patch software. Slow to implement documented API's. Consistently release half baked software. Security is an afterthought. Haven't yet released a decent *full version* of Flash on a mobile platform. It's not surprising that Apple have said ‘thanks, but no thanks...’ to Adobe. I'd urge Microsoft to do the same, but Ballmer is just stupid enought to allow it onto Microsoft's new mobile OS just to be contrary and personally if I were Adobe, I wouldn't trust those that rule the Mountain View Chocolate Factory as far a coult spit; I'm still waiting for one of those three to aquire Adobe...
Just a bootnote; may I respectfully suggest that you leave behind the ad hominems and inflamatory comment, I copped a bollocking for it, deservedly so, and now trying to avoid it. It can be hard but ultimately it makes you consider what you are going to say more. It can serve to give you the moral high ground too! It's ok to have opposing views, it's not ok to call people names because they do, even if it is really annoying. Attack the idea. Obviously, giant multinational corporations and their management are fair game
For Flash masochists...
"The only high profile site I know of that does use flash is YouTube"
Pop along to activision.com and weep.
Wot's an 'activision'?
And why should anyone who's not a gamer care?
Bloody Adobe, seriously, I can't think of anything that I allow on my machines on a regular basis that has so many terrifying holes.
Thank god for noscript and its active content control and the mighty adblock, given the amount of malware driveby attacks are coming from syndicated ad banners.
Why can't Adobe leave things alone?
PDF is no longer Portable, it's Proprietary. Adobe doesn't support all platforms so documents produced with the latest versions of Acrobat can't be read on many platforms. This defeats the whole point of PDF. Adobe specualisees in buying up good products and wrecking them.
Following a recommendation elsewhere I installed Foxit a couple of months ago.
Shortly afterwards I deinstalled it and reverted to Acrobat 5.1, over which Foxit had no significant advantages and a number of disadvantages (details of which unfortunately I can't remember).
Foxit may of course be preferably to a recent Acrobat but there are other alternatives too.
Don't have it on my box.
Won't have it on my box.
Great Fix Adobe
They warn us about the vulnerability but the only mitigation in Flash is to use the Release Candidate. Maybe they should patch the actual releases!
And moving a file aside in Acrobat Reader. It's very arguable that Flash shouldn't be in Acrobat Reader but shouldn't they patch this too maybe..
Poor...And an unprofessional approach to security patching!
One thing I don't understand.....
(Not trying to defend Adobe BTW)
Microsoft have a security problem - We get "it's a popular OS, if your OS was popular you'd be getting hammered too!"
Adobe have a security problem - We get "adobe suck"
Both have an absolutely terrible history security wise, so quite why the difference? There always seem to be plenty of pro-Adobe commenters when it comes to Apple's love(!) of Flash (or are they just siding with Adobe because they dislike Apple?)
Why Ask Why?
If you're asking is X.XX version of Adobe Reader vulnerable, then you need to rethink your reasons for asking. Dump it and stop worrying.
Uninstall Works Pretty Well ...
...them install Foxit PDF reader. WAY smaller footprint, far less Adobe issues, works very well, and it too id "free".
Yeah, though it craps out a fair bit
..gets to the point where it just hangs on loading, and needs reinstalling rather too often, under windows 7.
Wake up Adobe
If it wasn't for the fact that I get Adobe Acrobat as part of my job I'd use another PDF creation product instead. I agree with those other posters who ask why Adobe thought it a good idea to turn an effective product into a bloated pile o' crap. Most users - myself included - don't bother with the bells and whistles Adobe seem to think we want, and if they pulled the stuff out we wouldn't even notice it was gone. Wake up and smell the coffee Adobe, clean up your act, sort out the security issues, and put Acrobat on a diet to get rid of some of that bloat and maybe then we'll like you again (maybe even Jobs might embrace you again).
So, how long before you break the story
that apple employees are developing these exploits, on the clock, using code obtained under non-disclosure agreements?
"Oh, we didn't disclose their source code, so we didn't violate the agreement."
Have you been reading the ramblings of Extra Special Agent Rob Enderle? He really is a little bit on the Joe from Eastenders side! See http://www.technewsworld.com/story/Apple-Didnt-Beat-Microsoft-Robbie-Bach-Did-Apples-Secret-5th-Column-70092.html for more. Nuts.
@ AC "Yeah, though it craps out a fair bit"
Never had to do that on any of our Windows 7 boxes with Foxit.
el-reg has loads of flash stuff over its site.... how many are booby trapped
The public demands an answer... and before I scuttle off for more beer
I've installed Foxit on a number of machines, but it always feels unfinished, somehow.
A user recently asked for a tool that would let them add "sticky notes" to a PDF file, which led me to try PDFXchange. It's a bit "busy" (half a dozen tool-bars turned on by default), but it's seems to be a much better alternative than Foxit.
running STDU Viewer and Evince atm. Haven't decided between them yet. But Foxit and specifically the ubiquity of Ask it now has has gone the way of Adobe's misguided effort.
Die, adobe, Die! http://www.tracker-software.com/product/pdf-xchange-viewer FTW!
adobe need to go down the drain
I've refused any of their software on any pc I own for more than 10 years. Along with iTunes and QuickTime, and probably RealPlayer back in the day, it's the most bloated, addicted-to-pop-ups pice of software in the history of software. I hope it's software gets knocked extinct soon.
Seriously! Who uses Adobe products on Linux? (ok, except maybe flash.. :/ )
If this affects KPDF I'll eat my hat!
Sumatra PDF viewer for windows and Ghostview on Linux. Who needs all the crap that comes with Adobe PDF reader? Sumatra loads PDF files much quicker than Adobe's.
Had enough of Acrobat now
Too Bloated and is often vulnerable
besides to install it (at the moment needs V9 then the 9.3.2 patch cant be bothered so Foxit it for me :)
I demand my money back from Adobe for this flawed free software.
- +Analysis Microsoft: We're making ONE TRUE WINDOWS to rule us all
- Climate: 'An excuse for tax hikes', scientists 'don't know what they're talking about'
- Apple: We'll unleash OS X Yosemite beta on the MASSES July 24
- Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
- White? Male? You work in tech? Let us guess ... Twitter? We KNEW it!