Feeds

back to article Adobe confirms remote code-execution flaw in Reader (again)

A security researcher has uncovered yet another vulnerability in Adobe Reader that allows hackers to execute malicious code on computers by tricking their users into opening booby-trapped files. Charlie Miller, principal security analyst at Independent Security Evaluators, disclosed the critical flaw at last week's Black Hat …

COMMENTS

This topic is closed for new posts.
Paris Hilton

Again?????

When oh when are they going to learn to write fuckin code?? What with this and Flash forever fucking up systems... Thank god for Foxit. But when is someone going to write a replacement for flash so we can tell Adobe to fuckin shove it once and for all..

Paris cos she good at fu^75ing...

8
1
Anonymous Coward

Adobe what?

Haven't use the Adobe bloatware reader in years. I find that PDF-XChange Viewer to be better than Adobe or Foxit. Especially when scrolling through magazine pages.

2
0
Linux

Replacement flash

There's one.

It's called Gnash.

http://www.gnu.org/software/gnash/

It's not as compatible as the official Adobe Flash (and the latest version is a nightly snapshot), but then if you're boycotting official Adobe products, you don't really have much of a choice.

2
1

Yep, again.

Adobe's track record for bugs recently is reminiscent of MS a decade ago with the 9x/ME debacles.

Plenty of other PDF viewers around, as mentioned by others, Foxit probably being one of the most popular although I found recent versions a little too ad-ridden so I've switched to one called Sumatra.

Making PDFs? Use Open Office or again, one of the other many free formats.

As to Flash, I think it has a variety of patents attached so Adobe may sit down hard on any competitive player in the US. May be wrong on that though. I do know they're extremely hostile to the idea of a 3rd party player.

Easiest method of stopping Flash buggering your system is to use a flashblock extension of some sort with your favourite browser (I know both FF and Chrome support it).

1
0
FAIL

#Yep Again

>As to Flash, I think it has a variety of patents attached so Adobe may sit down hard on any competitive player in the US. May be wrong on that though. I do know they're extremely hostile to the idea of a 3rd party player.

Yeah...really hostile that's why they open-sourced it via Tamarin, provide the Flex SDK as open-source and just gifted a load of stuff for native rendering to Webkit. Muppet.

0
2

This post has been deleted by its author

Silver badge
Linux

Yawn. Another one?

No surprise there then! I just hope Evince is not vulnerable too. But I'm sure if it is, it will be patched first...

The vulnerabilities in OO I'm not too happy about, but I generally send them, (documents, not vulnerabilities), not receive them, so fingers crossed.

Why can't they all just play nicely like grown ups?

Grrr.....

^_^ <<< Low budget Penguin.

0
0
Silver badge
Jobs Horns

Apple has yet to acknowledge the vulnerabilities.

This falls into the same category as 'Until Hell Freezes Over' or 'When Pigs Will Fly'.

In a word ... NEVER!

1
1
LPF
FAIL

@JaitcH

What does this have to do with apple is it their software?

and maybe its a good thing flash is not running on iPhones maybe jobs has the right fecking idea!

0
0
Silver badge
Alert

LPF: Re-read the article

Paragraph 4

0
0
Thumb Down

Someone should nail Charlie Miller's car

Someone should nail (aka key) Charlie Miller's car door, to give publicity to the fact that Ford still does not make hacker proof car doors.

0
6
Joke

It's a pitty it wasn't written to do something other than display PDFs, really

Consider this: if it was called as "Adobe Remote Systems Administration Client" it would be a great product.

Unfortunately, it's supposed to display PDFs.

4
1
Bronze badge
Thumb Down

Old news

Reader 9.3.3 was released to fix a security hole. The DAY AFTER, it was well known that the fix in 9.3.3 could be bypassed by simply using quote marks on the original exploit, rendering the changes in 9.3.3 useless. That was over a month ago and they never fixed it.

2
0

This post has been deleted by its author

Coat

@Deadly_NZ

Seriously? If you reckon that spending half the time laying there motionless makes a girl "good at it", then I'll be making a mental note to keep you away from mortuaries!

2
0

This post has been deleted by its author

Go

BFD

Foxit reader.

0
0
Anonymous Coward

Why?

Why do people still use acrobat reader? There are better alternatives.

0
0
Bronze badge

I think Foxit had the last vulnerability too.

And Apple's problem is Apple's problem.

Note also that OpenOffice.org is said in the article to be holed. I wonder if that includes the beta or pre-beta version 3.3. Personally I don't exchange OpenOffice.org documents anyway. But it goes to show - again - that open source software isn't immune to this.

0
0
Anonymous Coward

Foxit

The vulnerability you mention was in effect a vulnerability in the PDF format rather than the reader. Virtually every acrobat reader suffered from that one.

If you want some amusing reading check out the history of vulnerabilities in Adobe Acrobat Reader and Foxit Reader over the last few years. It looks really bad for Adobe if you take away the ones that are common to both it look een worse for Adobe.

And Foxit isn't the only alternative Acrobat reader you know.

0
1

For a free writer

I recommend CutePDF. No programs, just a virtual printer that writes your PDF document.

0
0
Anonymous Coward

Why?

I fail to see why a PDF writer is a good idea. Distributing PDF documents effectively encourages people to use Adobe Acrobat Reader and given it's history that is not a good thing.

0
0
Bronze badge
FAIL

It must be nice...

...to be able to afford every program and font in existence.

For those of us that have to send complex documents created in InDesign or Quark XPress for approvals by people who don't have them, or who get, say, ArcView maps in from people when we don't own ArcView, PDF writers/readers fulfill a vital need.

0
0
Pint

Integer vulns are hard to spot

Sumatra is a nice PDF reader. Small and fast.

I read a document a few years ago describing integer overflow and the possible vulnerabilities it induces. I'd always been cautious in my coding with integers but to be fair to Adobe programmers, there were some subtle little things that could trip up anyone.

I mean fair's fair - hands up anyone who has never multiplied a char by something else without considering that the char, when converted to int, would sign extend to a negative number. Nobody? You're s0 gr8.

Belabouring the bleeding obvious, the answer is security in the OS such that when an app is owned, your computer is not owned too. That means not running as admin and forgoing apps that MAKE you run as admin. Bring em back to the shop. Sandboxing, such as is easily possible under Windows 7 is nice too.

0
0

Love that line

"There are no reports of the flaw being targeted for malicious purposes"

3...2...1...

Whilst the info is not fully disclosed yet knowing that there is *definitely* an exploit in there and it's an integer overflow makes it worthwhile hunting for it and lets you know (roughly) where to focus your attention.

I don't see it being more than a week or two before it's weaponised and actively exploited by someone like the Zeus team (not the httpd one). I hope Adobe et al are working hard!

Re: Connor - if you're paid to code production quality software, esp. software that is going to be a large target for blackhats you really ought to read the compiler notes. Being paid £30k+ comes with certain responsiblities. Not being a lazy bugger is probably in there somewhere. I agree with your points which are well made, but many security flaws are the result of stupid or lazy coding. Relying on implicit type conversion in C++ without reading the compiler notes is risky at best. Doing anything in C++ is risky tbh but hoping the complier does what you want it to do without checking first?..

0
0

This post has been deleted by its author

This post has been deleted by its author

Bronze badge
FAIL

See my comment above: "It must be nice..."

True enough, in the sense that it is conceivably possible that I could create screen-caps of a 100+-page, highly-formatted document and create a web site where clients could look it over for approvals.

It would be a pretty moronic use of my time, but it WOULD be possible.

Of course, to make sure that the images were sufficiently high-rez, I'd probably have to zoom in and take screen caps of PARTS of each page and stitch those together -- and likely have to color-correct them, as well...

Then, of course, once the job was approved, the printer would have to print off of those screen-caps, or I would have to send him all of the raw files and hope that he's not running older versions of the publishing software that I used.

Or I could just send PDFs to all parties concerned and get back to billable work.

Guess which one gets my vote.

1
1
Silver badge

AC Colour Separation

Only of use when you have to print something. Only required when you have a Pointless Document Format cos ist not HTML and you cant read it on the screen.

If you have to force users to print your information 20 years after the WWW appeared you may as well throw your computer away - its too clever for you.

And if you think when I print a PDF it looks anything like it does on your printer you're hopelessly mistaken. Pointless Document Format - does what it says on the tin - fuck all.

1
0

This post has been deleted by its author

Troll

I guess...

...that iPhones are vulnerable to Flash exploits too.

Oh wait...

0
0
Gold badge
FAIL

Die, Adobe, die!

You make my life miserable. Please sell Photoshop to someone that doesn't suck and just fade into oblivion.

1
0
Go

All Future Acrobat Reader Patches In One Package

This procedure wil make sure:

1.) Uninstall Acrobat Reader

2.) Download the Develper's version of Chrom

3.) Enable the built-in PDF plugin

4.) Right-click on a PDF document and set Chrome as the default viewer

The result is secure and very, very fast. No difference to viewing html at all.

To all those who don't like PDF I suggest to differentiate between Adobe Acrobat Reader (clearly a pile of poo) and the PDF format itself. It is well-documented and in my opinion one of the few formats computers will be able to render correctly in 50 years time.

1
1
Silver badge

Render Properly in 50 years time?

Having spent 5 years in the printing industry I can say that if you think your document is going to look the same on my printer as it does on yours you are sadly deluded.

A printed document will, if your very very lucky, look the same if its printed on the same printer, just after calibration, at the same temperature and humidity, same batch of inks and paper and all other parameters identical.

I have taken a large wad of cash from someone who was stupid enough to think otherwise.and by putting a single sheet of a different kind of paper into a print run was able to get the whole meaning of a contract changed as on carefully chosen word (not) was not visible in the second copy as the paper didn't take show the word.

Pointless Document Format doesn't render correctly now - it certainly wont in 50 years time.

0
0
Coat

So, essentially...

You're trading out one evil corp (Adobe) for another Chrome (Google)?

0
0
Stop

For me, it is Ok

I am not in the printing or graphics business and PDF is totally OK with me. There is a PDF standard explicitly chosen for long-term preservation of documents (think of aircraft manuals, building documentation etc). As far as I know this is the major standard for this kind of application.

I don't care if it is not 100%, pixel-by-pixel the same on different PDF renderers, I care that my brain thinks it is the same. And I also don't care about the kind of criminal abuse you describe.

What would be the alternative ? GIF ? TIFF ? JPEG ? Rather memory-intensive, I would say.

0
0
Flame

Now we know...

Now we know why Jobs doesn't want Flash on the iPhone. It's associated with scripting - not something we associate with PDFs. If Acrobat documents have got such an obvious vulnerability, how bad can Flash ones get?

0
0

fool me once

Let's see, details on vulnerability in Adobe pdf reader posted in multiple pdf files. Is this an IQ test?

1
0
FAIL

The Larger Lesson Here Is...

The evils of feature creep. If PDF had been kept to its original purpose, we'd be fine. But Adobe couldn't leave it alone and wanted to start making their static documents dynamic. IMO that change from static to dynamic is what destroyed the web, made it perform like shit, and opened up tons of security holes. Geniuses that they are, Adobe copied this static to dynamic change in the web to their Portable Document Format, forgetting that the very nature of a document is STATIC. It is to *document* the state of something at a point in time. There is no reason for links, Javascript, dancing GIF animations or whatever crap the markettards want to introduce to try and sell me their overpriced, unexciting crap. Adobe has simply made the exact same mistake that pretty much the entire web has made, so as utter failures go they aren't even original, they are just copycat failures.

Adobe adopted the idea that PDF was a container for offline web information so they wanted to be able to bundle up all the features of the web (viruses included but not intended) into a compact portable format. Knowing all the investment they had in dynamic content from stuff like Macromedia it was obvious they wanted to be able to deliver animated flash presentations and shit like that in a PDF, they probably saw it as a PowerPoint killer. Well, they succeeded at bundling up all the (destructive) power of the web into an easily portable format for exchange. They succeeded so well they have now become one of the primary conduits for malware.

Kudos Adobe!

1
0
Go

Not Entirely True

Buffer overflows can happen even in C-type programming languages even if you have a program which is only supposed to be a "viewer". Even vi, less and more could theoretically have buffer overflows.

http://en.wikipedia.org/wiki/Buffer_overflow

On the other hand, it IS possible to run untrusted executable code securely, IF you have a proper sandbox around that. Javascript, Java and .Net prove that (through user-level software mechanisms). In addition to that, mechanisms like SE Linux, AppArmor, BSD Jails or the Google Chrome Security Architecture intercept and validate system calls using the Memory Management Unit and the Operating System. IE8 is doing something similar.

One could also argue that proper Operating Systems like Unix, the WNT Kernel and things like VMware or Xen have proven that secure execution of untrusted code is indeed possible.

The problem of numerous buffer and integer overflows will persist, though. That means sandboxes are exactly the right thing to do.

0
0
This topic is closed for new posts.