A security researcher has uncovered yet another vulnerability in Adobe Reader that allows hackers to execute malicious code on computers by tricking their users into opening booby-trapped files. Charlie Miller, principal security analyst at Independent Security Evaluators, disclosed the critical flaw at last week's Black Hat …
When oh when are they going to learn to write fuckin code?? What with this and Flash forever fucking up systems... Thank god for Foxit. But when is someone going to write a replacement for flash so we can tell Adobe to fuckin shove it once and for all..
Paris cos she good at fu^75ing...
Haven't use the Adobe bloatware reader in years. I find that PDF-XChange Viewer to be better than Adobe or Foxit. Especially when scrolling through magazine pages.
It's called Gnash.
It's not as compatible as the official Adobe Flash (and the latest version is a nightly snapshot), but then if you're boycotting official Adobe products, you don't really have much of a choice.
Adobe's track record for bugs recently is reminiscent of MS a decade ago with the 9x/ME debacles.
Plenty of other PDF viewers around, as mentioned by others, Foxit probably being one of the most popular although I found recent versions a little too ad-ridden so I've switched to one called Sumatra.
Making PDFs? Use Open Office or again, one of the other many free formats.
As to Flash, I think it has a variety of patents attached so Adobe may sit down hard on any competitive player in the US. May be wrong on that though. I do know they're extremely hostile to the idea of a 3rd party player.
Easiest method of stopping Flash buggering your system is to use a flashblock extension of some sort with your favourite browser (I know both FF and Chrome support it).
>As to Flash, I think it has a variety of patents attached so Adobe may sit down hard on any competitive player in the US. May be wrong on that though. I do know they're extremely hostile to the idea of a 3rd party player.
Yeah...really hostile that's why they open-sourced it via Tamarin, provide the Flex SDK as open-source and just gifted a load of stuff for native rendering to Webkit. Muppet.
Yawn. Another one?
No surprise there then! I just hope Evince is not vulnerable too. But I'm sure if it is, it will be patched first...
The vulnerabilities in OO I'm not too happy about, but I generally send them, (documents, not vulnerabilities), not receive them, so fingers crossed.
Why can't they all just play nicely like grown ups?
^_^ <<< Low budget Penguin.
Apple has yet to acknowledge the vulnerabilities.
This falls into the same category as 'Until Hell Freezes Over' or 'When Pigs Will Fly'.
In a word ... NEVER!
What does this have to do with apple is it their software?
and maybe its a good thing flash is not running on iPhones maybe jobs has the right fecking idea!
LPF: Re-read the article
Someone should nail Charlie Miller's car
Someone should nail (aka key) Charlie Miller's car door, to give publicity to the fact that Ford still does not make hacker proof car doors.
It's a pitty it wasn't written to do something other than display PDFs, really
Consider this: if it was called as "Adobe Remote Systems Administration Client" it would be a great product.
Unfortunately, it's supposed to display PDFs.
Reader 9.3.3 was released to fix a security hole. The DAY AFTER, it was well known that the fix in 9.3.3 could be bypassed by simply using quote marks on the original exploit, rendering the changes in 9.3.3 useless. That was over a month ago and they never fixed it.
Seriously? If you reckon that spending half the time laying there motionless makes a girl "good at it", then I'll be making a mental note to keep you away from mortuaries!
Why do people still use acrobat reader? There are better alternatives.
I think Foxit had the last vulnerability too.
And Apple's problem is Apple's problem.
Note also that OpenOffice.org is said in the article to be holed. I wonder if that includes the beta or pre-beta version 3.3. Personally I don't exchange OpenOffice.org documents anyway. But it goes to show - again - that open source software isn't immune to this.
The vulnerability you mention was in effect a vulnerability in the PDF format rather than the reader. Virtually every acrobat reader suffered from that one.
If you want some amusing reading check out the history of vulnerabilities in Adobe Acrobat Reader and Foxit Reader over the last few years. It looks really bad for Adobe if you take away the ones that are common to both it look een worse for Adobe.
And Foxit isn't the only alternative Acrobat reader you know.
For a free writer
I recommend CutePDF. No programs, just a virtual printer that writes your PDF document.
I fail to see why a PDF writer is a good idea. Distributing PDF documents effectively encourages people to use Adobe Acrobat Reader and given it's history that is not a good thing.
It must be nice...
...to be able to afford every program and font in existence.
For those of us that have to send complex documents created in InDesign or Quark XPress for approvals by people who don't have them, or who get, say, ArcView maps in from people when we don't own ArcView, PDF writers/readers fulfill a vital need.
Integer vulns are hard to spot
Sumatra is a nice PDF reader. Small and fast.
I read a document a few years ago describing integer overflow and the possible vulnerabilities it induces. I'd always been cautious in my coding with integers but to be fair to Adobe programmers, there were some subtle little things that could trip up anyone.
I mean fair's fair - hands up anyone who has never multiplied a char by something else without considering that the char, when converted to int, would sign extend to a negative number. Nobody? You're s0 gr8.
Belabouring the bleeding obvious, the answer is security in the OS such that when an app is owned, your computer is not owned too. That means not running as admin and forgoing apps that MAKE you run as admin. Bring em back to the shop. Sandboxing, such as is easily possible under Windows 7 is nice too.
Love that line
"There are no reports of the flaw being targeted for malicious purposes"
Whilst the info is not fully disclosed yet knowing that there is *definitely* an exploit in there and it's an integer overflow makes it worthwhile hunting for it and lets you know (roughly) where to focus your attention.
I don't see it being more than a week or two before it's weaponised and actively exploited by someone like the Zeus team (not the httpd one). I hope Adobe et al are working hard!
Re: Connor - if you're paid to code production quality software, esp. software that is going to be a large target for blackhats you really ought to read the compiler notes. Being paid £30k+ comes with certain responsiblities. Not being a lazy bugger is probably in there somewhere. I agree with your points which are well made, but many security flaws are the result of stupid or lazy coding. Relying on implicit type conversion in C++ without reading the compiler notes is risky at best. Doing anything in C++ is risky tbh but hoping the complier does what you want it to do without checking first?..
See my comment above: "It must be nice..."
True enough, in the sense that it is conceivably possible that I could create screen-caps of a 100+-page, highly-formatted document and create a web site where clients could look it over for approvals.
It would be a pretty moronic use of my time, but it WOULD be possible.
Of course, to make sure that the images were sufficiently high-rez, I'd probably have to zoom in and take screen caps of PARTS of each page and stitch those together -- and likely have to color-correct them, as well...
Then, of course, once the job was approved, the printer would have to print off of those screen-caps, or I would have to send him all of the raw files and hope that he's not running older versions of the publishing software that I used.
Or I could just send PDFs to all parties concerned and get back to billable work.
Guess which one gets my vote.
AC Colour Separation
Only of use when you have to print something. Only required when you have a Pointless Document Format cos ist not HTML and you cant read it on the screen.
If you have to force users to print your information 20 years after the WWW appeared you may as well throw your computer away - its too clever for you.
And if you think when I print a PDF it looks anything like it does on your printer you're hopelessly mistaken. Pointless Document Format - does what it says on the tin - fuck all.
...that iPhones are vulnerable to Flash exploits too.
Die, Adobe, die!
You make my life miserable. Please sell Photoshop to someone that doesn't suck and just fade into oblivion.
All Future Acrobat Reader Patches In One Package
This procedure wil make sure:
1.) Uninstall Acrobat Reader
2.) Download the Develper's version of Chrom
3.) Enable the built-in PDF plugin
4.) Right-click on a PDF document and set Chrome as the default viewer
The result is secure and very, very fast. No difference to viewing html at all.
To all those who don't like PDF I suggest to differentiate between Adobe Acrobat Reader (clearly a pile of poo) and the PDF format itself. It is well-documented and in my opinion one of the few formats computers will be able to render correctly in 50 years time.
Render Properly in 50 years time?
Having spent 5 years in the printing industry I can say that if you think your document is going to look the same on my printer as it does on yours you are sadly deluded.
A printed document will, if your very very lucky, look the same if its printed on the same printer, just after calibration, at the same temperature and humidity, same batch of inks and paper and all other parameters identical.
I have taken a large wad of cash from someone who was stupid enough to think otherwise.and by putting a single sheet of a different kind of paper into a print run was able to get the whole meaning of a contract changed as on carefully chosen word (not) was not visible in the second copy as the paper didn't take show the word.
Pointless Document Format doesn't render correctly now - it certainly wont in 50 years time.
You're trading out one evil corp (Adobe) for another Chrome (Google)?
For me, it is Ok
I am not in the printing or graphics business and PDF is totally OK with me. There is a PDF standard explicitly chosen for long-term preservation of documents (think of aircraft manuals, building documentation etc). As far as I know this is the major standard for this kind of application.
I don't care if it is not 100%, pixel-by-pixel the same on different PDF renderers, I care that my brain thinks it is the same. And I also don't care about the kind of criminal abuse you describe.
What would be the alternative ? GIF ? TIFF ? JPEG ? Rather memory-intensive, I would say.
Now we know...
Now we know why Jobs doesn't want Flash on the iPhone. It's associated with scripting - not something we associate with PDFs. If Acrobat documents have got such an obvious vulnerability, how bad can Flash ones get?
fool me once
Let's see, details on vulnerability in Adobe pdf reader posted in multiple pdf files. Is this an IQ test?
The Larger Lesson Here Is...
Adobe adopted the idea that PDF was a container for offline web information so they wanted to be able to bundle up all the features of the web (viruses included but not intended) into a compact portable format. Knowing all the investment they had in dynamic content from stuff like Macromedia it was obvious they wanted to be able to deliver animated flash presentations and shit like that in a PDF, they probably saw it as a PowerPoint killer. Well, they succeeded at bundling up all the (destructive) power of the web into an easily portable format for exchange. They succeeded so well they have now become one of the primary conduits for malware.
Not Entirely True
Buffer overflows can happen even in C-type programming languages even if you have a program which is only supposed to be a "viewer". Even vi, less and more could theoretically have buffer overflows.
One could also argue that proper Operating Systems like Unix, the WNT Kernel and things like VMware or Xen have proven that secure execution of untrusted code is indeed possible.
The problem of numerous buffer and integer overflows will persist, though. That means sandboxes are exactly the right thing to do.
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Hi-torque tank engines: EXTREME car hacking with The Register
- Review What's MISSING on Amazon Fire Phone... and why it WON'T set the world alight
- Product round-up Trousers down for six of the best affordable Androids
- Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...