Feeds

back to article Adobe patches critical bugs in Flash and Reader

Adobe has rolled out updates for its widely used Reader PDF viewer and Flash animation programs that fix flaws, some that hackers have been exploiting to hijack end user computers. The emergency patch for Flash was the second time in nine days that Adobe has rushed out a fix for a serious bug in the program. The vulnerability …

COMMENTS

This topic is closed for new posts.
Silver badge
Alert

Problem reported with Reader update

This link says there may be problems printing from Chrome after updating Reader:

https://profiles.google.com/lauren4321/posts/C4dGijRdoiy

0
0
Unhappy

Damn.

Did you HAVE TO tell everyone about Foxit?

3
0
Silver badge

Son't worry.

They've been telling people about Foxit for years. Hasn't changed the numbers much yet, doubt it will this time either.

0
0

Adobe patches critical bugs in Flash and Reader

And next week.....

Adobe patches critical bugs in Flash and Reader.

4
0
Silver badge
Facepalm

Dogs and Adobe Developers must wait outside!

I hope these devs are not let into the bars established next to their respective workplaces.

1
0
Emo

Awesome

Adobe Reader uninstalled, Foxit installed :)

2
0
Happy

First and second rules already broken by the author

Please respect the rules

0
0
Bronze badge
Unhappy

Foxit is following Adobe

Foxit used to be great, but it too has gone down the Adobe path of adding too many features and bloat. Foxit 5 in particular keeps crashing (using Firefox 4.0.1 on Windows XP). Highly recommend Foxit 2 or 3 though, if you can find them!

0
0
Unhappy

Not the point!

The great thing about Foxit is that it's immune to malware - for the same reason that Apples were until recently. Hardly anybody uses them, so they get ignored by malware writers. Foxit almost certainly has massive vulnerabilites, but "security through obscurity" does work, to some extent. Adobe Reader has to cope with a new exploit about once a month. I've never heard of any malware targeting Foxit - yet. Whilst I'm sure that the authors of Foxit would like like it to grab 50% of Adobe Reader's market, as a user I would be happiest if I had the only copy.

0
2

Foxit is compatible with many Adobe Reader vulnerabilities and does not need its own.

http://www.cert.org/blogs/certcc/2009/06/vulnerabilities_and_software_a.html observes a case where admittedly, optional components of Foxit had similar vulnerabilities to the standard-issue edition of Reader. "The extra functionality such as JBIG2/JPX decoding is only present on systems where the user has made the decision that they would like that ability."

CERT has a few notices about Foxit, don't worry.

(And, hey, is https://www.kb.cert.org/ genuine or is it a fake site, 'cause it gives my IE8 security warnings such as about mixing HTTPS and HTTP content.)

0
0
FAIL

Linux Flash player RPM has summary/description = version 7.0!

Just downloaded and installed the Linux i386 RPM of Flash player (flash-plugin-10.3.181.26.i386) and here's what the Summary and Description say ("rpm -qi flash-plugin"):

Summary : Adobe Flash Player 7.0

Description :

Adobe Flash Plugin 7.0.68

Fully Supported: Mozilla 1.0+, Netscape 7.x, Firefox 0.8+

Partially Supported: Opera, Konqueror 3.x

It really shows how incompetent Adobe are doesn't it - none of their "genius" programmers have bother updating the spec file for several years it seems. I guess that goes hand-in-hand with their festering code (full screen Flash on Linux = 100% CPU!).

0
0
Bronze badge

Yup

Yup I've complained about the crappy Flash rpm myself . It also doesn't mention that Flash 10.x require mozilla-nss, so if you don't have that installed it doesn't pull it in. Standard Adobe fail.

0
0

I found it

A rock stable version of Adobe PDF, It's version 1.0. Of course I've lost a bet and had to drink a pint of fosters mixed with bud wiser so I might not be thinking right .

0
0
Unhappy

Can anyone explain...

Serious question here - I know there are people on this forum who can probably give a sensible answer - can anyone explain how it is that hackers are still finding holes in Flash, Adobe Reader and Air?

I work for a software company and have written plenty of code in my time, so I know how easily bugs can creep in, but seriously - these products have been with us for years and they're still finding major holes? I must have had an update on one of these every week for I don't know how long.

While we're at it, the JRE is just as bad.

Windows gets loads of updates too, but that's a whole OS, not just some freeware app that is supposed to do one thing only.

1
0
Boffin

Those apps are very complex!

First of all, Flash, Acrobat, Air (and most browsers) have one thing in common: the ECMAScript interpreter. ECMAScript is the standard, upon which both Javascript (supported by browsers and Acrobat reader) and Actionscript(supported by Flash and Acrobat reader) are based.

Now, unlike any simple freeware app, or indeed unlike very complex special purpose apps, language interpreters, especially for general-purpose, flexible, high-level, turing-complete languages, are a very complex beast. Especially if one considers the need to optimize the interpretation, by compiling parts of the code and running them natively. In fact, writing a compiler/interpreter that will properly handle every conceivable case is more or less theoretically impossible (aka halting problem).

Same is true for Java (JRE). Same is true for loaders and runtime linkers of operating systems.

The only way to make an interpreter completely secure is to limit the language it is made to interpret. For example, by making it non-Turing-complete. Otherwise, as long as potentially hostile Turing-complete code can run on your system, complete safety is practically unattainable, without very serious debugging and purposeful exploit research. But who will pay for such research? Security pays much less than "Features", so adding a new way to tweak a pixel, or speeding up the flash player 5 more percents is more important for Adobe than fixing those bugs, not to mention much cheaper.

3
0
Facepalm

Agreed

Of course those who unleash Turing-complete languages have a responsibility to do the debugging and research--but it won't get done until content providers start walking away from the language... and despite Steve Jobs's efforts (my God am I agreeing with him on something????) I don't see that happening any time soon.

Users don't help either--my neighbor is thrilled with Linux Mint but every few months keeps trying to install the Windows Adobe Reader because some web site tells him he needs it--despite having a perfectly good document reader on the system. :/

0
0

@Buzzword

Are you using the Firefox plugin? I remember, back in the wastes of time, having FF crash every time I opened a PDF in the browser and after scouring forums found the suggestion to not install the browser plugin, and had no problems since...

Why? Dunno... and doubt I can find the source of this belief but been doing it since.

0
0
FAIL

WOW just wow..

"Users are better off using an alternative PDF reader such as Foxit"

That's a mighty dangerous recommendation, as clearly they simply don't have the resources to deal with thier own share of security issues.

At least Adobe are on the case and have a decent update mechanism in place.

I'm glad you aren't a security consultant...

0
1
Bronze badge
Flame

Re: WOW just wow.

"At least Adobe are on the case and have a decent update mechanism in place."

Really? Are you serious or is there a hidden joke in this?

Take a store-brought laptop that comes pre-installed with an older version of Acrobat Reader and attempt to update it to a version that has all recommended security patches applied. Two of the last three I have tried have failed and Acrobat has been replaced by FoxIt.

The advantage of FoxIt is (or at least was) that it provided PDF viewing capabilities without any of the scripting capabilities (or at least FoxIt makes these easy to disable) which is where Acrobat and Flash seem to experience the security problems.

And that's not even including the special software download pages that Adobe provides that will probably add additional software with your Flash/Acrobat/Shockwave install if you don't wait for the whole page to load.

I'm glad you only stock shelves in a supermarket....

1
1
Happy

A twisted solution

I install neither Foxit nor Adobe Reader. I use Chrome for web browsing, and have .pdf files associated with it.

They then get handled by Chrome's built in pdf plug in, which isn't written by Adobe.

This works fine for me on Windows or Linux, and as Google is very enthusiastic about updating Chrome, it should stay reasonably secure (I typically notice when Flash has been updated from the RSS feed to http://googlechromereleases.blogspot.com/)

1
0
Silver badge
Terminator

Android Flash Update

"Tuesday's fix is available for all platforms except for Android."

Realy? So how come my phone updated Flash last night? Oh and Adobe's security bulletin also says:

"users of Adobe Flash Player 10.3.185.23 and earlier versions for Android update to Adobe Flash Player 10.3.185.24."

Try to be accurate when reporting on security issues / updates, they are kinda important.

0
0

Android got its on Wednesday, HTH, HAND

Not Tuesday. Apparently.

0
0
Thumb Down

iphone

This is why iPhone doesn't do flash.

0
0

Anyway,

I thought this was a scheduled update. An -important- update., but one (or two, or...) timed to coincide with Microsoft"s regular patch package. And so not exactly an "emergency" update. Not until the bad guys figure out how to do what the update stops you from doing. Which they kind of figured out already, though.

0
0
Bronze badge
FAIL

Adobe shite

I now see more frikkin' 'update' pop-ups for Adobe crap when I boot my computer than for Windows!

FAIL.

1
0
Happy

Sumatra

Try sumatra pdf viewer for windows.I've been using it for about 6 months. Seems to do the job and doesn't try to be clever. Its open source.

1
0
This topic is closed for new posts.