Adobe has released updates for its Reader and Acrobat applications that fix two vulnerabilities that attackers were exploiting to seize control of Windows-based machines. Version 9.4.7 of the programs fixes two memory-corruption bugs that Adobe says are “being actively exploited in limited, targeted attacks in the wild” against …
On Linux or *BSD, who could be using Adobe Acrobat Reader at all, I am wondering?
People actually using features
People using Linux on enterprise desktops and some larger .edu. Or end users sign docs etc.
The very features of Adobe Reader that make it exceptionally vulnerable? AR (as was mentioned below) is so bloated. When I was using a friend's PC to compile some LaTeX code it would freak out every time a doc got updated. I do it on Debian out of emacs (C-c C-c versus C-c C-f), evince refreshes the document without a problem.
As a matter of fact evince is much more capable, it understands a bunch of different other open formats, like djvu.
"Adobe has released updates for its Reader and Acrobat applications that fix two vulnerabilities that attackers were exploiting to seize control of Windows-based machines."
Windows - ever so secure!
Yes indeed, Microsoft is the one to carry most responsibility for the recklessness we see in the IT development and culture. Especially RPC, I am sorry, even this is so much of a beaten place. Everyone knows that it is the most insecure protocol out there.
I would like to know though if you could successfully use one of the vulns on non-Windie machines. It goes without saying, using Adobe is unwise anyways, but still....
What the hell has happened to Adobe recently?
Flash is well known to cripple browsers on any platform.
Adobe Acrobat Professional regularly crashes IE on my Windows workstation.
Lightroom 3 crashes if you are tagging photos (at least on Lion).
Photoshop also crashes very often on Lion (and sometimes takes the entire system down).
ADOBE SORT YOUR SHIT OUT !!!
Adobe's been the biggest attack surface in the industry for a number of years now, surely?
Here Is The Fix
A) Deinstall Current Acrobat Reader Version
B) Install the latest Acrobat Fix: http://projects.gnome.org/evince/?guid=ON
Right, but first you have to fix the OS by wiping the MS sh?t out the hdd and install something decent, like *buntu, Mint or whatever.
I haven't used Acrobat Reader for years
Preview on OS X
Whatever comes by default on a given flavour of Linux
Ghostview / Ghostscript or XPDF on a variety of other systems
Foxit on Windows
If you run Leopard?
Apple stopped security updates for Leopard including Preview and its frameworks.
Try http://www.adobe.com/support/security/advisories/apsa11-04.html again
Adobe Reader 9.4.6 is unsafe. You need to get Adobe Reader 9.4.7 if you have a compelling reason not to get Adobe Reader X (10) instead.
And if I read your article right, there's an RPC problem which they cannot have fixed yet.
By the way, I'm assuming that Adobe Reader 8.x and earlier are unsupported, as the web site seems to say, and equally vulnerable. I'm asking because... never mind.
You're right. 9.4.7 is the updated version, not 9.4.6 as previously reported. My apologies. The error has been corrected.
As for the RPC vulnerability, Adobe spokeswoman Wiebke Lips wrote in an email to The Register:
"Note: CVE-2011-4369 was reported after the security advisory (APSA11-04<http://www.adobe.com/support/security/advisories/apsa11-04.html>) was published. The Adobe Reader and Acrobat team was able to provide a fix for this new issue as part of today's update. Note also that at this time, we are only aware of one instance of CVE-2011-4369 being used."
That slip could have been nasty for some.
I thought I detected coyness that usually means it's not fixed yet, so, well done that it is. I'm not sure about Mac and Linux users being safe though, just because there weren't attacks reported, but Adobe and those users know their business best.
Am I straight about Adobe Reader 8 being a really bad idea now?
I really can't get excited about this - I ditched Acrobat years ago for Foxit Reader and have now got the excellent NitroPDF. Free, fast, small and bug-free. What's not to like?
Adobe Reader and Linux...sigh
Is it just me or has Adobe Reader on Linux lagged behind the Mac and Windows versions for a year now? The "X" version isn't available on Linux (is there any technical reason why?) and they don't even bother updating the Linux 9.4.6 release for a month after the Windows one, despite it having the same security issue as the Windows 9.4.6 release!
Sadly, for some PDF documents, Linux alternatives like evince, xpdf and so on aren't good enough (evince in particular is prone to crashes with certain PDFs, which load fine in Adobe's wretched reader).
I've even been desperate enough to try Firefox's pdf.js extension, but it unfortunately honours the browser's font settings (which I set to 16 point - pdf.js should either have its own font settings or ignore the browser's, IMHO), leaving each page a mush of overlarge black text.
BTW, on a slightly different topic, has anyone seen a true 64-bit PDF reader on Windows (i.e. a 64-bit binary)? Nitro PDF "64-bit" version isn't 64-bit - the process is 32-bit. I'm trying to keep Windows 7 "64-bit pure", but bizarrely a 64-bit PDF reader binary doesn't seem to exist!
Writer does PDFs... and comes in x64 flavours
OK, it is the first time I hear about some pdf docs "crashing" evince... Quite the other way around, for some reason adobe r. would crash if you run pdftex/latex when a doc is opened.
What kind of document is it? Did you try any of the alternatives, like kpd, gv, xpdf? or docview in emacs?
I am surprised that people are still using the official 'Reader' when there ARE alternatives, oh and hurry up Google with that HTML5 implementation! I don't like the idea of Flash being yet another attack vector.
Spot on. It's definitely a Windows problem and not a "ID10T using Admin account" problem.
One must infer that to think so, you actually also use a root account all day on your OS of choice.
Praise the lord that you can still feel smug despite that, because the odds of some malware of significance and magnitude ever landing on you are very small, because nobody will ever bother with the 0.5% out of the 5% that your tiny userbase represents.
Makes one wonder if besides being jealous of all the apps and games, the minority is now also jealous of our malware... Haters will hate it seems...
As for Adobe "fixing" things, well... hope is the carrot. Mine's the one with Foxit (until I find something smaller and faster and better, who says you can't have all three...).
bloat allows vulns to hide
Adobe reader is too bloated to be used anyway. Why run scripts in a document viewer?
3D in a PDF document
FFS, is it any wonder the thing has bugs!
Why not just make a version that doesn't include this "optional" crap that a tiny, tiny number of customers are even equipped to use. In the long run, Adobe would be doing themselves a favour if they provided a "Reader Lite" version that supported 99.9% of the real world PDF documents, and let the people who need Universal 3D support install the "full fat" version with all the bells and whistles.