Adobe patches critical bugs in Flash and Reader

Adobe has rolled out updates for its widely used Reader PDF viewer and Flash animation programs that fix flaws, some that hackers have been exploiting to hijack end user computers. The emergency patch for Flash was the second time in nine days that Adobe has rushed out a fix for a serious bug in the program. The vulnerability …

COMMENTS

This topic is closed for new posts.
  1. Christoph
    Alert

    Problem reported with Reader update

    This link says there may be problems printing from Chrome after updating Reader:

    https://profiles.google.com/lauren4321/posts/C4dGijRdoiy

  2. nyelvmark
    Unhappy

    Damn.

    Did you HAVE TO tell everyone about Foxit?

    1. Tom 13

      Don't worry.

      They've been telling people about Foxit for years. Hasn't changed the numbers much yet, doubt it will this time either.

  3. Androgynous & Awkward

    Adobe patches critical bugs in Flash and Reader

    And next week.....

    Adobe patches critical bugs in Flash and Reader.

  4. Destroy All Monsters Silver badge
    Facepalm

    Dogs and Adobe Developers must wait outside!

    I hope these devs are not let into the bars established next to their respective workplaces.

  5. Emo

    Awesome

    Adobe Reader uninstalled, Foxit installed :)

    1. Anonymous Coward
      Happy

      First and second rules already broken by the author

      Please respect the rules

  6. Buzzword
    Unhappy

    Foxit is following Adobe

    Foxit used to be great, but it too has gone down the Adobe path of adding too many features and bloat. Foxit 5 in particular keeps crashing (using Firefox 4.0.1 on Windows XP). Highly recommend Foxit 2 or 3 though, if you can find them!

    1. nyelvmark
      Unhappy

      Not the point!

      The great thing about Foxit is that it's immune to malware - for the same reason that Apples were until recently. Hardly anybody uses them, so they get ignored by malware writers. Foxit almost certainly has massive vulnerabilities, but "security through obscurity" does work, to some extent. Adobe Reader has to cope with a new exploit about once a month. I've never heard of any malware targeting Foxit - yet. Whilst I'm sure that the authors of Foxit would like it to grab 50% of Adobe Reader's market, as a user I would be happiest if I had the only copy.

      1. Robert Carnegie Silver badge

        Foxit is compatible with many Adobe Reader vulnerabilities and does not need its own.

        http://www.cert.org/blogs/certcc/2009/06/vulnerabilities_and_software_a.html observes a case where admittedly, optional components of Foxit had similar vulnerabilities to the standard-issue edition of Reader. "The extra functionality such as JBIG2/JPX decoding is only present on systems where the user has made the decision that they would like that ability."

        CERT has a few notices about Foxit, don't worry.

        (And, hey, is https://www.kb.cert.org/ genuine or is it a fake site, 'cause it gives my IE8 security warnings such as about mixing HTTPS and HTTP content.)

  7. Richard Lloyd
    FAIL

    Linux Flash player RPM has summary/description = version 7.0!

    Just downloaded and installed the Linux i386 RPM of Flash player (flash-plugin-10.3.181.26.i386) and here's what the Summary and Description say ("rpm -qi flash-plugin"):

    Summary : Adobe Flash Player 7.0

    Description :

    Adobe Flash Plugin 7.0.68

    Fully Supported: Mozilla 1.0+, Netscape 7.x, Firefox 0.8+

    Partially Supported: Opera, Konqueror 3.x

    It really shows how incompetent Adobe are, doesn't it - none of their "genius" programmers have bothered updating the spec file for several years it seems. I guess that goes hand-in-hand with their festering code (full screen Flash on Linux = 100% CPU!).

    1. Not That Andrew

      Yup

      Yup, I've complained about the crappy Flash rpm myself. It also doesn't mention that Flash 10.x requires mozilla-nss, so if you don't have that installed it doesn't pull it in. Standard Adobe fail.

  8. kain preacher

    I found it

    A rock stable version of Adobe PDF. It's version 1.0. Of course I've lost a bet and had to drink a pint of Foster's mixed with Budweiser so I might not be thinking right.

  9. Anonymous Coward
    Unhappy

    Can anyone explain...

    Serious question here - I know there are people on this forum who can probably give a sensible answer - can anyone explain how it is that hackers are still finding holes in Flash, Adobe Reader and Air?

    I work for a software company and have written plenty of code in my time, so I know how easily bugs can creep in, but seriously - these products have been with us for years and they're still finding major holes? I must have had an update on one of these every week for I don't know how long.

    While we're at it, the JRE is just as bad.

    Windows gets loads of updates too, but that's a whole OS, not just some freeware app that is supposed to do one thing only.

    1. ~mico
      Boffin

      Those apps are very complex!

      First of all, Flash, Acrobat, Air (and most browsers) have one thing in common: the ECMAScript interpreter. ECMAScript is the standard upon which both JavaScript (supported by browsers and Acrobat Reader) and ActionScript (supported by Flash and Acrobat Reader) are based.

      Now, unlike any simple freeware app, or indeed unlike very complex special purpose apps, language interpreters, especially for general-purpose, flexible, high-level, Turing-complete languages, are a very complex beast. Especially if one considers the need to optimize the interpretation, by compiling parts of the code and running them natively. In fact, writing a compiler/interpreter that will properly handle every conceivable case is more or less theoretically impossible (aka halting problem).

      Same is true for Java (JRE). Same is true for loaders and runtime linkers of operating systems.

      The only way to make an interpreter completely secure is to limit the language it is made to interpret. For example, by making it non-Turing-complete. Otherwise, as long as potentially hostile Turing-complete code can run on your system, complete safety is practically unattainable, without very serious debugging and purposeful exploit research. But who will pay for such research? Security pays much less than "Features", so adding a new way to tweak a pixel, or speeding up the Flash player 5 percent more is more important for Adobe than fixing those bugs, not to mention much cheaper.

      1. El Cid Campeador
        Facepalm

        Agreed

        Of course those who unleash Turing-complete languages have a responsibility to do the debugging and research--but it won't get done until content providers start walking away from the language... and despite Steve Jobs's efforts (my God am I agreeing with him on something????) I don't see that happening any time soon.

        Users don't help either--my neighbor is thrilled with Linux Mint but every few months keeps trying to install the Windows Adobe Reader because some web site tells him he needs it--despite having a perfectly good document reader on the system. :/

  10. Big Bear

    @Buzzword

    Are you using the Firefox plugin? I remember, back in the wastes of time, having FF crash every time I opened a PDF in the browser and after scouring forums found the suggestion to not install the browser plugin, and had no problems since...

    Why? Dunno... and doubt I can find the source of this belief but been doing it since.

  11. SteveBalmer
    FAIL

    WOW just wow..

    "Users are better off using an alternative PDF reader such as Foxit"

    That's a mighty dangerous recommendation, as clearly they simply don't have the resources to deal with their own share of security issues.

    At least Adobe are on the case and have a decent update mechanism in place.

    I'm glad you aren't a security consultant...

    1. theblackhand
      Flame

      Re: WOW just wow.

      "At least Adobe are on the case and have a decent update mechanism in place."

      Really? Are you serious or is there a hidden joke in this?

      Take a store-bought laptop that comes pre-installed with an older version of Acrobat Reader and attempt to update it to a version that has all recommended security patches applied. Two of the last three I have tried have failed and Acrobat has been replaced by FoxIt.

      The advantage of FoxIt is (or at least was) that it provided PDF viewing capabilities without any of the scripting capabilities (or at least FoxIt makes these easy to disable) which is where Acrobat and Flash seem to experience the security problems.

      And that's not even including the special software download pages that Adobe provides that will probably add additional software with your Flash/Acrobat/Shockwave install if you don't wait for the whole page to load.

      I'm glad you only stock shelves in a supermarket....

  12. xenny
    Happy

    A twisted solution

    I install neither Foxit nor Adobe Reader. I use Chrome for web browsing, and have .pdf files associated with it.

    They then get handled by Chrome's built-in PDF plug-in, which isn't written by Adobe.

    This works fine for me on Windows or Linux, and as Google is very enthusiastic about updating Chrome, it should stay reasonably secure (I typically notice when Flash has been updated from the RSS feed to http://googlechromereleases.blogspot.com/)

  13. Dave Murray
    Terminator

    Android Flash Update

    "Tuesday's fix is available for all platforms except for Android."

    Really? So how come my phone updated Flash last night? Oh and Adobe's security bulletin also says:

    "users of Adobe Flash Player 10.3.185.23 and earlier versions for Android update to Adobe Flash Player 10.3.185.24."

    Try to be accurate when reporting on security issues / updates, they are kinda important.

    1. Robert Carnegie Silver badge

      Android got its on Wednesday, HTH, HAND

      Not Tuesday. Apparently.

  14. Nameless Faceless Computer User
    Thumb Down

    iphone

    This is why iPhone doesn't do flash.

  15. Robert Carnegie Silver badge

    Anyway,

    I thought this was a scheduled update. An -important- update, but one (or two, or...) timed to coincide with Microsoft's regular patch package. And so not exactly an "emergency" update. Not until the bad guys figure out how to do what the update stops you from doing. Which they kind of figured out already, though.

  16. NogginTheNog
    FAIL

    Adobe shite

    I now see more frikkin' 'update' pop-ups for Adobe crap when I boot my computer than for Windows!

    FAIL.

  17. Syntax Error
    Happy

    Sumatra

    Try Sumatra PDF viewer for Windows. I've been using it for about 6 months. Seems to do the job and doesn't try to be clever. It's open source.
