back to article New in-the-wild attack targets fully-patched Adobe Reader

Security watchers are warning of a serious unpatched vulnerability in Adobe's Reader program that's actively being exploited to install malware on the PCs of unsuspecting users. The vulnerability has been confirmed in versions 8.1.3 and 9.0.0 of Adobe Reader running on Windows XP Service Pack 3 and is presumed to work on other …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    All your javascript are belong to us

    Hurrah!

  2. Flocke Kroes Silver badge

    There are other PDF readers

    I have been using xpdf and kghostview for years - in part because of Adobe's history of security problems, but mostly because the open source alternatives had more useful features. I recently switched to kpdf because it is even better than the other two. All of these are Unix programs, but a quick search for "PDF reader windows" shows that windows users have a choice.

    Perhaps its is time to change "PDF warning" to "Adobe warning" next to links to PDF files like people now say "Windows virus" instead of "PC virus".

  3. Mauvis Ledford

    I just came across this exploit today

    Here's my post about it with sample exploit code:

    http://insecureweb.com/javascript/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/

  4. Anonymous Coward
    Thumb Up

    Reg key for GPO

    HKEY_CURRENT_USER>Software>Adobe>Acrobat Reader>Yourversionnumberhere>JSPrefs

    Change the bEnableJS DWORD value to 0

    or even better, the following link has an ADM file:

    http://isc.sans.org/diary.html?date=2008-11-11

  5. Anonymous Coward
    Boffin

    Java

    Damn, that reminds me - I keep forgetting to disable Java in Acrobat because I keep forgetting the idiots at Adobe did something as moronic as embedding a programming language in a document viewer program.

    I'll patiently ask if someone can give me a sane reason why Acrobat should have Java scripting functionality? No seriously, I'm genuinely interested to know - I've probably overlooked something obvious.

  6. Anonymous Coward
    Unhappy

    Did Acrobat reader ever work?

    Apart from the security issues, how does Acrobat Reader manage to go through major revisions without removing bugs which have been around for years?

    I've lost count of the number of times Acrobat dies when trying to view pdfs using integrated browser (Firefox) support. There ought to be a script for killing all acroread32 processes and then reloading a page - it's something I have to do on an almost daily basis.

  7. myxiplx
    Stop

    March 11th?

    And later for older versions?

    Gee, thanks Adobe, it's not like we weren't pissed off enough that we can't run Acrobat 9 already:

    http://www.adobe.com/go/kb404597

    Yup, a major bug that *completely* stops Acrobat 9 from being usable on *any* computer in our network, and Adobe have been sitting on it for FOUR MONTHS.

    That'll be PDF's blocked at the firewall then.

  8. Derek Roberts

    Try Foxit

    As a windows user, I have been using Foxit reader for more than a year now and recommend it. It's like Adobe used to be back at about version 4 - light, responsive, easy to install etc., but reads the latest pdfs and allows annotation also.

  9. Paul
    Thumb Up

    Re: Try Foxit

    I'll second the "try Foxit" motion. I stumbled into it, like many handy things, via Stumbleupon when it was keeping me awake one night with the "just one more click" syndrome. It's hard to argue against it when Adobe's Reader takes up over 200mb space (why?!), takes aeons to open a PDF document and requires updates once or twice a month. I'd also be curious to know why they allow scripts in a document viewer....

  10. Destroy All Monsters Silver badge
    Stop

    @Java

    "I'll patiently ask if someone can give me a sane reason why Acrobat should have Java scripting functionality? No seriously, I'm genuinely interested to know - I've probably overlooked something obvious."

    Indeed. PDF means Postscript. Postscript already _is_ a general programming language.

    Now, why have Javascript/Ecmascript (not Java!) in addition? Probably because if you want to attract someone who can do "scripts" it's more likely that he will be attracted to Ecmascripting than Postscripting. Can anyone write Postscript anyway?

  11. Michael Fremlins
    Thumb Down

    Isn't it time...

    that Adobe Reader went back to the basics of rendering PDFs? Or at least have a click box that enables such a mode and nothing else?

    It is now such a nasty piece of bloatware, performing like a snail with a fricking wheel clamp, that I only use it if Foxit doesn't work properly.

    There are even tools to make Reader faster (by disabling all the very-rarely used plugins). If somebody has written a tool it is because a lot of people want it. Adobe should take note.

  12. Peter Gathercole Silver badge
    Thumb Up

    Postscript

    I once saw a Julia Set (often mis-identified as Mandlebrot) program written in PostScript. Send it to the printer, and wait for hours for it to spit out the page!

  13. Harry
    Thumb Down

    Why is javascript on by default ?

    Does adobe think its microsoft?

    I have never, ever, asked for javascript to be turned on in acrobat reader, and there is absolutely NO reason why most people should need scripts in any PDF document.

    Therefore it could, and SHOULD, have been turned off by default at installation time.

  14. thomas k.

    no javascript option in prefs?

    I still use Reader 5.1 on my win2k and XP machines (though my Vista laptop prob has 9 on it) and there's nothing in Preferences regarding javascript, so nothing to switch off it seems.

    There is an option to "use browser settings" - would that be what could trigger javascript in the reader if it's enabled in the browser?

  15. Eddie Johnson
    Unhappy

    @Jave AC

    I assume Adobe thought JavaScript was needed in PDFs the same way Microshaft thought it was necessary in help files. Of course now once I secure my machines none of the MS help works anymore because they relied on really lax security settings to make their stupid chm help system work. Dumkopfs.

  16. John Dougald McCallum
    Thumb Up

    @Thomas K.

    I have Acrobat 9 and it does have an option to disable javascript it is the seventh or eighth item on the index after you open preferences just did it my self before posting this.

  17. Algis Petraitis
    Dead Vulture

    XPS is an alternative

    I now standardized on XPS format. I think many will do the same after Windows7 will take over. It does not have any active code by design, signing it digitally is easy, and as it is part of Windows starting from Vista (can be installed on XP also from MS site), security updates will arrive via standard update channel. Goodbye, PDF.

  18. Toastan Buttar
    Thumb Down

    11th March

    Hellfire ! All the hard work has been done to identify the vulnerability and its machanism. Coding up the fix is the EASY part once you know where the problem lies. So why won't it be ready until March 11th ? Tech savvy users can disable Javascript manually but most home users will be unaware of this and still be vulnerable until the patch appears.

  19. Buzzby
    Happy

    Adobe Bloatware

    Are Adobe trying to emulate M$ with their bloatware? At least we can do something about it.

    As mentioned above Foxit is the way to go.

  20. David Wilkinson

    how about a warning?

    Considering 99% of the pdf's out there shouldn't have any scripts running, how about having scripting off by default and a popup asking if you want to enable scripts for a particular document.

    Or better yet keep pdf's passive documents and use a new extension for executable pdf's.

This topic is closed for new posts.

Other stories you might like