Adobe warns over unpatched PDF peril

Hackers are exploiting critical, unpatched vulnerabilities in Adobe Reader, Acrobat and Flash Player. The zero-day vulnerabilities are platform independent and can affect users of Adobe products regardless of whether they run Windows, Mac or Linux systems, Adobe warns. The software developer reckons that Adobe Reader and …

COMMENTS

This topic is closed for new posts.
  1. Chris Hatfield

    ugh! Flash inside PDF?!

    Booo hissss

    Can someone tell me if Apple Preview is affected? I guess that is equivalent to Adobe Reader 8.0?

    I have no desire to render Flash content in PDF files - what were Adobe thinking?

    1. Anonymous Coward

      Not to this

      Preview only supports the PDF 1.5 spec, so you are safe from this exploit. Adobe 9 uses the PDF 1.6 (or is it 1.9? I forget) spec which includes support for embedded interactive content such as Flash and 3D objects. It sounds like it is the Flash part of that support that is being exploited here.

      1. Mark Boothroyd
        WTF?

        @embedded interactive content. WTF!

        The whole point of PDF was that it was a read-only document format for sending to printers etc.

        So what's the point in adding embedded interactive content to something that should be read-only?

        Also PDFs were generally thought of as inert, due to them being read only, adding embedded functionality now means the possibility of executing things inside a PDF, which throws away the safety of the format (what little there was in the first place).

        If PDF is going down the interactive route, then perhaps we need a new inert document format.

        At the very least the Reader should block all interactive functionality by default, and have to be switched on in order to access any of this. (aka like macros in Office etc.)

  2. Bendy
    FAIL

    Brilliant

    What a brilliant fix. Hack out parts of Reader/Acrobat and replace Flash with an RC.

    Very Adobe. Much like the fix for Redirected AppData with Acrobat: Don't Redirect Appdata

    Steve may have a point. And I really don't like that

  3. Nick Ryan

    PDF

    Amazing. Take a relatively stable document reader. Add all manner of crud into it, support for JavaScript, access to local resources, flash, video, unfiltered HTML rendering, hyperlink actions, forms and it becomes massively bloated, unstable and insecure.

    Who'd have thought that may happen?

    1. Anonymous Coward
      WTF?

      RE: PDF

      Of course Adobe will tell you that none of their software is bloated, unstable and insecure.

      However, I've seen what happens to my laptop when Flash is loaded...

      Does anyone know why PDF supports Flash anyway? I was gobsmacked by that!

  4. This post has been deleted by its author

  5. Chris Miller

    Solution

    1. Remove Adobe Reader

    2. Install* Foxit**

    3. and ... relax

    * rejecting the option to add the Ask toolbar or whatever other crap they're promoting this week

    ** other PDF readers are available - almost all of them faster and more secure than Adobe's PoS

  6. Anonymous Coward

    Is Acrobat Reader 5.1 vulnerable?

    Is Acrobat Reader 5.1 vulnerable? It does everything I need, reads every file I chuck at it, starts up instantly, and is a fraction of the footprint of more recent generations. Why do I want anything more recent, especially if it has as many security holes as a Swiss cheese?

  7. Anonymous Coward
    FAIL

    Sorry...

    can someone remind me why Apple blocking Flash from the iPhone platform is a bad thing?

    1. James O'Shea

      the reason why

      'can someone remind me why Apple blocking Flash from the iPhone platform is a bad thing?'

      It's 'cause so many of the locals around here hate Apple, that's why.

      1. Anonymous Coward

        that, and the fact....

        ...that people want it, you need it to get the "whole web" (not optional or debatable) and it really isn't that bad outside of the brainwashed blathering of Jobsian zombies, who are all suddenly raving about Flash being a nightmare at the same time - the very time that Jobs instructs their soulless minds to kick into action and spread forth the word.

        Having a zero-day exploit, which happens regularly to Apple products, Microsoft products and everybody else's products, says nothing about the quality of the software and everything about its targetability as a ubiquitous platform.

        1. Mark Boothroyd

          Flash is optional

          Quote: '...that people want it, you need it to get the "whole web" (not optional or debatable)'

          Yes it is optional.

          I use Firefox with No Script and Ad-Block, this blocks flash content by default and I've had very few sites not work with that combination.

          The few sites that do rely on Flash, are usually crud (pr0n etc.) or pandering to the masses type sites (YouTube etc.) or are promoting a new Movie or Game, so can be lived without.

          Very few real sites I've found actually use Flash for actual content, with most usage being restricted to adverts only, so no real loss there.

          The only high profile site I know of that does use flash is YouTube, and they are moving to HTML5, so eventually, once all the mainstream Browsers are up to speed with HTML5, I can see YouTube (Google) dropping Flash.

          1. Linker3000
            FAIL

            For Flash masochists...

            "The only high profile site I know of that does use flash is YouTube"

            Pop along to activision.com and weep.

            1. James O'Shea

              Wot's an 'activision'?

              And why should anyone who's not a gamer care?

        2. Anonymous Coward

          Bit rambly, sorry.

          >“...it really isn't that bad outside of the brainwashed blathering of Jobsian zombies, who are all suddenly raving about Flash being a nightmare at the same time...”

          Sorry, it *is* that bad. Most conscientious web designers and developers (hello!) have been decrying the use of non-standard web elements, including Flash, since 1998. Although Flash may have improved from an accessibility standpoint, it's still not a great solution. It has its place *at the moment*; mainly as a wrapper for audio and video content. Of all the existing web technologies that exist today, Flash is by far the most loathsome, over-used and abused. Which sys admin in their right mind would allow flash onto the corporate network?

          >“Having a zero-day exploit, which happens regularly to Apple products, Microsoft products and everybody else's products, says nothing about the quality of the software and everything about its targetability as a ubiquitous platform.”

          First of all no-one has said that Apple, Microsoft et al. are free from exploited products and security issues, however so far un-jailbroken iPhones have been free of such issues, the exception being a drive-by and they can affect most browsers, what with it being more of a PICNIC issue rather than a security flaw. Microsoft's new mobile OS has got an even better security record. And to the crux of the matter. Adobe's track record is hardly good. How long has 64 bit Flash been in development? It seems that not a week goes past without one report or another warning us of another vulnerability discovered in an Adobe product. Whilst it's fair to point out that Apple's own desktop OS is hardly a model of ironclad security and neither is Microsoft's, it's to be expected in OSs of that size and that age. Microsoft really do a remarkable job with Windows, and Apple are getting better at responding to security issues, but Adobe? It's a fucking runtime! Sun manage to stay on top of Java (although Apple do struggle), Microsoft are doing sterling work with Silverlight. But Adobe? Jobs got it right when he called them lazy! So, let's consider the evidence. Slow to patch software. Slow to implement documented APIs. Consistently release half baked software. Security is an afterthought. Haven't yet released a decent *full version* of Flash on a mobile platform. It's not surprising that Apple have said ‘thanks, but no thanks...’ to Adobe. I'd urge Microsoft to do the same, but Ballmer is just stupid enough to allow it onto Microsoft's new mobile OS just to be contrary and personally if I were Adobe, I wouldn't trust those that rule the Mountain View Chocolate Factory as far as I could spit; I'm still waiting for one of those three to acquire Adobe...

          Just a bootnote; may I respectfully suggest that you leave behind the ad hominems and inflammatory comment, I copped a bollocking for it, deservedly so, and am now trying to avoid it. It can be hard but ultimately it makes you consider what you are going to say more. It can serve to give you the moral high ground too! It's ok to have opposing views, it's not ok to call people names because they do, even if it is really annoying. Attack the idea. Obviously, giant multinational corporations and their management are fair game.

  8. Anonymous Coward
    Unhappy

    Tactical facepalm

    Bloody Adobe, seriously, I can't think of anything that I allow on my machines on a regular basis that has so many terrifying holes.

    Thank god for noscript and its active content control and the mighty adblock, given the amount of malware driveby attacks are coming from syndicated ad banners.

  9. Richard Porter
    FAIL

    Why can't Adobe leave things alone?

    PDF is no longer Portable, it's Proprietary. Adobe doesn't support all platforms so documents produced with the latest versions of Acrobat can't be read on many platforms. This defeats the whole point of PDF. Adobe specialises in buying up good products and wrecking them.

  10. Anonymous Coward

    Foxit? Why?

    Following a recommendation elsewhere I installed Foxit a couple of months ago.

    Shortly afterwards I deinstalled it and reverted to Acrobat 5.1, over which Foxit had no significant advantages and a number of disadvantages (details of which unfortunately I can't remember).

    Foxit may of course be preferable to a recent Acrobat but there are other alternatives too.

  11. Anonymous Coward
    FAIL

    Thimple...

    Don't have it on my box.

    Won't have it on my box.

    Thimple...

  12. simpfeld

    Great Fix Adobe

    They warn us about the vulnerability but the only mitigation in Flash is to use the Release Candidate. Maybe they should patch the actual releases!

    And moving a file aside in Acrobat Reader. It's very arguable that Flash shouldn't be in Acrobat Reader but shouldn't they patch this too maybe..

    Poor...And an unprofessional approach to security patching!

  13. Ben Tasker
    WTF?

    One thing I don't understand.....

    (Not trying to defend Adobe BTW)

    Microsoft have a security problem - We get "it's a popular OS, if your OS was popular you'd be getting hammered too!"

    Adobe have a security problem - We get "adobe suck"

    Both have an absolutely terrible history security wise, so quite why the difference? There always seem to be plenty of pro-Adobe commenters when it comes to Apple's love(!) of Flash (or are they just siding with Adobe because they dislike Apple?)

  14. Doug Glass
    Go

    Uninstall Works Pretty Well ...

    ...then install Foxit PDF reader. WAY smaller footprint, far less Adobe issues, works very well, and it too is "free".

    1. Anonymous Coward

      Yeah, though it craps out a fair bit

      ..gets to the point where it just hangs on loading, and needs reinstalling rather too often, under windows 7.

  15. Doug Glass
    Go

    Why Ask Why?

    If you're asking is X.XX version of Adobe Reader vulnerable, then you need to rethink your reasons for asking. Dump it and stop worrying.

  16. Anonymous Coward

    Wake up Adobe

    If it wasn't for the fact that I get Adobe Acrobat as part of my job I'd use another PDF creation product instead. I agree with those other posters who ask why Adobe thought it a good idea to turn an effective product into a bloated pile o' crap. Most users - myself included - don't bother with the bells and whistles Adobe seem to think we want, and if they pulled the stuff out we wouldn't even notice it was gone. Wake up and smell the coffee Adobe, clean up your act, sort out the security issues, and put Acrobat on a diet to get rid of some of that bloat and maybe then we'll like you again (maybe even Jobs might embrace you again).

  17. DarrDarr

    So, how long before you break the story

    that apple employees are developing these exploits, on the clock, using code obtained under non-disclosure agreements?

    "Oh, we didn't disclose their source code, so we didn't violate the agreement."

    1. Anonymous Coward
      Badgers

      Tinhats!

      Have you been reading the ramblings of Extra Special Agent Rob Enderle? He really is a little bit on the Joe from Eastenders side! See http://www.technewsworld.com/story/Apple-Didnt-Beat-Microsoft-Robbie-Bach-Did-Apples-Secret-5th-Column-70092.html for more. Nuts.

  18. Grant 5

    @ AC "Yeah, though it craps out a fair bit"

    Never had to do that on any of our Windows 7 boxes with Foxit.

  19. Boris the Cockroach
    FAIL

    but

    el-reg has loads of flash stuff over its site.... how many are booby trapped

    The public demands an answer... and before I scuttle off for more beer

  20. Anonymous Coward

    Foxit, schmoxit

    I've installed Foxit on a number of machines, but it always feels unfinished, somehow.

    A user recently asked for a tool that would let them add "sticky notes" to a PDF file, which led me to try PDFXchange. It's a bit "busy" (half a dozen tool-bars turned on by default), but it seems to be a much better alternative than Foxit.

    1. Anonymous Coward

      IME

      running STDU Viewer and Evince atm. Haven't decided between them yet. But Foxit and specifically the ubiquity of Ask it now has has gone the way of Adobe's misguided effort.

  21. Anonymous Coward
    Flame

    f adobe

    Die, adobe, Die! http://www.tracker-software.com/product/pdf-xchange-viewer FTW!

  22. smeddy

    adobe need to go down the drain

    I've refused any of their software on any pc I own for more than 10 years. Along with iTunes and QuickTime, and probably RealPlayer back in the day, it's the most bloated, addicted-to-pop-ups piece of software in the history of software. I hope its software gets knocked extinct soon.

  23. cyberdemon
    Linux

    Linux vulnerable?

    Seriously! Who uses Adobe products on Linux? (ok, except maybe flash.. :/ )

    If this affects KPDF I'll eat my hat!

  24. David McMahon
    Thumb Up

    Had enough of Acrobat now

    Too Bloated and is often vulnerable

    besides to install it (at the moment) needs V9 then the 9.3.2 patch, can't be bothered so Foxit it for me :)

  25. Loki 1

    Also

    Sumatra PDF viewer for windows and Ghostview on Linux. Who needs all the crap that comes with Adobe PDF reader? Sumatra loads PDF files much quicker than Adobe's.

  26. Charles Smith
    Grenade

    Outrageous

    I demand my money back from Adobe for this flawed free software.
