Read your Acrobat docs on a Linux machine.
This is particularly easy on Ubuntu desktop 8.04.
Linux provides several "readers" that require no thought to use or install;
just use the default.
Security researchers have released what they say is an unofficial fix for the critical Adobe Reader vulnerability that's being actively exploited to install malware on machines running Microsoft Windows. The download replaces a buggy strcat call in a font-rendering DLL module with a more secure function, according to this …
I still use it, because it can still read all the documents I need to read, but comes without all the new-fangled bloatware and all the man-years of vulnerabilities associated with the bloatware. I did try Foxit but me and it didn't get on, so it just seemed simpler to go back to Acrobat 5.1.
Adobe was a pioneer of offloading their code development to India to the lowest bidder. Surprise surprise code monkey hacks produce spaghetti code that is full of bugs that take forever to find and patch correctly. Now their software is the worst in the industry and the only mystery is why the hell is it on so many boxes. Always one of the first steps to securing a computer is to check and recheck that no Adobe software is installed. If it is no matter what you do the box can't be locked down.
Three weeks for a simple fix to a critical, currently exploited patch seems like taking the piss.
But maybe Adobe have worked out that this type of problem doesn't actually affect their core business or their revenues.
After all it is not going to affect Adobe Acrobat Writer sales. The reader is just a loss leader, Adobe aren't actually going to make any money out of fixing it.
Evince:
http://download.gnome.org/binaries/win32/evince/2.30/evince-2.30.3.msi
(strongly suggested)
xpdf:
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4-win32.zip
Google Chrome dev version:
http://www.google.com/chrome/eula.html?extra=devchannel
GSView:
http://mirror.cs.wisc.edu/pub/mirrors/ghost/ghostgum/gsv49w32.exe
Rather weird claim in the article.
Testing the patch / update is a thoroughly good idea, and apparently something they've not done before given the quality of output we get from Adobe. However, testing it to make sure it doesn't brick any Win installations?!
It takes some pretty impressive coding to brick an OS from ring-3 these days.
And who the hell uses strcat and its ilk outside of homebrew kludge-ware intended for personal use only?! When did Aleph1 explain buffer overflows in extremely simple terms? 10 years ago? Pretty sure he advocated keeping well away from strcat, sprintf etc. Organisations the size of Adobe have ridiculous numbers of policies and procedures when it comes to coding - surely that should include the public flogging of anyone using such functions...
They might have any number of ridiculous beancounting regulations, but coding is normally handled very, very informally. What counts in the end is to deliver features on time. New Features => SALES!
That's how it was in the 80s when people like Warnock and Gates grew their businesses. They still have not changed their mindsets. I doubt they will before they die.
Gates was talking some crap about "Security Development Lifecycle" and it turned out that beneath the shiny GUI we had fermenting flesh from Windows 3.11 in "Windows 7".
Adobe would only notice if their financial figures changed. As they don't make money with Acroread, why should they?
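The thread above turns on an unbounded `strcat` call being swapped for a more secure function. The following is an added example, not part of the original thread and not Adobe's code or the researchers' patch: a hypothetical helper, `bounded_append`, that refuses to write past a fixed-size buffer, run on constructed sample strings.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (an assumption for illustration): append src to the
 * NUL-terminated string in dst without ever writing past dst[cap - 1].
 * strcat() cannot do this because it is never told how large dst is.
 * Returns  0 on success,
 *         -1 if src does not fit (dst is left unchanged, no truncation),
 *         -2 if the arguments are invalid or dst is not terminated. */
int bounded_append(char *dst, size_t cap, const char *src)
{
    if (dst == NULL || src == NULL || cap == 0)
        return -2;

    /* Do not trust dst to be terminated: search only inside cap bytes. */
    const char *end = memchr(dst, '\0', cap);
    if (end == NULL)
        return -2;

    size_t used = (size_t)(end - dst);
    size_t need = strlen(src);

    /* need bytes plus the terminator must fit in the cap - used left. */
    if (need >= cap - used)
        return -1;

    memcpy(dst + used, src, need + 1);   /* copies the terminator too */
    return 0;
}

int main(void)
{
    /* Constructed sample data, not taken from any real file format. */
    char name[16] = "Sample-";
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    int ok = bounded_append(name, sizeof name, "Bold");
    printf("short suffix: rc=%d name=%s\n", ok, name);

    /* With strcat() this call would write past the end of name. */
    int rejected = bounded_append(name, sizeof name, oversized);
    printf("oversized suffix: rc=%d name=%s\n", rejected, name);
    return 0;
}
```

Rejecting the input outright, rather than silently truncating it, lets the caller treat an oversized field as a malformed document.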