All your javascript are belong to us
Hurrah!
Security watchers are warning of a serious unpatched vulnerability in Adobe's Reader program that's actively being exploited to install malware on the PCs of unsuspecting users. The vulnerability has been confirmed in versions 8.1.3 and 9.0.0 of Adobe Reader running on Windows XP Service Pack 3 and is presumed to work on other …
I have been using xpdf and kghostview for years - in part because of Adobe's history of security problems, but mostly because the open source alternatives had more useful features. I recently switched to kpdf because it is even better than the other two. All of these are Unix programs, but a quick search for "PDF reader windows" shows that Windows users have a choice.
Perhaps it is time to change "PDF warning" to "Adobe warning" next to links to PDF files, like people now say "Windows virus" instead of "PC virus".
Damn, that reminds me - I keep forgetting to disable Java in Acrobat because I keep forgetting the idiots at Adobe did something as moronic as embedding a programming language in a document viewer program.
I'll patiently ask if someone can give me a sane reason why Acrobat should have Java scripting functionality? No seriously, I'm genuinely interested to know - I've probably overlooked something obvious.
Apart from the security issues, how does Acrobat Reader manage to go through major revisions without removing bugs which have been around for years?
I've lost count of the number of times Acrobat dies when trying to view pdfs using integrated browser (Firefox) support. There ought to be a script for killing all acroread32 processes and then reloading a page - it's something I have to do on an almost daily basis.
And later for older versions?
Gee, thanks Adobe, it's not like we weren't pissed off enough that we can't run Acrobat 9 already:
http://www.adobe.com/go/kb404597
Yup, a major bug that *completely* stops Acrobat 9 from being usable on *any* computer in our network, and Adobe have been sitting on it for FOUR MONTHS.
That'll be PDFs blocked at the firewall then.
I'll second the "try Foxit" motion. I stumbled into it, like many handy things, via Stumbleupon when it was keeping me awake one night with the "just one more click" syndrome. It's hard to argue against it when Adobe's Reader takes up over 200mb space (why?!), takes aeons to open a PDF document and requires updates once or twice a month. I'd also be curious to know why they allow scripts in a document viewer....
"I'll patiently ask if someone can give me a sane reason why Acrobat should have Java scripting functionality? No seriously, I'm genuinely interested to know - I've probably overlooked something obvious."
Indeed. PDF means Postscript. Postscript already _is_ a general programming language.
Now, why have Javascript/Ecmascript (not Java!) in addition? Probably because if you want to attract someone who can do "scripts" it's more likely that he will be attracted to Ecmascripting than Postscripting. Can anyone write Postscript anyway?
that Adobe Reader went back to the basics of rendering PDFs? Or at least have a click box that enables such a mode and nothing else?
It is now such a nasty piece of bloatware, performing like a snail with a fricking wheel clamp, that I only use it if Foxit doesn't work properly.
There are even tools to make Reader faster (by disabling all the very-rarely used plugins). If somebody has written a tool it is because a lot of people want it. Adobe should take note.
Does Adobe think it's Microsoft?
I have never, ever, asked for JavaScript to be turned on in Acrobat Reader, and there is absolutely NO reason why most people should need scripts in any PDF document.
Therefore it could, and SHOULD, have been turned off by default at installation time.
I still use Reader 5.1 on my win2k and XP machines (though my Vista laptop prob has 9 on it) and there's nothing in Preferences regarding JavaScript, so nothing to switch off it seems.
There is an option to "use browser settings" - would that be what could trigger JavaScript in the reader if it's enabled in the browser?
I assume Adobe thought JavaScript was needed in PDFs the same way Microshaft thought it was necessary in help files. Of course now once I secure my machines none of the MS help works anymore because they relied on really lax security settings to make their stupid chm help system work. Dumkopfs.
I have now standardized on the XPS format. I think many will do the same after Windows 7 takes over. It does not have any active code by design, signing it digitally is easy, and as it is part of Windows starting from Vista (it can also be installed on XP from the MS site), security updates will arrive via the standard update channel. Goodbye, PDF.
Hellfire! All the hard work has been done to identify the vulnerability and its mechanism. Coding up the fix is the EASY part once you know where the problem lies. So why won't it be ready until March 11th? Tech savvy users can disable JavaScript manually but most home users will be unaware of this and still be vulnerable until the patch appears.
Considering 99% of the PDFs out there shouldn't have any scripts running, how about having scripting off by default and a popup asking if you want to enable scripts for a particular document?
Or better yet, keep PDFs as passive documents and use a new extension for executable PDFs.