Adobe users imperiled by critical Reader flaw

Once again, Adobe is scouring its Reader application for bugs following reports that it's susceptible to two vulnerabilities that could allow attackers to remotely execute malicious code on end-users' machines. According to SecurityFocus advisories here and here, both flaws use JavaScript to exploit boundary condition errors …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Flame

    3 weeks is normal for IT

    IT takes it as normal business to have 1 support person per 400 people.

    So just do the math:

    If 1 person supports 400 and over a million customers use adobe and the average turn around time for a fix is within 24 hours then how many man hours will it take to serve/support everyone?

    IT is always short-staffed on purpose.

  2. jake Silver badge

    Trusting trust.

    "Over the past decade, Microsoft has gone from laughing stock to trusted member in security circles"

    Really? News to me ... Thanks for the heads-up, though.

  3. Andrew Fraser
    Paris Hilton

    So ?

    If the app is able to execute code, that's all well and good, but as long as the app can't make Admin level calls, where is the issue?

    If this were on an MS box, I would be more worried, but because it's on a Linux box, it's unlikely they will have the ability to exploit the box, unless they have a secondary exploit to give themselves greater access.

    I suspect there is some bias on the Secunia team, to try and equate Linux exploits on the same level as MS box pwnage..

    Paris, she knows all about being exploited

  4. Anonymous Coward
    Anonymous Coward

    Really ...

    WHY does a PDF reader even need JavaScript at all? I mean -- I don't expect my Thomas Hardy collection on the bookshelf to start doing rollovers or change colour.

    Adobe badly needs to go away and invent something cutting edge again (like PostScript used to be) and stop endlessly fiddling with stuff that already works fine, making it a mess of security conflicts.

  5. Anonymous Coward
    Happy

    Another Apple

    Adobe is trying to compete with Apple for the buggiest software on the planet.

    Their QC is tanking.....

  6. WinHatter
    Thumb Up

    Rather good news

    I shall say !!

    That means Adobe is rushing out their Linux runtime; the downside is it might be lightly tested code, but good news overall as M$ is losing ground.

  7. MYOFB

    And when you've disabled it . . .

    . . . I would suggest very strongly that you test that javascript is disabled.

    Why?

    Cos if the setting acts anything like "Automatically check for updates" (unchecked) then it will just ignore you and carry on regardless!!

    Version 8.1 (could be 8.1.1) was the worst of the lot. The bar-steward tried to update, failed disgracefully and looped forever. Before we knew what had hit us, the 8meg leased line had ground to a halt!!!

    Long story short, had to reconfigure the company's firewalls to drop all connections to akamai's servers and manually rename the 2 offending exes/dlls for the entire company.

    To say I was less than happy would be the largest understatement ever achieved in the history of mankind!!

    Grrrrrrr!!!!!

    / Mine's the one of me putting the smoking gun back in its holster after shooting the Adobe development team!! /

  8. Paul
    Thumb Down

    The usual suspect

    Why is it always javascript?

  9. F Seiler
    Go

    security rankings

    "Secunia considers the vulnerabilities "highly critical," its second highest rating on a five-tier scale."

    Ye,ye, the standard five-point scale translated...

    1. ARMAGEDDON = probably evil and capable at it

    2. HIGHLY CRITICAL = doesn't look too good

    3. REALLY SCARY = all software goes here first by default

    4. DONT PANIC = not known to have a security flaw this side of y2k (anything here but openbsd?)

    5. ok = reserved for future use (in case this company does sell a software for their next version)

    (go) sign for its subtext

  10. Paul Foxworthy
    Thumb Down

    Ten years - nope

    Microsoft's big move on security was in 2002, hardly ten years ago.

    http://msdn.microsoft.com/en-us/security/cc448177.aspx

  11. Mark

    What?

    Who the fuck uses Adobe Reader on Mac or Linux? Why on earth would you install that shite when you already have alternatives - preview on Mac to name but one?

  12. Anonymous Coward
    Anonymous Coward

    @Andrew Fraser

    "If the app is able to execute code, that's all well and good, but as long as the app can't make Admin level calls, where is the issue?"

    So it isn't an issue where the files your account has access to (which could easily contain sensitive/personal info) can still be accessed by malware? Your files can be stolen or deleted and that is not an issue? Yes, it is only a one-time compromise (unless the PDF is opened again), but does it matter if that one time you lost important files/info?

    The only time that statement would make sense is if every time you open a PDF, you run your pdf reader using a very restrictive account. Oh, and you copy the pdf file first to an "isolated" folder.

  13. Chris C

    re: So?

    "If the app is able to execute code, that's all well and good, but as long as the app can't make Admin level calls, where is the issue? ... because it's on a Linux box, it's unlikely they will have the ability to exploit the box, unless they have a secondary exploit to give themselves greater access."

    If an app is exploited, even if it only provides restricted user-level access, it *IS* a big deal. There are lots of bad things that can be done without rooting a box. Searching for and attacking Windows shares, searching for and sending junk/black pages to networked printers, DOSing an internal or external host/website, flooding the Internet connection with junk to slow the company's Internet connection, visiting illegal websites (including child porn) which will be tied back to the machine and the user who ran the exploit, etc. Rooting a box is not the only way to cause damage, especially if you can select your targets.

    On a side note, why does a DOCUMENT READER need Javascript in the first place?

  14. Anonymous Coward
    Flame

    Javascript is over-used bloatware

    What next, Javascript-enabled beercans so that they toss themselves across the room so that the user doesn't have to? And did anyone *ask* for this feature, or do the worthless programmers just do it because they are (a) easily bored and wanted something new to design, (b) like to torture users, or (c) just because they can?

  15. ben
    Alert

    This just in!

    Acrobat is junk.

    Now back to your regularly scheduled programming.

  16. Flocke Kroes Silver badge

    There are elevation of privilege attacks for Linux

    Here is an elevation of privilege attack for Linux kernels up to and including 2.6.10. It has sufficient privilege to escape from User Mode Linux and chroot jails.

    http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt

    Simply "using linux" does not mean you are secure. You must also take precautions in proportion to the value of the machine you are protecting. Always keep up to date with patches. Getting rid of javascript, java and flash is also worthwhile. Most decent websites work fine without these. Adding javascript to PDF was beyond stupid.

  17. Albert Gonzalez
    Boffin

    The JavaScript need in Reader

    I'll try to explain the need to have JavaScript in Reader:

    So you can digitally sign those official documents before sending them to the government.

    Also, there are a bunch of documents that use JavaScript to validate fields, and so on. All for official communications.

    Not to say that there are better alternatives, and more secure, but that's how it is.

  18. Anonymous Coward
    Thumb Down

    Everyone uninstall that piece of shit

    Adobe reader has gone the way of Realplayer, become so overbloated with shit and security holes that it should be consigned to the dustbin of IT history ASAP.

    Install Foxit reader, safe, secure, and does nothing but READ FUCKING PDFs! Honestly, how hard is that to fuck up.

  19. Anonymous Coward
    Anonymous Coward

    @AC and Chris C

    You don't understand, the Linux Kernel is safe so that's all that counts. Err, isn't it... Umm, ahem.

  20. Stephen Gazard

    javascript in adobe, and 'why'

    well, people such as HMRC and Companies House make use of it for filing some special returns (annual returns for example), and I think some aspects of tax.

    It's done so that calculations such as 1+1 are enabled. I'm sure more than that exists, but that's what I've had experience with. It's been around since version 7.09 (at least). I've not seen anyone moot it until now though...

  21. Nigel
    Alert

    Why ...?

    Why do Linux users want to inflict a closed-source proprietary insecure bug-ridden mess, badly ported from Windows, on their systems? It's not as if Linux didn't have Evince to display pdf files. I've even used Evince to display (perfectly) a pdf file that was generated by Acrobat, yet crashed Acrobat Reader on Windows. (And if you didn't know, OpenOffice can often perform the same magic on .doc files which MS office says are corrupt).

  22. Chris
    Linux

    Re: Why...?

    "Why do Linux users want to inflict a closed-source proprietary insecure bug-ridden mess..."

    Because the alternatives don't always work and the convenience of having your pdfs viewable directly in Firefox is very convenient. I'll have to investigate foxit, though...

    This vulnerability confirms the biggest problem for any OS is closed-source proprietary crap! BTW I *always* switch off javascript in Adobe reader and I *never* miss it.

  23. Anomalous Cowherd Silver badge

    JavaScript in Reader

    Actually it can do a lot more than just form validation - you can make SOAP or HTTP connections, hook into ODBC and other fun stuff. We develop a Java PDF viewer and customers send us some pretty crazy documents sometimes - with inventive use of PDF JavaScript you can do some very odd things to your documents, although all of it revolves around forms in one way or another.

  24. A J Stiles
    Linux

    Bgeh

    Won't affect me. I use kpdf or okular.

    There are always more good people looking at the Source Code of a Free Software project than there are evil people looking at the Source Code of that project; therefore, it is a reasonable assumption that any bug is more likely to be found first by a good person (who will fix it) than by an evil person (who will use it for nefarious purposes).

  25. jake Silver badge

    @Flocke Kroes

    "Here is an elevation of privilege attack for Linux kernels up to and including 2.6.10"

    2.6.10? Wasn't that released in late 2004? Methinks that there have been more than just a few updates since then. FUD much?

