back to article Critical Adobe Reader vuln under 'targeted' attack

Attackers once again are targeting an unpatched vulnerability in Adobe Reader that allows them to take complete control of a user's computer, the software maker warned. Adobe said it planned to patch the critical security bug in Reader and Acrobat 9.1.3 for Windows, Mac and Unix on Tuesday, the date of the company's previously …

COMMENTS

This topic is closed for new posts.
  1. frymaster

    DEP

    "Those using Windows Vista with a feature known as data execution prevention enabled are safe from the exploit"

    The default for DEP is "Turn on only for essential Windows programs and services"

    does this cover adobe reader by default?

  2. Tony Paulazzo

    Beggars belief

    >Users on other platforms can insulate themselves from the current attack by disabling javascript from running inside the application, but Adobe warned it's possible to design an exploit that works around that measure.<

    :facepalm

    Adobe should find the programmer responsible for writing all these vulnerabilities into their <expletive deleted> software, move him away from the herd (so as not to startle them) and <humanely> shoot him in the head - alternatively, take off and nuke the entire site from orbit...

    I have quicktime/Realtime alternative and VLC for video with Foxit reader to read PDFs, but there is no (to my awareness), Flash replacement.

  3. Anonymous Coward
    Stop

    PDF's Purpose?

    I was always under the impression that the purpose of PDF's was to enable the digital transmission of documents (with formatting etc) which would normally be posted or otherwise sent as "real" documents.

    So, why the hell does it need to execute JavaScript?!

    You want web-like interactive features - use a web browser!

  4. Robert A. Rosenberg
    IT Angle

    Reason for JavaScript

    "So, why the hell does it need to execute JavaScript?!"

    I think the use is for allowing URLs to connect to the Web and for jumping to anchors in the file (ie: Click here to scroll to somewhere in the file).

  5. Tom 7

    @PDF's purpose

    Pointless Document Format's purpose is to make money for Adobe.

    It is of NO use to the user.

    As for the 'reason for javascript' - even HMTL doesn't need that.

    PDF- it does nothing it says on the tin.

  6. Ken Hagan Gold badge

    Re: Reason for JavaScript

    "I think the use is for allowing URLs to connect to the Web and for jumping to anchors in the file (ie: Click here to scroll to somewhere in the file)."

    Er, HTML allowed that twenty years ago with no scripting whatsoever. AC's point is well made. None of these vulnerabilities would exist if people used PDF for its original intent (ie, exactly preserving presentation) and used an appropriate technology for everything else. I mean, it's not like it is *hard* to find applications that support DHTML.

    Adobe have tried to turn PDF into a proprietary version of the web. Sadly, this dubious project has merely retrodden the ground covered by Microsoft's efforts in the mid-90s when almost everything they produced was shot full of security holes.

    I personally consider "using the PDF format" to be an act of bad netizenship. Every time you publish a document in that format, there's a risk that the recipients will use Acrobat Reader.

  7. Pascal Monett Silver badge

    "reinvigorate its security program for Reader"

    I wonder how many tens of megs THAT will add to the size of the bloated whale called Acrobat Reader.

  8. Russell Howe
    Go

    Re: Beggars belief

    Flash alternatives - there's gnash, which is open source, but it's not as feature-complete as Adobe's player.

    Then again, it might stand a chance of having security holes fixed in a timely fashion?

  9. Anonymous Coward
    Anonymous Coward

    New install

    So now a new install will only need three additional updates before it's fully patched. It's just beyond belief that Adobe gets away with this crap - install a new version of reader direct from Adobe's web site, and then you need to install all the updates on top of that just to get it "secure" (until next week). FFS, it's not a friggin OS! It's (what used to be) a simple APPLICATION to read PDFs!!!!

    Adobe, fix your development process, and until you do, start posting fully patched versions, and give us a reasonable way to keep our hundreds and thousands of desktops up-to-date! Compared to Adobe, MS looks like a poster child for how to do security.

  10. Ross 7

    Alternatives not well known

    The lass broke her works laptop (she claims it just stopped working...) and it seems her IT bods don't actually install half the software required for the job by default when they do a HDD replacement. So, she went to install Reader - cue slow mo' shot of me going "Noooooooo!". You wouldn't believe how dificult it was for me to convince her to go with Foxit instead.

    The trouble is nobody has heard of the alternatives, and even if they have, trying to explain why they should use one rather than the crap pumped out by Adobe invariably results in a shrug and "So?".

    People need to be taught the value of diversity - it's the same in IT as in gene pools. If we're all the same, some disease/exploit comes along and it's goodnight Vienna. I use Opera and Foxit not because they are the best in their respective fields but because nobody is going to pay a blackhat to design an exploit for them - the RoI just isn't there. I'm therefore a lot safer than the masses just by picking another (free) tool to do the exact same job as IE or Acrobat.

  11. Chris Beattie
    Big Brother

    Reason for Javascript

    I seem to recall that Javascript can be used to perform input validation in PDF documents which contain editable text fields. Javascript can also be used to hide menu items in Reader. However, it's my opinion that Reader's increased attack surface is not worth the convenience.

    At least Adobe provides a Group Policy template so Reader can be deployed and managed company-wide with its potential for damage mitigated.

  12. Forget It

    FoxIt 3.1 isn't such a dog these days.

    FoxIt 3.1 isn't such a dog these days.

    I use it - on Windows - instead of Acrobat reader

    http://www.foxitsoftware.com/pdf/reader/reader-interstitial.html

This topic is closed for new posts.

Other stories you might like