DEP
"Those using Windows Vista with a feature known as data execution prevention enabled are safe from the exploit"
The default for DEP is "Turn on only for essential Windows programs and services"
Does this cover Adobe Reader by default?
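An added example, not from this thread: a way to answer the DEP question for any given binary. Under Vista's "essential Windows programs and services" (opt-in) policy, DEP is applied to system binaries and to images whose PE header carries the NX_COMPAT flag (set by linking with /NXCOMPAT), so reading that bit from an executable tells you whether it opts in. This says nothing about Reader in particular; the sample header bytes below are constructed, and `fake_pe` exists only to exercise the parser offline.

```python
import struct

# Bit in the optional header's DllCharacteristics set by linking with /NXCOMPAT.
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # signature, then the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unrecognised optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", data, opt + 70)[0]


def is_nx_compat(data: bytes) -> bool:
    """True if the image opts in to DEP (the bit the opt-in policy honours)."""
    return bool(pe_dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def check_file(path: str) -> bool:
    """Read an executable from disk and report whether it is NX-compatible."""
    with open(path, "rb") as f:
        return is_nx_compat(f.read())


def fake_pe(dll_characteristics: int) -> bytes:
    """Constructed sample: minimal MZ stub, PE signature, empty COFF header and
    a PE32 optional header carrying the given DllCharacteristics value."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = bytearray(96)  # PE32 optional header without data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the path to any installed reader's .exe
        print("%s: NX_COMPAT=%s" % (path, check_file(path)))
    print("constructed opt-in sample:", is_nx_compat(fake_pe(0x0140)))
    print("constructed no-opt-in sample:", is_nx_compat(fake_pe(0x0040)))
```

A binary without the flag can still get DEP if the policy is switched to "all programs" or the process enables it itself; the header bit only answers what the default opt-in policy will do.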
Attackers once again are targeting an unpatched vulnerability in Adobe Reader that allows them to take complete control of a user's computer, the software maker warned. Adobe said it planned to patch the critical security bug in Reader and Acrobat 9.1.3 for Windows, Mac and Unix on Tuesday, the date of the company's previously …
>Users on other platforms can insulate themselves from the current attack by disabling javascript from running inside the application, but Adobe warned it's possible to design an exploit that works around that measure.<
:facepalm
Adobe should find the programmer responsible for writing all these vulnerabilities into their <expletive deleted> software, move him away from the herd (so as not to startle them) and <humanely> shoot him in the head - alternatively, take off and nuke the entire site from orbit...
I have quicktime/Realtime alternative and VLC for video with Foxit reader to read PDFs, but there is no (to my awareness), Flash replacement.
I was always under the impression that the purpose of PDFs was to enable the digital transmission of documents (with formatting etc) which would normally be posted or otherwise sent as "real" documents.
So, why the hell does it need to execute JavaScript?!
You want web-like interactive features - use a web browser!
"I think the use is for allowing URLs to connect to the Web and for jumping to anchors in the file (ie: Click here to scroll to somewhere in the file)."
Er, HTML allowed that twenty years ago with no scripting whatsoever. AC's point is well made. None of these vulnerabilities would exist if people used PDF for its original intent (ie, exactly preserving presentation) and used an appropriate technology for everything else. I mean, it's not like it is *hard* to find applications that support DHTML.
Adobe have tried to turn PDF into a proprietary version of the web. Sadly, this dubious project has merely retrodden the ground covered by Microsoft's efforts in the mid-90s when almost everything they produced was shot full of security holes.
I personally consider "using the PDF format" to be an act of bad netizenship. Every time you publish a document in that format, there's a risk that the recipients will use Acrobat Reader.
So now a new install will only need three additional updates before it's fully patched. It's just beyond belief that Adobe gets away with this crap - install a new version of reader direct from Adobe's web site, and then you need to install all the updates on top of that just to get it "secure" (until next week). FFS, it's not a friggin OS! It's (what used to be) a simple APPLICATION to read PDFs!!!!
Adobe, fix your development process, and until you do, start posting fully patched versions, and give us a reasonable way to keep our hundreds and thousands of desktops up-to-date! Compared to Adobe, MS looks like a poster child for how to do security.
The lass broke her work laptop (she claims it just stopped working...) and it seems her IT bods don't actually install half the software required for the job by default when they do a HDD replacement. So, she went to install Reader - cue slow mo' shot of me going "Noooooooo!". You wouldn't believe how difficult it was for me to convince her to go with Foxit instead.
The trouble is nobody has heard of the alternatives, and even if they have, trying to explain why they should use one rather than the crap pumped out by Adobe invariably results in a shrug and "So?".
People need to be taught the value of diversity - it's the same in IT as in gene pools. If we're all the same, some disease/exploit comes along and it's goodnight Vienna. I use Opera and Foxit not because they are the best in their respective fields but because nobody is going to pay a blackhat to design an exploit for them - the RoI just isn't there. I'm therefore a lot safer than the masses just by picking another (free) tool to do the exact same job as IE or Acrobat.
I seem to recall that JavaScript can be used to perform input validation in PDF documents which contain editable text fields. JavaScript can also be used to hide menu items in Reader. However, it's my opinion that Reader's increased attack surface is not worth the convenience.
At least Adobe provides a Group Policy template so Reader can be deployed and managed company-wide with its potential for damage mitigated.