ugh! Flash inside PDF?!
Booo hissss
Can someone tell me if Apple Preview is affected? I guess that is equivalent to Adobe Reader 8.0?
I have no desire to render Flash content in PDF files - what were Adobe thinking?
Hackers are exploiting critical, unpatched vulnerabilities in Adobe Reader, Acrobat and Flash Player. The zero-day vulnerabilities are platform independent and can affect users of Adobe products regardless of whether they run Windows, Mac or Linux systems, Adobe warns. The software developer reckons that Adobe Reader and …
Preview only supports the PDF 1.5 spec, so you are safe from this exploit. Adobe 9 uses the PDF 1.6 (or is it 1.9? I forget) spec which includes support for embedded interactive content such as Flash and 3D objects. It sounds like it is the Flash part of that support that is being exploited here.
The whole point of PDF was that it was a read-only document format for sending to printers etc.
So what's the point in adding embedded interactive content to something that should be read-only?
Also, PDFs were generally thought of as inert, due to them being read-only; adding embedded functionality now means the possibility of executing things inside a PDF, which throws away the safety of the format (what little there was in the first place).
If PDF is going down the interactive route, then perhaps we need a new inert document format.
At the very least the Reader should block all interactive functionality by default, and it should have to be switched on in order to access any of this. (aka like macros in Office etc.)
Amazing. Take a relatively stable document reader. Add all manner of crud into it, support for JavaScript, access to local resources, Flash, video, unfiltered HTML rendering, hyperlink actions, forms and it becomes massively bloated, unstable and insecure.
Who'd have thought that may happen?
Is Acrobat Reader 5.1 vulnerable? It does everything I need, reads every file I chuck at it, starts up instantly, and is a fraction of the footprint of more recent generations. Why do I want anything more recent, especially if it has as many security holes as a Swiss cheese?
...that people want it, you need it to get the "whole web" (not optional or debatable) and it really isn't that bad outside of the brainwashed blathering of Jobsian zombies, who are all suddenly raving about Flash being a nightmare at the same time - the very time that Jobs instructs their soulless minds to kick into action and spread forth the word.
Having a zero-day exploit, which happens regularly to Apple products, Microsoft products and everybody else's products, says nothing about the quality of the software and everything about its targetability as a ubiquitous platform.
Quote: '...that people want it, you need it to get the "whole web" (not optional or debatable)'
Yes it is optional.
I use Firefox with No Script and Ad-Block, this blocks Flash content by default and I've had very few sites not work with that combination.
The few sites that do rely on Flash are usually crud (pr0n etc.) or pandering to the masses type sites (YouTube etc.) or are promoting a new movie or game, so can be lived without.
Very few real sites I've found actually use Flash for actual content, with most usage being restricted to adverts only, so no real loss there.
The only high-profile site I know of that does use Flash is YouTube, and they are moving to HTML5, so eventually, once all the mainstream browsers are up to speed with HTML5, I can see YouTube (Google) dropping Flash.
>“...it really isn't that bad outside of the brainwashed blathering of Jobsian zombies, who are all suddenly raving about Flash being a nightmare at the same time...”
Sorry, it *is* that bad. Most conscientious web designers and developers (hello!) have been decrying the use of non-standard web elements, including Flash, since 1998. Although Flash may have improved from an accessibility standpoint, it's still not a great solution. It has its place *at the moment*; mainly as a wrapper for audio and video content. Of all the web technologies that exist today, Flash is by far the most loathsome, over-used and abused. Which sys admin in their right mind would allow Flash onto the corporate network?
>“Having a zero-day exploit, which happens regularly to Apple products, Microsoft products and everybody else's products, says nothing about the quality of the software and everything about its targetability as a ubiquitous platform.”
First of all no-one has said that Apple, Microsoft et al. are free from exploited products and security issues, however so far un-jailbroken iPhones have been free of such issues, the exception being a drive-by and they can affect most browsers, what with it being more of a PICNIC issue rather than a security flaw. Microsoft's new mobile OS has got an even better security record.
And to the crux of the matter. Adobe's track record is hardly good. How long has 64 bit Flash been in development? It seems that not a week goes past without one report or another warning us of another vulnerability discovered in an Adobe product. Whilst it's fair to point out that Apple's own desktop OS is hardly a model of ironclad security and neither is Microsoft's, it's to be expected in OSs of that size and that age. Microsoft really do a remarkable job with Windows, and Apple are getting better at responding to security issues, but Adobe? It's a fucking runtime! Sun manage to stay on top of Java (although Apple do struggle), Microsoft are doing sterling work with Silverlight. But Adobe? Jobs got it right when he called them lazy!
So, let's consider the evidence. Slow to patch software. Slow to implement documented APIs. Consistently release half-baked software. Security is an afterthought. Haven't yet released a decent *full version* of Flash on a mobile platform.
It's not surprising that Apple have said ‘thanks, but no thanks...’ to Adobe. I'd urge Microsoft to do the same, but Ballmer is just stupid enough to allow it onto Microsoft's new mobile OS just to be contrary and personally if I were Adobe, I wouldn't trust those that rule the Mountain View Chocolate Factory as far as I could spit; I'm still waiting for one of those three to acquire Adobe...
Just a bootnote; may I respectfully suggest that you leave behind the ad hominems and inflammatory comment, I copped a bollocking for it, deservedly so, and am now trying to avoid it. It can be hard but ultimately it makes you consider what you are going to say more. It can serve to give you the moral high ground too! It's ok to have opposing views, it's not ok to call people names because they do, even if it is really annoying. Attack the idea. Obviously, giant multinational corporations and their management are fair game.
Bloody Adobe, seriously, I can't think of anything that I allow on my machines on a regular basis that has so many terrifying holes.
Thank god for noscript and its active content control and the mighty adblock, given the amount of malware drive-by attacks coming from syndicated ad banners.
PDF is no longer Portable, it's Proprietary. Adobe doesn't support all platforms so documents produced with the latest versions of Acrobat can't be read on many platforms. This defeats the whole point of PDF. Adobe specialises in buying up good products and wrecking them.
Following a recommendation elsewhere I installed Foxit a couple of months ago.
Shortly afterwards I deinstalled it and reverted to Acrobat 5.1, over which Foxit had no significant advantages and a number of disadvantages (details of which unfortunately I can't remember).
Foxit may of course be preferable to a recent Acrobat but there are other alternatives too.
They warn us about the vulnerability but the only mitigation in Flash is to use the Release Candidate. Maybe they should patch the actual releases!
And moving a file aside in Acrobat Reader. It's very arguable that Flash shouldn't be in Acrobat Reader but shouldn't they patch this too maybe..
Poor...And an unprofessional approach to security patching!
(Not trying to defend Adobe BTW)
Microsoft have a security problem - We get "it's a popular OS, if your OS was popular you'd be getting hammered too!"
Adobe have a security problem - We get "adobe suck"
Both have an absolutely terrible history security wise, so quite why the difference? There always seem to be plenty of pro-Adobe commenters when it comes to Apple's love(!) of Flash (or are they just siding with Adobe because they dislike Apple?)
If it wasn't for the fact that I get Adobe Acrobat as part of my job I'd use another PDF creation product instead. I agree with those other posters who ask why Adobe thought it a good idea to turn an effective product into a bloated pile o' crap. Most users - myself included - don't bother with the bells and whistles Adobe seem to think we want, and if they pulled the stuff out we wouldn't even notice it was gone. Wake up and smell the coffee Adobe, clean up your act, sort out the security issues, and put Acrobat on a diet to get rid of some of that bloat and maybe then we'll like you again (maybe even Jobs might embrace you again).
I've installed Foxit on a number of machines, but it always feels unfinished, somehow.
A user recently asked for a tool that would let them add "sticky notes" to a PDF file, which led me to try PDFXchange. It's a bit "busy" (half a dozen tool-bars turned on by default), but it seems to be a much better alternative than Foxit.
I've refused any of their software on any PC I own for more than 10 years. Along with iTunes and QuickTime, and probably RealPlayer back in the day, it's the most bloated, addicted-to-pop-ups piece of software in the history of software. I hope its software gets knocked extinct soon.