On Linux or *BSD, who could be using Adobe Acrobat Reader at all, I am wondering?
Adobe kills two actively exploited bugs in Reader
Adobe has released updates for its Reader and Acrobat applications that fix two vulnerabilities that attackers were exploiting to seize control of Windows-based machines. Version 9.4.7 of the programs fixes two memory-corruption bugs that Adobe says are “being actively exploited in limited, targeted attacks in the wild” against …
-
Tuesday 20th December 2011 09:44 GMT eulampios
useless features
The very features of Adobe Reader that make it exceptionally vulnerable? AR is (as was mentioned below) so bloated. When I was using a friend's PC to compile some LaTeX code it would freak out every time a doc gets updated. I do it on Debian out of emacs (C-c C-c versus C-c C-f), evince refreshes the document without a problem.
As a matter of fact evince is much more capable, it understands a bunch of different other open formats, like djvu.
-
Saturday 17th December 2011 19:46 GMT eulampios
Yes indeed, Microsoft is the one to carry most responsibility for the recklessness we see in the IT development and culture. Especially RPC, I am sorry, even this is so much of a beaten place. Everyone knows that it is the most insecure protocols out there.
I would like to know though if you could successfully use one of the vulns on non-Windie machines. It goes without saying, using Adobe is unwise anyways, but still....
-
Saturday 17th December 2011 11:13 GMT BristolBachelor
Adobe
What the hell has happened to Adobe recently?
Flash is well known to cripple browsers on any platform.
Adobe Acrobat Professional regularly crashes IE on my Windows workstation.
Lightroom 3 crashes if you are tagging photos (at least on Lion).
Photoshop also crashes very often on Lion (and sometimes takes the entire system down).
ADOBE SORT YOUR SHIT OUT !!!
-
Saturday 17th December 2011 17:04 GMT Robert Carnegie
WRONG
Try http://www.adobe.com/support/security/advisories/apsa11-04.html again
Adobe Reader 9.4.6 is unsafe. You need to get Adobe Reader 9.4.7 if you have a compelling reason not to get Adobe Reader X (10) instead.
And if I read your article right, there's an RPC problem which they cannot have fixed yet.
By the way, I'm assuming that Adobe Reader 8.x and earlier are unsupported, as the web site seems to say, and equally vulnerable. I'm asking because... never mind.
-
Saturday 17th December 2011 17:08 GMT Dan Goodin
Re: WRONG
Robert,
You're right. 9.4.7 is the updated version, not 9.4.6 as previously reported. My apologies. The error has been corrected.
As for the RPC vulnerability, Adobe spokeswoman Wiebke Lips wrote in an email to The Register:
"Note: CVE-2011-4369 was reported after the security advisory (APSA11-04<http://www.adobe.com/support/security/advisories/apsa11-04.html>) was published. The Adobe Reader and Acrobat team was able to provide a fix for this new issue as part of today's update. Note also that at this time, we are only aware of one instance of CVE-2011-4369 being used."
-
Monday 19th December 2011 13:21 GMT Robert Carnegie
Thank you!
That slip could have been nasty for some.
I thought I detected coyness that usually means it's not fixed yet, so, well done that it is. I'm not sure about Mac and Linux users being safe though, just because there weren't attacks reported, but Adobe and those users know their business best.
Am I straight about Adobe Reader 8 being a really bad idea now?
-
Sunday 18th December 2011 18:22 GMT Richard Lloyd
Adobe Reader and Linux...sigh
Is it just me or has Adobe Reader on Linux lagged behind the Mac and Windows versions for a year now? The "X" version isn't available on Linux (is there any technical reason why?) and they don't even bother updating the Linux 9.4.6 release for a month after the Windows one, despite it having the same security issue as the Windows 9.4.6 release!
Sadly, for some PDF documents, Linux alternatives like evince, xpdf and so on aren't good enough (evince in particular is prone to crashes with certain PDFs, which load fine in Adobe's wretched reader).
I've even been desperate enough to try Firefox's pdf.js extension, but it unfortunately honours the browser's font settings (which I set to 16 point - pdf.js should either have its own font settings or ignore the browser's, IMHO), leaving each page a mush of overlarge black text.
BTW, on a slightly different topic, has anyone seen a true 64-bit PDF reader on Windows (i.e. a 64-bit binary)? Nitro PDF "64-bit" version isn't 64-bit - the process is 32-bit. I'm trying to keep Windows 7 "64-bit pure", but bizarrely a 64-bit PDF reader binary doesn't seem to exist!
-
Sunday 18th December 2011 22:59 GMT Nuno trancoso
@AC
Spot on. It's definitely a Windows problem and not a "ID10T using Admin account" problem.
One must infer that to think so, you actually also use a root account all day on your OS of choice.
Praise the lord that you can still feel smug despite that, because the odds of some malware of significance and magnitude ever landing on you are very small, because nobody will ever bother with the 0.5% out of the 5% that your tiny userbase represents.
Makes one wonder if besides being jealous of all the apps and games, the minority is now also jealous of our malware... Haters will hate it seems...
As for Adobe "fixing" things, well... hope is the carrot. Mine's the one with Foxit (until I find something smaller and faster and better, who says you can't have all three...).
-
Tuesday 20th December 2011 23:14 GMT Al Jones
3D in a PDF document
FFS, is it any wonder the thing has bugs!
Why not just make a version that doesn't include this "optional" crap that a tiny, tiny number of customers are even equipped to use. In the long run, Adobe would be doing themselves a favour if they provided a "Reader Lite" version that supported 99.9% of the real world PDF documents, and let the people who need Universal 3D support install the "full fat" version with all the bells and whistles.