Adobe kills two actively exploited bugs in Reader

Adobe has released updates for its Reader and Acrobat applications that fix two vulnerabilities that attackers were exploiting to seize control of Windows-based machines. Version 9.4.7 of the programs fixes two memory-corruption bugs that Adobe says are “being actively exploited in limited, targeted attacks in the wild” against …

COMMENTS

This topic is closed for new posts.
  1. eulampios

    On Linux or *BSD, who could be using Adobe Acrobat Reader at all, I am wondering?

    1. Ilgaz

      People actually using features

      People using Linux on enterprise desktops and some larger .edu. Or end users sign docs etc.

      1. eulampios

        useless features

        The very features of Adobe Reader that make it exceptionally vulnerable? AR (as was mentioned below) is so bloated. When I was using a friend's PC to compile some LaTeX code it would freak out every time a doc gets updated. I do it on Debian out of emacs (C-c C-c versus C-c C-f), evince refreshes the document without a problem.

        As a matter of fact evince is much more capable, it understands a bunch of different other open formats, like djvu.

  2. Anonymous Coward

    Ahh

    "Adobe has released updates for its Reader and Acrobat applications that fix two vulnerabilities that attackers were exploiting to seize control of Windows-based machines."

    Windows - ever so secure!

    1. eulampios

      Yes indeed, Microsoft is the one to carry most responsibility for the recklessness we see in the IT development and culture. Especially RPC, I am sorry, even this is so much of a beaten place. Everyone knows that it is the most insecure protocol out there.

      I would like to know though if you could successfully use one of the vulns on non-Windie machines. It goes without saying, using Adobe is unwise anyways, but still....

  3. BristolBachelor Gold badge
    FAIL

    Adobe

    What the hell has happened to Adobe recently?

    Flash is well known to cripple browsers on any platform.

    Adobe Acrobat Professional regularly crashes IE on my Windows workstation.

    Lightroom 3 crashes if you are tagging photos (at least on Lion).

    Photoshop also crashes very often on Lion (and sometimes takes the entire system down).

    ADOBE SORT YOUR SHIT OUT !!!

    1. Ken Hagan Gold badge

      Recently?

      Adobe's been the biggest attack surface in the industry for a number of years now, surely?

  4. Anonymous Coward
    Go

    Here Is The Fix

    A) Deinstall Current Acrobat Reader Version

    B) Install the latest Acrobat Fix: http://projects.gnome.org/evince/?guid=ON

    1. eulampios

      Right, but first you have to fix the OS by wiping the MS sh?t out the hdd and install something decent, like *buntu, Mint or whatever.

  5. Wensleydale Cheese

    I haven't used Acrobat Reader for years

    Preview on OS X

    Whatever comes by default on a given flavour of Linux

    Ghostview / Ghostscript or XPDF on a variety of other systems

    Foxit on Windows

    1. Ilgaz

      If you run Leopard?

      Apple stopped security updates for Leopard including Preview and its frameworks.

  6. Robert Carnegie Silver badge

    WRONG

    Try http://www.adobe.com/support/security/advisories/apsa11-04.html again

    Adobe Reader 9.4.6 is unsafe. You need to get Adobe Reader 9.4.7 if you have a compelling reason not to get Adobe Reader X (10) instead.

    And if I read your article right, there's an RPC problem which they cannot have fixed yet.

    By the way, I'm assuming that Adobe Reader 8.x and earlier are unsupported, as the web site seems to say, and equally vulnerable. I'm asking because... never mind.

    1. Dan Goodin (Written by Reg staff)

      Re: WRONG

      Robert,

      You're right. 9.4.7 is the updated version, not 9.4.6 as previously reported. My apologies. The error has been corrected.

      As for the RPC vulnerability, Adobe spokeswoman Wiebke Lips wrote in an email to The Register:

      "Note: CVE-2011-4369 was reported after the security advisory (APSA11-04<http://www.adobe.com/support/security/advisories/apsa11-04.html>) was published. The Adobe Reader and Acrobat team was able to provide a fix for this new issue as part of today's update. Note also that at this time, we are only aware of one instance of CVE-2011-4369 being used."

      1. Robert Carnegie Silver badge

        Thank you!

        That slip could have been nasty for some.

        I thought I detected coyness that usually means it's not fixed yet, so, well done that it is. I'm not sure about Mac and Linux users being safe though, just because there weren't attacks reported, but Adobe and those users know their business best.

        Am I straight about Adobe Reader 8 being a really bad idea now?

  7. adversecamber

    So?

    I really can't get excited about this - I ditched Acrobat years ago for Foxit Reader and have now got the excellent NitroPDF. Free, fast, small and bug-free. What's not to like?

  8. Tom 7

    pdf2txt

    NPDF

  9. Richard Lloyd
    FAIL

    Adobe Reader and Linux...sigh

    Is it just me or has Adobe Reader on Linux lagged behind the Mac and Windows versions for a year now? The "X" version isn't available on Linux (is there any technical reason why?) and they don't even bother updating the Linux 9.4.6 release for a month after the Windows one, despite it having the same security issue as the Windows 9.4.6 release!

    Sadly, for some PDF documents, Linux alternatives like evince, xpdf and so on aren't good enough (evince in particular is prone to crashes with certain PDFs, which load fine in Adobe's wretched reader).

    I've even been desperate enough to try Firefox's pdf.js extension, but it unfortunately honours the browser's font settings (which I set to 16 point - pdf.js should either have its own font settings or ignore the browser's, IMHO), leaving each page a mush of overlarge black text.

    BTW, on a slightly different topic, has anyone seen a true 64-bit PDF reader on Windows (i.e. a 64-bit binary)? Nitro PDF "64-bit" version isn't 64-bit - the process is 32-bit. I'm trying to keep Windows 7 "64-bit pure", but bizarrely a 64-bit PDF reader binary doesn't seem to exist!

    1. Steve Renouf

      Libre Office?

      Writer does PDFs... and comes in x64 flavours

    2. eulampios

      strange...

      OK, it is the first time I hear about some pdf docs "crashing" evince... Quite the other way around, for some reason adobe r. would crash if you run pdftex/latex when a doc is opened.

      What kind of document is it? Did you try any of the alternatives, like kpd, gv, xpdf? or docview in emacs?

  10. Anonymous Coward

    Adobe?

    I am surprised that people are still using the official 'Reader' when there ARE alternatives, oh and hurry up Google with that HTML5 implementation! I don't like the idea of Flash being yet another attack vector.

  11. Nuno trancoso
    Coat

    @AC

    Spot on. It's definitely a Windows problem and not a "ID10T using Admin account" problem.

    One must infer that to think so, you actually also use a root account all day on your OS of choice.

    Praise the lord that you can still feel smug despite that, because the odds of some malware of significance and magnitude ever landing on you are very small, because nobody will ever bother with the 0.5% out of the 5% that your tiny userbase represents.

    Makes one wonder if besides being jealous of all the apps and games, the minority is now also jealous of our malware... Haters will hate it seems...

    As for Adobe "fixing" things, well... hope is the carrot. Mine's the one with Foxit (until I find something smaller and faster and better, who says you can't have all three...).

  12. Tree

    bloat allows vulns to hide

    Adobe reader is too bloated to be used anyway. Why run scripts in a document viewer?

  13. Al Jones

    3D in a PDF document

    FFS, is it any wonder the thing has bugs!

    Why not just make a version that doesn't include this "optional" crap that a tiny, tiny number of customers are even equipped to use. In the long run, Adobe would be doing themselves a favour if they provided a "Reader Lite" version that supported 99.9% of the real world PDF documents, and let the people who need Universal 3D support install the "full fat" version with all the bells and whistles.
