Acrobat Reader vulnerabilities (again)

Started by Rik, Apr 29, 2009, 09:05:49

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

Rik

El Reg is reporting that:

QuoteOnce again, Adobe is scouring its Reader application for bugs following reports that it's susceptible to two vulnerabilities that could allow attackers to remotely execute malicious code on end-users' machines.

Adobe has updated its blog to report that all supported versions of Reader are vulnerable. It plans to publish a time line for patching the holes as soon as possible. Security pros are not aware of any in-the-wild attacks exploiting the bugs. In the meantime, they recommend users disable javascript.

Users looking to protect themselves have at least two options, and neither is particularly effective. One is to switch to a PDF alternative such as Foxit (a more complete list of alternative readers is available here). These readers frequently have their own vulnerabilities, but at least they are less targeted.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

I saw this as well Rik, not a good year for Adobe so far. Saying that it makes a change from Quicktime needing patching all the time ;)
Damned, if you do damned if you don't

Rik

That's true. Adobe used to be a good company to do business with, they seem to have taken their eye off the ball. :(
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Rik on Apr 29, 2009, 09:21:52
That's true. Adobe used to be a good company to do business with, they seem to have taken their eye off the ball. :(
Seems companies go through bad patches, Adobe will have to pull a patch out faster than 3 weeks this time though, they got enough bad press for that last time around, Rik.
Damned, if you do damned if you don't

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Rik on Apr 29, 2009, 09:37:38
Don't hold your breath, Gary.
I wont, I look red enough from the sunburn from last week still  ;D
Damned, if you do damned if you don't

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

somanyholes

why adobe don't disable javascript on the default install and provide an option to enable it per document if wanted is beyond me.

somanyholes

answering my own question. Maybe they like to remind you that you have adobe installed on a regular basis, and that they are helping to secure your box  :(

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: somanyholes on Apr 29, 2009, 12:20:36
they are helping to secure your box  :(
I know software companies want to help but that's a bit personal really, I mean I don't even know them, let alone want to let them into my trousers!  ;)
Damned, if you do damned if you don't

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Damned, if you do damned if you don't

Sebby

Where does this leave other readers like Foxit? Do they use the same "engine" as the official Adobe Reader?

Rik

No, but they are considered less vulnerable as, with fewer people using them, they are less targeted. I'm not sure whether that makes me feel safer or not.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Sebby


somanyholes

some of the issues that have affected adobe have also affected foxit. Haven't had a look at this particular one. Disabling javascript is generally a good start though

somanyholes


Rik

The old functionality vs vulnerability issue again, So. :(
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

somanyholes

tbh rik i don't see why javascript's needed on pdf's anyway. I don't think I've ever seen it being used. Anyone here seen it used?

Rik

I haven't, I suppose it depends on how 'clever' the creators choose to be.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Glenn

Maybe they are on piecework,the more patches they create the more they get paid, so make a few holes, so you can patch it later  :evil:
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.