Acrobat Reader vulnerabilities (again)

Started by Rik, Apr 29, 2009, 09:05:49

Rik

El Reg is reporting that:

Quote:
Once again, Adobe is scouring its Reader application for bugs following reports that it's susceptible to two vulnerabilities that could allow attackers to remotely execute malicious code on end-users' machines.

Adobe has updated its blog to report that all supported versions of Reader are vulnerable. It plans to publish a time line for patching the holes as soon as possible. Security pros are not aware of any in-the-wild attacks exploiting the bugs. In the meantime, they recommend users disable JavaScript.

Users looking to protect themselves have at least two options, and neither is particularly effective. One is to switch to a PDF alternative such as Foxit (a more complete list of alternative readers is available here). These readers frequently have their own vulnerabilities, but at least they are less targeted.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

I saw this as well, Rik, not a good year for Adobe so far. Saying that, it makes a change from QuickTime needing patching all the time ;)
Damned, if you do damned if you don't

Rik

That's true. Adobe used to be a good company to do business with, they seem to have taken their eye off the ball. :(

Gary

Quote from: Rik on Apr 29, 2009, 09:21:52
That's true. Adobe used to be a good company to do business with, they seem to have taken their eye off the ball. :(
Seems companies go through bad patches, Adobe will have to pull a patch out faster than 3 weeks this time though, they got enough bad press for that last time around, Rik.

Gary

Quote from: Rik on Apr 29, 2009, 09:37:38
Don't hold your breath, Gary.
I won't, I look red enough from the sunburn from last week still ;D

somanyholes

Why Adobe don't disable JavaScript on the default install and provide an option to enable it per document if wanted is beyond me.

somanyholes

Answering my own question. Maybe they like to remind you that you have Adobe installed on a regular basis, and that they are helping to secure your box :(

Gary

Quote from: somanyholes on Apr 29, 2009, 12:20:36
they are helping to secure your box  :(
I know software companies want to help but that's a bit personal really, I mean I don't even know them, let alone want to let them into my trousers!  ;)

Sebby

Where does this leave other readers like Foxit? Do they use the same "engine" as the official Adobe Reader?

Rik

No, but they are considered less vulnerable as, with fewer people using them, they are less targeted. I'm not sure whether that makes me feel safer or not.

somanyholes

Some of the issues that have affected Adobe have also affected Foxit. Haven't had a look at this particular one. Disabling JavaScript is generally a good start though.

Rik

The old functionality vs vulnerability issue again, So. :(

somanyholes

Tbh Rik, I don't see why JavaScript's needed on PDFs anyway. I don't think I've ever seen it being used. Anyone here seen it used?

Rik

I haven't, I suppose it depends on how 'clever' the creators choose to be.

Glenn

Maybe they are on piecework, the more patches they create the more they get paid, so make a few holes, so you can patch it later :evil:
