Security News

Adobe Warns of Reader, Acrobat Attack 195

itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."
This discussion has been archived. No new comments can be posted.

  • Really... (Score:1, Insightful)

    by Anonymous Coward on Tuesday December 15, 2009 @12:10PM (#30445218)

    Why on earth do you need JavaScript in a PDF?

  • by Gothmolly ( 148874 ) on Tuesday December 15, 2009 @12:29PM (#30445520)

    Separate your programs from your data, and your documents from your interactive media.

  • Re:Really... (Score:4, Insightful)

    by Monkeedude1212 ( 1560403 ) on Tuesday December 15, 2009 @12:29PM (#30445522) Journal

    To send an email after filling out a form and clicking submit in a PDF.

    Honestly - It's not really like the Adobe reader has the vulnerability, it's just JavaScript in general. I mean it's not great that the reader will execute the code just by opening the file - but now that you know it does that, is it really the reader's fault? Isn't the user executing the code as if he were clicking a button now?

  • Re:Preferences? (Score:3, Insightful)

    by ByOhTek ( 1181381 ) on Tuesday December 15, 2009 @12:40PM (#30445748) Journal

    or Here [foxitsoftware.com]

    Both are good places to start. You can end at the other.

    Although, Foxit has added the Ass - err, Ask toolbar, which sucks. Fortunately you can not agree to the toolbar's terms, and it won't install (but Foxit will still install)

  • by Dunbal ( 464142 ) on Tuesday December 15, 2009 @12:46PM (#30445850)

    If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.

          Yes because it's ok to buy something and not to bother making sure you're getting your money's worth.

          Responsibility lies with management for not implementing some sort of quality control - ESPECIALLY when dealing with offshore outfits. It's called due diligence. But since a lot of managers only care about their paycheck and not the brand's reputation, etc., well, this crap happens. If the board are too busy figuring out how much to pay themselves on top of that, well, that's the corporate world in a nutshell.

  • by gad_zuki! ( 70830 ) on Tuesday December 15, 2009 @01:01PM (#30446136)

    What bothers me about this is that once it's disabled it just prompts you to enable it once it senses a JS PDF. The end user, if he or she has rights (and they do at home), just clicks another OK box instead of being forced to go into preferences and turn it back on. Once that's clicked it runs the JS and the exploit. It's ridiculous it's even on by default, let alone this UI stupidity.

    The next version of Acrobat should just have it off by default. Force people to turn it on. Chances are 99.9% of users have no legitimate reason for a JS PDF.

  • by maxume ( 22995 ) on Tuesday December 15, 2009 @01:08PM (#30446258)

    And then someone who is paying you money sends you a pdf and expects you to make comments using Adobe's proprietary comment system.

  • Re:Really... (Score:4, Insightful)

    by kbielefe ( 606566 ) <karl.bielefeldt@gma[ ]com ['il.' in gap]> on Tuesday December 15, 2009 @01:15PM (#30446388)

    Not that I don't trust myself, but this is really not the time to solicit javascript-enabled pdfs from strangers.

  • by Anonymous Coward on Tuesday December 15, 2009 @01:18PM (#30446434)
    We tested turning it off. It broke some important applications that use Reader as part of a workflow. There isn't any money in the foreseeable future to replace / rewrite these applications so Javascript is still on in Reader. This type of stuff is also what keeps us from going to alternate PDF readers. That plus the ability to digitally sign and several other things. Often (unfortunately) large companies find ways to use these things that make use of features that home users or smaller businesses find useless or bloat, etc. Heck, even our SOX compliance app uses this and it also breaks with Javascript off.
  • by jasonwc ( 939262 ) on Tuesday December 15, 2009 @01:26PM (#30446600)

    Somewhat ironic, isn't it? If you want to use Adobe's security features (digital signing/encryption) and 3rd party software to achieve SOX compliance - you must accept security vulnerabilities from Acrobat/Reader itself.
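
Where Reader's JavaScript has to stay enabled, as in the workflow case described in the comments above, incoming PDFs can be triaged for script before they reach a desktop. The sketch below is an added example, not part of the Slashdot thread or of any Adobe or Shadowserver tooling: it counts the PDF name tokens that mark script and automatic actions, decoding `#xx` name escapes first. The function names and the sample byte strings are constructed for illustration.

```python
import re

# A PDF name is "/" followed by regular (non-whitespace, non-delimiter) bytes.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

# /JS and /JavaScript carry script; /OpenAction and /AA trigger actions
# automatically; /ObjStm packs objects into a compressed stream that this
# byte-level scan cannot see into.
WATCHED = ("JS", "JavaScript", "OpenAction", "AA", "ObjStm")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count watched names anywhere in the raw file bytes."""
    counts = dict.fromkeys(WATCHED, 0)
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(counts: dict) -> str:
    """'script' = hold for review, 'unknown' = compressed objects, 'no-script'."""
    if counts["JS"] or counts["JavaScript"]:
        return "script"
    if counts["ObjStm"]:
        return "unknown"  # script could sit inside a compressed object stream
    return "no-script"


# Constructed sample fragments (not complete, renderable PDFs).
SAMPLE_SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                   b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert\\(1\\);) >>\nendobj\n")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_PACKED = (b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /N 3 /First 20 >>\n"
                 b"stream\n\x78\x9c\x03\x00\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, blob in (("scripted", SAMPLE_SCRIPTED), ("plain", SAMPLE_PLAIN),
                        ("packed", SAMPLE_PACKED)):
        print(label, verdict(scan_pdf(blob)), scan_pdf(blob))
```

A raw byte scan can also match names that merely appear inside string or stream data, so a "script" verdict is a reason to hold the file for review, not proof of an exploit.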
