Adobe Warns of Reader, Acrobat Attack
itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."
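The summary says the bug is in how Reader processes JavaScript and that the workaround is to turn JavaScript off. The other thing a practitioner wants while that setting is unreliable is a quick way to tell which incoming PDFs carry JavaScript at all, and which of those would run it the moment the file is opened. The scanner below is an added example, not code from the article, Adobe or Shadowserver. It looks for the PDF name tokens that matter here (/JavaScript and /JS for the script, /OpenAction and /AA for actions that fire without a click) and undoes the two tricks that defeat a naive grep: #xx hex escapes inside names, and script hidden in a Flate-compressed stream. The sample PDFs are constructed and harmless; the stream handling assumes a direct /Length and zlib compression, which is a simplification of a real parser.

```python
"""Flag PDFs that carry JavaScript, and those that would fire it on open.

Added example for this thread, not code from the article or from
Adobe/Shadowserver. Scans PDF object syntax for the name tokens
/JavaScript, /JS, /OpenAction and /AA, after undoing #xx hex escapes
and inflating Flate-compressed streams. Assumptions (simplifications):
streams are located by a direct /Length and decompressed with zlib;
indirect lengths and other filters are skipped.
"""
import re
import sys
import zlib
from typing import Dict

SUSPICIOUS_NAMES = ("JavaScript", "JS", "OpenAction", "AA")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM_KEYWORD = re.compile(rb"(?<!end)stream\r?\n")   # skip "endstream"
_LENGTH = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # direct lengths only


def normalize_names(data: bytes) -> bytes:
    """Turn /#4Aava#53cript back into /JavaScript. PDF lets any byte of a
    name be written as #xx, a common way to hide the action type."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the inflated bytes of every stream that has a direct /Length
    and that zlib can decompress. Anything else is skipped."""
    inflated = []
    for kw in _STREAM_KEYWORD.finditer(data):
        # The stream dictionary immediately precedes the keyword; take the
        # nearest /Length before it (assumption: dict is under 512 bytes).
        dict_region = data[max(0, kw.start() - 512):kw.start()]
        lengths = _LENGTH.findall(dict_region)
        if not lengths:
            continue
        body = data[kw.end():kw.end() + int(lengths[-1])]
        try:
            inflated.append(zlib.decompress(body))
        except zlib.error:
            continue  # not Flate-compressed, or damaged: nothing to scan
    return b"\n".join(inflated)


def count_indicators(data: bytes) -> Dict[str, int]:
    """Count each suspicious name in the raw file plus its inflated streams.
    A name ends at the first non-alphanumeric byte, so /JS is not counted
    inside /JSX. Hex escapes inside string literals are also unescaped,
    which can over-count; that is accepted rather than miss a hidden name."""
    text = normalize_names(data + b"\n" + inflate_streams(data))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        token = re.compile(rb"/" + name.encode() + rb"(?![0-9A-Za-z])")
        counts[name] = len(token.findall(text))
    return counts


def has_javascript(data: bytes) -> bool:
    c = count_indicators(data)
    return c["JavaScript"] > 0 or c["JS"] > 0


def runs_on_open(data: bytes) -> bool:
    """True when the file carries JavaScript and has an automatic trigger:
    the combination that executes without the user clicking anything."""
    c = count_indicators(data)
    return has_javascript(data) and (c["OpenAction"] > 0 or c["AA"] > 0)


# Constructed samples (harmless, not exploits). SAMPLE_OPEN_JS hides the
# action type behind hex escapes; build_compressed_sample() hides the whole
# action dictionary inside a Flate-compressed object stream.
SAMPLE_CLEAN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SAMPLE_OPEN_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /#4Aava#53cript /JS (app.alert('constructed sample');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample() -> bytes:
    action = b"<< /S /JavaScript /JS (app.alert('constructed sample');) >>"
    packed = zlib.compress(action)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Page /AA << /O 4 0 R >> >> endobj\n"
        b"4 0 obj << /Type /ObjStm /N 1 /First 0 /Length "
        + str(len(packed)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + packed
        + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        if runs_on_open(blob):
            verdict = "RUNS ON OPEN"
        elif has_javascript(blob):
            verdict = "has JavaScript"
        else:
            verdict = "no JavaScript found"
        print(f"{path}: {verdict} {count_indicators(blob)}")
```

Run it as `python scanner.py *.pdf` over a mail attachment folder. A hit on /JS or /JavaScript alone means the file needs the setting from the summary to be off before opening; a hit on /OpenAction or /AA as well means the script does not wait for a click. A file that produces no hit can still hide script behind an indirect /Length or a non-Flate filter, so treat "no JavaScript found" as "none found by this scanner", not as clean.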
Really... (Score:1, Insightful)
Why on earth do you need JavaScript in a PDF?
Don't cross streams (Score:3, Insightful)
Separate your programs from your data, and your documents from your interactive media.
Re:Really... (Score:4, Insightful)
To send an email after filling out a form and clicking submit in a PDF.
Honestly - It's not really like the Adobe reader has the vulnerability, it's just JavaScript in general. I mean it's not great that the reader will execute the code just by opening the file - but now that you know it does that, is it really the reader's fault? Isn't the user executing the code as if he were clicking a button now?
Re:Preferences? (Score:3, Insightful)
or Here [foxitsoftware.com]
Both are good places to start. You can end at the other.
Although, Foxit has added the Ass - err, Ask toolbar, which sucks. Fortunately you can not agree to the toolbar's terms, and it won't install (but Foxit will still install)
Re:Look at the Acrobat Reader credits. (Score:4, Insightful)
If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.
Yes because it's ok to buy something and not to bother making sure you're getting your money's worth.
Responsibility lies with management for not implementing some sort of quality control - ESPECIALLY when dealing with offshore outfits. It's called due diligence. But since a lot of managers only care about their paycheck and not the brand's reputation, etc., well, this crap happens. If the board are too busy figuring out how much to pay themselves on top of that, well, that's the corporate world in a nutshell.
Re:Javascript Again (Score:3, Insightful)
What bothers me about this is that once it's disabled it just prompts you to enable it once it senses a JS PDF. The end user, if he or she has rights (and they do at home), just clicks another OK box instead of being forced to go into preferences and turn it back on. Once that's clicked it runs the JS and the exploit. It's ridiculous it's even on by default, let alone this UI stupidity.
The next version of Acrobat should just have it off by default. Force people to turn it on. Chances are 99.9% of users have no legitimate reason for a JS PDF.
Re:Anyone still has JavaScript enabled? (Score:2, Insightful)
And then someone who is paying you money sends you a pdf and expects you to make comments using Adobe's proprietary comment system.
Re:Really... (Score:4, Insightful)
Not that I don't trust myself, but this is really not the time to solicit javascript-enabled pdfs from strangers.
Re:Anyone still has JavaScript enabled? (Score:5, Insightful)
Somewhat ironic, isn't it? If you want to use Adobe's security features (digital signing/encryption) and 3rd party software to achieve SOX compliance - you must accept security vulnerabilities from Acrobat/Reader itself.