
Adobe Warns of Critical Zero Day Vulnerability

Posted by Soulskill
from the might-want-to-just-trademark-that-term dept.
wiredmikey writes "Adobe issued an advisory today on a zero-day vulnerability (CVE-2011-2462) that has come under attack in the wild. According to Adobe, the issue is a U3D memory corruption vulnerability that can be exploited to cause a crash and permit an attacker to hijack a system. So far, there are reports the vulnerability is being exploited in limited, targeted attacks against Adobe Reader 9.x on Windows. However, the bug also affects Adobe Reader and Acrobat 9.4.6 and earlier 9.x versions for UNIX and Macintosh computers, as well as Adobe Reader X (10.1.1) and Acrobat X (10.1.1) and earlier 10.x versions on Windows and Mac. Patches for Windows and Mac users of Adobe Reader X and Acrobat X will come on the next quarterly update, scheduled for Jan. 10, 2012."

  • by Anonymous Coward on Tuesday December 06, 2011 @09:22PM (#38287064)

    Why on earth isn't "Adobe Reader X Protected Mode" the default?

    • Good I stopped using that blob...

      • by capnkr (1153623) on Tuesday December 06, 2011 @11:24PM (#38287712)
        "Blob" is very apt terminology, yet "(Unnecessarily) Giant Blob" might be even more accurate. Not sure if these are exact numbers, but they are probably close. From Wikipedia [wikipedia.org], re: Sumatra PDF:

        It has a 4.4 MB setup file, compared to Adobe Reader's 40.5 MB, for Windows 7. Installed size is 8.4 MB, whereas Adobe Reader requires 335 MB of available disk space.

        Adobe PDF Reader - now with 10-40x the size of what's *really* needed! ***Bonus*** - Includes Critical 0 Day vulnerability, @ no extra charge!!!

        What more could you ask for?

        • by FatdogHaiku (978357) on Tuesday December 06, 2011 @11:46PM (#38287824)

          Adobe PDF Reader - now with 10-40x the size of what's *really* needed! ***Bonus*** - Includes Critical 0 Day vulnerability, @ no extra charge!!!

          What more could you ask for?

          Ummm, could you maybe toss in an eternally running updater?
          And if the same people could come up with a useless "download manager", well that would just be peachy!

        • by Anonymous Coward on Wednesday December 07, 2011 @01:17AM (#38288182)

          That is not actually true. Adobe Reader is a "conforming implementation" of the ISO 32000 PDF specification. As such, it must support features that your 8.4 MB reader cannot possibly see (such as the ability to pull from CRLs when encountering a digital signature). I used to work for Adobe and I am not here to defend them but in all fairness, you must distinguish the difference between conforming and non-conforming implementations of PDF before comparing.

          Duane

          • by Mathinker (909784) on Wednesday December 07, 2011 @01:47AM (#38288310) Journal

            > you must distinguish the difference between conforming and non-conforming implementations of PDF before comparing

            Your point is valid, however, how much of that ISO standard is, itself, "ooooh, shiny"-ness which is one of the reasons why Reader has so many more possible places of failure? Before discovering better alternatives for reading PDFs under Windows, the first thing I would do to Adobe Reader was to disable scripting support inside PDF documents.

            In other words, I prefer the non-conforming, because that means that (there is a chance that) the implementers might actually be ignoring stupid things which Adobe pushed into the PDF standard which shouldn't be there.

          • Re: (Score:2, Interesting)

            by MightyMartian (840721)

            You're saying pulling from CRLs requires that many more megabytes?

            Let's be blunt here. Adobe Reader is an obscene piece of bloatware, packaged with all sorts of worthless cruft like the absolutely moronic download manager. I suspect that software developers who were actually interested in delivering a decent product rather than trying to push their vast library of even more bloated applications would try a little harder to bring the size of things down, if for no other reason than an abiding sense of shame

          • by shitzu (931108)

            ISO conformity is no excuse for the amount of vulnerabilities in Adobe Acrobat software. Unless the vulnerability is specified in the ISO.

        • by Eraesr (1629799)
          Installed size of SumatraPDF really is 4.4MB here for me, as the setup file is a ZIP containing a single .exe file. So the install footprint of Adobe PDF Reader is 76 times the size of SumatraPDF. Adobe creates bloatware. Same with Apple and iTunes/QuickTime.
        • by shitzu (931108)

          Don't forget it's a zero-day vulnerability that is fixed in the next quarterly update.

    • by Calos (2281322) on Tuesday December 06, 2011 @09:41PM (#38287158)

      In my experience it can (or used to) break things when interacting with other programs.

      It broke my LaTeX editor. Couldn't compile a document and automatically have it open in Reader. After some fighting, I think I got it to open, but if you make some edits and recompile... it quickly errors out if you don't manually and completely exit out of Reader first. It's really annoying. Spent far too long reading up on how Reader is supposed to interact with other software and setting my editor to try different commands invoking Reader. No dice, and it looked like the documentation wasn't up to date for all the changes in X yet. But turn off protected mode, and it worked just fine.

      Granted, they might have fixed that in the meantime, I've not used it in a couple months, and don't even have Reader installed any more...

    • Why on earth isn't "Adobe Reader X Protected Mode" the default?

      Wouldn't matter since Reader X crashes on every XP system I've tried it on. That leaves me with Reader 9, and I don't really care to hear any comments about why I shouldn't be on XP. It's not dead or out of support yet and I have my reasons to still be running it.

      My question is: after all of these years, why can't Adobe write a secure version of reader. I mean it's just one program to do basically one simple enough thing. Are they too busy on new development to actually fix their existing product?

      • Hey I don't have a problem with you being on XP friend, if it works why fix it? I have windows 7 on one machine and XP on another, why bother switching the older XP machine?

        My question would be why are you trying to run Adobe Reader at all when there is both Foxit and Sumatra on Ninite [ninite.com]. Just check the box, click the download button and run it, that's it. Then you can say goodbye to crappy Adobe Reader.

        As for why Adobe can't build a secure reader? You answered it yourself friend when you said you thought it was "one program to do basically one simple enough thing" when to try to sell copies of Acrobat Adobe has been piling shit into that program for years. That is why frankly for production software like Acrobat I really wish they'd go to a yearly license model like AV companies use. That way instead of being pressured to constantly add new shit to the program so they have an excuse to upsell you they could just focus on making it better and more secure and get paid without having to add crap.

    • by yuhong (1378501)

      It is the default already (I checked using my copy of Adobe Reader X), which is part of why they are delaying the patch for this version until next month.

    • Re: (Score:3, Informative)

      "By default, Adobe Reader 10.0 enables Protected Mode"

      http://kb2.adobe.com/cps/860/cpsid_86063.html [adobe.com]

  • Oh adobe... (Score:4, Informative)

    by mirix (1649853) on Tuesday December 06, 2011 @09:23PM (#38287070)

    You can pretty well set your watch by adobe exploits. Get it together, guys...

    • by Anonymous Coward on Tuesday December 06, 2011 @09:27PM (#38287098)

      If you're wondering "How can this happen?", all you need to do is look at the credits of Acrobat Reader. Notice that many of the names are quite clearly Indian. Then it all makes sense.

      • by Anonymous Coward on Tuesday December 06, 2011 @10:07PM (#38287244)

        Why is the parent modded flamebait? S/he's telling the truth. We just discussed this very issue: Does Outsourcing Programming Really Save Money? [slashdot.org].

        Somebody please mod the parent up. Sometimes the truth isn't pretty, but it's still the truth. I don't care if feelings get hurt by it. It's still the truth.

        • by hairyfeet (841228) <bassbeast1968@gma i l . com> on Tuesday December 06, 2011 @11:29PM (#38287732) Journal

          Exactly. Nobody is saying the Indians are shit, they are saying that companies that take the lowest priced shit get shit for their money and when we see Indian coders that is EXACTLY what we are seeing, why try to hide it? Good Indian coders cost good money, same as good coders anywhere. These companies don't go to India because they want to hire top notch Indians at a decent wage, these corps want as close to sweatshop as they can possibly get. You know this, I know this, hell didn't anybody watch "How NOT to hire an American"? These corps don't give a shit about quality, it's all about cost. This is why our landfills are overflowing with cheap plastic garbage and people are being poisoned in China melting circuit boards for the metals, cheap ass bottom of the line shit. This is just cheap ass bottom of the line software instead of hardware and India is where you go to get a programmer for a price lower than dinner at Mickey D.

          As for TFA this is why I'm so glad I haven't included Adobe Reader on a build of mine since Adobe 6. There are several excellent alternative readers like foxit and sumatra and foxit comes with safe reading on by default, so why would you want the risk that Reader causes? With Flash sandboxed in low rights mode and no reader I don't have to worry about Adobe bugs, which is nice. You'd have to be nuts to want Reader unless you simply have no other choice.

          • by EdIII (1114411) on Tuesday December 06, 2011 @11:48PM (#38287836)

            You'd have to be nuts to want Reader unless you simply have no other choice.

            Acrobat 10. Production environment. Multiple servers for remote desktop sessions. Have to have it. Receive secure documents all the time for markup and endorsements and Foxit can't even open it. Let's not even talk about 3rd party PDF support for electronic signatures from capture pads.

            The NERVE of those fuckers to announce a zero-day exploit in the wild with an expected fix date in a quarterly update.

            What the fuck are they smoking? It's the 6th of December you sadistic moronic fucktards. This is the dark side of vendor lock-in. Till that update I have to wonder about the thousands of PDF documents flowing through into the system and from emails. Believe me, there are some workers that will open anything in an email. So it is a real risk already.

            Not that I don't normally, but there is a big difference between a possible threat and a known one.

            It's just amazing for them to announce that with all the business customers they have. The unmitigated gall of those bastards.

            • by shuttah (2475982) on Wednesday December 07, 2011 @12:27AM (#38287986) Journal

              I agree 110%.

              It's a blatant and inexcusable display of negligence on Adobe's part to schedule an update over a month after telling us that a REMOTE EXECUTION EXPLOIT is confirmed, and is being exploited in the wild. Again, with confirmation. To add to that, this isn't even something where you can advise everyone to turn off javascript and pray everyone follows your instructions while keeping an eye on traffic. It's nothing short of a nightmare to be honest. The fact that this software is installed on everything from a consumer's new laptop or desktop, to a hell of a lot of government agencies doesn't sit well with me either.

            • by jroysdon (201893)

              "[T]he company noted that Adobe Reader X Protected Mode and Acrobat X Protected View offer some mitigation against the exploit."

              I'm guessing that while the bug exists in X, it is not exploitable, or at least there is no code in the wild that is able to exploit it.

            • Ohhh yaaaa, get ready for those Fake AVs to pop-up warning users of an infection. Fun times ahead! In all seriousness though, I do feel your pain. Trust me. I too have to deal with similar setups that involve viewing invoices inside of IE. Don't ask, it's all part of the customer's CRM package provided by Netsuite.

              Perhaps you already know what I'm about to say, but for those that don't I'll offer some advice anyways. There are some simple steps you can do to at least minimize the threat. All of which require

            • by hairyfeet (841228)

              I feel your pain my brother, and that is one of the reasons I got out of corporate. Sure I don't make as much but I don't look like a walking corpse anymore and the constant headaches went away.

              But your post just proves my point friend, all that shit you listed? SHOULD NOT BE IN PDF. The PDF file was a portable document for PRINTING, that was what it was designed for, that was its purpose. To upsell your employers they constantly tack on extra bullshit that gives it all these features the format was never d

      • Why I Will Never Feel Threatened by Programmers in India [slashdot.org] guy just changed his mind.
      • Re: (Score:3, Informative)

        I tried, but adobe reader crashed when I clicked on "credits". (No joke, 9.4.2 on amd64 Linux)
    • Re: (Score:3, Funny)

      by Anonymous Coward

      >You can pretty well set your watch by adobe exploits. Get it together, guys...,

      My watch doesn't display milliseconds.

    • by fuzzyfuzzyfungus (1223518) on Tuesday December 06, 2011 @10:02PM (#38287214) Journal

      You can pretty well set your watch by adobe exploits. Get it together, guys...

      You actually have several options: If you want it to run fast, set by exploits. If you want it to run slow, set by fixes.

      • by grcumb (781340)

        You can pretty well set your watch by adobe exploits. Get it together, guys...

        You actually have several options: If you want it to run fast, set by exploits. If you want it to run slow, set by fixes.

        Yep. I believe the Mayan calendar cycle is based on Adobe patches....

  • Patched when? (Score:5, Insightful)

    by binaryhat (2494814) on Tuesday December 06, 2011 @09:24PM (#38287078)
    Jan. 10, 2012? Why not immediately? Do Adobe coders suck that bad... Honestly I think when a major vulnerability is found, companies should fix it immediately or face penalties.
    • Re:Patched when? (Score:5, Informative)

      by DERoss (1919496) on Tuesday December 06, 2011 @09:41PM (#38287162)

      If you follow the "exploited to cause a crash ..." link in the initial Slashdot item, you will see that a fix to Acrobat Reader 9 will be available by this coming Monday. You will also see that, unless you disable Protected View in Acrobat Reader 10, you are not vulnerable and thus can wait a month.

      • by yuhong (1378501)

        Actually, Adobe Reader X is vulnerable, but Protected View isolates exploit code.

    • Re:Patched when? (Score:4, Interesting)

      by syousef (465911) on Tuesday December 06, 2011 @10:23PM (#38287354) Journal

      Jan. 10, 2012? Why not immediately? Do Adobe coders suck that bad...

      Honestly I think when a major vulnerability is found, companies should fix it immediately or face penalties.

      You naive sod. You think the DEVELOPERS determine the release schedule? For all you know there are developers there with a fix ready and tested that are agitating and itching for it to go out.

    • by sincewhen (640526)

      Clearly they are too busy coding up new vulnerabilities to have the time for fixes...

  • by jenningsthecat (1525947) on Tuesday December 06, 2011 @09:25PM (#38287092)

    ...leads to increased vulnerability, whether in biology or in software.

    Although there are alternatives to Adobe Reader, none of them is good enough to gain significant market share. And Adobe does everything it can to make competing with it more difficult. So a key piece of software used by a large majority of computer users is bloated beyond belief and so riddled with vulnerabilities that it seems there's a new one every day. It sucks, but it's hardly surprising.

    On the web, as in politics, we get what we deserve - or, in this case, we get what other web users deserve, because they vastly outnumber us.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Not good enough alternatives? FoxIT reader is better imho. Heck, the Ubuntu default document viewer works fine for me. It's a shame that "adobe" has become synonymous with "pdf".

      • by labnet (457441)

        Another vote for Foxit
        I remove adobe PDF from any systems I administer and install Foxit

      • by sdnoob (917382)

        foxit is a little safer, imho, for windows, but doesn't support everything adobe reader does. not that 99% of the people need those extras, though...

        we have run across a few instances where adobe reader (even latest version at the time) would have problems opening up certain files (electronic bank statements were the biggest problem here.. ever since the bank talked dad into going with online-only statements, he'd have problems every month).. while any version of foxit we tried opened them up just fine.

        howe

    • by enoz (1181117) on Tuesday December 06, 2011 @09:43PM (#38287170)

      I recall the Adobe loading screens on older Acrobat versions. One time while waiting for Acrobat to load its bloated carcass into memory I actually paid attention to the loading messages and noticed "movie.api" among others being loaded. That was the nail in the coffin.

      While switching to non-Adobe PDF software may not be in the power of everyone, you can blacklist the Adobe PDF plugin from running in your web-browser. Apart from improving your internet experience it may also help prevent some drive-by PDF exploits.

    • by Anonymous Coward

      I just use the default PDF things that come with Debian Squeeze and OpenOffice. I can read and print anything to PDF (and I can even create PDFs in my PHP code). If you want all the bloat that comes with Adobe software, then yeah there are no alternatives. If you just want to read/write basic PDF documents, then there are enough if you know where to look.

      Without a significant official repository of FOSS and non-free packages that can be browsed with something like Synaptic for Debian, Windows users in parti

      • Some people complain that they can't do everything on Linux that they can do with Windows, but apart from specific games (I love StarCraft)...

        FYI, both SC1 and SC2 run flawlessly in Wine, I've been playing^Wtesting both for years.

    • by mirix (1649853) on Tuesday December 06, 2011 @10:30PM (#38287404)

      Evince [gnome.org] (gtk) and Okular [kde.org] (ex-kpdf, iirc, Qt) both seem pretty usable to me.

      At work, I'm stuck with windows, and the Evince win32 port seems to work quite well there too. Only issue I ran into was that by default it tried to print things in landscape mode or something like that, and I didn't notice.
      A nice feature is that it does djvu and postscript as well, instead of having multiple readers (although I seem to think ps might not work with windows in default, probably relies on ghostscript or so..?).

    • by Mad Merlin (837387) on Tuesday December 06, 2011 @10:50PM (#38287530) Homepage

      Although there are alternatives to Adobe Reader, none of them is good enough to gain significant market share.

      Are you kidding me? Acrobat is such a steaming pile of crap that it has bred a completely misplaced hatred of PDF in most Windows users. Ever seen a Slashdot summary with a "(warning, PDF)" note after a link? Only Acrobat can manage to bog down a brand new system opening a 1 page PDF, every other PDF reader in the world will open it instantaneously.

      If anything, Acrobat has single handedly painted PDF into the very niche corner that it's in now. PDF is a good format hobbled by a hopelessly lousy reference implementation.

      • by yuhong (1378501)

        They improved it in Adobe Reader X by among other things finally showing a progress bar.

    • by jezwel (2451108)
      I've requested a review of Adobe Reader/Acrobat by a number of groups in our organisation, as there are continuing issues with security, incompatibility with PDFs created with other products, plus the licence management if you don't have an Adobe enterprise agreement is a massive PITA.

      I'm hoping they choose an alternative product, cause I have a large number of Acrobat purchases to make if not :|

  • by Anonymous Coward on Tuesday December 06, 2011 @09:32PM (#38287128)

    According to the Wikipedia article on Universal 3D [wikipedia.org]:

    The format is natively supported by the PDF format and 3D objects in U3D format can be inserted into PDF documents and interactively visualized by Acrobat Reader (since version 7).

    and

    There are four editions to date.

    The first edition is supported by many/all of the various applications mentioned below. It is capable of storing vertex based geometry, color, textures, lighting, bones, and transform based animation.

    The second and third editions correct some errata in the first edition, and the third edition also adds the concept of vendor specified blocks. One such block widely deployed is the RHAdobeMesh block, which provides a more compressed alternative to the mesh blocks defined in the first edition. Deep Exploration and PDF3D-SDK can author this data, and Adobe Acrobat and Reader 8.1 can read this data.

    The fourth edition provides definitions for higher order primitives - curved surfaces.

    I'm guessing it's the vendor specified blocks from the 3rd edition that are causing the problem.

    • by Mojo66 (1131579) on Tuesday December 06, 2011 @10:19PM (#38287320)
      Why do we need support for 3D files, embedded file attachments, JavaScript and all that crap in a file format that was originally intended to print documents? I'm glad that there are alternatives to Adobe Reader that just support the old idea of a printable document file format and nothing more, for example Preview on OS X, for other OS see this list [wikipedia.org]. The crazy thing is that Adobe Reader is promoted by a lot of companies that use PDFs to send out bills electronically, i.e. to open the attachment, you need to download Acrobat Reader. Which is not only a wrong statement, but also a suggestion to install an application that has been plagued with security faults.
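
An added illustration, not part of any comment above and not code from Adobe or any PDF tool: a triage scanner that flags PDFs carrying the features this sub-thread names (3D/U3D content, JavaScript, embedded files) so they can be held for review while a reader is unpatched. The function names and the sample bytes are constructed for this example; the PDF name objects it looks for are the standard ones.

```python
import re
import zlib
from collections import Counter

# PDF name objects tied to the features discussed in the thread.
WATCHED = {b"3D", b"U3D", b"JavaScript", b"JS", b"EmbeddedFile"}
MAX_INFLATE = 8 * 1024 * 1024  # per-stream output cap against decompression bombs

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# A name is "/" followed by bytes up to the next whitespace or delimiter.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def names_in(data):
    """Yield name objects with #xx escapes decoded, so /#55#33D reads as U3D."""
    for match in NAME_RE.finditer(data):
        yield HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(1))


def inflate(body):
    """Return Flate-decoded bytes (capped), or None if the body is not zlib data."""
    try:
        return zlib.decompressobj().decompress(body, MAX_INFLATE)
    except zlib.error:
        return None


def scan_pdf(data):
    """Count watched names in the file body and inside every stream."""
    layers = [STREAM_RE.sub(b" ", data)]  # everything outside stream bodies
    for match in STREAM_RE.finditer(data):
        body = match.group(1)
        inflated = inflate(body)
        # Object streams hide dictionaries behind compression; look inside them.
        layers.append(body if inflated is None else inflated)
    hits = Counter()
    for layer in layers:
        for name in names_in(layer):
            if name in WATCHED:
                hits["/" + name.decode("ascii")] += 1
    return dict(hits)


def has_3d_content(data):
    """True when the file declares a 3D annotation or a U3D stream."""
    hits = scan_pdf(data)
    return "/3D" in hits or "/U3D" in hits


def build_sample():
    """Constructed test bytes: PDF-shaped, carries no real 3D data or script."""
    hidden = b"<< /Type /3D /Subtype /#55#33D /Length 0 >>"
    packed = zlib.compress(hidden)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(packed)).encode("ascii")
        + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
        b"2 0 obj\n<< /Type /Annot /Subtype /3D >>\nendobj\n"
        b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    for name, count in sorted(scan_pdf(build_sample()).items()):
        print(f"{name}: {count}")
```

A hit means the file should be reviewed, not that it is malicious. A miss is not proof of absence either: encrypted files and streams using filters other than Flate are not decoded here.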
  • Too late (Score:5, Informative)

    by Natales (182136) on Tuesday December 06, 2011 @09:58PM (#38287196)
    This type of vulnerability is serious enough that I find it rather appalling that Adobe is pushing this to their regular "scheduled" quarterly update. If they are serious on being considered as a credible platform, they absolutely need to address these kinds of issues with more sense of urgency.
    • by yuhong (1378501)

      They are doing an out of cycle update, but only for Adobe Reader 9 for Windows because that is the version currently exploited.

  • The summary makes no mention of a patch for Reader 9, but some of us have been stuck with Reader 9 because Reader X has no IFilter to allow PDF indexing by search tools [adobe.com] (even worse, installing Reader X removes any older IFilter that you might already have). So we get to choose between having a security hole or an IFilter. Thanks, Adobe.

  • Sumatra (Score:5, Informative)

    by HBI (604924) <kparadine@@@gmail...com> on Tuesday December 06, 2011 @10:05PM (#38287234) Homepage Journal

    It doesn't do everything Acrobat does, but it reads PDFs. Which is enough for me.

  • by Man On Pink Corner (1089867) on Tuesday December 06, 2011 @10:09PM (#38287258)

    ... because Adobe broke the search feature in the versions after 9.4.0 (both 9.x and 10.x) If you search in a .PDF in the newer versions, it will fail to highlight at least some of the matches.

    This is a pretty huge deal and it would be astonishing if it were still broken. Does anybody know if they've fixed the bug?

  • Mac? (Score:4, Interesting)

    by 93 Escort Wagon (326346) on Tuesday December 06, 2011 @10:13PM (#38287278)

    I'd be curious to know how many Mac users install Adobe Reader at all, since Preview does a very good job of basic PDF handling - and loads almost instantly, as opposed to Reader's geologic-era-scale load time.

    • by Mojo66 (1131579)
      I wouldn't underestimate the userbase, because nowadays bills are often attached to an e-mail as PDF, and the mail reads something like to view the attached PDF file you have to install Adobe Reader. The mandatory sound made a not-so-computer-savvy friend of mine install AR on her Mac until I explained to her that Preview would work fine.
      • by shitzu (931108)

        Strange - I have not yet run into a mac user that doesn't clickclick it first. And let's not forget that Mail shows it inline if it's single page. Also - for windows users - if you need it to just see bills etc, Chrome handles PDF viewing internally.

    • Re: (Score:3, Informative)

      by ender- (42944)

      I was forced to install it recently. Some PDFs from my state government required it. If I tried to open them in Preview, it complained that it needed a newer version of Acrobat Reader. So I installed it, printed what I needed, then removed it.

      A lot of less technical folks though would have just kept it. Assuming they figured out that they needed to install it in the first place.

      • by hawk (1151)

        a2ps can do some amazing stripping; I use it when a client can't handle a scanner well enough to strip permissions control that stops me from filing dockets.

        hawk

    • by antdude (79039)

      With my client's three years old MacBook Pro and Mac OS X 10.5.8, he needed it for some weird Adobe format (forgot which it is). It was like an interactive book/slideshow.

    • by hawk (1151)

      I don't have adobe reader, but acrobat pro 8; it came with my snapscan.

      It does a co hole of things that preview doesn't do or do well, including actually modifying documents (ok, it doesn't do that well, but preview doesn't do it at all, save for manipulating entire pages).

      It redacts (properly, now).

      It does better at n-up with small margins, but not as well as accorded Linux.

      It does o r.

      hawk

    • by v1 (525388) on Wednesday December 07, 2011 @01:06AM (#38288138) Homepage Journal

      I'd be curious to know how many Mac users install Adobe Reader at all

      Preview works very well for reading, but Acrobat Pro is currently the best Mac solution for authoring PDFs. Unfortunately. But there you have it. Open a 5mb PDF in word. Edit. Save. Wow, look at that, did you notice, now it's 45mb? It seems that acrobat pro is one of the few editors that recompresses. Now watch the secretary fill out that PDF form in Word and try to email it back to you.

      PDF - Portable Document Format. It does a good job at being universally supported, for reading anyway. Do you want that, or maybe something else proprietary like DOC? (or even better, DOCX) You may hate the reader but the format is very good. It's just insanely bloated with features that are nigh impossible to secure. (it's about as good an idea as when MS added auto running macros to their DOC and XLS spec) So you can count on there being a new exploit almost constantly, and as we're seeing here, a critical exploit every quarter or so.

      I personally do as much as possible in RTF format. It's fairly well supported, and doesn't have security-undermining features in the standard. On the mac, the bundled TextEdit does a marvelous job with RTF, reads and authors in it, and has very similar functionality to PDF. I just wish clicking on an RTF document on a web page would display it inline instead of downloading the bloody thing to the desktop.

    • by he-sk (103163)

      Installed it recently to read annotated PDFs I receive sometimes. I find that preview does a poor job displaying these annotations and won't even display some at all.

  • by sootman (158191) on Tuesday December 06, 2011 @10:18PM (#38287318) Homepage Journal

    ... or maybe just go back a few versions. No movies, no scripting, no interactivity other than hyperlinks and form elements, no live connection to the Web, no motion of any kind. Just vector shapes and a handful of well-known image formats. Please, just go back to what PDF was originally supposed to be: a virtual print that looked the same anywhere, including a small handful of well-known image formats. Oh, and make it "safe", which it never would have occurred to me to ask for in the past but I guess we need to specifically request that these days. (Hi, GM, can you please make a car without an array of eight-inch spikes in the middle of the steering wheel?) And, as long as I've got this crackpipe, I'll ask them to make the spec simple enough and open enough that anyone can make a program to generate them or read them.

    I don't know what features Adobe is packing into the spec these days but to the best of my knowledge there's nothing I do today that couldn't be handled by PDF 1.2 and Acrobat 3. The only problem is, when people make PDFs, they tick the little box that says "Require Acrobat _ or greater" and I always have to update.

  • by Anonymous Coward

    ...if you're going to follow up your "zero" day announcement to the world with a statement that your "fix" for this is to release a patch that is scheduled for release in a month or so from now. What, is patching out of cycle for a zero-day vuln suddenly against someone's religion or something? That's about the only excuse that would seem somewhat sane (if you call organized religion sane) here.

    If I were one of those paranoid type of guys, I would say that Adobe wrote this fucking thing themselves, and w

  • Good God (Score:4, Insightful)

    by tsotha (720379) on Tuesday December 06, 2011 @10:53PM (#38287542)
    It's a freakin' document reader. How did Adobe end up here? Not only is it such a bloated piece of crap it takes forever to open a document, but they seem to have one vulnerability after another. The functionality that they added for 0.0000001% of their customers isn't really worth the price they're paying.
  • by thestudio_bob (894258) on Tuesday December 06, 2011 @11:08PM (#38287618)

    I guess all the good programmers left Adobe years ago.

  • by Rakarra (112805) on Tuesday December 06, 2011 @11:14PM (#38287652)

    I and a bunch of others received emails today claiming to be from Adobe (it wasn't, as mail headers showed) that included an attachment, an .exe in a zip file.

    Of course, you should never run attachments sent via email, even if the source appears trusted.

    • Yeah, so now the blackhats can send exe's in emails but when I want to send an app I've discussed to a relative the stupid fucking email co's including email.com and gmail say I can't send a fucking exe... WTF! My fucking email - my fucking choice, unbelievable that they would censor my emails in such a casual manner.
  • Attack surface (Score:5, Insightful)

    by WD (96061) on Tuesday December 06, 2011 @11:32PM (#38287752)

    I wrote it years ago, but it's still quite relevant:
    http://www.cert.org/blogs/certcc/2009/06/vulnerabilities_and_software_a.html [cert.org]

    Coding quality and exploit mitigations aside, there's something to be said for the size of the software that you're installing. The more code that's there, the more there is to attack. If you're using Reader, you might ask, why is there a 3D rendering engine in my PDF reader? Or maybe even do something about it.

  • by Hamsterdan (815291) on Tuesday December 06, 2011 @11:33PM (#38287756)

    Why is it under Preferences | General instead of, I don't know, crazy idea, under Preferences | Security ?

    And 4 weeks? They're leaving that hole open for 4 fscking weeks?

    1- Announce a security flaw
    2- Leave it open for a month
    3- ???
    4- Profit!

  • 1.) Adobe really must employ some of the worst developers in the commercial sector.

    2.) Zero Day is undoubtedly one of the most idiotic labels in the computing sector.
