Adobe Warns of Flash, PDF Zero-Day Attacks

InfosecWarrior writes "Adobe issued an alert late Friday night to warn about zero-day attacks against an unpatched vulnerability in its Reader and Flash Player software products. The vulnerability, described as critical, affects Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems. It also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh, and Unix operating systems."

Good thing ...

[Anonymous Coward]

... my iPad isn't affected !

Re:

[hedwards]

Um, neither is my FreeBSD box, you make it sound like that's a good thing. As long as the other platforms use Flash, you're just kinda left out in the cold.

Re:Good thing ...

[ushering05401]

It is a good thing when non-technical customers start saying they are sick of the trauma of using a dominant proprietary product. Whether or not that results in a willingness to embrace an alternative is a different matter, but it is a start.

Re:

[MrHanky]

You would have a point if the same non-technical customers weren't happily tied to use iTunes.

Re:

[Vekseid]

Some of my non-technical clients are getting plenty fed up with iTunes. There is plenty of room for something better to come along.

Re:

[Darkness404]

Not if you use an iPod or iPhone.

Re:

[Culture20]

And my non-techy friends are buying android phones and saying they got a phone just like my iPhone. Apple failed to remain different.

Re:

[jo_ham]

Shame they're stuck on 1.6.

*ducks*

Re:

[Wovel]

Your non-techy friends are wrong :)

Re:

[Runaway1956]

Did you just say "jailbreak"? My kid has an iPod that was jailbroken within 4 hours after he got it. (Not a new one - he bought a used one, just so he could jailbreak it. Wasn't worth the risk of bricking a NEW phone!"

Re:Good thing ...

[DJRumpy]

Why would you think you are tied to iTunes with an iPhone. You do realize that the music in the iTunes music store are simple AAC (un-encrypted at that). The iPhone/iPod Touch/iPad hardware will play standard MP3 and AAC without issue, which pretty much covers just about any music store out there. There are also a ton of open source alternatives to iTunes. iTunes exposes a standard XML which can be used to maintain the library with any third party software.

Try harder....

"Not if you use an iPod or iPhone."

Re:

[toriver]

Because iTunes has two roles: One as a music library and player (like WMP), and the other as a sync program for Apple's devices (like HotSync for Flash back in the day).

Other devices come without sync software but just mount as a remote disk, letting the tech-savvy user navigate cryptic folder structures themselves instead.

Re:

[DJRumpy]

http://www.simplehelp.net/2007/07/08/10-alternatives-to-itunes-for-managing-your-ipod/ [simplehelp.net]

They also missed a few others like EphPod:
http://www.ephpod.com/ [ephpod.com]

A few minutes on google will find you a decent depth of choices on Linux, Mac, and Windows.

Re:

[cheeseboy001]

Are we thinking of the same iTunes? Any music from earlier than last year has DRM and will pretty much only work on an iPod. Heaps of other music stores sell music in WMA format with DRM, which decidedly won't work on Apple hardware. The iTunes library format and the iPod syncing protocol are anything but standard, and while there are a few alternatives to iTunes (which in my experience are not that great), they're only around because of the massive reverse-engineering effort the community's put in. I'm no

Re:

[Wovel]

So it is Apple fault that others stores used a proprietary DRM format? DRM was all the record labels decision anyway. Apple removed it and offers a relatively inexpensive upgrade for anything you already own.

Re:

[zippthorne]

iTunes is mediocre, but everything else plain sucks. It's not Apple's fault everyone else is barely even trying.

Re:

[testadicazzo]

No, he has a point whether or not the same non-tech customers are still tied to iTunes.

A step in the right direction is a step in right direction. Maybe getting rid of all proprietary formats would be better, but an improvement is an improvement, whether or not there is more which could be improved.

Re:

[MrHanky]

Not at all. Flash is available for several platforms; iTunes only for Windows and Mac. Flash is a resource hog on OS X and Linux, iTunes is a resource hog on Windows (and possibly on OS X too, but you can't properly remove it, so you would never know). Flash content can be accessed by other clients (gnash and that new plug-in), iTunes actively locks out clients not approved by Apple (like Palm Pre). iTunes is designed to make it difficult for the consumer to switch to less expensive hardware, Flash in't.

Re:

[Wovel]

Real flash content can not be accessed by gnash. I suspect you already knew this, but decided trying to make a point was > than your integrity.

Re:

[MrHanky]

Potentially, it can, depending on man hours (Flash is no less open that Apple's HTML5). Although non-Apple approved hardware "can" access iTunes, Apple actively makes sure it can't. I suspect you already knew this, too. So fuck integrity, eh?

Re:Good thing ...

[AnonymousClown]

As long as the other platforms use Flash, you're just kinda left out in the cold.

Pfft. There's plenty of porn on MP3 and WMV.

Re:

[Quixotic Raindrop]

Wait, so ... Flash is buggy, and a security risk?!? WHO FREAKING KNEW?!? (oh, that's right. Steve Jobs did. Thank God.)

Re:Good thing ...

[paimin]

Where did all the Apple haters go? I thought Flash was "the whole internet" and "drop-dead gorgeous", and big evil Apple was ruining everything by using their mystical powers of mind control and beating up on poor little Adobe.

Oh, I see, everyone just took off their Apple hater hats and put on their Flash hater hats.

Re:

[HiThere]

Largely a different group of people. When you homogenize your idea of the audience, you loose crucial perspective.

FWIW, I use neither Apple nor Flash, and will happily bash either, as appropriate. I consider Flash trashy and a security risk, and Apple has an intolerable EULA, despite the nice hardware.

Re:

[Quixotic Raindrop]

Not everyone.

<-- admits to being an Apple fanboy. I've hated Flash from the outset; nothing against Adobe /per se/, just that from "GO!" Flash was a memory hog, still leaks even today, and was a major security backdoor through which an otherwise fairly secure web browsing experience could be hijacked, and rather easily.

Apple's recent changes to drive lock-in, such as through the App Store, don't sit well with me, but I'll wait and see what the outcome is. Flash is a miserable piece of crap, and alw

Re:

[paimin]

If people hate Apple's tactics, fair enough. What I do think is utterly ridiculous is this recent pro-Flash line that's been going around, as if Flash and Adobe aren't at least as much of a scourge as Apple.

If you hate anything proprietary and any kind of tech lock-in, then you hate both Apple and Adobe. But the Apple-hate crowd jumping on the bandwagon and acting like Flash is getting some kind of raw deal is pure hypocrisy.

Re:

[AHuxley]

Some recall the font wars, we know the lock in of Apple and its itoy range.
I like the webcam broadcast interactivity of Flash.
Then you have the flash cookies and ongoing security issues.
So people enter the debate from different areas and perspectives.

Flash for the iPhone WHEN???

[swb]

Figure it out, Steve. Every other platform is getting Flash, I want the same opportunity for malware exploits that other mobile platforms will be getting.

Re:

[cpghost]

At least, we FreeBSD-ers aren't getting Flash... I guess we were lucky this time.

Re:

[Conley Index]

Why do you think, "we FreeBSD-ers aren't getting Flash"?

I do have (the Linux version of) Flash 10 installed on my FreeBSD 8 amd64 systems and running it in a native FreeBSD amd64 Firefox. (Of course, it is usually blocked by noscript and flashblock.) A few years ago that might have been difficult to get running, but now it is just ports.

If we really want Flash is another story...

Re:Flash for the iPhone WHEN???

[WrongSizeGlass]

Of course, it is usually blocked by noscript and flashblock.

This appears to be a SWF file being run by Adobe Reader or Acrobat. Browser based plugins aren't going to help when it's opened by a desktop application.

Re:

[hedwards]

I'm finding that gnash seems to fill my needs for things like Youtube, which lets face it is the only real reason why anybody wants flash apart from web games. And with Youtube's owners being interested in ditching flash, I'm not sure how much longer it will even be needed for that.

Re:

[evilviper]

I do have (the Linux version of) Flash 10 installed on my FreeBSD 8 amd64 systems and running it in a native FreeBSD amd64 Firefox.

Unfortunately, those of us on FreeBSD 7.x, 6.x or perhaps even below, are limited to Flash 7. And frankly, I haven't even been able to get that port to work. And that's even after I reluctantly accepted the need to have hundreds of MBs of Linux binaries installed for a single application...

Re:

[toriver]

Since the "open" Flash is only "open" if you want to make dev tools and Adobe maintains a monopoly on making runtimes (Gnash does little more than open FLV container movies), "every other platform" excludes anything Adobe do not see a reason to spend resources on. No Flash on Nintendo DS, Sony PSP, the PS3 browser - the list goes on. Just because the few-ish platforms Flash runs on are dominant does not mean every other platform than the Apple devices has Flash.

And just for you, Adobe

[theolein]

"Go screw yourself" as you said to Apple.

Re:

[davester666]

Steve Nash? I suppose, since the Suns are out of the playoffs and he's got a bit of free time...

Re:

[hedwards]

Nah, it's Steve Wonder, he's kind of pissed about being left out of this whole Flash thing.

The new Jobs equation

[m0s3m8n]

Blu-Ray = Flash = Bag of Hurt.

Re:

[toriver]

Blu-Ray uses Java. Where do you see Flash in Blu-Ray?

64 bit Linux

[Anonymous Coward]

I see the 64 bit Flash plugin for Linux has not been updated. Anyone heard of a timeline for this update?

Re:

[Sir_Lewk]

I see the 64 bit Flash plugin for Linux has not been updated.

Does that really suprize you?

Re:

[0123456]

Perhaps because it appears to be a half-assed gesture to make GNU/Linux users shut up about lack of 64-bit support.

Unlike Windows where there is _no_ 64-bit support.

In any case, I just checked adobe.com and no version seems to have been updated yet.

Re:

[0123456]

Windows users don't expect 64-bit versions, and I don't think you can get Windows without the 32-bit libraries.

My Windows 7 install has 64-bit IE, which is pretty much pointless for the average user without 64-bit Flash. 64-bit Linux can install 32-bit Firefox though I guess you do need to install some 32-bit libraries if the distro didn't do that by default.

Re:

[HiThere]

There actually are plenty of lawyers that have trouble making the rent. They just aren't the ones you hear about.

Re:

[0123456]

Given the processors being sold nowadays I'm really surprised that there are still people installing 32 OS on their 64 bit boxes.

One issue is that 64-bit Windows 7 won't run 16-bit apps; there aren't many that are any use these days, but I'm sure there are still businesses reliant on them and it means you can't run old DOS games without an emulator and Carmageddon, for example, won't run acceptably in any emulator I've tried... either the graphics are corrupt, it's too slow to play on a CPU that's 20x faster than recommended at release, or the game timer counts down at 10x normal speed so you can't finish the race before it runs out.

Current software is fundamentally broken

[hackstraw]

The closest platforms to getting it right are Apple and Linux distros. I say that because they provide a central software base and can push out updates all coming from one place. If you use something like Windows, you have to get updates from Microsoft, your hardware manufactures and then your 3rd party software. AFAIK, Windows still does not come with a PDF viewer, and I think its time for 3rd party plugins to completely disappear from web browsers. I've held the plugin belief for over 10 years.

Even if I say that Apple and Linux are better, they too are broken. And then there are 3rd party apps that continually want you to upgrade them before you run them. Its obnoxious. I can't think of any consumer or professional piece of equipment that needs such care and feeding. If my car has issues (yeah car analogy), then there is a recall. Its a big deal. I would never drive a car that says, "Before you start your car, there is an important safety update, do you want to install that update or blow it off?"

I guess I'm saying that now that internet access is available via cell technology and wifi and wired devices, and I don't know of anybody that uses a compuer not connected to one of these things, that bandwidth needs to increase and "cloud" or computing as a service needs to become a reality. Sure, nobody trusts these big bad internet companies with their data besides the exceptions like online tax services, online banking, facebook and their ilk, ISPs with their logs and their email, ecommerce, and other random services. But maybe, just maybe in the near future there can be a stable computing platform.

Re:

[filesiteguy]

Well, IMO, that's not a valid assumption. Adobe pushes out updates all the time on my Wintendo machines. I've been online since last night with two Ubuntu machines and haven't gotten an update yet.

As for third party plugins going away, not bloody likely.

In fact, I'm writing this using Google Chrome browser, which is *supposed* to be a next-gen browser and will handle more plugins than even the ActiveX-ridden Internet Explorer.

Also, the web has moved so far away from HTML/JavaScript only that you are pretty

Re:

[0123456]

Also, the web has moved so far away from HTML/JavaScript only that you are pretty much unable to browse most sites without flash, or some video player or various other plugins.

Strange: Flash is the only plugin I have installed and I have Flash and Javascript disabled on most sites... doesn't seem to be a problem.

Re:

[filesiteguy]

If you're on some very basic sites, that can be done. My home page does not require flash but does have some javascript elements.

This site is heavy with javascript.

Re:

[toriver]

Are you seriously so brainwashed by Flash DUH-signers that you have failed to see how far HTML+Javascript has come? Browsers were able to play video using OBJECT/EMBED ten years ago.

Flash is an abomination on the web, but has its use for simple games and the like. "Most sites" do not rely on Flash for anything more than ads - to blindly rely on Adobe and Flash to remain significant is akin to relying on Ashton-Tate and dBase III/IV to remain the dominant solution for desktop apps. There is no benefit to oth

Re:

[icebraining]

I would never drive a car that says, "Before you start your car, there is an important safety update, do you want to install that update or blow it off?"

Bullshit. It's called maintenance, and yes, cars do require it. In fact, it's much more onerous than clicking a few times and call it done - not to mention it's much cheaper.

I guess I'm saying that now that internet access is available via cell technology and wifi and wired devices, and I don't know of anybody that uses a compuer not connected to one of th

Re:

[mlts]

Why should I trust unknown servers with critical data? If I were forced to use cloud-based services for banking and file storage, I have no clue who has access to the data. Even with the best security, there are some individuals who will happily loan a blackhat their badge, PIN, and offline authentication device in return for a princely sum of cash, and barring that, there are always other exploits.

Cloud services have some uses, but not for everything. Cloud storage is a decent method of keeping files in

Re:

[lgw]

Obviously, you shouldn't store non-public data in public. If you're using "the cloud" to help with bandwidth as you broadcast data you want everyone to see, that's not a problem. Otherwise, it's all about the cryptography, which is all about the key management.

As far as the reliability - again, if you're using "the cloud" in some short-term fashion to process requests, reliability is great. But if you're storing somehting in the cloud long term - who can you trust? In the corporate world, trust is about

Re:

[Chryana]

Your car analogy is terrible (and irrelevant). Nobody is trying to remotely control your car, which is not the case with your computer. The software used in a car is of a very limited scope, so it is much easier to make sure it is running properly. Meanwhile, an operating system is vastly more complicated, with code produced by a number of developers which is probably several orders of magnitude greater and done on a much smaller budget for the code size. Furthermore, if you think that software which doesn'

Re:

[Draek]

The problem of central update mechanisms is when they fail. More specifically, when the one maintaining it decides that fixing bugs is too boring a job and goes off to work elsewhere.

For an example of that, see Java on OSX and its terrible, terrible security record with respect to Linux and Windows all because the latter ports were maintained by Sun themselves rather than our favorite fruit-flavored company.

Re:

[Like2Byte]

Software failure is not a technical problem but a human problem. Michael Crawford realized this and has developed the Crawfordian Psychoanalysis Manifesto which will end the software problem once and for all. He will fix not just bugs in code but bugs in the mind

Look, until this manifesto is released in a PDF I'm not reading it.

HTML5 v. Flash security

[Onymous Coward]

I wonder about this. I'm sure it's a rather complex issue (that will be picked apart time again for years to come), but the one idea that leapt out at me was one you pointed out:

... HTML5 core part of browsers will likely be much better maintained & secured than [Flash], will help.

HTML5 may not be a silver bullet, but my intuition tells me we'll be much better off. But not having a clear idea of exactly why this is and spouting my intuition out, while perhaps a Slashdot tradition, is not very constructive, so I offer this intuition with this disclaimer.

Re:

[Vellmont]

But not having a clear idea of exactly why this is and spouting my intuition out, while perhaps a Slashdot tradition, is not very constructive, so I offer this intuition with this disclaimer.

I'll tell you why. HTML 5 browsers won't be produced by Adobe, that's why.

Software security isn't just about the technology or specifications, or whatever. It's really mostly (no not entirely) about the people who write the stuff. Sendmail (the ever popular SMTP agent) was the giant poster child of how NOT to write s

Re:

[99BottlesOfBeerInMyF]

...my intuition tells me we'll be much better off. But not having a clear idea of exactly why this is...

The difference is Flash is created pretty much just by one company who has complete control. They don't really worry about competition so they have little motivation to fix security problems, or do so in a timely manner. HTML5, on the other hand, is created and implemented by a wide variety of companies and organizations all competing and interested in security and for that matter, other improvements. COMPETITION drives innovation and improvement, which is why Flash and other software where there is no com

Re:

[king neckbeard]

Yes, transitions to HTML5 will not be inherently safer, but just about everyone moves faster than Adobe in security fixes, and the browser market is more diverse than the Flash player market. Both of these things suggest that it would almost certainly be a net improvement to security even if HTML5 has all of the same design flaws as flash

Official Workaround

[Mojo66]

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

A initially rather secure document format (PDF) has become insecure because Adobe has added a plethora of mostly useless functions like Flash, Javascript etc to it.

Re:

[HazE_nMe]

You can update to the RC of Flash [adobe.com] and just don't open PDF files from untrusted sources (as usual).

Re:Official Workaround

[joe_frisch]

It seems unfortunate that to have secure code you need to use a pre-release version. There is a need for a secure, but not feature-rich document format - I don't need dancing bears.

Only reading documents from "trusted" sources doesn't work - those sources may have been compromised.

Re:

[nadaou]

There is a need for a secure, but not feature-rich document format

You are in luck: http://djvu.org/ [djvu.org]

All the best (non-Adobe) PDF viewers already support it. It's what the Internet Archive uses for archival. http://en.wikipedia.org/wiki/DjVu [wikipedia.org]

Re:

[Draek]

It's not the format that's insecure, only Adobe's particularly shitty implementation of it. Now, if you *want* Javascript and Flash on your document format you're screwed, but I'd say in that case you are really Doing It Wrong(tm).

Re:

[CondeZer0]

> A initially rather secure document format (PDF) has become insecure because Adobe has added a plethora of mostly useless functions like Flash, Javascript etc to it.

Sadly this days that seems to be the trajectory followed by most software projects [cat-v.org].

More and more bloat, more and more useless crap that nobody really needs or wants but that adds more and more complexity and makes systems more and more fragile.

Call me dumb, but...

[Rui Lopes]

It also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems.

... how can the DLL affect osx & other unix OSes? And why does it ship on these OSes?

Re:

[marcosdumay]

The DLL is part of Acrobat Reader. I've never saw a Linux that ships with Acrobat, but it is available for most of them (on some it is just a click away). Anyway, very few people do use Acrobat on Linux, unless you are one of those few that got out of your way to install it, it is not an issue.

64-bit Linux

[macemoneta]

If the fix is critical, why is the Linux 64-bit version still at the vulnerable level?

Re:

[WrongSizeGlass]

If the fix is critical, why is the Linux 64-bit version still at the vulnerable level?

No versions have been fixed yet so all versions are still vulnerable ... this includes Linux 64-bit.

Re:

[macemoneta]

The Flash Player 10.1 Release Candidate "does not appear to be vulnerable," the company said.

The Linux 64-bit version is still at the vulnerable level, and has not been brought up to the non-vulnerable level.

Re:

[macemoneta]

We heard you the first time. Maybe you should *listen* when you read: It's not fixed yet. The 10.1 RC has not been released yet (that's the whole "release candidate" part of it). There is no patch for 10.0.x.x or 9.0.x.x yet so is still vulnerable. Mmm-kay?

I shouldn't respond to anonymous trolls, but the 10.1 RC is available at the Adobe beta site [adobe.com], just not for Linux 64-bit. That was the point of the post. If you're not familiar with Adobe's release process, maybe you should try a google before blowing s

Oh christ, not again

[Nimey]

It's job security for us computer janitors, but still fucking annoying that their security is so bad.

PDF files should not "execute"

[bradley13]

If Adobe had the brains of a hamster, it would prohibit executable content in PDF files. Anything fancier than a fill-in-the-blank form has no place in a document format. Business needs some sort of standardized format in which to exchange written documents electronically, and PDF has fulfilled this role until now (barring the dimwits who still send Word files around). Allowing PDF to include executable content is not only dumb - it will eventually destroy PDF as a trusted format.

Re:PDF files should not "execute"

[Jahava]

Anything fancier than a fill-in-the-blank form has no place in a document format.

That's a slippery slope you're walking there. The second that you open the document up to interaction and editing, you open the platform up to issues like editing capabilities, content type, content validation, and each of those opens up their own can-of-worms.

In my opinion, PDF should do exactly what most people use it for: it should render content in a consistent, platform-independent, and read-only manner. If you need to provide a form to fill out, there are many technologies to solve that problem, but across all of them, Web/HTML stands out as the most appropriate. Web/HTML has numerous different approaches for allowing a user to fill out a form, each richer and more flexible than Adobe's PDF will (er, should) ever be. If you want the fields that are filled out to appear in a read-only document, have the web service generate a PDF document containing your answers when you complete the HTML form.

A perfect example of this is how Google's Spreadsheets [google.com] can present a form view, which is capable of reproducing a significant amount of the capabilities that Adobe's executable content is used for with a concise user interface, and producing a PDF at the end of it.

Re:

[wiredlogic]

barring the dimwits who still send Word files around

I wouldn't completely knock Word. The Word document format maintains its contents as structured data as opposed to lines of text or individually placed glyphs that is all PDF can muster. That's great for consistent page rendering but not so hot for machine processing. Extracting text from PDF is considerably more complicated because paragraphs and blocks of text have to be guessed at by analyzing the page layout. Throw in right to left and vertical scripts and it gets even more complicated. Word may have a

Re:

[faber0]

Leaving out the "executable content" from PDFs does not shield you from exploits at all. Hostile input can still trigger all sorts of bad reactions including complete takeover. A bug can turn any simple viewer into executing the document.

Saint Steve was right!

[lostsoulz]

Sent from my iPhone.

Show us the code Adobe

[Alcoholist]

Show us the code Adobe. We of the nerd community would have had that problem fixed for you long ago.

Adobe link to Flash Player deemed "safe"

[oDDmON oUT]

Note: This is prerelease code:

http://labs.adobe.com/downloads/flashplayer10.html [adobe.com]

"Flash Player 10 Prereleases

This page contains download information of developer prerelease and beta versions of Adobe® Flash® Player 10 software for Windows, Macintosh, Linux, Solaris, and Android. It is being made available for developers to test their content to ensure new features function as expected, existing content plays back correctly, and there are no compatibility issues. Consumers can try the prerelease of

Re:

[oDDmON oUT]

Damn, clicked Submit instead of Preview. Meant to add this from the advisory:

"Note:
The Flash Player 10.1 Release Candidate available at http://labs.adobe.com/technologies/flashplayer10/ [adobe.com] does not appear to be vulnerable.

Adobe Reader and Acrobat 8.x are confirmed not vulnerable."

Hey!

[Wovel]

Thanks Adobe, you help keep the Internet a fun and exciting place for everyone!

Re:Look at the credits for Adobe Reader.

[Bert64]

Problems like this are common because reader and flash are ubiquitous, flash because it has no viable alternatives and reader because most users don't realise that there are far superior pdf viewers out there (i've even seen people install reader on macs where a far superior pdf viewer comes by default)...

Re:Look at the credits for Adobe Reader.

[rudy_wayne]

Problems like this are common because reader and flash are ubiquitous,

No, problems like this are common because companies keep cramming more and more unnecessary crap into their software. From the article:

In the absence of a patch, Adobe recommends deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x. This will mitigate the threat but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

Why do you need "SWF content" in a PDF file? And then there was the story from a couple months ago about the ability to embed executable commands in a PDF file, and it it isn't a flaw - it's a feature built into the PDF spec. Sloppy programming combined with more and more crap that doesn't belong, guarantees that these problems will keep showing up.

Flaw in the spec

[rsborg]

Why do you need "SWF content" in a PDF file? And then there was the story from a couple months ago about the ability to embed executable commands in a PDF file, and it it isn't a flaw - it's a feature built into the PDF spec. Sloppy programming combined with more and more crap that doesn't belong, guarantees that these problems will keep showing up.

I don't doubt there's sloppy programming involved, but this sounds like a flaw in the spec... who the hell reviews the PDF spec and how much does Adobe pay them

So true

[theolein]

I cannot imagine who on earth would want Flash content in PDFs. I imagine it is still some brainless marketing fuck at Adobe who thinks PDfs will trump Powerpoint for presentation and so they have to cram in just as much useless shit as can be crammed into a pptx/pps file.

What truly fucking bothers me is that the "fix" they offer is not a fix at all. Installing a release candidate Flash player across a company will not be easy in many cases and who the fuck is going to go searching for craptasticadobeshit.dll on all their machines. Sadly, this is such a problem that you have no choice, unless you want to block all Flash content and in many industries, such as media or design, that's simply impossible.

Adobe is so fucking lost it's not funny. Their Flash player is a buggy, unsecure piece of shit. Their Acrobat PDF Reader is even worse, slow to start up, full of utterly useless shit that easily 99% of people who need to view a pdf don't need, and regularly an opportunity for malware authors to get at your machine. On top of this, Adobe is so choking on their shit that they coded almost all the dialogs in the new CS5 suite in fucking Flash, leaving previously satisified customers seething with anger because dialogs that were already pretty unstandard in the last two version of the CS ballsup are now more often than not, simply not working anymore.

For the love of God, please someone, anyone, make a decent alternative to the CS suite so we don't have to put up with Adobe's increasingly bizarre attempt to remain relevant by shovelling ever more shit into what were previously perfectly good apps!

Re:

[cusco]

PDF has always seemed to me like a solution in search of a problem. There were plenty of better alternative formats available, both editable and non-editable. Then Adobe helped one of its former executives get elected to the Senate and the gov't suddenly decided that PDF was going to be official format of all government documents forever-and-ever-amen.

One of the first things that I do on my customers' servers (after asking permission, of course) is uninstall Acrobat. They're generally thankful that we

Re:

[mr_matticus]

There were plenty of better alternative formats available, both editable and non-editable.

Such as?

The point of PDF wasn't about editable or not editable, which is probably why you think it was a solution in search of a problem.

The PDF format started out as a way to ensure complete display fidelity across display media and platforms. Unlike a word processor file, you did not have to worry about rendering differences, formatting inconsistencies, whether the destination system had the proper fonts or supported a given typographical control. These were the days before you could embed fonts in your

Re:

[Culture20]

Am I the only one sick of the "zero day" buzzword?

No, but I'm only annoyed when people misuse it. Zero-day [wikipedia.org] has a specific meaning that is an important distinction when talking about vulnerabilities and exploits. When I hear "Zero-day", my immediate response is: "Oh ^&@#$, who put in strange trouble tickets the last few days?" and "Yay, Overtime for out of cycle Microsoft/Adobe patching."

Re:

[TheLink]

Not sure if it's related to the announcement, but today when I opened a whole bunch of Yahoo Finance pages at a go, I got an "open/download p.pdf" prompt. By reflex I cancelled that (and I don't use Adobe for PDF stuff anyway), but it may mean that someone has managed to use popular servers to infect machines.

Perhaps I should have downloaded and tried analyzing it. Not sure where it actually comes from- yahoo may use 3rd party servers for caching, and nowadays stuff like facebook also gets involved etc.

Re:Zero-day?

[Alwin Henseler]

Buzzword or not, "zero day" means a vulnerability that is already being exploited by the time it's published. If vulnerability is published but no exploit exists -> no zero day.

Regardless of what you think of reasons for using that "zero day" label, this is very relevant to end-users: zero day -> you're at risk, NOW. No zero day -> you're probably safe (for the time being, that is).

Re:

[selven]

Zero day -> you're at risk, now.

No zero day -> well, we published the vulnerability, so it'll take 12-48 hours for someone to write and start using an exploit.

Re:

[Leebert]

Not entirely correct, historically it meant an exploit that was discovered by the vendor by the fact that it was being exploited. Meaning, they had zero days to develop a patch.

So if, for example, someone reported this to Adobe previously, and Adobe hadn't fixed it yet, then it isn't a zero day exploit. If Adobe only found out about the vulnerability because people were exploiting it, it was a zero day vulnerability.

Which might be what you were saying, but it didn't come out unambiguously that way. :)

Re:

[v1]

Not entirely correct, historically it meant an exploit that was discovered by the vendor by the fact that it was being exploited. Meaning, they had zero days to develop a patch.

I would slightly adjust (loosen) that definition and say that it's an exploit for which there is not currently a patch available (number of days the patch has been available: zero) whether or not the vendor is aware of it. (and that has just suddenly started being exploited on a broad scale in the wild)

Reason is, we've many times see

Re:

[cpghost]

It got old years ago and if I hear "zero day" one more time I'm going to go nuts and take a sniper rifle up to the top of a bell tower and start picking off wannabe technology journalists.

Wouldn't that qualify as a "zero day" sniping attack?

Re:

[Lars T.]

It got old years ago and if I hear "zero day" one more time I'm going to go nuts and take a sniper rifle up to the top of a bell tower and start picking off wannabe technology journalists.

Wouldn't that qualify as a "zero day" sniping attack?

No, the bulletin is already out before the attack. Well, if he's already climbing the stairs, we can talk about it...

Re:

[the_humeister]

What I want to know (but neither the summary nor Adobe's announcement say) is how the exploit actually works. No details are given other than that the reader and flash are vulnerable.

Re:

[dave562]

I present the motion that from this moment, we substitute "fresh no day" for the term "zero day". It was good enough for warez kids so it will be good enough for security researchers.

Re:

[AHuxley]

When developers are allowed to write quality code, test it and use modern operating systems security functionality "zero day" buzzword ...
Long term learn to enjoy "zero day"

Re:

[dotgain]

And how exactly is this a comment? Slashdot posters waffle on about their indifference all the time.