El Reg (http://www.theregister.co.uk/2009/04/28/adobe_reader_flaw/) is reporting that:
Quote: Once again, Adobe is scouring its Reader application for bugs following reports that it's susceptible to two vulnerabilities that could allow attackers to remotely execute malicious code on end-users' machines.
Adobe has updated its blog to report that all supported versions of Reader are vulnerable. It plans to publish a time line for patching the holes as soon as possible. Security pros are not aware of any in-the-wild attacks exploiting the bugs. In the meantime, they recommend users disable JavaScript.
Users looking to protect themselves have at least two options, and neither is particularly effective. One is to switch to a PDF alternative such as Foxit (a more complete list of alternative readers is available here). These readers frequently have their own vulnerabilities, but at least they are less targeted.
I saw this as well, Rik, not a good year for Adobe so far. Saying that, it makes a change from QuickTime needing patching all the time ;)
That's true. Adobe used to be a good company to do business with, they seem to have taken their eye off the ball. :(
Quote from: Rik on Apr 29, 2009, 09:21:52
That's true. Adobe used to be a good company to do business with, they seem to have taken their eye off the ball. :(
Seems companies go through bad patches, Adobe will have to pull a patch out faster than 3 weeks this time though, they got enough bad press for that last time around, Rik.
Don't hold your breath, Gary.
Quote from: Rik on Apr 29, 2009, 09:37:38
Don't hold your breath, Gary.
I won't, I look red enough from the sunburn from last week still ;D
I tend to a shade of purple more. ;)
Why Adobe don't disable JavaScript on the default install and provide an option to enable it per document if wanted is beyond me.
Answering my own question. Maybe they like to remind you that you have Adobe installed on a regular basis, and that they are helping to secure your box :(
I suspect you're right, So. :(
Quote from: somanyholes on Apr 29, 2009, 12:20:36
they are helping to secure your box :(
I know software companies want to help but that's a bit personal really, I mean I don't even know them, let alone want to let them into my trousers! ;)
:rofl: :karmic:
Quote from: Rik on Apr 29, 2009, 12:26:00
:rofl: :karmic:
:ithank: I just could not resist it, Rik :evil:
Where does this leave other readers like Foxit? Do they use the same "engine" as the official Adobe Reader?
No, but they are considered less vulnerable as, with fewer people using them, they are less targeted. I'm not sure whether that makes me feel safer or not.
Thanks. :)
Some of the issues that have affected Adobe have also affected Foxit. Haven't had a look at this particular one. Disabling JavaScript is generally a good start though.
Then again, is Windows even affected .... http://www.securityfocus.com/bid/34736/discuss
The old functionality vs vulnerability issue again, So. :(
Tbh Rik, I don't see why JavaScript's needed on PDFs anyway. I don't think I've ever seen it being used. Anyone here seen it used?
I haven't, I suppose it depends on how 'clever' the creators choose to be.
Maybe they are on piecework, the more patches they create the more they get paid, so make a few holes, so you can patch it later :evil:
Sometimes it feels that way. :)