Adobe PDF Exploits In the Wild

Posted by CmdrTaco on Sat Feb 09, 2008 12:36 PM
from the junkbusters-are-better-than-virus-scanners dept.
mambosauce writes "Brian Krebs, via the security fix blog is reporting that the recent PDF vulnerabilities which were patched only for Adobe Reader 8 and not 7 are being exploited via banner ads. As if there haven't been enough banner ad attacks this year now we have another one targeting one of the most popular applications in the world this weekend. At this rate there won't be many safe applications left to use."
  • by Anonymous Coward on Saturday February 09 2008, @12:38PM (#22361204)
    That's what foxit and kpdf are for.
    • by ScrewMaster (602015) on Saturday February 09 2008, @12:44PM (#22361260)
      No kidding. FoxitReader is a hell of an improvement over Adobe's crap, even if it isn't open source.
      • And if you need more OSS in your diet, there's SumatraPDF (http://blog.kowalczyk.info/software/sumatrapdf/ [kowalczyk.info])
      • I like Foxit and use it in place of Acrobat Reader, but there's one problem I have with it that makes me have to start up Acrobat Reader sometimes. Some types of PDFs like datasheets seem to cause the program to grind with what looks like completely rerendering the page every time it's scrolled. It gets hung up for a couple of seconds with every motion making it almost unusable for some documents but Acrobat Reader works perfectly with the same files. Anyone have some idea what this is about?
      • Re: (Score:2, Informative)

        Sumatra PDF [kowalczyk.info] is a very speedy and free (GPLv2) reader for the Windows people. (no affiliation, just a happy user.)
        • Might be you have a permissions problem on the program folder or the files. You'd think the installer would have reported that fact, but maybe not. Log in as Administrator and see if it upgrades then.
        • by Anonymous Brave Guy (457657) on Saturday February 09 2008, @01:42PM (#22361676)

          Foxit is so much faster and less of a resource hog than Adobe Reader.

          It also doesn't work. For example, two-page documents generally start with page 1 on the right, yet in two-page mode Foxit insists on displaying pages 1 and 2 together, 3 and 4 together, etc. I discovered this when I tried it after seeing comments like the parent and GP posts, and also discovered that there have been bugs logged on this for eons but no-one seems to care about fixing it. The software was uninstalled from my PC within two minutes of installing it and filed under "beyond hope".

          One of these days, people on Slashdot will realise that something that is free and/or more secure is still worthless if it doesn't actually do the job it's supposed to do.

          • the page layout (right vs left) is hardly a major issue when it concerns Foxit, a PDF -reader-. I can fully understand if you want it to work correctly for a PDF authoring app, so that it comes out the printer the way you see it on screen, but geeze.

            It's like calling ThunderBird "beyond hope" because the thunderbird team appear to be unwilling to fix the folder rename issue on the Windows platform (renaming "Test" to "test" will tell you that it already exists. durrr. https://bugzilla.mozilla.org/show_bug. [mozilla.org]
            • Adobe Reader takes forever to open up (even on my fast computer), but Foxit comes up in seconds.
              Ain't that the truth... I remember Maximum PC (or was it CPU?), either way they were able to download, install and run Foxit before Adobe had even finished loading up.
            • A long time ago, I learned that Acrobat Reader is so damn slow to launch because of all the crap plugins that are loaded with it. I couldn't remember exactly which of the various modules I removed, but a quick Google gave me this: http://dwtips.com/2006/06/17/how-to-speed-up-pdf-loading-with-adobe-acrobat/ [dwtips.com] It looks like the same type of instructions that I followed way back when.
        • by 404 Clue Not Found (763556) * on Saturday February 09 2008, @05:47PM (#22363876) Homepage

          Yes but ...
          * Can FoxitReader view Flash, WMV, Real and Quicktime content embedded into PDF files?
          * Can FoxitReader edit PDF files if they have been encrypted and signed using Reader Extensions Server?
          * Can FoxitReader let its user participate in PDF reviews?
          * Does FoxitReader support submitting forms to a server backend using XML?
          * Does FoxitReader let you participate in online meetings using Adobe Acrobat Connect?
          * Does FoxitReader let you condense PDF files into a booklet?
          * Can you sign documents with FoxitReader if they have been flagged as such?
          * Does FoxitReader support OpenGL accelerated embedded 3D content?
          * Does FoxitReader support DirectX and other accelerated graphics APIs?
          Whoa. When did Emacs get PDF support?
    • Yeah, Preview is pretty good too. Unlike Acrobat, it starts instantly without the annoying logo popping up for half a minute in the middle of the screen and blocking all the other applications.
    • Re: (Score:3, Informative)

      in case anyone is interested kpdf is part of KDE's kde-graphics package...
    • Rather, both kpdf and acroread.

      The main reason I have acroread is because I can -- it's one less program people can whine about not having on Linux, and you never know when I'll run into something kpdf can't handle.

      But I also have it because it has one feature I dearly wish kpdf did: the ability to rotate the rendered PDF. Take a widescreen, clamshell laptop/notebook, turn it on its side, and let a page of a book fill the screen, and you have a pretty nice eBook reader.
      • But I also have it because it has one feature I dearly wish kpdf did: the ability to rotate the rendered PDF. Take a widescreen, clamshell laptop/notebook, turn it on its side, and let a page of a book fill the screen, and you have a pretty nice eBook reader.

        I did that for a while a few summers ago. Take a Project Gutenberg text file (or any text file), throw it into your favorite word processor/page layout program, choose a nice body font, give it some reasonable margins, stick page # footers in, then e
        • > Take a Project Gutenberg text file (or any text file), throw it into your favorite word
          > processor/page layout program, choose a nice body font, give it some reasonable margins,
          > stick page # footers in, then export it all out to a PDF. Fire up Acrobat Reader, set the
          > background color to a nice cream color, rotate the page 90 degrees, hit fullscreen...

          Seems like a lot of wasted effort. Why not just use xrandr to rotate the display?
      • Re:I have both... (Score:4, Informative)

        by whoever57 (658626) on Saturday February 09 2008, @02:25PM (#22362068) Journal

        But I also have it because it has one feature I dearly wish kpdf did: the ability to rotate the rendered PDF.
        Evince can do this.
      • one feature I dearly wish kpdf did: the ability to rotate the rendered PDF.
        KGhostView will do this. I don't know why Kpdf won't.

  • Solution: (Score:3, Insightful)

    by CSMatt (1175471) on Saturday February 09 2008, @12:39PM (#22361212)
    Don't use Adobe Reader.
  • by Chas (5144) on Saturday February 09 2008, @12:45PM (#22361276) Homepage Journal
    [Windows User] WUZZAT?

    You have a multitude of applications, varying versions of operating systems, and scores of browser versions out there.

    Is it REALLY any surprise that there are security holes like this? The miracle is that there aren't MORE.

    Note: I'm NOT saying that these holes aren't a bad thing and shouldn't be patched. But this idiotic notion of a "safe" app just irks the shit outta me.

    The only "safe" app is one that has absolutely no interaction with other programs or the user whatsoever. (IOW it don't exist.)

  • I recently received an email spam with a PDF (not the file.xxx.exe I normally see in such emails), I figured that was one of the exploit files.

    Some vague "Your Account" message from "Bank Trust" from some 3rd party email with the Manual_Invoice.pdf attachment. 134k

    • by Anonymous Coward on Saturday February 09 2008, @12:51PM (#22361316)
      Yeah, I got that one, too. Thing is, I don't remember opening an account with Bank Trust. I went to the website and tried logging in with all my various bank logins, and none of them worked. I think someone at Bank Trust really screwed up when they sent that message out. Morons.
    • Possibly infected, possibly not. That's one of the tricks to get around spam filters.
  • by AngelKurisu (1173447) on Saturday February 09 2008, @12:50PM (#22361310) Homepage
    This is just another addition to the mounting list of reasons I block most banner ads. Why should I download something that could be dangerous, and adds no value to my browsing experience? I manually un-block certain sites I know to have decent levels of quality assurance in their ads (Penny Arcade, Slashdot, for example). I'd much rather directly micropay for content than be served completely worthless ads anyhow.
  • lynx (Score:4, Funny)

    by acidrain (35064) on Saturday February 09 2008, @12:55PM (#22361350)

    At this rate there won't be many safe applications left to use.
    Good old lynx. Surfing the web in text-only since the beginning of internet time.
  • If only... (Score:5, Funny)

    by Darundal (891860) on Saturday February 09 2008, @12:59PM (#22361372) Journal
    ...there were web browsers that allowed you to block certain types of code, or had extensions that would perform a similar function...
  • by dotancohen (1015143) on Saturday February 09 2008, @01:01PM (#22361396) Homepage
    This is NOT "Adobe PDF Exploits In the Wild" but rather "Adobe Acrobat Reader Exploits In the Wild". The problem is in Reader, not in PDF. That's like calling Outlook scripting worms "email viruses". Oh, wait, blame the technology, not the software. Sorry, I forgot.
      • by dotancohen (1015143) on Saturday February 09 2008, @05:36PM (#22363766) Homepage

        For Joe and Jane Sixpack, PDF=Acrobat, www=IE. Saying that other readers/browsers are safe is irrelevant for the majority of people.
        Now why do you think that is? Because of misleading articles like this. When bugs are found in IE, should the media report that the Internet is flawed?
  • Whatever some companies might want to imply, the solution will not be anything called Silverlight. It would be like replacing Photoshop, because of some vulnerability, with Excel...
  • At this rate there won't be many safe applications left to use.

    There are plenty of free software programs to use. The issue here has to do with proprietary software restrictions on user's freedoms to inspect, share, and modify programs. Just because Adobe is unwilling to modify older versions of their PDF reader doesn't mean their users should be restricted from doing so.

    • *cough* *sputter* What?

      Slashdotters always making me spill my coffee...

      Oh, I see... is the issue that people are running older versions of Acrobat?

      If they can't be bothered to upgrade to the latest version, what makes you think they'll patch themselves? Are you suggesting that the big advantage of me running Free Software here is that I could be running kpdf 0.2 and patch the security holes? Or are you suggesting that someone who can't be bothered to update their software is going to have a better time of i
  • I bought and paid for a license for Adobe Acrobat v6. Where's my update? I have no plans whatsoever to pay for an upgrade that consists of bloatware just to get a security fix. The manufacturer, Adobe in this case, should be liable for this flaw since it has now been pointed out to them. For all vulnerable versions.
      • > If vendors would be responsible for their faulty software there wouldn't be any of the
        > larger software companies around anymore.

        And this would be a bad thing why?
        • There would effectively be no software, and thus no computers.

          A luddite might think that's ok....
  • by Nemilar (173603) on Saturday February 09 2008, @01:35PM (#22361632) Homepage
    Seriously, Adobe Reader has gotten huge in terms of file size, when compared to xpdf/kpdf/foxit/etc. I'm wondering if someone can explain to me what all this extra code is for? Obviously it must be doing something, but personally I've never seen the difference.
    • Re: (Score:2, Insightful)

      Adobe appears to be moving away from PDF as "electronic paper" to "all singing all dancing Internet Document". You can now embed movies, audio, and javascript in PDF to make some sort of "active document". Personally, I think PDF has jumped the shark.
    • DRM, most likely.
    • Google to the rescue (Score:4, Informative)

      by plover (150551) * on Saturday February 09 2008, @05:03PM (#22363430) Homepage Journal
      A quick Google turned up this list [daube.ch] of plugins, so if you want to pick and choose which bits of extreme uselessness you want to avoid, it makes it a bit easier. Seriously, does anybody think it's a good idea to let a PDF send an email?

      Anyway, if you remove any of those files from your Reader/plug_ins folder, Acrobat Reader won't load them at launch time. It speeds up loading time of ordinary PDFs tremendously.

      What I really really don't understand is why Acrobat Reader doesn't dynamically load those plug-ins only upon demand? Seriously, why does it need to bring in any of that extra code just to display a catalog page from a web site? Digital signatures? If the PDF doesn't have one, I don't need to load the code to verify it. Accessibility? I'm not handicapped, I don't need or use a screen reader, ever. eBooks? I've never bought one, and probably won't for many years to come. And I never, ever, ever want to let a PDF send an email. That's just WRONG.

      It's a tremendous load of crap, made worse by their "always load, just in case" philosophy.

  • disable javascript (Score:5, Informative)

    by bcrowell (177657) on Saturday February 09 2008, @01:45PM (#22361706) Homepage

    The article doesn't say explicitly, but I'm assuming this is related to the fact that the default configuration of AR will execute javascript that's embedded in pdf files. This is both a privacy issue (people can track readers) and a security issue (more than one stack overflow bug has been discovered that's related to js). To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

    There have been a lot of posts along the lines of "why the hell even use AR?" Well on Linux, I actually have Firefox set to open pdf files in xpdf, because it's faster, and I also habitually use xpdf to view pdf files when I'm not in a browser. (Evince is a little slower, but a little more full-featured and modern.) But I also have a copy of AR 8 installed on my Linux box, because it has some features that I find really useful once in a while, and also I want to be able to test my pdf files sometimes and make sure they'll look right for AR users. It's one of only two proprietary apps I have on my machine, the other being Flash. It would be great if the OSS community could produce a pdf viewer that was just a little more full-featured than Evince. (Flash is a whole different issue -- many of the things Gnash can't do, it can't do because of patents.)
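    The embedded-JavaScript risk described in the comment above can also be checked for before a file ever reaches a reader. The following Python script is an added example, not code from the Slashdot thread or from Adobe: it flags PDFs carrying script or auto-run action keys, resolving hex-escaped names and inflating FlateDecode streams so the keys cannot simply be hidden; the sample PDFs are constructed inline and are not real malware.

```python
import re
import zlib

# Name keys whose presence means a PDF can run script or auto-start an action
# in a reader that honours them (e.g. Acrobat Reader with JavaScript enabled).
INDICATORS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every zlib-valid (FlateDecode) stream so keys
    stored inside compressed object streams become visible to the scan."""
    parts = [data]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.S):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded or truncated: nothing to add
    return b"\n".join(parts)

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def find_js_indicators(pdf: bytes) -> list:
    """Return the indicator keys present in the PDF, in INDICATORS order."""
    text = normalize_names(inflate_streams(pdf))
    found = []
    for key in INDICATORS:
        # (?![A-Za-z]) keeps /JS from matching a longer name such as /JSON
        if re.search(re.escape(key.encode()) + rb"(?![A-Za-z])", text):
            found.append(key)
    return found

# Constructed samples: a catalog that auto-runs a JavaScript action (with a
# hex-escaped name), the same action hidden in a Flate stream, and a clean file.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
_hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>")
PACKED_PDF = (
    b"%PDF-1.5\n1 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_hidden)).encode() + b" >>\nstream\n" + _hidden + b"\nendstream\nendobj\n%%EOF\n"
)
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
```

A hit is a reason to inspect or quarantine, not proof of an exploit: legitimate forms use JavaScript too, and encrypted PDFs or non-Flate filters will hide keys from this scan.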

  • Maybe I misunderstood... but who the hell uses .pdf for banner ads anyway?

    I, for one, would also recommend other readers. The most recent incarnation of Adobe Reader is even slower than before, and they took a perfectly usable interface and messed it up.

    Whatever happened to, "If it ain't broke, don't fix it!" ??
  • Hello? Flash?! (Score:3, Informative)

    by Dachannien (617929) on Saturday February 09 2008, @02:14PM (#22361962)
    People have been doing this with Flash (another now-Adobe product) for ages. One flash ad redirects you to a second flash widget on a malicious website to get around Adobe's lame attempts at cross-site protection, and that second flash ad gives you the business.

    Malware, that is. Intarweb gold. Russian tea.

  • "At this rate there won't be many safe applications left to use."

    One can only hope this comes to pass. Perhaps if mostly everything on the planet is compromised people will actually care enough to do something about it.
  • Funny that I should read this headline RIGHT NEXT to an Adobe Acrobat ad being run on /.