Adobe Confirms Unpatched PDF Backdoor
50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."
Yay! (Score:1, Troll)
Alternative PDF viewer? (Score:2)
Karma Terrorist! (Score:2)
Cheers.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Regardless
If it's only a problem on XP (Score:2, Troll)
Re:If it's only a problem on XP (Score:5, Insightful)
Re: (Score:2)
Secunia [secunia.com] disagrees with you.
What's disgraceful about this is that it's an exploit that's been known since April at least, and neither Microsoft nor Adobe have patched it.
Re: (Score:2)
Re: (Score:2, Informative)
Other security sites do call it a Vista [securityfocus.com] issue. It looks like Vista is only OK if IE7 is running in protected mode.
Re: (Score:2)
This doesn't mean IE7 on Vista in "protected mo
Re: (Score:2)
However, looking at the details referenced from that page, it's not quite so clear who is responsible. It's a judgment call. This could be considered either an OS bug or a browser bug depending.
I would argue that it's the browser's job to sanity-check the URL before handing it to the OS. However, if the OS is going to process URLs (and everyone know
Re: (Score:2)
Re: (Score:2)
Well, as one of those programmers, I'd say it's guaranteed that I'm incompetent and ignorant when any of my stuff runs on a proprietary system like Vista. Since the OS's inner workings are intentionally kept secret from me, there's no way that I can (legally) know for certain what any of my code can do if it calls anything from any system library.
If you want competent, knowledgeable programmers, the only
Re: (Score:2)
Any program that is intended to be launched from a browser is going to be launched with untrusted parameters. This means that they have to validate them. There's just no way for the browser to know what parameters are valid for Adobe Reader or Macromedia Flash.
These are programs that were designed to be
Re: (Score:2)
Has this been confirmed?
Unsupported workaround? (Score:2, Interesting)
I'm confused... (Score:2)
To be honest, though, the subject sounds a lot like joke fodder [wikipedia.org]....
What About Foxit? (Score:5, Interesting)
Re:What About GSview? (Score:2)
I use GSview [wisc.edu]. Is that vulnerable to this backdoor exploit? I suspect that it is not because I don't believe that this PDF viewer does anything special with URLs.
Re: (Score:1)
> special with URLs.
It doesn't do anything special with printers either - took me 20 mins to print a 40 page document that just whizzed through using Reader.
Re: (Score:1)
Re: (Score:1, Interesting)
I hated and avoided PDFs before Foxit, because of how slow and bloated Adobe's PDF reader was, and how often it crashed my web browser. Foxit doesn't have these issues. It's free (you'll find the URL here in several posts, just find one, click the download link along the top if you see the pay version, and it'll take you to the free version).
Sumatra Re:What About Foxit? (Score:2)
My first attempt at using FoxIt wouldn't even open a PDF (open - not print), because apparently they didn't support my default printer.
Re: (Score:1)
For a very slim PDF viewer, it appears to be quite nice (and GPL to boot). Thanks to the parent for bringing it up.
Re: (Score:3, Interesting)
Re:What About Foxit? (Score:5, Insightful)
To Microsoft. If a PDF reader can crash the OS, it's their bug.
Re: (Score:2)
Re:What About Foxit? (Score:5, Informative)
Pretty wide definition of 'interaction' (Score:4, Informative)
Alternatives?
http://en.wikipedia.org/wiki/DjVu [wikipedia.org]
A great open source, (except under Windows, see Lizardtech), format for scanned files.
Not for Mac users, tho', see:
http://slashdot.org/article.pl?sid=06/02/20/1449226 [slashdot.org]
For a discussion of this and other pdf 'alternatives'. Still, 'security by obscurity'?
Finally, no
http://en.wikipedia.org/wiki/List_of_PDF_software [wikipedia.org]
Re: (Score:2, Informative)
Re: (Score:2)
I, too, have switched to Foxit. I love it! I actually own Acrobat 7 (the writer), but I've found that, for what I need to do with PDF, anyway, PDFcreator (check Sourceforge) and Foxit meet my needs faster and more elegantly.
Huzzah!
Re: (Score:2)
See screenshot [bayimg.com]
Any ideas? I like FoxIt, but I can't use it!
Note: The zoom is set to the same on both, zooming on FoxIt doesn't help the issue. Also sorry the screenshot is so small, I uploaded a larger one bu
Dear Industry: (Score:1, Insightful)
Define low volume (Score:2)
Sysadmin? What sysadmin? (Score:2)
The system administrator should be able, when installing *any* application, to specify what privileges it should have and not have -- just as he can do for users when creating their accounts.
True, an OS could allow a computer's administrator to install each application into a "jail" or "sandbox" with only those capabilities [wikipedia.org] that the program needs. But do home or home office personal computers have a "system administrator" worthy of the title? What kind of user interface do you envision for creating such jails in a home environment?
plus about running into this on Vista (Score:5, Informative)
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
People will install anything if it promises naked pictures.
Not a backdoor (Score:5, Informative)
A backdoor is an intentional feature that one puts in so that they can take over your computer.
Re: (Score:1)
Re: (Score:2)
Microsoft shares the blame, Apple blindly copies. (Score:4, Insightful)
Re:Microsoft shares the blame, Apple blindly copie (Score:4, Interesting)
RFC 2161 (HTTP 1.1) section 7.2.1 clearly says that it is ok for a client to use the filename or content of a file to identify what file type it is (and therefore what to do with it) if and ONLY IF the server does not provide a Content-Type header.
There have actually been security flaws in the past (and may still be even now) caused because different parts of IE have a different idea of what type the file is (in particular whether the file is executable or not)
Then again, considering how many other standards Intercrap Exploder doesn't correctly follow (RFCs and otherwise), it's hardly surprising that IE doesn't get this right.
I do wonder if Gecko gets it right (and treats the Content-Type header as gospel) or if it violates the RFC too.
Re: (Score:1, Insightful)
My guess is that they try to do the right thing, but have drifted toward RFC violation in the name of "compatibility". That seems to be the standard course when users are trained that the MS way is the right way, other apps are viewed as inferior because "it works under IE".
Re: (Score:2)
Ever thought why IE does it this way? It's because the servers (*cough* Apache *cough*) have historically, and still have plenty of the mime types wrong. They report mime type, but the wrong one. Anything that's not image or html is text
Re: (Score:2)
In Opera it can be configured from opera:config [opera] under User Prefs -> Trust Server Types. I can't find an equivalent in Firefox.
Re: (Score:3, Interesting)
This is not up to the browser (Score:2)
It doesn't matter what the browser does. The problem is that when the browser goes to resolve a URI, it sees one list of URI and mime-type handlers (and, in the case of Windows, ActiveX controls) that are used both for local content (for example, "help:" on OSX and the ".chm" handler on Windows) and global (for example, "http:" or ".html").
Applications, like a help viewer, that are not
Re: (Score:2)
I have never thought that it is UNIX way to not to check and sanitize input. Have I done wrong all these years when I've checked everything that user, be it real person or another app, inputs?
Re: (Score:2)
What the hell are you talking about?
What I wrote was that the UNIX "exec" API passes strings through to the called program without having to concatenate them into a command line that is then parsed by the called program and separated out into separate parameters again. That is, the calling program does not have to guess how the called program will parse quotes. It's got nothing to do with "sanitizing": the calling program itself actu
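An added illustration of the point above (not code from the original post): a Python script that contrasts handing a value to a child program as a discrete argument (the exec-style path, where nothing re-parses it) against concatenating the same value into a shell command line. The child program, the untrusted filename and the `INJECTED` marker are all constructed for the example.

```python
import shlex
import subprocess
import sys

# Constructed untrusted value: a "filename" that also carries shell metacharacters.
UNTRUSTED_NAME = "report.pdf; echo INJECTED"

# Tiny child program (constructed for the example): echoes its argv, one per line,
# so we can see exactly how many arguments it received and what they contained.
CHILD_SOURCE = "import sys; print(chr(10).join(sys.argv[1:]))"


def via_exec_list(name):
    """Pass the value as one element of an argv list (exec-style, no shell).

    The called program receives exactly one argument, metacharacters and all;
    there is no intermediate parser that could split it."""
    cmd = [sys.executable, "-c", CHILD_SOURCE, name]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return out.splitlines()


def via_shell_string(name, quote=False):
    """Build a single command-line string and let the shell parse it.

    Concatenating puts a parser (the shell) back between caller and callee,
    so the shell, not the caller, decides where arguments begin and end.
    With quote=True the caller must guess the shell's quoting rules correctly
    (shlex.quote does that for POSIX sh)."""
    arg = shlex.quote(name) if quote else name
    cmd = f'{shlex.quote(sys.executable)} -c "{CHILD_SOURCE}" {arg}'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    print("exec list     :", via_exec_list(UNTRUSTED_NAME))
    print("shell, raw    :", via_shell_string(UNTRUSTED_NAME))
    print("shell, quoted :", via_shell_string(UNTRUSTED_NAME, quote=True))
```

The list form delivers the whole string as one argument; the unquoted shell form splits it into a real argument plus an extra command, which is why a caller that must build command lines has to get the quoting exactly right.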
PS - the value of trust. (Score:2)
That means, a downloaded file is not unpacked, installed, or otherwise opened unless there is a trusted viewer that maintains a hard sa
That shouldn't have an effect on security. (Score:2)
If the OS and the browser were configured correctly, and the browser maintained a hard sandbox and the OS made it possible for it to know reliably what helper applications and plugins also maintained a hard sandbox, then it wouldn't matter whether the MIME type was guessed or not.
Re: (Score:2)
If you only use (Score:2)
Re: (Score:2)
Can you run Adobe Reader as a limited account on XP? I thought it would need power user privileges at the very least...
XP, LUAs, and malware (Score:2)
As for the grandparent's question, the answer is "kind of."
There's nothing about a limited user account that prevents a hijacked process from doing anything it wants within the context of that account (deleting that account's files, catching keystrokes, capturing the screen, uploading data, etc.). Just like in Linux or Mac OS X, malware running with standard user privileges can still wreak havoc on that account's data--but, in the real world, malware wri
Perhaps this would also be a good time... (Score:2)
If only Adobe hadn't purchased Macromedia....FlashPaper had such promise...
Sklyarov? (Score:5, Funny)
Did Adobe ask the feds to lock up the person who publicly disclosed this flaw? Or do they just save that treatment for the publication of flaws in eBook products that blind people can't use in Russia?
"computers with Internet Explorer 7 installed" (Score:2)
Please recommend a good non-adobe reader (Score:2)
Just like OpenOffice is immune to Word viruses--- is there a recommended non-Adobe PDF reader folks would recommend?
I'm getting tired of the "Please upgrade to version 7" warnings anyway.
Re:Please recommend a good non-adobe reader (Score:4, Informative)
Re: (Score:2)
http://blog.kowalczyk.info/software/sumatrapdf/ [kowalczyk.info]
William
Re: (Score:2)
Obviously, you've been wise enough not to do this. That's a good thing, because in addition to more bloat, V7 of Reader also enables all your Adobe applications (like PhotoShop and FrameMaker) to call home. Both at work and at home, those two apps started trying to contact the Adobe mothership every time they started. (I believe this is due to a new "feature" Adobe calls "Adobe Online".)
At first I backed out V7 and tried Foxit. It's p
Re: (Score:1)
I've used Brava Reader [bravaviewer.com] for a while now. It views PDF's and lets you print a region of a page, as well as "calibrate" a measurement tool against a known dimension on the page.
Useful if you're working with PDF's of house plans, which I frequently am.
It's free, but the software expires periodically and you have to download and install a newer version.
kpdf (Score:2)
Stop external links? (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Aaaaand... (Score:2, Funny)
Interesting (Score:2)
The official Adobe advisory [adobe.com] states: "Vista users are not affected".
Now let the downplay begin.
Re: (Score:2, Funny)
They are lying (Score:2)
Vista is just as much affected, the bug is there, just that Vista by default with UAC ON can't do much more than write to the tmp folder. IF UAC is turned off, you are vulnerable to whatever somebody can cook up.
Since UAC is one of the more hated elements of Vista I would guess that a lot of people got it switched off. So the bug is still there, just that it can do less direct harm (do you really want a malicious coder to be able to write anything at all to your HD?)
Re: (Score:2)
Any reference to back up what you claim?
too security too dangerous (Score:1)
Control me (Score:4, Funny)
I had to snap a shot before Adobe pulls their ad.
So now we know (Score:2)
The fix is edit a registry key that doesn't exist? (Score:2)
Adobe Reader 8.1 and earlier versions
Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions
Adobe Acrobat 3D
OK, so I am running a nice copy of Acrobat 6.0 Pro. That's an earlier version.
.... I dunno what to make of it.
The registry key they want changed simply doesn't exist on my system. Either the fix doesn't apply to this old version, or it's different, or
Re:browser or plugin issue (Score:3, Informative)
Re: (Score:1, Insightful)
Re: (Score:2)
Re: (Score:1, Offtopic)
Simpler and cheaper if you are a Windows user.
Re: (Score:2, Informative)
Cheaper? Foxit Reader for Windows is listed as $39.00 [foxitsoftware.com].
Adobe Acrobat Reader is free. How is that cheaper? Am I missing something?
Re: (Score:1)
Re:solution (Score:5, Informative)
Foxit Reader itself is free. As to add-ons, the critical add-ons are free while advanced add-ons are non-free. For example, you can use the following functions for free:
* View or print PDF document
* Basic PDF form operations i.e. filling out PDF forms and printing them out
* Advanced PDF form operations, such as saving filled-out forms and import/export forms, free for personal usage only
* View PDF as text
* Critical add-ons, such as UI language package, JPEG2000/JBIG decoder, CJK package, GDI+ for early Windows version, etc
The following are several examples of non-free, advanced add-ons:
* Foxit Reader Pro Pack is not free. It includes the following functions:
o Annotation
o Text viewer and text converter
o Form filler
o Spell checker
o Advanced editing tools, including loupe tool, measure tools, image tool, file attachment tool, link tools, annotation selection tool, and more
Actually without Pro Pack, you are still able to annotate a PDF document and print it out. However when you save the annotated document, it will be stamped with an evaluation mark on the top-right corner of the annotated pages. If you purchase a Pro Pack add-on, then there will be no evaluation mark.
Re: (Score:2)
Note that the Ghostscript program allows conversion (writing) of a file format such as Word into Acrobat by printing to an Acrobat fi
Re: (Score:2, Informative)
The non-commercial licenced one gets new code first it seems.
See here [wisc.edu].
Re: (Score:2)
Re: (Score:2)
Yes, the price is for the "Pro" version, which includes: Annotation, Text viewer and text converter, form filler, etc. etc. etc.
The free version, if you're only reading and printing PDF's, should suffice.
Re: (Score:3, Funny)
Low RAM usage = human progress (Score:2)
Re: (Score:2)
Re: (Score:2)
I measure human progress in how many things a computer can do for its user at once, and for a given configuration of paid-for hardware, less RAM use per program means more progress.
Your reasoning is broken.
Welcome... (Score:5, Funny)
Re:Welcome... (Score:4, Funny)
Re: (Score:3, Informative)
While I use it all the time since it is smaller and lighter (Acrobat Reader is free too btw, so that isn't a good selling point), I have noticed that some things do NOT render properly.
Have they fixed the weblink bug yet?
Re: (Score:1)
Re: (Score:2)