Adobe PDF Exploits In the Wild
mambosauce writes "Brian Krebs, via the security fix blog is reporting that the recent PDF vulnerabilities which were patched only for Adobe Reader 8 and not 7 are being exploited via banner ads. As if there haven't been enough banner ad attacks this year now we have another one targeting one of the most popular applications in the world this weekend. At this rate there won't be many safe applications left to use."
Use a different PDF viewer instead (Score:5, Informative)
Re:Use a different PDF viewer instead (Score:5, Insightful)
Re: (Score:1)
But Foxit doesn't work! (Score:5, Insightful)
Foxit is so much faster and less of a resource hog than Adobe Reader.
It also doesn't work. For example, two-page documents generally start with page 1 on the right, yet in two-page mode Foxit insists on displaying pages 1 and 2 together, 3 and 4 together, etc. I discovered this when I tried it after seeing comments like the parent and GP posts, and also discovered that there have been bugs logged on this for eons but no-one seems to care about fixing it. The software was uninstalled from my PC within two minutes of installing it and filed under "beyond hope".
One of these days, people on Slashdot will realise that something that is free/or more secure is still worthless if it doesn't actually do the job it's supposed to do.
Ah come on... (Score:2)
It's like calling ThunderBird "beyond hope" because the thunderbird team appear to be unwilling to fix the folder rename issue on the Windows platform (renaming "Test" to "test" will tell you that it already exists. durrr. https://bugzilla.mozilla.org/show_bug. [mozilla.org]
Re: (Score:2)
Speed up Acrobat Reader (Score:3, Insightful)
Re: (Score:2)
First of all, what does it matter which side it's on, if you're reading it the same anyway :s
Because some documents use double-page spreads for their layout? Of the four things I was looking at that day, three of them happened to be like this, which is why Foxit was pretty much useless for me.
Re: (Score:2)
First of all, what does it matter which side it's on, if you're reading it the same anyway :s
It matters when you're reading book-like documents where odd pages are supposed to always be on the right.
Second of all, it's a huge improvement. Adobe Reader takes forever to open up (even on my fast computer), but Foxit comes up in seconds.
I agree - personally, I use Acrobat, but I put Foxit on my parents' computer, which is old and slow, and they like it much better. Before they would always complain about opening PDFs.
No, it doesn't (Score:2)
It does have a two-page side-by-side display, which is what I need.
However, that feature does not work like the corresponding features of other software products, or indeed the accepted standard for centuries in real world publishing. You can call that a missing feature all you like, but it's still a bug to anyone who wants to use the feature that's already there, and as the Foxit forums demonstrate, there are a lot of such people.
Re: (Score:2)
Just to be clear, I'm not claiming Foxit is useless for everyone. But people tend to present it as a direct substitute for Adobe Reader, which it demonstrably isn't.
For what it's worth, I've never understood the complaints about Reader's speed. The old version on my old PC fired up within a second or two. Version 8 on my new PC fires up within one second. I once had an in-between version installed on an old machine at work that seemed to take an irritating amount of time to load a bunch of plug-ins, but e
Re: (Score:2)
It's been around that long? The Acrobat Reader is a funny piece of software. The first 3 versions were complete crap. Then it got good for about two versions, then they turned it back into crap. That's the one thing I've found about a lot of commercial software... they can never leave well enough alone because they need to force the upgrade cycle, so even once you get a good version, it's just as liable to get completely rui
Re: (Score:2)
acrobat upgrade. (Score:2)
Re: (Score:2)
Re: (Score:2)
View OpenGL content embedded in PDFs. For fucks sake.
Re: (Score:2)
Yeah, that was kinda my reaction as well.
Comment removed (Score:5, Funny)
Re: (Score:2)
You can make the same claim about any lightweight application compared to any overloaded kitchen-sink program that grew out of control. FoxitReader does what most people want a PDF reader to do: it reads PDFs. It does so reasonably well, and it's free. Furthermore, as other posters have pointed out, there are many similar programs that do what Adobe's reader used to do, so there's obviously a demand for something that Adobe no longer offers. As it happens FoxitReader serves my limited requirement
I have both... (Score:2)
The main reason I have acroread is because I can -- it's one less program people can whine about not having on Linux, and you never know when I'll run into something kpdf can't handle.
But I also have it because it has one feature I dearly wish kpdf did: the ability to rotate the rendered PDF. Take a widescreen, clamshell laptop/notebook, turn it on its side, and let a page of a book fill the screen, and you have a pretty nice eBook reader.
Re: (Score:2)
I did that for a while a few summers ago. Take a Project Gutenberg text file (or any text file), throw it into your favorite word processor/page layout program, choose a nice body font, give it some reasonable margins, stick page # footers in, then e
xrandr (Score:2)
> processor/page layout program, choose a nice body font, give it some reasonable margins,
> stick page # footers in, then export it all out to a PDF. Fire up Acrobat Reader, set the
> background color to a nice cream color, rotate the page 90 degrees, hit fullscreen...
Seems like a lot of wasted effort. Why not just use xrandr to rotate the display?
Re: (Score:2)
In my case, because I didn't know about xrandr, originally did this on OS X, and I really only want to rotate that one book. I'd rather not have to rearrange the rest of my windows.
And I didn't use the cursor, I used spacebar, I think. Nice, big target.
Re:I have both... (Score:4, Informative)
Re: (Score:2)
Solution: (Score:3, Insightful)
Re: (Score:1)
Re: (Score:2)
Use Foxit Reader.
One of the most popular? (Score:1)
"Safe" application? (Score:4, Insightful)
You have a multitude of applications, varying versions of operating systems, and scores of browser versions out there.
Is it REALLY any surprise that there are security holes like this? The miracle is that there aren't MORE.
Note: I'm NOT saying that these holes aren't a bad thing and shouldn't be patched. But this idiotic notion of a "safe" app just irks the shit outta me.
The only "safe" app is one that has absolutely no interaction with other programs or the user whatsoever. (IOW it don't exist.)
Re: (Score:1)
Re: (Score:2, Funny)
Re: (Score:1)
In fact, there is a company which specializes in writing damn-near absolutely safe, bug-free apps. They do it in about as much time as the competition writes buggy, insecure apps, because the lack of bugs in the first place means less of a debugging cycle. They charge about twice as much, because very few other companies provide that much quality.
Can't remember their name now, though.
Got one phishing email attachment w/PDF (Score:2)
Some vague "Your Account" message from "Bank Trust" from some 3rd party email with the Manual_Invoice.pdf attachment. 134k
Re:Got one phishing email attachment w/PDF (Score:5, Funny)
Re: (Score:1)
Re: (Score:2)
Blocking Banner Ads (Score:4, Insightful)
Re:Blocking Banner Ads (Score:5, Insightful)
Re: (Score:2)
lynx (Score:4, Funny)
Re:lynx (Score:4, Informative)
I know you were kidding, but it's still worth pointing out that Lynx is not necessarily safer than any other app [google.com].
Re: (Score:2)
Nothing stops you from setting lynx to use Adobe Acrobat Reader for pdf files, just like you set Firefox to use Adobe Acrobat Reader for pdf files. No difference there, except that Acrobat Reader does the configuration of Firefox for you automatically. But if you're a lynx user, it would likely take you less tim
Well that explains the 32mb update (Score:1)
If only... (Score:5, Funny)
Re: (Score:1, Redundant)
Firefox [getfirefox.com]
Re: (Score:1)
Yet Another Misleading Headline (Score:5, Informative)
Theory != practice (Score:2)
Re:Theory != practice (Score:4, Insightful)
Re: (Score:2)
The question is whether we needed another such format, when there already was PostScript.
Re: (Score:2)
Re: (Score:2)
The PDF combines three technologies:
* A sub-set of the PostScript page description programming language, for generating the layout and graphics.
* A font-embedding/replacement system to allow fonts to travel with the documents.
* A structured storage system to bundle these elements and any associated content into a single file, with data compression where appropriate.
So it seems that the document structure is a subset of PS, but in addition to that subset of PS, PDF has the ability to generate tar-type files that contain the PS code, the necessary fonts, and possibly other data (images? music? scripts?).
The solution will not be Silverlight (Score:2)
Re: (Score:2, Informative)
Re: (Score:1)
Proprietary software continues to bite users. (Score:2)
There are plenty of free software programs to use. The issue here has to do with proprietary software restrictions on user's freedoms to inspect, share, and modify programs. Just because Adobe is unwilling to modify older versions of their PDF reader doesn't mean their users should be restricted from doing so.
Re: (Score:3, Informative)
Slashdotters always making me spill my coffee...
Oh, I see... is the issue that people are running older versions of Acrobat?
If they can't be bothered to upgrade to the latest version, what makes you think they'll patch themselves? Are you suggesting that the big advantage of me running Free Software here is that I could be running kpdf 0.2 and patch the security holes? Or are you suggesting that someone who can't be bothered to update their software is going to have a better time of i
Re: (Score:2)
Re: (Score:2)
I don't agree with RMS; I think that's entirely their right. As a user, it means I'm much more likely to use KPDF, but at no time do I think they "shouldn't do that".
I'm not sure if this is still the case when a monopoly is in effect -- for instance, I do consider it a bit unethical the way the Flash specs are presented, especially when it seems to be wanting to replace the Web. (Entirely -- Flash itself has a plugin
Re: (Score:2)
But I don't think for a second that it has anything to do with the software being open. After all, the same mechanism delivers updates to my proprietary nvidia drivers.
Re: (Score:2)
Again, nothing to do with it being Free Software.
Re: (Score:2)
Nope, it'd be a nag-you security update. No matter how easy, you're still going to have users who just refuse to click on the thing.
Using Kubuntu, and I've used (and developed for) Gentoo. I know how package managers work.
Where's the update for v6? (Score:2)
Vendor responsibility? Hahahahaha (Score:1)
It would be a much better world if software engineering would grow up and would be kept to the same standards as "proper" engineering though.
Re: (Score:2)
> larger software companies around anymore.
And this would be a bad thing why?
Re: (Score:2)
A luddite might think that's ok....
Re: (Score:2)
All the software I use would still be available. So would most closed-source software: most does not come from the "larger software companies".
Re: (Score:2)
I've rethought things, though, and I think that what would really happen is that only large software houses would exist, and they'd have to carry insurance on their products. That's effectively how they'd deal with being responsible for flaws. Software prices would be higher because of this, an
Re: (Score:2)
Benefits of Adobe Reader? Seriously. (Score:4, Informative)
Re: (Score:1)
Re:Benefits of Adobe Reader? Seriously. (Score:5, Funny)
"Warning: PDF" (Score:2)
First you downloaded the upgrade installer for 7.0. It rebooted the computer. Then 7.0 started up, and downloaded the upgrade installer for 7.0.1. Then it rebooted the computer. Then 7.0.1 started up, and downloaded the upgrade installer for 7.0.2. Then it rebooted the computer. Then 7.0.2 started up, and downloaded the upgrade installer for 7.0.3. Then it rebooted t
Re: (Score:2)
Google to the rescue (Score:4, Informative)
Anyway, if you remove any of those files from your Reader/plug_ins folder, Acrobat Reader won't load them at launch time. It speeds up loading time of ordinary PDFs tremendously.
What I really really don't understand is why Acrobat Reader doesn't dynamically load those plug-ins only upon demand? Seriously, why does it need to bring in any of that extra code just to display a catalog page from a web site? Digital signatures? If the PDF doesn't have one, I don't need to load the code to verify it. Accessibility? I'm not handicapped, I don't need or use a screen reader, ever. eBooks? I've never bought one, and probably won't for many years to come. And I never, ever, ever want to let a PDF send an email. That's just WRONG.
It's a tremendous load of crap, made worse by their "always load, just in case" philosophy.
Re: (Score:2)
http://www.youtube.com/watch?v=F2dKBYRQj68 [youtube.com]
It's nice when you can grab a part and spin it virtually to see exactly how the assembly should look.
Re: (Score:2)
Funny thing is - if you remove all those extra plugins so that it has as much functionality as kpdf and foxit reader it has a smaller memory footprint and loads faster than either.
disable javascript (Score:5, Informative)
The article doesn't say explicitly, but I'm assuming this is related to the fact that the default configuration of AR will execute javascript that's embedded in pdf files. This is both a privacy issue (people can track readers) and a security issue (more than one stack overflow bug has been discovered that's related to js). To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".
There have been a lot of posts along the lines of "why the hell even use AR?" Well on Linux, I actually have Firefox set to open pdf files in xpdf, because it's faster, and I also habitually use xpdf to view pdf files when I'm not in a browser. (Evince is a little slower, but a little more full-featured and modern.) But I also have a copy of AR 8 installed on my Linux box, because it has some features that I find really useful once in a while, and also I want to be able to test my pdf files sometimes and make sure they'll look right for AR users. It's one of only two proprietary apps I have on my machine, the other being Flash. It would be great if the OSS community could produce a pdf viewer that was just a little more full-featured than Evince. (Flash is a whole different issue -- many of the things Gnash can't do, it can't do because of patents.)
What??? (Score:2)
I, for one, would also recommend other readers. The most recent incarnation of Adobe Reader is even slower than before, and they took a perfectly usable interface and messed it up.
Whatever happened to, "If it ain't broke, don't fix it!" ??
Hello? Flash?! (Score:3, Informative)
Malware, that is. Intarweb gold. Russian tea.
Sorry, you lose (Score:2)
No more safe apps (Score:2)
One can only hope this comes to pass. Perhaps if mostly everything on the planet is compromised people will actually care enough to do something about it.
Amusing coincidence. (Score:2, Funny)
Acrobat? (Score:2)
Adobe eBook DRM status? (post-Sklyarov) (Score:2)
While Touretzky prefaces his page on the subject with "Computer professionals who have examined these mechanisms have found them easy to defeat" [cmu.edu], I miss something able to decrypt or print the latest crop -- where APDFPR [elcomsoft.com] says
Yet I see some nicely decrypted ones floating around. E.g.
Removing old versions of Reader? (Score:2)
Does anyone have good resources for removing old versions of adobe reader manually?
Adobe website comes pretty much empty when looking for cleanup tools.