Security Bug

Adobe Acrobat JavaScript Execution Bug 94

QASec.com writes to mention that Stefano Di Paola and Giorgio Fedon discovered an unpatched vulnerability in Adobe Acrobat Reader that can allow an attacker to execute arbitrary JavaScript on any hosted PDF file. People are reporting different results based on browser and Acrobat versions. Most of the major sites discussed have already fixed the problem, but many smaller sites may still need to be patched.
This discussion has been archived. No new comments can be posted.

  • by origamy ( 807009 ) on Wednesday January 03, 2007 @05:37PM (#17450646) Homepage
    People *would* upgrade their Acrobat Reader, if they hadn't turned off that horrendous update screen that pops up every single time you open a PDF file.
    Adobe could surely learn how to make a more user friendly "update is available" screen, kinda like Firefox does.
  • by Anonymous Coward on Wednesday January 03, 2007 @05:47PM (#17450792)
    Pardon me, but I am just sick of all this javascript nonsense. While the goal is notable, the design REALLY needs to be rethought and redone, from scratch. But this time with security in mind. It's quite clear that the original designers didn't have a clue about security. And the current batch, I'm sad to say, still doesn't take it seriously.

    Yes, I know that those are strong words. But there has never been a secure implementation of anything where security was an afterthought, and bolted on later. Javascript is no exception.

    Javascript has well shown that its approach can be very useful. But honestly, right now it seems almost as problematic as Microsoft Windows, when it comes to security issues. Frankly, the Open Source community really ought to be doing better here.

    This is (IMHO) the biggest problem with the current implementation of all the Web 2.0/AJAX approaches. And until it's PROPERLY addressed, we're going to see a continual repeat of security issues, just like we see with MS Windows. It's not new; people have been saying this for years. And we still keep seeing these problems.

    Pardon the rant, but I really do get tired of seeing this stuff when it should never have happened to begin with.
  • File Under, "Duh" (Score:5, Insightful)

    by ewhac ( 5844 ) on Wednesday January 03, 2007 @08:36PM (#17452640) Homepage Journal
    It was inevitable this would happen ever since Adobe made the impossibly stupid move of adding JavaScript to their reader. Really, I can't heap enough well-deserved derision on this boneheaded, lame-brained, imbecilic, preposterous, self-serving, idiotic, fucktarded idea.

    Every time I install Acrobat Reader, I dive through the preferences panel and fix all the incorrect defaults. One of the things I turn off, and which should be off by default, is JavaScript execution. Whether turning this off will protect against the described vulnerability, I don't know, but it's probably a reasonable first line of defense.

    A lot of the factory-default settings in Acrobat Reader are (stupidly) wrong. You should review all of them.

    Schwab
