Forgot your password?
typodupeerror
Security Bug

Adobe Acrobat JavaScript Execution Bug 94

QASec.com writes to mention that Stefano Di Paola and Giorgio Fedon discovered an unpatched vulnerability in Adobe Acrobat Reader that can allow an attacker to execute arbitrary JavaScript on any hosted PDF file. People are reporting different results based on browser and Acrobat versions. Most of the major sites discussed have already fixed the problem, but many smaller sites may still need to be patched.
This discussion has been archived. No new comments can be posted.

Adobe Acrobat JavaScript Execution Bug

Comments Filter:
  • Foxit? (Score:3, Interesting)

    by phalse phace ( 454635 ) on Wednesday January 03, 2007 @05:24PM (#17450434)
    Does this also affect Foxit reader, or is this just exclusive to Acrobat?
  • Which Versions? (Score:1, Interesting)

    by born4fun ( 1045582 ) on Wednesday January 03, 2007 @05:28PM (#17450492)
    The story doesn't tell which versions are hit. Is it the latest version (8)?
  • I don't like PDF (Score:5, Interesting)

    by LiquidCoooled ( 634315 ) on Wednesday January 03, 2007 @05:57PM (#17450946) Homepage Journal
    I recently signed up for the "send your name to wherever" thing pointed out on slash (its in my comment history somewhere)
    The PDF was formed with parameters linking to a second pdf base document.

    From Firefox on Windows with internet explorer disabled the pdf opened inside acrobat then proceeded to display the resulting PDF file in internet explorer.

    I haven't seen IE now for ages and that made me nervous as hell.
  • by abigor ( 540274 ) on Wednesday January 03, 2007 @06:23PM (#17451280)
    It was addressed back in the '90s. It's called client-side Java. The VM was slow to start up (it still is), and it faced hostility from Microsoft. But security was an uppermost concern, and the whole architecture is pretty nice. Maybe if the start-up problems in the VM are addressed, client-side Java will return (it's wholly server-side now, except for a few standalone apps here and there) and we'll see an end to this silly Ajax stuff.
  • by trianglman ( 1024223 ) on Wednesday January 03, 2007 @06:40PM (#17451498) Journal
    From what I have been reading on this it is a bug in how the browser and the reader integrate, not just with the browser and not just with the reader. And I agree, it pains me to say it but it seems that IE handles this correctly (tested myself just to be sure), but I do have to wonder why.
  • by Heembo ( 916647 ) on Wednesday January 03, 2007 @09:25PM (#17452976) Journal
    OMG you are smoking Java crack there boy. Client side Java has more vulnerabilities than... Javascript. I love Java, but keep it on the server where it belongs. MySpace is getting ready to consider migrating from .NET to Java, it's solid on the server. But on the client... nope.

    Take this from the LAST sunsolve weekly report:

    Newly Released Sun Alert Notifications

    Sun Alert ID: 102729 (RESOLVED)
    Synopsis: Security Vulnerabilities in the Java Runtime
                                  Environment may Allow Untrusted Applets to Elevate
                                  Privileges and Execute Arbitrary Code
    Product: Java 2 Platform, Standard Edition
    Category: Security
    Date Released: 19-Dec-2006
    Date Closed: 19-Dec-2006

    To view this Sun Alert document please go to the following URL:
    http://sunsolve.sun.com/search/document.do?assetke y=1-26-102729-1 [sun.com]

    Sun Alert ID: 102731 (RESOLVED)
    Synopsis: Security Vulnerabilities Related to Serialization
                                  in the Java Runtime Environment may Allow Untrusted
                                  Applets to Elevate Privileges
    Product: Java 2 Platform, Standard Edition
    Category: Security
    Date Released: 19-Dec-2006
    Date Closed: 19-Dec-2006

    To view this Sun Alert document please go to the following URL:
    http://sunsolve.sun.com/search/document.do?assetke y=1-26-102731-1 [sun.com]

    Sun Alert ID: 102732 (RESOLVED)
    Synopsis: Security Vulnerabilities in the Java Runtime
                                  Environment may Allow an Untrusted Applet to Access
                                  Data in Other Applets
    Product: Java 2 Platform, Standard Edition
    Category: Security
    Date Released: 19-Dec-2006
    Date Closed: 19-Dec-2006

    To view this Sun Alert document please go to the following URL:
    http://sunsolve.sun.com/search/document.do?assetke y=1-26-102732-1 [sun.com]

I am the wandering glitch -- catch me if you can.

Working...