Security

Adobe Confirms Unpatched PDF Backdoor

50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."

  • by techpawn ( 969834 ) on Monday October 08, 2007 @10:37AM (#20898675) Journal

    In a pre-patch advisory, Adobe offered a complicated (and unsupported) workaround for its customers
    So they want me to do what with my what? Isn't that like your mechanic telling you to do something but "if they ask, [they] didn't tell you"
  • What About Foxit? (Score:5, Interesting)

    by Lagged2Death ( 31596 ) on Monday October 08, 2007 @10:43AM (#20898771)
    I found Adobe Reader so slow, bloated, and annoying that I switched to Foxit Reader [foxitsoftware.com], which is much smaller and faster. Can anyone say if the vulnerability applies to Foxit as well?
  • Re:What About Foxit? (Score:1, Interesting)

    by Anonymous Coward on Monday October 08, 2007 @11:18AM (#20899195)
    No, people just like foxit and wonder why Adobe would be used.

    I hated and avoided PDFs before Foxit, because of how slow and bloated Adobe's PDF reader was, and how often it crashed my web browser. Foxit doesn't have these issues. It's free (you'll find the URL here in several posts, just find one, click the download link along the top if you see the pay version, and it'll take you to the free version).
  • by jonwil ( 467024 ) on Monday October 08, 2007 @11:23AM (#20899265)
    Something else that IE (as of last time I looked anyway) and possibly other browsers get wrong is that they try to "guess" the content of the file instead of trusting that what the web server says the file is, the file actually is. If the web server says it is text/plain, it should be rendered as plain text even if it may happen to look like HTML. If the web server says it is image/gif, it should be fed to the gif image decoder.
    RFC 2161 (HTTP 1.1) section 7.2.1 clearly says that it is ok for a client to use the filename or content of a file to identify what file type it is (and therefore what to do with it) if and ONLY IF the server does not provide a Content-Type header.
    There have actually been security flaws in the past (and may still be even now) caused because different parts of IE have a different idea of what type the file is (in particular whether the file is executable or not).

    Then again, considering how many other standards Intercrap Exploder doesn't correctly follow (RFCs and otherwise), it's hardly surprising that IE doesn't get this right.

    I do wonder if Gecko gets it right (and treats the Content-Type header as gospel) or if it violates the RFC too.
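
An added example, not part of the comment above or of any browser's code: a Python sketch of the rule the comment describes (use the server's Content-Type when present, guess from content or name only when it is absent), plus a check that flags responses a content-sniffing client would reinterpret. The function names and the small signature table are assumptions made for the illustration.

```python
import mimetypes

# Constructed magic-byte table; a real sniffer recognises many more formats.
MAGIC = [(b"%PDF-", "application/pdf"), (b"GIF8", "image/gif")]
HTML_HINTS = (b"<html", b"<script", b"<!doctype html", b"<body")


def sniff(body):
    """Guess a media type from content alone, as a sniffing client does."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    head = body[:512].lower()
    if any(hint in head for hint in HTML_HINTS):
        return "text/html"
    return None


def declared(headers):
    """Media type from Content-Type without parameters; None if absent or empty."""
    for name, value in headers.items():
        if name.lower() == "content-type" and value.strip():
            return value.split(";", 1)[0].strip().lower()
    return None


def effective_type(headers, body, filename=""):
    """Trust the header; guess from content or name only when it is missing."""
    mime = declared(headers)
    if mime:
        return mime
    guess = sniff(body) or mimetypes.guess_type(filename)[0]
    # Section 7.2.1: a type that stays unknown is treated as application/octet-stream.
    return guess or "application/octet-stream"


def sniffing_mismatch(headers, body):
    """(declared, sniffed) when a content-sniffing client would override the server."""
    mime, guess = declared(headers), sniff(body)
    return (mime, guess) if mime and guess and mime != guess else None


if __name__ == "__main__":
    samples = [  # constructed responses: (headers, body, filename)
        ({"Content-Type": "text/plain; charset=utf-8"}, b"<html><script>x()</script>", "notes.txt"),
        ({}, b"%PDF-1.7 ...", "report"),
    ]
    for headers, body, name in samples:
        print(name, effective_type(headers, body, name), sniffing_mismatch(headers, body))
```

Run over captured responses, a non-empty `sniffing_mismatch` result marks the cases where a sniffing client and a header-trusting client would handle the same bytes differently.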
  • Re:What About Foxit? (Score:3, Interesting)

    by Hatta ( 162192 ) on Monday October 08, 2007 @11:51AM (#20899651) Journal
    I did too. But I found a pdf that when printed from foxit to my hp deskjet 1300 crashes XP hard. No blue screen, just a reboot without warning. Change the pdf reader, no crash. Change the printer, no crash. Odd. I'm wondering who I should report it to? HP or foxit?
  • by Fweeky ( 41046 ) on Monday October 08, 2007 @12:44PM (#20900371) Homepage
    Grr, that link should be opera:config#Trust%20Server%20Types -- Slashdot ate my #
