Adobe Confirms Unpatched PDF Backdoor
50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."
Unsupported workaround? (Score:2, Interesting)
What About Foxit? (Score:5, Interesting)
Re:What About Foxit? (Score:1, Interesting)
I hated and avoided PDFs before Foxit, because of how slow and bloated Adobe's PDF reader was, and how often it crashed my web browser. Foxit doesn't have these issues. It's free (you'll find the URL here in several posts, just find one, click the download link along the top if you see the pay version, and it'll take you to the free version).
Re:Microsoft shares the blame, Apple blindly copie (Score:4, Interesting)
RFC 2161 (HTTP 1.1) section 7.2.1 clearly says that it is ok for a client to use the filename or content of a file to identify what file type it is (and therefore what to do with it) if and ONLY IF the server does not provide a Content-Type header.
There have actually been security flaws in the past (and may still be even now) caused because different parts of IE have a different idea of what type the file is (in particular whether the file is executable or not).
Then again, considering how many other standards Intercrap Exploder doesn't correctly follow (RFCs and otherwise), it's hardly surprising that IE doesn't get this right.
I do wonder if Gecko gets it right (and treats the Content-Type header as gospel) or if it violates the RFC too.
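Added example, not part of the comment above or of any browser's code: a small check a proxy or test harness could run to apply the rule the comment describes (the Content-Type header wins, content is inspected only when the header is absent) and to flag responses whose declared type disagrees with their leading bytes. The helper names, the prefix table and the sample responses are constructed for illustration.

```python
# Added example: hypothetical helpers; the prefix table is illustrative only.
MAGIC = [(b"%PDF-", "application/pdf"), (b"MZ", "application/x-msdownload"),
         (b"PK\x03\x04", "application/zip")]

def declared_type(headers):
    """Media type from Content-Type, lower-cased, parameters dropped."""
    for name, value in headers.items():
        if name.lower() == "content-type" and value.strip():
            return value.split(";", 1)[0].strip().lower()
    return None

def sniff(body):
    """Guess a media type from the leading bytes, or None."""
    for prefix, media_type in MAGIC:
        if body.startswith(prefix):
            return media_type
    return None

def effective_type(headers, body):
    """Header is authoritative; sniff only when it is absent."""
    declared = declared_type(headers)
    if declared is not None:
        return declared
    # HTTP/1.1 says a type that stays unknown is application/octet-stream.
    return sniff(body) or "application/octet-stream"

def audit(headers, body):
    """Return (effective type, finding) for one response."""
    declared, guessed = declared_type(headers), sniff(body)
    if declared is None:
        finding = "missing-content-type"
    elif guessed is not None and guessed != declared:
        finding = "mismatch"  # a sniffing client could act on `guessed` instead
    else:
        finding = "ok"
    return effective_type(headers, body), finding

# Constructed sample responses: (headers, first bytes of body).
SAMPLES = [
    ({"Content-Type": "application/pdf"}, b"%PDF-1.7\n"),
    ({"content-type": "text/plain; charset=utf-8"}, b"MZ\x90\x00"),
    ({}, b"%PDF-1.4\n"),
    ({}, b"plain words"),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        print(headers, audit(headers, body))
```

A "mismatch" finding marks exactly the case the comment worries about: two components that trust different signals would disagree on how to handle the same file.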
Re:What About Foxit? (Score:3, Interesting)
Re:Microsoft shares the blame, Apple blindly copie (Score:3, Interesting)