Security Bug

Homemade PDF Patch Beats Adobe By Two Weeks

CWmike writes "Sourcefire security researcher Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks. Grenier posted the patch on Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees. Also, PhishLabs has created a batch file that resets a Windows registry key to de-fang the hack by disabling JavaScript in Adobe Reader 9.0, giving administrators a way to automate the process."
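As an added example, not code from the Slashdot summary, Sourcefire, or PhishLabs: a PowerShell equivalent of the registry change described above, with a before/after check so it can be rolled back. The key path `HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs` and the DWORD value `bEnableJS` are assumptions from memory, not stated on the page; confirm them against Edit > Preferences > JavaScript on a test machine before deploying.

```powershell
# Added example: disable Adobe Reader 9.0 JavaScript for the current user.
# Key path and value name are assumptions (from memory, not from the page).
$keyPath   = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs'   # assumed
$valueName = 'bEnableJS'                                          # assumed

# The JSPrefs key only exists once the user has visited the JavaScript
# preferences pane, so create it if it is missing.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Record the previous setting so the change can be reversed later.
$previous = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $previous) {
    Write-Host "Previous ${valueName}: <not set> (Reader default is enabled)"
} else {
    Write-Host "Previous ${valueName}: $previous"
}

# 0 = JavaScript disabled, 1 = enabled.
Set-ItemProperty -Path $keyPath -Name $valueName -Value 0 -Type DWord

# Verify the write actually took effect before reporting success.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($current -ne 0) {
    Write-Error "Failed to disable Reader JavaScript ($valueName = $current)"
    exit 1
}
Write-Host "Adobe Reader 9.0 JavaScript disabled for the current user."
```

Run it in the context of the user whose profile should change; because the value lives under HKCU, a domain-wide rollout is the same registry item pushed through Group Policy, which is the route the first commenter below describes. This is a mitigation rather than a fix: it blocks the JavaScript path the in-the-wild PDFs use, but the vulnerable Reader code is still installed until Adobe's own update is applied.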
  • Registry hack (Score:5, Interesting)

    by coulbc ( 149394 ) on Monday February 23, 2009 @09:00PM (#26964343)

    We figured that one out in about five minutes. Wrote a quick group policy file and moved on to the next problem.

  • Re:Feature Request (Score:3, Interesting)

    by Anonymous Coward on Monday February 23, 2009 @09:24PM (#26964525)

    I'm going to have to disagree...

    Allowing some scripting in a document is great. For example, I'm writing a math textbook [wordpress.com]. If PDF-javascript had a FOSS implementation, I'd use it to make interactive quizzes and questions in it. Sadly, while LaTeX has a package to do this, there is no support.

    Before someone goes and says that I shouldn't be using a PDF in this case, please think. I'm writing a large textbook with lots of graphics. I want it to be in a single file so that it's easily available to the technically illiterate. For that matter, my working draft (not the one on the website) uses PDF attach to include the TeX source and the GFDL.

    In conclusion, it's my opinion that a PDF scripting language is fine as long as it can't, you know, do anything but modify that one file. The problem is that Adobe seems to be trying to include the kitchen sink...

  • Patch? (Score:2, Interesting)

    by noidentity ( 188756 ) on Monday February 23, 2009 @09:31PM (#26964585)

    So this patch basically does the equivalent of a user going into the program's settings and disabling the JavaScript execution checkbox? Hmmm, I don't want to post this anonymously, so I'll apply one of my homebrew patches to uncheck the "Post Anonymously" checkbox. Wow, I'm l33t!

  • by UtucXul ( 658400 ) on Monday February 23, 2009 @09:52PM (#26964745) Homepage

    I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files. I realize that there is a danger in allowing executable content in files (and it is arguable whether or not the danger is worth it) but I do not understand why so many people don't seem to understand that there are at least possible benefits to it.

    I used to make slides for talks using LaTeX. There are great ways to include animations directly in the PDF that use JavaScript. I always had far less trouble getting my animations to play than other people at conferences I went to because Acrobat Reader was all I needed and it is nearly always there. And for the record, the animations were things I really needed since they showed output from simulations.

    I've also seen lots of forms that do some math or validation. How do people think that happens?

    Again, I think we need to be very careful about executable code but that doesn't mean there are no possible good uses for it.

  • Re:Feature Request (Score:3, Interesting)

    by Ihmhi ( 1206036 ) <i_have_mental_health_issues@yahoo.com> on Monday February 23, 2009 @11:25PM (#26965359)

    Feature request: a NoScript equivalent for Acrobat Reader.

  • Re:Feature Request (Score:3, Interesting)

    by Aragorn DeLunar ( 311860 ) on Monday February 23, 2009 @11:58PM (#26965527)

    And this is why we need to get away from labeling dialog box buttons "Yes", "No", "Cancel", etc. We can label them anything we want, so why not be descriptive? Try "Safe", "Unsafe", "Really Stupid", "Don't click this -- ever!"

    The same applies to the save dialogs. I like how OO.org 3.0 handles the "Do you want to save?" dialog when closing the program: The buttons are labeled "Save", "Discard", and "Cancel". Of course, "Cancel" could be better described as "Return to Program."

  • by Anonymous Coward on Tuesday February 24, 2009 @12:10AM (#26965589)

    I'd be much more forgiving of a company that screwed up a patch than one that sat on it until it was too late.

    Oh? Well, when Adobe/Microsoft/whoever next put out a patch that breaks something critical to your company's usage of the product, causing hundreds/thousands of complaints to you, pissed off superiors, and potentially a loss of revenue, however small, I'll be sure to point you to your former comment.

    Or not, it's pretty obvious you aren't actually responsible for a network of any size that people actually have to use and have reliability expectations of.

  • Re:Feature Request (Score:3, Interesting)

    by Idiomatick ( 976696 ) on Tuesday February 24, 2009 @12:45AM (#26965807)
    http://www.foxitsoftware.com/pdf/reader_2/reader-interstitial.html [foxitsoftware.com]

    Or just make Google open all your PDFs so that you aren't forced to; even if it's ugly, it's fast and secure.
  • Re:Feature Request (Score:1, Interesting)

    by Anonymous Coward on Tuesday February 24, 2009 @02:55AM (#26966495)

    PDFs are garbage and should never be used in any situation.

    Eh? What would you suggest instead?

    A Word document? OpenDocument? Postscript? DVI? Any of them would cause considerable difficulty for some fraction of the audience (which, we may assume, contains both clueless Windows users and people who run OpenBSD on their toasters.)

    Raster images containing the complete text of a book would be gargantuan, and wouldn't allow the user to copy or search for text.

    HTML isn't a document presentation format, and there's no good way to do math in it.

    For what PDF is designed for, I cannot think of anything better. (It's true that PDF can be misused... so, come to think of it, can pretty much every other file format in existence.)

  • by Anonymous Coward on Tuesday February 24, 2009 @07:12AM (#26967757)

    Exactly. And yet all the little kneejerk-anti-software-company idiots on this site tag the story "humiliation". Yeah, real humiliating to make a patch cross-platform and tested. Imagine if Adobe had rushed out a windows patch but nothing for OSX and Linux, we'd have a whole different set of basement dwelling crybaby shit. Slashdot gets continually more pathetic.
