Foxit One-Ups Adobe In Blocking PDF Attack Tactics 112
CWmike writes "Foxit Software, the developer of a rival PDF viewer to Adobe's vulnerability-plagued Reader, released an update on Tuesday that blocks some attacks with a 'safe mode' that's switched on by default. Foxit Reader 3.3 for Windows' 'Trust Manager' blocks all external commands that may be tucked into a PDF document. 'The Foxit Reader 3.3 enables users to allow or deny unauthorized actions and data transmission, including URL connection, attachment PDF actions, and JavaScript functions,' the update's accompanying text explains. Last week, several security companies warned of a major malware campaign that tried to dupe users into opening rigged PDFs that exploited an unpatched design flaw in the PDF format, one attackers could use to infect users of Adobe's and Foxit's software. That flaw in the PDF specification's '/Launch' function was disclosed in late March by Belgium security researcher Didier Stevens, who demonstrated how he could abuse the feature to run malware embedded in a PDF document. He also reported he had figured out how to change Adobe Reader's warning to enhance the scam."
Adobe is down down down (Score:5, Informative)
Is it a coincidence that I read that Adobe is losing the grip on PDF just a few days after I read Job's "Thoughts on Flash [apple.com]", essentially dumping Flash from iPhones/iPads, and burning it at a stake? Or is Adobe's strategy really failing spectacularly before our own eyes?
I should've seen it coming -- I haven't used Acrobat Reader for years. PDF Xchange Viewer [docu-track.com] is my current favorite, though Foxit was my first off-Adobe alternative, back when.
Re:Sort of... (Score:3, Informative)
-Extremely few-, if you're talking about correct SQL management. The only one that comes to mind among serious RDBMSs (DB2, Sybase, SQL Server, Oracle, Postgres...) was a datatype exploit in Oracle that only worked locally, AND was more theoritical than anything.
Parameterized queries (the only good way of handling "sql sanitization") are virtually flawless. Now, if you're talking about string escaping, as is very popular on PHP/MYSQL stacks...well, yeah, thats swiss cheeze, dangerous, and bad practice (and unfortunately extremely popular)
Re:FoxIt for Linux? (Score:5, Informative)
Re:FoxIt for Linux? (Score:3, Informative)
Just install Xpdf/evince and be happy. You don't need embedded crap in your documents.
And if cross-platform is what you're worried about, install evince on Windows. http://download.gnome.org/binaries/win32/evince/2.30/evince-2.30.0.msi [gnome.org]
Re:Adobe is down down down (Score:1, Informative)
I'll probably need to get a Core i7 box because I NEED Photoshop
No you don't. I'm sure I read somewhere that newer versions of Photoshop support hardware acceleration using recent GPU's (Nvidia 8x 9x) either directly or through a plugin (I'm pretty sure Nvidia made a plugin for Photoshop to make use of CUDA).
Re:This is why PDF should be abandoned (Score:4, Informative)
Since I can't change behavior... (Score:5, Informative)