Adobe Finally Fixes Remote Launch 0-Day 82
Trailrunner7 sends in this excerpt from Threatpost (Adobe announcement here): "Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac, and Unix users to malicious hacker attacks. The update, which affects Adobe Reader/Acrobat 9.3.2 and earlier versions, includes a fix for the outstanding PDF '/Launch' functionality social engineering attack vector that was disclosed by researcher Didier Stevens. As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file." Relatedly, Brian Krebs blogs about the downsides of Adobe's increasingly Byzantine update process.
Re:It's not a 0-day anymore.... (Score:4, Informative)
Another PDF reader (Score:1, Informative)
Missing from the summary is gsview. It makes a very secure pdf reader that works on windows, although it certainly isn't anything nice to look at. Uses ghostscript for the backend.
The Microsoft Word of PDF viewers (Score:5, Informative)
Re:Still I don't know (Score:2, Informative)
Re:It's not a 0-day anymore.... (Score:4, Informative)
The difference is how much warning you get. Most of the security bugs Adobe fixes are found internally (you'll never hear about those - unless it greatly affects product functionality), and even those told to them externally by 3rd party researchers they usually get a several month lead time.
Zero day bugs are where some guy says "surprise look what I found" on his blog without any warning despite how long a bug takes to fix.
Re:I Uninstalled Adobe Reader (Score:4, Informative)
It's not like Foxit is completely without security flaws either.
Re:I Uninstalled Adobe Reader (Score:5, Informative)
And doing just a bit of research - Foxit only fixed this exact same bug 2 weeks earlier than Adobe.
MSP installer (Score:5, Informative)
Side rant: Why does Adobe still only offer the unpatched versions of Reader on their front page?
Re:Still I don't know (Score:4, Informative)
Apparantly, the same vulnerability existed in both products (Flash was patched a couple of weeks ago). I'm not sure how that works - I thought this was the vulnerability inherent in the PDF spec (Foxit had a patch out the same week this was disclosed).
Re:It's not a 0-day anymore.... (Score:3, Informative)
Not so hard to do with web platforms, where "pushing it out" means changing a file or two on a server.
Of course, we've seen (here on slashdot) what happens when you try to do that too often ... but most of us have probably been in a situation where we're told to shell into the box and manually edit a file "right now!!!" with a best-guess way to stop something from being a problem, even if it's only to disable certain functionality temporarily while you work out a real fix.
Re:It's not a 0-day anymore.... (Score:4, Informative)
Zero day bugs are where some guy says "surprise look what I found" on his blog without any warning despite how long a bug takes to fix.
No, zero-day exploits are are... (wait for it) actively exploited in the wild before the first 'look what I found' ever appears.