Adobe Warns of Security Flaw in Reader - Slashdot

Follow Slashdot stories on Twitter

×

Adobe Warns of Security Flaw in Reader 20

Posted by Zonk on Thursday July 07, 2005 @04:02PM from the quick-fix dept.

isusmiley writes "Adobe Systems Inc. issued a warning on its Web site Tuesday saying that the flaw affects only the Adobe Reader versions 5.0.9, 5.0.10, which were written for the Unix computer operating system. Adobe has since posted a fix for the vulnerability on its site, and a spokesman said Wednesday he was unaware of any security breaches resulting from the software flaw, which was discovered by the security defense firm IDefense, headquartered in Reston, Va."

This discussion has been archived. No new comments can be posted.

Adobe Warns of Security Flaw in Reader

Load All Comments

Search 20 Comments Log In/Create an Account

Comments Filter:

Note (Score:3, Funny)

by Otter ( 3800 ) writes: on Thursday July 07, 2005 @04:07PM (#13007168) Journal

Current versions for Linux and Solaris seem to be OK, anyway. It's the current AIX and HP-UX versions that are bad.
So much for 2005 being The Year Of AIX On The Desktop!

Share
twitter facebook
Oh good (Score:3, Interesting)

by Dammital ( 220641 ) writes: on Thursday July 07, 2005 @04:19PM (#13007299)

Adobe's recommendation is to replace their vulnerable version 5 reader with the spyware version [lwn.net] 7.
That's progress. Of a sort.

Share
twitter facebook
- Re:Oh good (Score:3, Interesting)
  
  by MoonFog ( 586818 ) writes:
  
  And even with the spyware, the Linux version is still incapable of opening DRM'ed ebooks, seeing how it appears to be locked in with MS passport.
- Just remember... (Score:4, Informative)
  
  by jd ( 1658 ) writes: <imipak@ y a hoo.com> on Thursday July 07, 2005 @04:43PM (#13007548) Homepage Journal
  
  There is a Layer 7 patch for Linux that will allow you to filter network traffic by application type. You should be able to use an unpatched IPTables to filter anything outbound from acroread anyway, but I'm not sure if this would catch everything that can include Acrobat internally. Either way, you can make it very very hard for Acrobat-based spyware.
  
  I would also suggest lobbying the UN to have Javascript declared a crime against humantiy, but that might take longer to be effective.
  
  Parent Share
  twitter facebook
  - Re:Just remember... (Score:1)
    
    by vigilology ( 664683 ) writes:
    
    Could you tell us what patch this is, please?
    - Re:Just remember... (Score:2)
      
      by jd ( 1658 ) writes:
      
      Layer 7 patches [freshmeat.net]
      - Re:Just remember... (Score:1)
        
        by vigilology ( 664683 ) writes:
        
        Thankyou.
        
        Re:Just remember... (Score:2)
        
        by jd ( 1658 ) writes:
        
        Hey, no problem! :) Sorry I didn't have the link in the original post, I'm usually better on doing that.
I didn't know anyone (Score:2)

by VolciMaster ( 821873 ) writes:

was still using versions that old. I've been on 6 and/or 7 (depending on work/home) since they came out and haven't seen the problems mentioned.
I'll see your flaw, and raise you DRM (Score:5, Interesting)

by hacker ( 14635 ) writes: <hacker@gnu-designs.com> on Thursday July 07, 2005 @05:25PM (#13008021)

"Adobe has since posted a fix for the vulnerability on its site, and a spokesman said Wednesday he was unaware of any security breaches resulting from the software flaw..."

Two words: Show me .

Prove that the "flaw" exists. Just saying "Clicking on the whatchamacallit causes bad things to happen, please upgrade." isn't enough.

Show me that this isn't some FUD to force users to upgrade to a version that isn't riddled with the latest DRM that they "forgot" to put into those versions?

Show me that this version doesn't fix a vulnerability that exposes passwords in PDFs read with it.

Show me that this isn't more ass-covering by Adobe, again.

Until then, xpdf, gpdf and other non-Adobe variants are all working fine. Nothing to see here, move along.

Share
twitter facebook
- A real flaw (Score:2)
  
  by SkiifGeek ( 702936 ) writes:
  
  I don't know whether you read the actual details of the flaw, or not. From your response, I doubt that you did.
  
  Essentially, whenever Reader 5.0.9 or 5.0.10 opens a PDF file, it creates a randomly named duplicate in /tmp which can then be read by other users with the appropriate permissions, which makes it a local file disclosure vulnerability. When the file is closed in Reader, the duplicate created is then destroyed.
  In addition to the recommended upgrade to version 7, there is a version 5.0.11 which ad
  - Re:A real flaw (Score:2)
    
    by hacker ( 14635 ) writes:
    
    Essentially, whenever Reader 5.0.9 or 5.0.10 opens a PDF file, it creates a randomly named duplicate in /tmp which can then be read by other users with the appropriate permissions, which makes it a local file disclosure vulnerability.
    
    So in version 7, I see that it creates the temp copy in RAM (mkstmp()), but now its vulnerable to be read in a much different way. On Hyperthreaded processors (i.e. multicore from Intel), since the processor itself has a shared cache, both cores need to be able to read fr
    - Re:A real flaw (Score:1)
      
      by Magic5Ball ( 188725 ) writes:
      
      If one core opens the pdf, any process running on the other core can read the contents as they pass across the cache. Oops!
      
      Not a problem specific to Adobe...
I wish more OS's would do what Apple did (Score:1)

by white1827 ( 848173 ) writes:

Adobe's reader has turned into this huge bloated mess. The more complicated you make the software, the easier it is to have security holes slip by.
Apple has great PDF reading and generation that comes free with OSX so you don't have to use the Adobe Reader. It's so nice to have a simple fast loading pdf solution.
Adobe flaw (Score:1)

by AdminPrep.com ( 898146 ) writes:

hacker (14635), While I see your point that this could be a great way to have users upgrade to the new version I also see the point of not showing how to exploit the flaw as well. If it is indeed a flaw then I'm sure the flaw has been exposed on the Internet or irc channels. AdminPrep.com
Acrobat alternative (Score:1)

by ditto999999999999999 ( 546129 ) writes:

I use Foxit Read (http://www.foxitsoftware.com/pdf/rd_intro.php [foxitsoftware.com]) as a replacement for Acrobat Reader. It seems to be faster, and that makes me happy.

Andy
- Re:Acrobat alternative (Score:1)
  
  by ditto999999999999999 ( 546129 ) writes:
  
  Damnit... there goes my real first name.
Brevity is... (Score:2)

by b00m3rang ( 682108 ) * writes:

Considering the forum, I'm pretty sure the submitter could have said "UNIX" instead of "the Unix computer operating system".

Most of us would have figured that one out.
37MB+ just to open PDFs (Score:1)

by anim8 ( 109631 ) writes:

I couldn't believe my eyes when I saw it. I suppose I'll go bakc to using KPDF or KGhostview.

It's too bad what has become of Adobe. Bloatware + Spyware. It used to be a cool company.

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

390 comments32-Hour Workweek for America Proposed by Senator Bernie Sanders
358 commentsWhat Should Happen to Empty Downtown Office Spaces?
340 commentsHacktivism Erupts In Response To Hamas-Israel War
324 comments'Feedback' Is Now Too Harsh. The New Word is 'Feedforward'
248 commentsWorkers are Resisting Calls to Return to Offices

BLISS is ignorance.