New Adobe PDF Zero-Day Under Attack
Rahmmp writes "Adobe has sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild. An Adobe spokeswoman described the attacks as 'limited' but warned that that could change with the availability of public samples and exploit code."
Re:No credibility to this story (Score:3, Informative)
Funny, the only PDF I can find is a link from the FA which demonstrates the attack. The article itself is a regular web page, and I can't seem to find a PDF of the full disclosure.
Can there be a 0-day that's not under attack? (Score:2, Informative)
Correct me if I'm totally off base here, but...isn't part of the definition of "zero-day" that the flaw is being exploited? I mean, it's "zero-day" because it's being exploited on "day zero", right?
Dan Aris
Disable Javascript in PDF reader (Score:3, Informative)
A workaround for end users is to disable JavaScript, as in this guide:
http://praetorianprefect.com/archives/2009/12/disabling-javascript-on-adobe-acrobat/
For the enterprise you can disable it through group policy (which at this point seems like a good plan long term):
http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/
Re:What is this stupidity??? (Score:5, Informative)
Foxit Reader is a nice alternative. It opens quickly, doesn't feel the need to update every other day or keep an updater service running all the time, and it doesn't have nearly as many security issues. Alternatively, you could just do a search for pdf reader -adobe [google.com] and come up with a variety of alternatives yourself.
Limited? (Score:2, Informative)
Metasploit module [metasploit.com]
Re:What is this stupidity??? (Score:3, Informative)
xpdf [foolabs.com].
Re:What is this stupidity??? (Score:5, Informative)
what alternatives? no, seriously?
The alternative is a format called PDF/A (see http://en.wikipedia.org/wiki/PDF/A [wikipedia.org]), which happens to be exactly what you are looking for: a subset of PDF excluding (among others) scripting, video or audio.
Now, all we need is a PDF reader with an option "only open PDF/A documents"
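Editor's added example, not part of the comment above and not code from any PDF reader: a pre-open check in the spirit of "only open PDF/A documents" that refuses a file if its object dictionaries name scripting, auto-run or multimedia features. The key list and function names are choices made for this example, not the PDF/A specification, and the sample byte strings are constructed.

```python
import re

# Assumed selection of PDF name keys that indicate active content.
ACTIVE_KEYS = {
    "JavaScript": "scripting", "JS": "scripting",
    "OpenAction": "auto-run action", "AA": "auto-run action",
    "Launch": "launch external program",
    "RichMedia": "audio/video", "Movie": "audio/video", "Sound": "audio/video",
}

# A PDF name is "/" followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is recognised as /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def active_content(pdf: bytes) -> dict:
    """Map each active-content category to the set of keys found in the file."""
    found = {}
    for m in NAME_RE.finditer(pdf):
        name = decode_name(m.group(1))
        if name in ACTIVE_KEYS:
            found.setdefault(ACTIVE_KEYS[name], set()).add(name)
    return found


def passive_only(pdf: bytes) -> bool:
    """True only for data with a PDF header and no active-content keys."""
    return pdf.startswith(b"%PDF-") and not active_content(pdf)


# Constructed samples: a plain catalog, and one with an obfuscated script action.
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n")

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("scripted", SCRIPTED)):
        print(label, passive_only(data), active_content(data))
```

This reads raw bytes only, so keys stored inside compressed object streams are not seen and binary stream data can produce false hits; treat a pass as a first filter, not a verdict.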
Re:What is this stupidity??? (Score:1, Informative)
In Gnome use Evince, or in KDE use Okular or KPDF, instead of Adobe Reader (Evince and KPDF are also available for MS Windows, if you must use that buggy software). These GNU/Linux applications are simpler and safer when dealing with PDF files. They support reading PDF files, fillable PDF forms, etc. but not the more fancy stuff that opens security holes.
I wish we had two document standards: PDF and something else, let's call it "PDM" for portable document - multimedia, where Adobe can stick all of the buggy crap they want.
Re:What is this stupidity??? (Score:5, Informative)
Yep, and Firefox and Chrome have had exploits too. So have Linux, the iOS, and Mac OS 10. So has nearly every piece of popular, complex software. The rate of exploits found that affect Foxit is trivial compared to the number found in Adobe Reader.
Re:Limited? (Score:3, Informative)
A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.
I guarantee that in this case the software developer knows about this vulnerability, since Adobe themselves made the announcement.
Re:What is this stupidity??? (Score:3, Informative)
Comment removed (Score:3, Informative)
Re:Switching between masters is not freedom. (Score:3, Informative)
And it should be observed that Evince [gnome.org] is also available for Windows and is under the GPLv2.
Sumatra's minimalistic and lacks some functionality, if you want the honest appraisal- the dev site openly admits not everything renders correctly. Evince seems to be pretty solid when it comes to rendering content correctly. I've yet to find a document that didn't view and print as the author of the document had intended.
Re:Can there be a 0-day that's not under attack? (Score:3, Informative)
means the code is known and no patch exists.
doesn't matter if you're the only one who knows the code, it's still a zero day vuln until it's patched.
No, it's just a known vulnerability with no patch. Zero day means it was exploited on day zero—that is, before anyone else knew the vulnerability existed.
Dan Aris