Comments on: Serious security flaw in Adobe Reader and Acrobat http://www.teleread.org/2009/02/20/serious-security-flaw-in-adobe-reader-and-acrobat/ News & views on e-books, libraries, publishing and related topics Sun, 22 Nov 2009 13:03:21 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Garson O'Toole http://www.teleread.org/2009/02/20/serious-security-flaw-in-adobe-reader-and-acrobat/comment-page-1/#comment-1015271 Garson O'Toole Thu, 26 Feb 2009 02:06:36 +0000 http://www.teleread.org/?p=17319#comment-1015271 Further very bad news about the exploit based on poison PDFs has been reported <a HREF="http://www.teleread.org/2009/02/25/pdf-security-issues-yet-again/" rel="nofollow">at TeleRead</A> <a HREF="http://blogs.zdnet.com/security/?p=2690&tag=nl.e589" rel="nofollow">(citing ZDnet)</A>. Disabling Javascript is useful because it blocks some known versions of the exploit, but it is not enough. As noted in the original ShadowServer.org report referenced above there is a problem in a non-JavaScript function call. Now, security firm Secunia has crafted a more deadly version of the exploit: <blockquote>According to this Secunia’s Carsten Eiram, his company managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled. All users of Adobe Reader/Acrobat should therefore show extreme caution when deciding which PDF files to open regardless of whether they have disabled JavaScript support or not.</blockquote> Further very bad news about the exploit based on poison PDFs has been reported at TeleRead (citing ZDnet). Disabling Javascript is useful because it blocks some known versions of the exploit, but it is not enough. As noted in the original ShadowServer.org report referenced above there is a problem in a non-JavaScript function call. Now, security firm Secunia has crafted a more deadly version of the exploit:

According to this Secunia’s Carsten Eiram, his company managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users, who may think they are safe because JavaScript support has been disabled.

All users of Adobe Reader/Acrobat should therefore show extreme caution when deciding which PDF files to open regardless of whether they have disabled JavaScript support or not.

]]> By: The Taj Mahal http://www.teleread.org/2009/02/20/serious-security-flaw-in-adobe-reader-and-acrobat/comment-page-1/#comment-1014008 The Taj Mahal Fri, 20 Feb 2009 22:08:24 +0000 http://www.teleread.org/?p=17319#comment-1014008 when the patch is going to be released? when the patch is going to be released?

]]> By: Garson O'Toole http://www.teleread.org/2009/02/20/serious-security-flaw-in-adobe-reader-and-acrobat/comment-page-1/#comment-1014004 Garson O'Toole Fri, 20 Feb 2009 21:40:40 +0000 http://www.teleread.org/?p=17319#comment-1014004 Great thanks to Michael Pastore, Paul Biba, ShadowServer.org and the Washington Post for the heads-up on this obnoxious security problem. ShadowServer.org recommends disabling Javascript within the Adobe Reader application:<blockquote>We would HIGHLY recommend that you DISABLE JAVASCRIPT in your Adobe Acrobat [Reader] products. You have the choice of small loss in functionality and a crash versus your systems being compromised and all your data being stolen. It should be an easy choice. Disabling JavaScript is easy. This is how it can be done in Acrobat Reader: Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript</blockquote> Why does the Adobe Company expose all the people that use their Reader software to peruse simple documents to the increased dangers inherent in enabled Javascript? Is Javascript really necessary for simple documents? Should Javascript be disabled by default? When using the Firefox browser many people use NoScript to deflect scripting-based attacks. I recommend it. But it won’t protect the user when the scripts are executed by the Adobe software. Great thanks to Michael Pastore, Paul Biba, ShadowServer.org and the Washington Post for the heads-up on this obnoxious security problem. ShadowServer.org recommends disabling Javascript within the Adobe Reader application:
We would HIGHLY recommend that you DISABLE JAVASCRIPT in your Adobe Acrobat [Reader] products. You have the choice of small loss in functionality and a crash versus your systems being compromised and all your data being stolen. It should be an easy choice.

Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:

Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

Why does the Adobe Company expose all the people that use their Reader software to peruse simple documents to the increased dangers inherent in enabled Javascript? Is Javascript really necessary for simple documents? Should Javascript be disabled by default?

When using the Firefox browser many people use NoScript to deflect scripting-based attacks. I recommend it. But it won’t protect the user when the scripts are executed by the Adobe software.

]]>