Got Adobe Reader and Windows? Worry.

Anteaus

What concerns me most is that if "View PDF in Browser" is active, this could
lend itself to a drive-by attack in which the user need do no more than
visit a compromised webpage to be Trojanised. They might not even be aware
that a PDF has been downloaded and opened, if (for example) it's done in a
popunder.
 
VanguardLH

Alias said:
http://www.computerworld.com/action...ArticleBasic&articleId=9129163&intsrc=hm_list

From the article:

"The next day, Wednesday, Belgian security researcher Didier Stevens
said he also had crafted an exploit that triggers the bug without
requiring JavaScript, and backed up his claim by publicly posting
proof-of-concept attack code. His exploit works in the background, and
doesn't require that a user actually open a malformed PDF file."

Alias

Adobe started investigation (after they had been informed of the
exploit) on Jan 16. After deciding a course of [re]action, they (and
Secunia) made the announcement on Feb 20 that they will release a patch
on March 11. So they spent a month figuring out what was the exploit
and what they might do about it and the impact it would have, and gave
themselves another month to write the patch code and test thoroughly due
to the pervasive use of their Reader product before releasing the patch.

You have just 4 days to go unless they are late. Guess they wanted to
schedule their release a day after Microsoft's "Patch Tuesday".
Although the exploit does not require JavaScript, all currently known
in-the-wild samples utilize JavaScript, so disable JavaScript support in
Adobe's Reader (or whatever other PDF reader you use - which you should
do, anyway, as a security measure until and *if* you ever hit a .pdf
file that uses JavaScript). The POC (proof of concept) examples do
not use JavaScript but can obviously be used as templates to produce new
samples that also do not use JavaScript. A POC does not indicate actual
implementation.

The exploit makes use of a buffer overrun caused by an out-of-bound
array index when loading JBIG2-formatted files. So you could also use a
different PDF utility, like PDF-Xchange or Foxit Reader, to eliminate
the problem. The JBIG2 doc format is not the problem. It is the
decompressor in Adobe Reader, and each program will utilize its own
different code so a flaw in Adobe Reader won't be in other products (but
that also means vulnerabilities in them differ from Adobe Reader).

Secunia: Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability
http://secunia.com/advisories/33901/
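
An added example, not part of the original thread or any poster's code: a heuristic triage script that counts /JBIG2Decode and JavaScript-related names in a PDF's raw bytes, including names disguised with #xx hex escapes, so files can be held for review until a patched reader is in place. The function names and the sample bytes are constructed for illustration, and names stored inside compressed object streams are not seen by this scan.

```python
import re

# PDF names may hide characters as #xx hex escapes, e.g. /JBIG#32Decode.
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name is "/" followed by bytes up to the next whitespace or delimiter.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
WATCHED = (b"JBIG2Decode", b"JavaScript", b"JS")


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes so /JBIG#32Decode compares equal to /JBIG2Decode."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data: bytes) -> dict:
    """Count watched names in raw PDF bytes (heuristic, no full parse)."""
    counts = {w.decode(): 0 for w in WATCHED}
    obfuscated = set()
    for m in _NAME.finditer(data):
        raw = m.group(1)
        name = decode_name(raw)
        if name in WATCHED:
            counts[name.decode()] += 1
            if raw != name:  # escaped spelling of a watched name
                obfuscated.add(name.decode())
    return {
        "counts": counts,
        "obfuscated": sorted(obfuscated),
        # Hold for review: a JBIG2 stream is present or a name was disguised.
        "review": bool(counts["JBIG2Decode"] or obfuscated),
    }


# Constructed sample bytes (not from any real file).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_JBIG2 = (
    b"%PDF-1.4\n5 0 obj\n<< /Subtype /Image /Filter /JBIG#32Decode /Length 0 >>\n"
    b"stream\n\nendstream\nendobj\n"
    b"6 0 obj\n<< /S /JavaScript /JS () >>\nendobj\n"
)

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("jbig2", SAMPLE_JBIG2)):
        print(label, triage_pdf(blob))
```

A hit only means the file contains a JBIG2 stream or script entry, which legitimate scanned documents and forms also do; it is a reason to hold the file, not a verdict.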
 
Alias

Anteaus said:
What concerns me most is that if "View PDF in Browser" is active, this could
lend itself to a drive-by attack in which the user need do no more than
visit a compromised webpage to be Trojanised. They might not even be aware
that a PDF has been downloaded and opened, if (for example) it's done in a
popunder.

No concerns here. I use Linux.

Alias
 
Anteaus

Alias said:
No concerns here. I use Linux.

Then start worrying.

http://www.adobe.com/support/downloads/product.jsp?product=10&platform=unix

The fact that *nix is generally better from a security POV doesn't
necessarily mean that third-party apps written for it are more secure.

For example, recently a hole was discovered that you could drive a truck
through in vmware/linux's security. The flaw meant that any user with a guest
-or even email only- server account had root privileges to the vmware
console.
 
Alias

Anteaus said:
Then start worrying.

http://www.adobe.com/support/downloads/product.jsp?product=10&platform=unix

The fact that *nix is generally better from a security POV doesn't
necessarily mean that third-party apps written for it are more secure.

For example, recently a hole was discovered that you could drive a truck
through in vmware/linux's security. The flaw meant that any user with a guest
-or even email only- server account had root privileges to the vmware
console.


I don't use Adobe Reader in Linux and I don't use Vmware. That said,
Linux patches a whole lot faster than Microsoft does and the Vmware
problem requires a person to sit in front of the computer to exploit it.
If I have physical access to a Linux machine, I can get in and get root
privileges with no need for any trucks, holes or exploits.

Alias