vulnerability found in Adobe PDF reader

[Arthur Entlich]

I promise I will not become one of those annoying people who forwards
every known or assumed security risk announcement I come across, but...

....being that this comes from a reliable source, and it potentially
places 61% of all Windows users into a security risk, I thought I would
also pass this to our group.

PDF World Update
=========================================================
1. Adobe Ships Silent Fix for Critical PDF Reader Flaw

Adobe patched a gaping code execution hole in Reader but,
inexplicably, has issued no public documentation on the risk
severity.

http://www.eweek.com/c/a/Security/A...-Critical-PDF-Reader-Flaw/?kc=PZPDFEMNL021208

Art

 

[TJ]

I promise I will not become one of those annoying people who forwards
every known or assumed security risk announcement I come across, but...

...being that this comes from a reliable source, and it potentially
places 61% of all Windows users into a security risk, I thought I would
also pass this to our group.

PDF World Update
=========================================================
1. Adobe Ships Silent Fix for Critical PDF Reader Flaw

Adobe patched a gaping code execution hole in Reader but,
inexplicably, has issued no public documentation on the risk
severity.

http://www.eweek.com/c/a/Security/A...-Critical-PDF-Reader-Flaw/?kc=PZPDFEMNL021208


Art

Hmmm. No mention of a comparable fix for the Linux version of Adobe
Reader 8. Must be it's not needed because the vulnerability is tied to
Internet Explorer, and there is no Linux version of IE - something for
which all Linux users should be profoundly grateful. Firefox is a much
better browser, anyway.

TJ

 

[Arthur Entlich]

They don't mention if it is a vulnerability or not for Linux, just that
no patch was made for Adobe Reader. The fact that they offer patches
for current Windows OSs and the current version of Mac OS doesn't mean
that it isn't a Linux issue, just that they haven't offered a patch for
it (yet?). Or maybe they never made the updated version for Linux at
all and therefore didn't require to fix it?

They don't mention Windows 98 either, but that doesn't mean it isn't
vulnerable, maybe they just never produced an Adobe Reader with the flaw
for it.

Art

 

[measekite]

Hmmm. No mention of a comparable fix for the Linux version of Adobe
Reader 8. Must be it's not needed because the vulnerability is tied to
Internet Explorer, and there is no Linux version of IE - something for
which all Linux users should be profoundly grateful. Firefox is a much
better browser, anyway.

TJ

You have said many things in the past and when I told you that you were
incorrect you still debated. Now you say:
QUOTE
and there is no Linux version of IE
ENDQUOTE

I have run IE under Linux. I only use it as an emergency. I cannot
remember if it is running true native or under its own version of wine
line Picasa.

 

[TJ]

TJ wrote:

You have said many things in the past and when I told you that you were
incorrect you still debated. Now you say: QUOTE
and there is no Linux version of IE
ENDQUOTE

I have run IE under Linux. I only use it as an emergency. I cannot
remember if it is running true native or under its own version of wine
line Picasa.

And I'll debate now, too. What makes you think I'd ever decide I was
wrong just because you tell I am? Sigh. What arrogance!

If you ran IE under Linux, you were using wine, Crossover Office, or
Win4Lin. All are Windows emulators of one sort or another. There is no
version of IE written for Linux, period. At least, none that's ever been
released by Microsoft. Check with Microsoft, if you don't believe me.

I can't imagine what sort of "emergency" would cause you to run IE under
Linux. The only reason I can possibly think of is if you run into a
website that won't work with anything else - and there are a few, but
getting fewer all the time - and I wouldn't classify that as an "emergency."

TJ

 

[TJ]

They don't mention if it is a vulnerability or not for Linux, just that
no patch was made for Adobe Reader. The fact that they offer patches
for current Windows OSs and the current version of Mac OS doesn't mean
that it isn't a Linux issue, just that they haven't offered a patch for
it (yet?). Or maybe they never made the updated version for Linux at
all and therefore didn't require to fix it?

They don't mention Windows 98 either, but that doesn't mean it isn't
vulnerable, maybe they just never produced an Adobe Reader with the flaw
for it.

Adobe Reader 6.x is the last that will work with Windows 98, and like
most other Windows 98 software, it's no longer supported. The way I read
the article, the root flaw is with IE. Adobe Reader just allows somebody
to take advantage of it.

TJ

 

[Tom]

PDF World Update
=========================================================
1. Adobe Ships Silent Fix for Critical PDF Reader Flaw

Adobe patched a gaping code execution hole in Reader but,
inexplicably, has issued no public documentation on the risk
severity.

This is not surprising. Whenever you have 22MB of bloatware there's bound to
be a few problems. I've been using Foxit reader which is 1/10 the size, loads
more than 10 times as fast, and doesn't come with any bundled security holes.
I ditched the Adobe stuff a long time ago and haven't looked back since.

 

[Burt]

I promise I will not become one of those annoying people who forwards every
known or assumed security risk announcement I come across, but...

...being that this comes from a reliable source, and it potentially places
61% of all Windows users into a security risk, I thought I would also pass
this to our group.

PDF World Update
=========================================================
1. Adobe Ships Silent Fix for Critical PDF Reader Flaw

Adobe patched a gaping code execution hole in Reader but,
inexplicably, has issued no public documentation on the risk
severity.

http://www.eweek.com/c/a/Security/A...-Critical-PDF-Reader-Flaw/?kc=PZPDFEMNL021208

Art

Art - immediately after I read this post Adobe auto-updated my Adobe Reader
program.

 

[Arthur Entlich]

They've been watching me ;-0

Art

Art - immediately after I read this post Adobe auto-updated my Adobe Reader
program.

 

[measekite]

TJ wrote: measekite wrote:


TJ wrote:

Hmmm. No mention of a comparable fix for the Linux version of Adobe Reader 8. Must be it's not needed because the vulnerability is tied to Internet Explorer, and there is no Linux version of IE - something for which all Linux users should be profoundly grateful. Firefox is a much better browser, anyway.

TJ

You have said many things in the past and when I told you that you were incorrect you still debated.  Now you say: QUOTE
and there is no Linux version of IE
ENDQUOTE

I have run IE under Linux.  I only use it as an emergency.  I cannot remember if it is running true native or under its own version of wine line Picasa.

And I'll debate now, too. What makes you think I'd ever decide I was wrong just because you tell I am? Sigh. What arrogance!

If you ran IE under Linux, you were using wine, Crossover Office, or Win4Lin. All are Windows emulators of one sort or another. There is no version of IE written for Linux, period. At least, none that's ever been released by Microsoft. Check with Microsoft, if you don't believe me.

I can't imagine what sort of "emergency" would cause you to run IE under Linux. A website I needed was using certain code that did not run properly with Firefox.  Now that has been changed but for a short time I had to us IE for Linux.  And I did tell you it ran may have run under wine.
The only reason I can possibly think of is if you run into a website that won't work with anything else - and there are a few, but getting fewer all the time - and I wouldn't classify that as an "emergency."
If you needed it is can be classed as an emergency.  The other choice was to boot Windows.  This ran seamlessly.

TJ

 

[William R. Walsh]

I guess Adobe forgot that Acrobat 7.0 Professional cost $700 when new. I'm
not buying into 8 just because they screwed up security-wise.

William

 

[William R. Walsh]

and there is no Linux version of IE

There most certainly is not. There never was. I would seriously doubt there
will ever be. You can run the Windows version of Internet Explorer under
Linux using WINE, VMware or other, similar products.

I do remember a Unix version of Internet Explorer (5?) being rumored to
exist, but I've never seen it, even after some looking around. My
understanding is that it was developed for Microsoft by Mainsoft, a company
that specializes (or maybe specialized?) in helping developers convert
Windows applications to Unix.

As usual, I expect that your reply will demonstrate an interesting
alternative reality that only you see!

William

 

[DK]

They don't mention if it is a vulnerability or not for Linux, just that
no patch was made for Adobe Reader. The fact that they offer patches
for current Windows OSs and the current version of Mac OS doesn't mean
that it isn't a Linux issue, just that they haven't offered a patch for
it (yet?). Or maybe they never made the updated version for Linux at
all and therefore didn't require to fix it?

Simple: Acrobat needs to display files and has no business using
Java script. Anyone security - conscious must disable Java script
and rest with a warm feeling that this simple measure removes
99% of the security problems ever related to Acrobat.

DK

 

[Arthur Entlich]

Just wondering, if one removes Java script, what happens when one
encounters websites with Java applets on web pages? Will those no longer
work either?

I seem to have a lot of Java related utilities on my system which take
up a fair amount of storage space on my HD, but I assumed I needed that
stuff to run many of the things that are on the web. The Java coffee
cup icon shows up fairly often when I'm on line.

Art

 

[tinnews]

Just wondering, if one removes Java script, what happens when one
encounters websites with Java applets on web pages? Will those no longer
work either?

Javascript (no space) and Java are completely unrelated - except for
their name. Disabling Javascript will not (in general) have any
effect on Java applets though simple Javascript bits and pieces are
so widely used that disabling Javascript tends to make using the WWW
rather painful.

I seem to have a lot of Java related utilities on my system which take
up a fair amount of storage space on my HD, but I assumed I needed that
stuff to run many of the things that are on the web. The Java coffee
cup icon shows up fairly often when I'm on line.

The Java coffee cup indicates Java, not Javascript.

 

[Arthur Entlich]

Thank you for the clarifications. I had no idea how addicted to coffee
my computer was ;-)

Art

 

[Mickey]

I guess Adobe forgot that Acrobat 7.0 Professional cost $700 when new. I'm
not buying into 8 just because they screwed up security-wise.

William

Jumping in here a little late. If you have any concerns over Acrobat,
why not give Foxit reader a try. It's lean and mean and very fast
compared to Acrobat. You'll be reading your PDF in Foxit while Acrobat
is still loading. Have never found a PDF that Foxit couldn't handle.
And with Foxit reader you can fill out forms and print them. Best of
all it is free. > http://www.foxitsoftware.com/pdf/rd_intro.php

There is also a paid versions where you can even create PDF files.
Prices are low compared to Acrobat price.

I haven't had Acrobat on my machine in a couple yrs and have never
missed it.

Mickey

 

[Bob Eager]

Jumping in here a little late. If you have any concerns over Acrobat,
why not give Foxit reader a try. It's lean and mean and very fast
compared to Acrobat. You'll be reading your PDF in Foxit while Acrobat
is still loading. Have never found a PDF that Foxit couldn't handle.
And with Foxit reader you can fill out forms and print them. Best of
all it is free. > http://www.foxitsoftware.com/pdf/rd_intro.php

There is also a paid versions where you can even create PDF files.
Prices are low compared to Acrobat price.

I haven't had Acrobat on my machine in a couple yrs and have never
missed it.

Neither have I...I use GhostScript, which is free, and allows me to
create PDFs too.

 

[TJ]

Neither have I...I use GhostScript, which is free, and allows me to
create PDFs too.

OpenOffice, also free, will export documents in PDF, too.

TJ

 

[Arthur Entlich]

Thanks for this. I'm gonna try it. I've disliked how bloated Acrobat
Reader has become and how long it takes to load.

Art