Adobe warns over unpatched PDF peril
Happy zero-day. Again
Hackers are exploiting critical, unpatched vulnerabilities in Adobe Reader, Acrobat and Flash Player.
The zero-day vulnerabilities are platform independent and can affect users of Adobe products regardless of whether they run Windows, Mac or Linux systems, Adobe warns.
The software developer reckons that Adobe Reader and Acrobat version 8.x are not vulnerable, but users of the newer version 9.0 of the software are at risk. Adobe has published a workaround involving the deletion of a library file connected with processing Flash content in PDF files pending the development of a more comprehensive fix.
Adobe is yet to publish a timetable of when patches will become available. Adobe Flash Player 10.0.45.2 and earlier versions are vulnerable to the bug. Users of Flash Player 10.1 Release Candidate may be in the clear but that's uncertain, as an advisory from Adobe explains.
The bugs are the latest in a series of security pratfalls to befall Adobe software, joint favourite with Microsoft's browser and applications as the main targets of hacker attacks. The latest flaw can be blamed on the support of exotic files and formats within PDF files, a problem that has cropped up in the past. ®
Who'd have thought that may happen?
@embedded interactive content. WTF!
The whole point of PDF was that it was a read-only document format for sending to printers etc.
So what's the point in adding embedded interactive content to something that should be read-only?
Also, PDFs were generally thought of as inert, due to them being read-only; adding embedded functionality now means the possibility of executing things inside a PDF, which throws away the safety of the format (what little there was in the first place).
If PDF is going down the interactive route, then perhaps we need a new inert document format.
At the very least the Reader should block all interactive functionality by default, and have to be switched on in order to access any of this. (aka like macros in Office etc.)
Bit rambly, sorry.
>“...it really isn't that bad outside of the brainwashed blathering of Jobsian zombies, who are all suddenly raving about Flash being a nightmare at the same time...”
Sorry, it *is* that bad. Most conscientious web designers and developers (hello!) have been decrying the use of non-standard web elements, including Flash, since 1998. Although Flash may have improved from an accessibility standpoint, it's still not a great solution. It has its place *at the moment*; mainly as a wrapper for audio and video content. Of all the existing web technologies that exist today, Flash is by far the most loathsome, over-used and abused. Which sys admin in their right mind would allow Flash onto the corporate network?
>“Having a zero-day exploit, which happens regularly to Apple products, Microsoft products and everybody else's products, says nothing about the quality of the software and everything about its targetability as a ubiquitous platform.”
First of all, no-one has said that Apple, Microsoft et al. are free from exploited products and security issues; however, so far un-jailbroken iPhones have been free of such issues, the exception being a drive-by and they can affect most browsers, what with it being more of a PICNIC issue rather than a security flaw. Microsoft's new mobile OS has got an even better security record.
And to the crux of the matter. Adobe's track record is hardly good. How long has 64 bit Flash been in development? It seems that not a week goes past without one report or another warning us of another vulnerability discovered in an Adobe product. Whilst it's fair to point out that Apple's own desktop OS is hardly a model of ironclad security and neither is Microsoft's, it's to be expected in OSs of that size and that age. Microsoft really do a remarkable job with Windows, and Apple are getting better at responding to security issues, but Adobe? It's a fucking runtime! Sun manage to stay on top of Java (although Apple do struggle), Microsoft are doing sterling work with Silverlight. But Adobe? Jobs got it right when he called them lazy!
So, let's consider the evidence. Slow to patch software. Slow to implement documented APIs. Consistently release half-baked software. Security is an afterthought. Haven't yet released a decent *full version* of Flash on a mobile platform. It's not surprising that Apple have said ‘thanks, but no thanks...’ to Adobe. I'd urge Microsoft to do the same, but Ballmer is just stupid enough to allow it onto Microsoft's new mobile OS just to be contrary, and personally if I were Adobe, I wouldn't trust those that rule the Mountain View Chocolate Factory as far as I could spit; I'm still waiting for one of those three to acquire Adobe...
Just a bootnote; may I respectfully suggest that you leave behind the ad hominems and inflammatory comment. I copped a bollocking for it, deservedly so, and am now trying to avoid it. It can be hard but ultimately it makes you consider what you are going to say more. It can serve to give you the moral high ground too! It's ok to have opposing views, it's not ok to call people names because they do, even if it is really annoying. Attack the idea. Obviously, giant multinational corporations and their management are fair game.