News Adobe Reader attacked by JavaScript bug

http://www.bit-tech.net/news/bits/2009/10/12/adobe-reader-attacked-by-javascript-bug/1

Security researchers have identified a Trojan which attacks a flaw in Adobe Reader's JavaScript handling to insert a backdoor - and a patch isn't due until tomorrow.

 

Part of me wonders how angry one can be if this only effects windows versions two iterations old(XP). The other part thinks adobe needs to get it together with their security, and that anyone on windows might as well disable JavaScript permanently with adobe programs.

 

It's about time they revised their javascript code.

 

i dont think this will affect many people on xp becasue most will just disable java for adobe acrobat reader
quite easy if you ask me cause there are programs allready that will do it or just simply stop the program from conecting to the internet

 

Well, Win7 isn't out yet so there's no point in wasting time making sure the exploit works with it. Plus, I'd guess that the user base for XP is still higher than Vista. I know plenty of people who still run XP whilst waiting for Win7. Hell, I know a few people that recently bought new machines with Vista pre-installed, only to wipe the HDD and install a pirate copy of XP!

 

I install legal versions of xp on a quite a few peoples laptops and desktops, from vista factory images. Alot of people seem to still think Vista is full of bugs, and the interface and settings have changed so much that they also feel lost and confused when trying to do anything in it.

As to the Adobe problem, maybe we'll get (un)-lucky(?) and M$ will use this as launchpad to replace Java with a platform of their own?

 

B3ck: Java and Javascript are very different beasts.

It amazes me how often there are 0-day exploits for acrobat - usually concerning some extra stuff they bundle with the reader like javascript or something. They should at least warn users that the PDF is attempting to execute code, rather than blindly trusting that the PDF is non-malicious.

 

Programing and development are not in skill set, yet. Thanks for clearing that up.
Anyone know if the same vulnerabilities exist in the foxit reader?

 

I've had acrobat reader pop up more than once during web surfing. The software definitely has some vulnerable holes in it. So far I've managed to prevent it from executing anything malicious, but I'm still a pissed off that it just pops up while surfing and wants to open a file.

 

I know Foxit has JS capability and its enabled by default.
I also know that in the past, some exploits affecting Adobe's PDF viewer have affected Foxit too.

Bottom line is, why are PDF viewers trying to run code at all?
They are meant to be simple viewers.
They used to be less than a meg to download and now they're huge.
I think Adobe's PDF viewer is the very epitome of bloatware and everyone's security is the resultant victim.

 

Is Foxit PDF Reader also affected though or is this purely an Adobe issue?

I have steadily moved away from Commercial Software and now use mostly open source software with the exception of Windows (for Games) at least until one of the *nix distros and software developers better support games and apps. I also still use Photoshop for the time being, at least until I can get to grips with using Gimp.

 

Not sure, but I'd disable the JS handling in Foxit too unless you need it. Just asking for trouble having it enabled IMO.

Hehe, me too. Give me Steam for Linux and I'll be a very happy man...