1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News New PDF flaw doesn't need JavaScript

Discussion in 'Article Discussion' started by CardJoe, 7 Apr 2010.

  1. CardJoe

    CardJoe Freelance Journalist

    Joined:
    3 Apr 2007
    Posts:
    11,343
    Likes Received:
    292
  2. eddtox

    eddtox Homo Interneticus

    Joined:
    7 Jan 2006
    Posts:
    1,296
    Likes Received:
    15
    No surprise here. Just like windows, the PDF standard is a victim of its own success. I do hope they fix this soon, though.
     
  3. cjoyce1980

    cjoyce1980 New Member

    Joined:
    17 Jul 2007
    Posts:
    404
    Likes Received:
    0
    ....and the same with OSX 10.6 and firefox.

    the problem with developers now is that they never apply aggressive programming development any more, because they can always fix it with a patch later.

    image getting a buggy PC/SNES/Mega Drive game back in the 90's! you would go nuts a the store and demand your money back.

    now software development is just like the american society! we can fix everything with a pill! or a patch in softwares case :)
     
  4. Tulatin

    Tulatin The Froggy Poster

    Joined:
    16 Oct 2003
    Posts:
    3,161
    Likes Received:
    7
    I would think it's fairly hard to program something that's bulletproof when there's incentive for millions of crackers out there to find holes in the cheese.
     
  5. feedayeen

    feedayeen New Member

    Joined:
    18 Jun 2008
    Posts:
    204
    Likes Received:
    21
    Nah, it shouldn't be that hard. If you perform proper input validation by treating the contents as data, it will have no impact on the rest of the program. Adobe's problem appears to be feature creep because every year they need to find a new excuse for people to rebuy their products and upgrade. The Portable Document File should never have supported executable code. If you keep it limited to text, images, formating,and hyperlinks, the format would be completely safe provided that proper data validation is performed with the only danger being users clicking on a link leading them to a bad site where they then download the bad stuff. But at that point, it is the user's or web browser's fault, not Adobe's anyways.
     
  6. Redbeaver

    Redbeaver The Other Red Meat

    Joined:
    15 Feb 2006
    Posts:
    2,057
    Likes Received:
    34
    pretty much saying

    which i agree.

    and in fact, it became too cumbersome for me to keep up with all these relatively minor exploits... that id rather find a more effective, manageable fixer-upper solution to deal with damage (if being done at all)
     
  7. airchie

    airchie New Member

    Joined:
    22 Mar 2005
    Posts:
    2,136
    Likes Received:
    2
    Kinda highlights the problem with bloatware and rapid development. :/
     
  8. aussiebear

    aussiebear New Member

    Joined:
    13 Nov 2008
    Posts:
    36
    Likes Received:
    8
    Its nothing to do with popularity. => DO NOT fall for this trivial excuse created by marketing departments of corporations! They use it to deflect away blame and responsibility!

    ...Both suffer from the same issue: Poor design/implementation/default settings.

    (1) Windows
    Throughout Windows's life time, this has never changed. From 1985 to today...Allow-by-default. It has created several generations of computer users who have helped propped up the entire computer security industry! (The anti-virus market relies on you to keep being ignorant and gullible. Every competent hacker knows all AV solutions can be worked around.)

    This situation is only corrected by applying Software Restriction Policy (Set SRP to Disallow in XP, Vista, or Win7) or AppLocker (Win7); Using Limited/Standard user; and changing computer usage habits...So do NOT buy Home Editions of ANY versions of Windows if given the choice! Always stick to Professional/Business versions! (As they have SRP, AppLocker, and Group Policy.)

    Never use Administrator; unless you are installing/updating new or trusted apps/patches OR resolving a computer problem. Always use Limited/Standard User for day-to-day activities.

    (2) PDF
    This is another moronic (security poor) implementation from Adobe. The other is Flash...Why can we embed and execute code with these implementations?

    It really depends on:

    (1) How well the program is thought out.
    => Is it a half-baked, "on-the-go" hack job? Or did someone sit down with a piece of paper and took time to design the thing properly? (with fail-safe defaults as fall-back)...Because the former always results in the end-user suffering. (Endless patches.)

    (2) How experienced the programmers are.
    => Very few programmers really know about the tools they use. Their mathematical background is weaker than building a house on sand. And more often than not, they use programming languages in a very dangerous way. (Too reliant on automated features, lacking in understanding of the actual functions they're calling and the consequences of using them in a certain way, etc.)

    (3) How well the testing validation process is.
    => Does it meet the original goals? Apply "fuzzing" in the testing process to ensure robustness of application? What happens if I...?

    (4) If clueless managers get involved.
    => There is ALWAYS some moron upstairs who insists on adding something that will cause the entire deck of cards to tumble. They are master manipulators of office politics; so its guaranteed that whatever they want will be implemented at the protest of programmers or engineers. (Its the same type of douchebag that caused the Global Financial Crisis.)

    The most problematic is, (as mentioned by feedayeen); feature creep. It is the reason why a good majority of the well known programs we've used throughout the years have turned into bloated cows of BS...This poor behaviour in application development started during the late 1990s and early 2000s.

    There is no real reason for it; other than an avenue to maintain a profit stream.

    If you ever write code; promise the world that you will keep it simple (single purpose) and only functioning as intended.
     
  9. eddtox

    eddtox Homo Interneticus

    Joined:
    7 Jan 2006
    Posts:
    1,296
    Likes Received:
    15
    While I agree with most of your points (especially feature creep) I do think that good security is difficult to implement for the tech-illiterate masses, without making the system virtually unusable to them.

    As for pdf's, I didn't know they could contain executable code. Why?
     
    Last edited: 8 Apr 2010
  10. javaman

    javaman May irritate Eyes

    Joined:
    10 May 2009
    Posts:
    3,426
    Likes Received:
    72
    Problem is no matter how super you code is someone will always find a weakness. Its almost smegs law now =/
     
  11. glaeken

    glaeken Freeeeeeeze! I'm a cawp!

    Joined:
    1 Jan 2005
    Posts:
    2,041
    Likes Received:
    50
    Another reason software has to be patched and is generally buggier than in the early to mid 90s and before, is that the shear size of software has grown exponentially. Many software products have more lines of code that Windows does, preventing bugs/security flaws outright from every corner is near impossible. Also when a product has been around as long as Adobe Acrobat, many people have come and gone during its lifetime, leading to misunderstandings of why a certain section of code does what it does, and (combined with poor internal documentation) no one knows/remembers all the details for every part of the software.
     
  12. CowBlazed

    CowBlazed New Member

    Joined:
    9 Dec 2005
    Posts:
    254
    Likes Received:
    0
    Stuff like this is why I keep UAC enabled on my Windows 7 machine, despite the annoyances. I've had PDF files randomly try and open when browsing and the all too familiar UAC warning allowed me to block it.
     
  13. rmathur

    rmathur New Member

    Joined:
    9 Apr 2010
    Posts:
    1
    Likes Received:
    0
    No matter how big the company gets, they can't guarantee perfect software. Adobe has many big claims yet it can not correct save a PDF document as simple word document - that's why you have to go to online sites who have OCRs -but that's also not perfect and that's why you have to go to online sites which can help you with manual corrections!
     
Tags: Add Tags

Share This Page