
News New PDF flaw doesn't need JavaScript

Discussion in 'Article Discussion' started by CardJoe, 7 Apr 2010.

  1. CardJoe

    CardJoe Freelance Journalist

    Joined:
    3 Apr 2007
    Posts:
    11,346
    Likes Received:
    316
  2. eddtox

    eddtox Homo Interneticus

    Joined:
    7 Jan 2006
    Posts:
    1,296
    Likes Received:
    15
    No surprise here. Just like Windows, the PDF standard is a victim of its own success. I do hope they fix this soon, though.
     
  3. cjoyce1980

    cjoyce1980 What's a Dremel?

    Joined:
    17 Jul 2007
    Posts:
    404
    Likes Received:
    0
    ...and the same with OS X 10.6 and Firefox.

    The problem with developers now is that they never apply aggressive programming development any more, because they can always fix it with a patch later.

    Imagine getting a buggy PC/SNES/Mega Drive game back in the 90s! You would go nuts at the store and demand your money back.

    Now software development is just like American society! We can fix everything with a pill! Or a patch, in software's case :)
     
  4. Tulatin

    Tulatin The Froggy Poster

    Joined:
    16 Oct 2003
    Posts:
    3,161
    Likes Received:
    7
    I would think it's fairly hard to program something that's bulletproof when there's incentive for millions of crackers out there to find holes in the cheese.
     
  5. feedayeen

    feedayeen What's a Dremel?

    Joined:
    18 Jun 2008
    Posts:
    204
    Likes Received:
    21
    Nah, it shouldn't be that hard. If you perform proper input validation by treating the contents as data, it will have no impact on the rest of the program. Adobe's problem appears to be feature creep because every year they need to find a new excuse for people to rebuy their products and upgrade. The Portable Document Format should never have supported executable code. If you keep it limited to text, images, formatting, and hyperlinks, the format would be completely safe provided that proper data validation is performed, with the only danger being users clicking on a link leading them to a bad site where they then download the bad stuff. But at that point, it is the user's or web browser's fault, not Adobe's anyway.
     
  6. Redbeaver

    Redbeaver The Other Red Meat

    Joined:
    15 Feb 2006
    Posts:
    2,062
    Likes Received:
    36
    pretty much saying

    which I agree with.

    And in fact, it became too cumbersome for me to keep up with all these relatively minor exploits... that I'd rather find a more effective, manageable fixer-upper solution to deal with damage (if being done at all).
     
  7. airchie

    airchie What's a Dremel?

    Joined:
    22 Mar 2005
    Posts:
    2,136
    Likes Received:
    2
    Kinda highlights the problem with bloatware and rapid development. :/
     
  8. aussiebear

    aussiebear What's a Dremel?

    Joined:
    13 Nov 2008
    Posts:
    36
    Likes Received:
    8
    It's nothing to do with popularity. => DO NOT fall for this trivial excuse created by marketing departments of corporations! They use it to deflect away blame and responsibility!

    ...Both suffer from the same issue: Poor design/implementation/default settings.

    (1) Windows
    Throughout Windows's lifetime, this has never changed. From 1985 to today...Allow-by-default. It has created several generations of computer users who have helped prop up the entire computer security industry! (The anti-virus market relies on you to keep being ignorant and gullible. Every competent hacker knows all AV solutions can be worked around.)

    This situation is only corrected by applying Software Restriction Policy (Set SRP to Disallow in XP, Vista, or Win7) or AppLocker (Win7); Using Limited/Standard user; and changing computer usage habits...So do NOT buy Home Editions of ANY versions of Windows if given the choice! Always stick to Professional/Business versions! (As they have SRP, AppLocker, and Group Policy.)

    Never use Administrator unless you are installing/updating new or trusted apps/patches OR resolving a computer problem. Always use Limited/Standard User for day-to-day activities.

    (2) PDF
    This is another moronic (security poor) implementation from Adobe. The other is Flash...Why can we embed and execute code with these implementations?

    It really depends on:

    (1) How well the program is thought out.
    => Is it a half-baked, "on-the-go" hack job? Or did someone sit down with a piece of paper and took time to design the thing properly? (with fail-safe defaults as fall-back)...Because the former always results in the end-user suffering. (Endless patches.)

    (2) How experienced the programmers are.
    => Very few programmers really know about the tools they use. Their mathematical background is weaker than building a house on sand. And more often than not, they use programming languages in a very dangerous way. (Too reliant on automated features, lacking in understanding of the actual functions they're calling and the consequences of using them in a certain way, etc.)

    (3) How good the testing/validation process is.
    => Does it meet the original goals? Apply "fuzzing" in the testing process to ensure robustness of application? What happens if I...?

    (4) If clueless managers get involved.
    => There is ALWAYS some moron upstairs who insists on adding something that will cause the entire deck of cards to tumble. They are master manipulators of office politics; so it's guaranteed that whatever they want will be implemented over the protest of programmers or engineers. (It's the same type of douchebag that caused the Global Financial Crisis.)

    The most problematic is, (as mentioned by feedayeen); feature creep. It is the reason why a good majority of the well known programs we've used throughout the years have turned into bloated cows of BS...This poor behaviour in application development started during the late 1990s and early 2000s.

    There is no real reason for it; other than an avenue to maintain a profit stream.

    If you ever write code; promise the world that you will keep it simple (single purpose) and only functioning as intended.
     
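Two posts above ask the same thing from opposite ends: feedayeen says a safe reader treats the file as data (text, images, formatting, hyperlinks) and aussiebear asks why a PDF can embed and execute anything at all. What follows is an added example, not code from the article, from Adobe, or from either poster: a small Python triage script that tokenizes a PDF and counts the name tokens which turn a document into a set of instructions for the viewer (/OpenAction, /AA, /Launch, /JS, /JavaScript and a few form and media actions, which are real names from the PDF specification; the thread itself never says which one the 2010 flaw relies on, so the list is general, not a claim about that flaw). The four sample files are constructed inline. Two of them show why a plain string search is not "proper validation": a name can be written with hex escapes (/J#61vaScript), and an action can sit inside a /FlateDecode stream where grep never looks.

```python
import re
import zlib

# Added example for this thread, not Adobe code. The set below is the general
# list of action/script triggers from the PDF specification; the thread does not
# say which mechanism the 2010 flaw uses, so no claim about that is made here.
ACTIVE_NAMES = frozenset({
    "/JS", "/JavaScript",            # script actions
    "/Launch",                       # run an external program or open a file
    "/OpenAction", "/AA",            # fire an action on open / on an event
    "/SubmitForm", "/ImportData",    # form actions that reach out or pull data in
    "/RichMedia", "/EmbeddedFile",   # Flash/media content and attached files
})

# A name token is '/' followed by regular characters; whitespace and ( ) < > [ ] { } / %
# terminate it. '#xx' inside a name is a hex escape, which defeats a literal grep.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# A stream dictionary (one nesting level and hex strings tolerated) plus its raw
# body. Good enough for triage; this is not a full PDF parser.
STREAM = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>|<[^<>]*>)*)>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL,
)

def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so b'/J#61vaScript' compares equal to '/JavaScript'."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def inflate_streams(data: bytes) -> list:
    """Return the inflated body of every /FlateDecode stream found in data."""
    bodies = []
    for m in STREAM.finditer(data):
        if b"/FlateDecode" not in m.group(1):
            continue
        try:
            # decompressobj tolerates a stray trailing byte that the regex may eat
            bodies.append(zlib.decompressobj().decompress(m.group(2)))
        except zlib.error:
            pass  # not zlib data or damaged: leave it to a full parser
    return bodies

def scan_pdf(data: bytes, inflate: bool = True) -> dict:
    """Count active-content names in the file and, when inflate is set, inside
    its compressed streams, where a plain string search never looks."""
    counts = {}
    pending = [data]
    while pending:
        chunk = pending.pop()
        for m in NAME_TOKEN.finditer(chunk):
            name = decode_name(m.group(0))
            if name in ACTIVE_NAMES:
                counts[name] = counts.get(name, 0) + 1
        if inflate:
            pending.extend(inflate_streams(chunk))
    return counts

def is_data_only(data: bytes) -> bool:
    """True when the file holds nothing but renderable content and hyperlinks."""
    return not scan_pdf(data)

def build_pdf(objects) -> bytes:
    """Assemble a minimal PDF (no xref table) from object bodies. Test input only."""
    out = [b"%PDF-1.4\n"]
    for i, body in enumerate(objects, start=1):
        out.append(b"%d 0 obj\n%s\nendobj\n" % (i, body))
    out.append(b"trailer\n<< /Root 1 0 R >>\n%EOF\n")
    return b"".join(out)

# Constructed samples. A hyperlink is data the viewer renders and stays allowed;
# an action that fires on open is not.
BENIGN_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
    b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/) >> >>",
])
LAUNCH_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /Launch /F (cmd.exe) >> >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
])
OBFUSCATED_PDF = build_pdf([  # /J#61vaScript is /JavaScript with an escaped 'a'
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /S /J#61vaScript /JS (app.alert(1)) >>",
])
_deflated = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
HIDDEN_PDF = build_pdf([  # the action dictionary lives inside a compressed stream
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
    % (len(_deflated), _deflated),
])
```

Run scan_pdf(HIDDEN_PDF, inflate=False) and only /OpenAction shows up; with inflation the /Launch inside the stream appears too. That is the practical shape of feedayeen's "treat the contents as data" argument: a reader that refuses to act on any of these names (or a gateway that rejects files containing them) needs no knowledge of the particular bug of the week, whereas a blacklist that matches literal strings is beaten by an escape or a compression filter the format legitimately allows.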
  9. eddtox

    eddtox Homo Interneticus

    Joined:
    7 Jan 2006
    Posts:
    1,296
    Likes Received:
    15
    While I agree with most of your points (especially feature creep) I do think that good security is difficult to implement for the tech-illiterate masses, without making the system virtually unusable to them.

    As for PDFs, I didn't know they could contain executable code. Why?
     
    Last edited: 8 Apr 2010
  10. javaman

    javaman May irritate Eyes

    Joined:
    10 May 2009
    Posts:
    3,987
    Likes Received:
    191
    Problem is, no matter how super your code is, someone will always find a weakness. It's almost Smeg's law now =/
     
  11. glaeken

    glaeken Freeeeeeeze! I'm a cawp!

    Joined:
    1 Jan 2005
    Posts:
    2,041
    Likes Received:
    50
    Another reason software has to be patched and is generally buggier than in the early to mid 90s and before is that the sheer size of software has grown exponentially. Many software products have more lines of code than Windows does; preventing bugs/security flaws outright from every corner is near impossible. Also, when a product has been around as long as Adobe Acrobat, many people have come and gone during its lifetime, leading to misunderstandings of why a certain section of code does what it does, and (combined with poor internal documentation) no one knows/remembers all the details for every part of the software.
     
  12. CowBlazed

    CowBlazed What's a Dremel?

    Joined:
    9 Dec 2005
    Posts:
    254
    Likes Received:
    0
    Stuff like this is why I keep UAC enabled on my Windows 7 machine, despite the annoyances. I've had PDF files randomly try and open when browsing and the all too familiar UAC warning allowed me to block it.
     
  13. rmathur

    rmathur What's a Dremel?

    Joined:
    9 Apr 2010
    Posts:
    1
    Likes Received:
    0
    No matter how big the company gets, they can't guarantee perfect software. Adobe has many big claims, yet it cannot correctly save a PDF document as a simple Word document - that's why you have to go to online sites that have OCR - but that's also not perfect, and that's why you have to go to online sites which can help you with manual corrections!
     