15 replies to this topic 1 votes

[+Mephistopheles]

Google warns of using Adobe Reader - particularly on Linux


On its August Patch Day, Adobe has fixed numerous critical memory-related bugs in Reader for Windows and Mac OS X – but has chosen to overlook Linux users. The researchers who discovered the holes now fear that potential attackers could find enough clues to build an exploit by comparing the current Windows version of Reader with the previous one. This would leave Linux users defenceless. On top of that, even the patched versions still contain a total of 16 open security holes.

Google employees Mateusz Jurczyk and Gynvael Coldwind initially examined the PDF engine of the Chrome browser and discovered numerous holes. They then tested Adobe Reader and found about 60 issues that triggered crashes, 40 of which are potential attack vectors. When the two researchers reported their discoveries to Adobe, the company promised to provide fixes – but also indicated that not all the holes would be closed on Patch Day in August.

On Tuesday, that is exactly what happened. Versions 10.1.4 and 9.5.2 were released for Windows and Mac OS X only. Even these patched versions are still vulnerable to 16 of the reported issues that affect Windows, Mac OS X or both systems. To prove this, the Google employees have released obfuscated information concerning the crashes. The security experts say that the unpatched holes could potentially be identified by third parties because they were found by modifying publicly available PDF documents.

Apparently, the researchers' threat to publish all vulnerability details online in accordance with "responsible disclosure" did not worry Adobe. The deadline is set for 60 days after the day on which the researchers informed Adobe about the holes: 27 August. However, Adobe told the researchers that no further updates are planned in that timeframe.

The Google employees therefore recommend that users refrain from opening any PDF documents from external sources in Adobe Reader. Those who use a browser other than Chrome can protect themselves by disabling the Reader's browser extension. The extension allows the holes to be exploited with a simple visit to a specially crafted web page.

Windows users who still use version 9 of Reader have been advised to upgrade to Adobe Reader X, because this version contains a sandbox that makes exploiting the holes more difficult. While Linux users can fix two of the holes by deleting the annots.api and PPKLite.api plug-ins from the /path/to/Adobe/Reader9/Reader/intellinux/plug_ins directory, this seems like a drop in the ocean when considering the total number of holes that riddle Reader for Linux.

Source: The H Online

[ichi]

Why would anyone want to use Adobe Reader on Linux anyway?

[Aethec]

ichi, on 16 August 2012 - 09:57, said:

Why would anyone want to use Adobe Reader anyway?

There, fixed it for you.

[StevenJ]

Aethec, on 16 August 2012 - 10:10, said:

There, fixed it for you.

ichi, on 16 August 2012 - 09:57, said:

Why would anyone want to use Adobe Reader on Linux anyway?

I'm forced to use it to fill out any online forms at my university :'(

[Growled]

I stopped using that bug ridden bloatware on all platforms a long time ago.

[The Dark Knight]

Growled, on 17 August 2012 - 02:43, said:

I stopped using that bug ridden bloatware on all platforms a long time ago.

What do you use instead? I am also looking for a good replacement.

[DARKFiB3R]

Are the alternative options really any safer? We're all doomed.

[nub]

The Dark Knight, on 17 August 2012 - 02:54, said:

What do you use instead? I am also looking for a good replacement.

If you're on windows, Sumatra PDF

[siah1214]

The Dark Knight, on 17 August 2012 - 02:54, said:

What do you use instead? I am also looking for a good replacement.

I wish the reader in windows 8 was better..doesn't handle forms very well.

[Growled]

nub, on 17 August 2012 - 03:01, said:

If you're on windows, Sumatra PDF

I alternate between this one and Foxit.

[Ryoken]

I view my PDF's in Google Doc's lol.. but I don't have to deal with PDF's that often, so probably not an option for most

[Javik]

I use Foxit on Windows, haven't used Adobe reader for about 3 years. It's bloated, slow, and now apparently insecure. And I didn't know the PDF plugin in Chrome was made by Adobe, how do I disable it?

[Colin McGregor]

Another vote for Foxit even though we weren't taking a vote.

[Ryoken]

If you want to kill it in Chrome, go to chrome://plugins/

[Marcin Kurek]

Sumatra PDF has been my reader of choice for a while now. Even Foxit seems kinda bloated in comparison.