Google warns of using Adobe Reader - particularly on Linux

By +Frank B.
in Back Page News

 Share

Recommended Posts

Grand Master

+Frank B. Subscriber²

Posted
  • Subscriber²
Posted

Google warns of using Adobe Reader - particularly on Linux

On its August Patch Day, Adobe has fixed numerous critical memory-related bugs in Reader for Windows and Mac OS X ? but has chosen to overlook Linux users. The researchers who discovered the holes now fear that potential attackers could find enough clues to build an exploit by comparing the current Windows version of Reader with the previous one. This would leave Linux users defenceless. On top of that, even the patched versions still contain a total of 16 open security holes.

Google employees Mateusz Jurczyk and Gynvael Coldwind initially examined the PDF engine of the Chrome browser and discovered numerous holes. They then tested Adobe Reader and found about 60 issues that triggered crashes, 40 of which are potential attack vectors. When the two researchers reported their discoveries to Adobe, the company promised to provide fixes ? but also indicated that not all the holes would be closed on Patch Day in August.

On Tuesday, that is exactly what happened. Versions 10.1.4 and 9.5.2 were released for Windows and Mac OS X only. Even these patched versions are still vulnerable to 16 of the reported issues that affect Windows, Mac OS X or both systems. To prove this, the Google employees have released obfuscated information concerning the crashes. The security experts say that the unpatched holes could potentially be identified by third parties because they were found by modifying publicly available PDF documents.

Apparently, the researchers' threat to publish all vulnerability details online in accordance with "responsible disclosure" did not worry Adobe. The deadline is set for 60 days after the day on which the researchers informed Adobe about the holes: 27 August. However, Adobe told the researchers that no further updates are planned in that timeframe.

The Google employees therefore recommend that users refrain from opening any PDF documents from external sources in Adobe Reader. Those who use a browser other than Chrome can protect themselves by disabling the Reader's browser extension. The extension allows the holes to be exploited with a simple visit to a specially crafted web page.

Windows users who still use version 9 of Reader have been advised to upgrade to Adobe Reader X, because this version contains a sandbox that makes exploiting the holes more difficult. While Linux users can fix two of the holes by deleting the annots.api and PPKLite.api plug-ins from the /path/to/Adobe/Reader9/Reader/intellinux/plug_ins directory, this seems like a drop in the ocean when considering the total number of holes that riddle Reader for Linux.

Source: The H Online

Veteran

The Dark Knight

Posted
Posted

I stopped using that bug ridden bloatware on all platforms a long time ago.

What do you use instead? I am also looking for a good replacement.

Grand Master

Noir Angel

Posted
Posted

I use Foxit on Windows, haven't used Adobe reader for about 3 years. It's bloated, slow, and now apparently insecure. And I didn't know the PDF plugin in Chrome was made by Adobe, how do I disable it?

This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • Major Xbox layoffs may claim South of Midnight developer Compulsion entirely

      By PeterTHX · Posted

      If you can't spell a simple word that 2nd graders learn, your entire argument is suspect.
    • UK to ban under-16s from social media following a six-week trial with teenagers

      By FloatingFatMan · Posted

      And here goes the "Won't someone think of the children" brigade. Get stuffed mate. This has NOTHING to do with making the internet safe. It's about tracking adults, spying on your online activity, and sending the boys around when they don't like something you post. Also, again, parliament have voted TWICE against this, and Starmer is going ahead anyway. THAT is anti-democratic bullsh**. They will use this law to track you, they will use this law to control you, and they will use this law to punish you if they don't like what you do, even if it's legal. And your data? Say bye bye to that. It'll be on the darkweb in weeks. I'm not some rando online. I've been an IT professional for 40 years, many of it in security. I know exactly what this means and what will happen to your data. I do not consent and I will not comply.
    • Windows 11 KB5094126, KB5093998 bugging out Office apps but it may not be Microsoft's fault

      By sphbecker · Posted

      "...but it may not be Microsoft's fault" seems like a reasonable way to tease what is going on without leaving the user with a false impression that an update is the problem. A title isn't a summery, it is meant to entice the user to read the article. It should not contain a misleading premise; which this title does not. You could maybe complain that the first paragraph should have included that detail. The writing style popularized over 100 years ago in newspapers will cover the most important information as soon as possible with details and nuance added later; the idea being that with each new paragraph you have less of the reader's focus.
    • Samsung Galaxy XR arrives in the UK with new AI and enterprise features

      By Fiza Ali · Posted

      Samsung Galaxy XR arrives in the UK with new AI and enterprise features by Fiza Ali Samsung is bringing its Galaxy XR headset to the UK several months after the device made its debut as the first headset built on Google's Android XR platform. The headset was first teased in late 2024 alongside Google's introduction of Android XR before making its commercial debut in 2025. Developed in collaboration with Google and Qualcomm, Galaxy XR combines mixed reality experiences with Gemini-powered AI features, allowing users to interact with digital content using voice, gestures, and visual inputs. While the hardware itself remains largely unchanged from the version Samsung unveiled last year, the company is using the UK launch to spotlight several software enhancements that have arrived through recent updates. Among the most notable additions is deeper integration with Google's ecosystem. Galaxy XR users can explore destinations through Google Maps' Immersive View, receiving AI-powered recommendations and contextual information from Gemini while navigating virtual environments. Furthermore, entertainment experiences have also expanded; users can watch 180-degree and 360-degree videos on YouTube, browse spatial content converted into 3D, and ask Gemini questions about on-screen content without interrupting playback. Samsung is also highlighting mixed-reality features such as Circle to Search, which allows users to identify real-world objects through hand gestures while using the headset's video pass-through mode. Another feature automatically converts photos and videos into spatial 3D experiences. Moreover, the headset now also supports Android Enterprise, allowing organisations to manage deployments using existing Android management tools. Annika Bizon, Vice President, Product and Marketing, Mobile Experience, Samsung UK & Ireland, talked about the device, stating: The headset is powered by Qualcomm's Snapdragon XR2+ Gen 2 platform and features dual 4K Micro-OLED displays. The tech giant says that users can expect up to 2.5 hours of battery life. Samsung also confirmed that Galaxy XR will continue receiving software and security updates as the company works alongside Google and Qualcomm to expand the Android XR ecosystem. Galaxy XR is now available for pre-order and will go on sale on 8 July. Customers interested in trying the headset before launch can visit Samsung KX in London and selected Samsung Experience Stores from 17 June. Finally, the company will also host a livestream on 19 June showcasing the headset's capabilities and answering questions from prospective customers.
    • Politically funny images of the World

      By +primortal · Posted

  • Recent Achievements

    • First Post
      Jocimo earned a badge
      First Post
    • Week One Done
      suprememobiles48 earned a badge
      Week One Done
    • One Month Later
      Windows Guy earned a badge
      One Month Later
    • One Month Later
      Prasann earned a badge
      One Month Later
    • Week One Done
      Prasann earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      519
    2. 2
      +Edouard
      174
    3. 3
      PsYcHoKiLLa
      95
    4. 4
      Steven P.
      84
    5. 5
      ATLien_0
      70
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!