Adobe PDF Patch Plugs Data Leak Threat

Over the weekend I opened an Adobe PDF document and was greeted with a notice urging me to download an update that fixes some security problems with Adobe Reader, so naturally I immediately responded.

First off, kudos to Adobe: Unlike so many software patches that force you to choose between using the product and applying the latest update, Adobe didn't require me to quit the documents I was reading while it was installing the patch. It did restart Reader afterward, but to Adobe's credit, it promptly re-displayed the documents I'd been working on.

If I had one minor quibble with the whole update process, it would be that the updater kept bugging me to approve different things. I swear it must have prompted me to approve changes to the program at least a dozen times during the update.

According to Adobe, the latest version gets rid of a fairly serious security flaw. By convincing a target to download a specially crafted PDF document, attackers could "discover the existence of local files" -- i.e., read documents on the victim's computer. Adobe says that threat is minimized because the attacker would have to know the exact name and location of the files he was searching for to be able to leverage the security flaw.

Anyway, you can update using the automatic updater bundled with Adobe Reader, or visit Adobe's download site to install the fix manually. Adobe says it is working on a fix for Mac users. If any Mac users are concerned about this vulnerability, this page has instructions on how to disable JavaScript in Adobe Reader.

By the way, if you browse the Web using Mozilla's Firefox Web browser and have always had trouble loading PDF documents, you might consider following the advice here to fix the problem. Just scroll down to the question in the FAQ that reads "Why do Adobe pdf files load slowly in Windows?" For the longest time I put off researching a tweak for this problem. Mozilla says it's because Adobe Reader for Windows loads lots of unused plugins on startup.

By Brian Krebs  |  June 20, 2005; 11:59 AM ET
Categories:  New Patches  

Comments

Posted by: Anonymous | June 20, 2005 1:53 PM

Hello! Would you please make it possible to e-mail your page, as it is possible to do for most pages of the Post's online edition? I often read things in it that I wish to share with others, and for some reason, there is no easy way to do this. I have e-mailed the Post twice with the same suggestion to no avail. Your column is full of useful information, and the most responsible thing to do with it is to disseminate it as widely as possible. Many thanks for a great column!

Posted by: Agathon | June 21, 2005 1:29 AM

If you're trying to email the link to others, just copy-and-paste the link into your email. Even better, try this bookmarklet:

If you're trying to send the entire body in the email, I think you're missing the point. This is a blog. You're supposed to visit the page and view it in context as a living, breathing document -- not disseminate dated material. What happens if Mr. Krebs inadvertently makes a mistake? Well, he adds a comment on the main page. But if the original mistake got sent in your email, it will forever remain in their inboxes, doomed to a life of irrelevance.

That is the power of a blog -- it's a community effort. Point your friends to the link and let them interact with it.

Posted by: Ruben | June 21, 2005 11:15 AM

Apparently even links aren't allowed here. Just Google for "mailto bookmarklet" and you'll find one on dwelle.org.

Posted by: Ruben | June 21, 2005 11:17 AM

"Adobe says that threat is minimized because the attacker would have to know the exact name and location of the files he was searching for to be able to leverage the security flaw."
I don't see how this would be taken lightly... the whole concept of phishing is based on this. I would guess if you looked in the "My Documents" folder for a password.doc file on every Windows computer out there, you'd get enough to keep yourself quite busy as a hacker...

Posted by: D. Taylor | June 21, 2005 1:35 PM

Hi! I would also like the idea if I could email your page to share with my friends. Could you please make this possible? I enjoy your columns very much.
THANK YOU THANK YOU for your great columns!

Posted by: Flo | June 21, 2005 2:47 PM

If there's a major quibble I have with Acrobat, it's what you mentioned: that so many unnecessary plug-ins get loaded before your document comes up.
Why the heck can't a PDF doc have a little embedded data which allows Acrobat to only open up the plugins it needs for that particular document?

Posted by: Marcus | June 22, 2005 7:58 PM

patches

Posted by: patches | July 9, 2005 1:43 PM

The comments to this entry are closed.

© 2010 The Washington Post Company