Adobe Fixes Reader, Acrobat Vulnerabilities

Adobe is offering a software update to fix a security flaw in its Adobe Acrobat and Adobe Reader products -- the latter being free software that many people use to view PDF documents.

The update, which brings both Adobe Reader and Acrobat to version 8.1.1, fixes a vulnerability that is only a threat to Microsoft Windows XP and Windows Server 2003 users who have Internet Explorer 7 installed. Adobe says the flaw also exists in version 7.0.9 of Adobe Acrobat and Adobe Reader, but that a fix for that version will be released in a separate update.

There has been a great deal of back-and-forth in the tech media over whether Microsoft is really to blame for this and related problems with other third-party software. At any rate, Microsoft has since acknowledged that there may be an issue it needs to address, saying it may soon issue an update to fix a problem on its end.

Incidentally, I long ago removed Adobe from the Windows PCs I use. I simply grew tired of having to update the programs constantly, and of waiting forever for PDF documents to open or close. I've switched over to the free Foxit Reader, which seems to do all the same stuff Adobe Reader did, but is far faster and appears to hog fewer PC resources.

Update, 4:08 PM ET: According to the SANS Internet Storm Center and other security outlets, spam e-mails are now being blasted out containing PDF attachments that take advantage of this vulnerability to install malicious programs that steal personal and financial data from infected PCs. Once again, it appears the malicious files are being downloaded from at least two different Internet addresses belonging to the Russian Business Network, a shadowy service provider that we recently examined in a Washington Post story and in several blog posts.

By Brian Krebs  |  October 23, 2007; 9:44 AM ET
Categories:  New Patches  

Comments

I have vers 8.1.0 installed. I downloaded vers 8.1.1 updater and double clicked on it per Adobe instructions. I got a message "Windows cannot open this file". I am using a Limited XP account with Firefox but IE7 is installed.

Posted by: Patton | October 23, 2007 10:21 AM | Report abuse

I absolutely second the use of Foxit. It loads in a third of the time, and has worked perfectly in all my applications.

@Patton
Try executing the updater by right clicking and selecting "Run as," then selecting an account with admin privileges. You will need the password (assuming the account has one, as it should). Since installers muck around in the Windows registry, they usually need admin privileges to work properly.

Posted by: Tjohn | October 23, 2007 10:40 AM | Report abuse

"I've switched over to the free Foxit Reader, which seems to do all the same stuff Adobe Reader did, but is far faster and appears to hog fewer PC resources."

Absolutely, Brian.

Adobe Reader is shameful bloatware. Preview on the Mac is a fraction of the size and far faster. And on a PC, Foxit puts Adobe to shame.

However, I have got a machine that I had put Adobe Reader 8 on. I ran update from within it, and it *didn't* update to the patched version (8.1.1) but it *did* -- without asking -- automatically download a load of language packs I didn't want in languages I don't speak and can't read.

I found and uninstalled "Spelling Support for adobe" in Add/Remove programs -- which I guess is these unwanted language packs Adobe forced on me. I then had to download Reader 8.1.1 manually from Adobe's site, since the update appears to be there not to work properly but to annoy me with extras I don't need or want.

Bloatware, egregious bloatware.

More fool me for not putting Foxit on that machine. I'll probably uninstall Reader 8.1.1 later and put Foxit on, but I bet Reader leaves a load of trash in the Windows Registry if I do uninstall it.

Posted by: Mike | October 23, 2007 12:03 PM | Report abuse

Brian, I've been thinking of dropping Adobe reader recently, so it's timely for me that you mention Foxit, as I knew there were other programs out there that do the job, but I wasn't sure which might be best.

The other thing about this though that has made me hesitate, is that even if I use a different pdf reader, won't it likely also be vulnerable to the same or similar security vulnerabilities as Adobe's? And if that's the case, how likely is it for something like Foxit to provide a timely fix for a security issue that pops up?

Then too, if they do, will you note it (since you're where I find out most of my info about security issues) or how will I find out about it in a timely fashion, when it's not a known name brand product that isn't reviewed or referenced as much in the media. This seems to me is also an issue with any other of the free or lesser known software out there that replaces well known brands. For instance I want to use something else to replace Quicktime and Real Player to read those files, but what's out there that can be trusted to fix their flaws in a timely manner and such that I can find out about it to update it in a timely manner too? Any input from others out there on this idea would be appreciated too. Thanks

Posted by: M in CT | October 23, 2007 12:09 PM | Report abuse

M in CT> even if I use a different pdf reader, won't it likely also be vulnerable to the same or similar security vulnerabilities as Adobe's?

Though another reader may have vulnerabilities, it's very unlikely they will be the same as the ones in Adobe Reader. The codebases are entirely different. In addition, Adobe's contains a lot more code, which means a lot more opportunity for error, and history shows that Adobe doesn't pass over such opportunities.

M in CT> I want to use something else to replace Quicktime and Real Player

Real Player does nothing unique other than Real format, and that's completely unnecessary since pretty much everyone who offers Real offers something else as well. (Those who don't are idiots and can be safely ignored.)

The only thing I've needed QuickTime for in the last year was to watch the Iron Man trailer, and, though it's a good trailer, I would have lived if I hadn't seen it. Unfortunately, I have to use iTunes, which means I have to use QuickTime. This especially sucks because QuickTime offers no option to set the output audio device (other than the system default), and I have multiple sound cards. Even WinAmp is superior on that count.

Try life without QuickTime for a few weeks (unless you are using iTunes), and see if you really need it.

M in CT> such that I can find out about it to update it in a timely manner too?

In this day and age, any product that doesn't provide an automatic update notification feature is a product you simply shouldn't use. If they can't get that much right, they can't get security right.

Posted by: antibozo | October 23, 2007 12:28 PM | Report abuse

Same message as Patton.

Posted by: brucerealtor | October 23, 2007 1:03 PM | Report abuse

Just a quick heads-up in case others are seeing this....

There seems to be a software conflict of some description between the automatic update feature of Adobe Reader and Sunbelt Software's personal firewall. The firewall seems to block the update mechanism from working and causes adobeupdater.exe to consume 100% of the CPU with no way of killing that process. I had renamed adobeupdater.exe when I experienced this before...but the latest update caused the problem to return.

You'll find that file at C:\program files\common files\adobe\updater5.

No doubt Adobe & Sunbelt are still pointing the finger at one another as this issue seems to have been around for a while now.

I too would love to ditch Adobe Reader but some web sites (e.g. the online forms at my health insurer) will work with nothing else....which kind of sucks. ;-((

cheers

Nick

Posted by: Nick | October 23, 2007 3:09 PM | Report abuse

PopFly+Silverlight makes Flash Obsolete!
At the web 2.0 thingy we gave a preview of "Microsoft Online Composition Media Aggregation Layout Toolset", at the time I wasn't exactly 100% so I couldn't remember the name, so I just told them it was named PopFly. I don't know what made me say that name, but it has gone over well.
So, PopFly! PopFly! PopFly!
Adobe has been an annoyance to me for years, we have tried everything we could to dislodge them but they just keep cranking out good products. We even tried a few sabotage .dll's, but they always figure it out in no time at all and issue a patch.
But I think we now have the right Combination, PopFly and Silverlight. Here's my plan:

Those companies who will not adopt these technologies will be "downlisted" at MS.
IE8 will require its installation.
The booby-trap .dll's will come out weekly.
Adobe will be marginalized!

It's a beautiful day at Microsoft!

Posted by: Steve Ballmer | October 24, 2007 12:16 AM | Report abuse

Again with the fake Steve Ballmer nonsense. The posting policy clearly states, "Additionally, entries that are unsigned or contain 'signatures' by someone other than the actual author will be removed." Unless Steve Ballmer is really your name, kindly refrain from this misrepresentation.

Posted by: aeschylus | October 24, 2007 12:30 AM | Report abuse

Since we're on the topic of security updates, did I miss it, or have you commented on the latest Firefox 2.0.0.8 update?

Posted by: David | October 24, 2007 9:28 AM | Report abuse

I was wondering about the latest Firefox update too. It came up on its own (automatic download) and seems to have put right the problems brought about by the previous update.

Posted by: Sarah | October 24, 2007 3:02 PM | Report abuse

I am with the Foxit group, works faster than Adobe although my system is reasonable at 2G DDR2 big and frequent PDF's are a breeze with Foxit.

Hadn't noticed any problems like Sarah has.

Like most things what they don't tell you that they have stopped supporting older hardware eg anything older than three years and it is on its own. If it works it works if it doesn't there is nothing wrong must be your system. Most of this comes from the MS end. I rectified a lot of this by switching browser and the move to Foxit occurred at the same time so maybe it was just coincidence. But I am not returning to the old mix to test that theory. "It ain't broke"

Posted by: anechidna | October 24, 2007 4:43 PM | Report abuse

FYI...

Malicious PDF files being spammed out in volume
- http://www.f-secure.com/weblog/archives/00001303.html
October 26, 2007 - "Malicious PDF file (report.pdf or debt.2007.pdf or overdraft.2007.10.26.pdf or so) has been massively spammed through email during last hour and the spam run is still continuing. The PDF is spiced with CVE-2007-5020 exploit that downloads ms32.exe that downloads more components. At this point it's not clear yet what is the final payload of the malware, because of missing files in the download chain. We are investigating further... The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report
More information in our full description*.
More on the scope of the vulnerability from a ZDNet article**."

* http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml

** http://blogs.zdnet.com/security/?p=614

.

Posted by: J. Warren | October 26, 2007 1:52 PM | Report abuse

FOXIT?: I use it and like its speed and such. Until just recently I had nothing bad to say. Some things are changing with them, maybe starting with recent version 2.2? Brian, maybe take a look?

First, like others, they no longer seem to offer a purely free download. They point you to a pay version or to a "try our partner site's offerings and sign up for this or that to get our free reader" gibberish. That's marketing, their choice.

Second and serious, version 2.2 seemed nice but quickly I was surprised to find it launched Microsoft Internet Explorer, NOT my default browser, Firefox, when clicking on a link in the pdf. That's infuriating and unsafe.

I uninstalled Firefox and Foxit and reinstalled in varying order and resetting Firefox as my default browser, but couldn't get links in a pdf in Foxit to launch anything but MSIE. Firefox does correctly launch from bookmarks and from links in other non-pdf documents, etc., so I don't blame MSIE. (Using XP SP2 and Firefox 2.0.0.8, BTW)

I was unable to get the Foxit forum's search feature to work, but did browse into one post there where a user had my same complaint. The moderator replied he had not heard of the problem, but did suggest going to a third party site who kept old versions if the new one was causing a problem.

I installed version 2.1 and that older version worked for me. I'm trying now to find out if there's a security issue with using the older one or if it's just a features thing.

I also couldn't get the Foxit forum posting system to work for me in order to add a "me too," so maybe there are more of us with similar issues.

Bh

Posted by: Bh | October 28, 2007 3:18 PM | Report abuse

FOXIT?: I use it and like its speed and such. Until just recently I had nothing bad to say. Some things are changing with them, maybe starting with recent version 2.2? Brian, maybe take a look?

First, like some other vendors, they no longer seem to offer a purely free download on their site. The link in the article seems to point to a choice of a pay version link or to a "try our partner site's offerings and give your email address and sign up for this or that to get our free reader." That's marketing, their choice.

I do find a straightforward download via a third-party file hosting site, but not on Foxit's site.

Second and serious, version 2.2 seemed nice but quickly I was surprised to find that for me, it launched Microsoft Internet Explorer, NOT my default browser, Firefox, when clicking on a link in the pdf. That's infuriating and unsafe.

Although I uninstalled Firefox and Foxit and reinstalled in varying order and resetting Firefox as my default browser, I couldn't get links in a pdf in Foxit to launch anything but MSIE. Firefox does correctly launch from bookmarks and from links in other non-pdf documents, etc., so I don't blame MSIE. (Using XP SP2 and Firefox 2.0.0.8, BTW)

I was unable to get the Foxit forum's search feature to work, either, but did browse into one post there where a user posted on October 1 that had my same complaint, just a day or three after release. (http://www.foxitsoftware.com/bbs/showthread.php?t=6465 ; Oct 1, 2007 entry)

Someplace else there it mentioned that old versions are available via a third party site, Filehippo. I installed the previous version 2.1 (archived on FileHippo). The browser now works correctly again from within pdf's.

Bh

Posted by: bh | October 28, 2007 4:14 PM | Report abuse

Oops. This is to revise my "Bh" post of Oct 28:

I DO find an easy link on the Foxit site to the totally unencumbered Foxit Reader.

Right on the home page as "Downloads" and on the linked page Brian gave as "downloads."

I think at the time I was too freaked and stymied by the browser launching issue and the Foxit forum search, that when I used Brian's link, I got focused on the "Get It Free" button there, which I see now is for a different package, not the free reader. (I got my copy via an authorized 3rd party downloader web site, never visiting the Foxit site before.) My apologies to all, especially Foxit.

But... my main problem continues. The wrong browser (MSIE, not my default browser) still launches with the current Foxit free Reader 2.2.2129.


Posted by: Bh | October 29, 2007 3:13 PM | Report abuse

Hey Bh- I was browsing this latest news about Foxit. I am glad you replied to your previous post. Foxit is working on the browser issue.

Foxit Reader is not susceptible to this vulnerability in the above article.

Posted by: Erik B | October 31, 2007 2:36 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company