Adobe Warns of Potential Reader Flaw

Adobe Systems Inc. is warning about a potential new security flaw in the latest versions of its Adobe Reader products.

Update, Apr. 29, 8:17 a.m. ET: Adobe has confirmed that this affects all currently supported, shipping versions of Adobe Reader (9.1, 8.1.4, and 7.1.1 and earlier versions) for Windows, Mac and Linux. Adobe recommends disabling JavaScript in Reader until it can ship a patch.

Original post:

In its product security incident response team blog, Adobe issued a brief advisory on Monday, saying it is investigating reports of a security hole in Adobe Reader 9.1 and 8.1.4. The company says it will provide an update once it gets more information.

The SecurityFocus entry for this vulnerability describes it as a JavaScript flaw in the Linux builds of Reader, though the same advisory notes that other versions and operating systems may also be affected.

This may turn out to be nothing, but my gut tells me that we may soon be rehashing an incident from February, when attackers were discovered to be using a previously unknown Adobe Reader vulnerability, delivered through JavaScript embedded in PDF files, to break into machines running the software.

This also reminds me of a question I received in my most recent Security Fix Live Online last Friday:

Denver CO: Because of the recent vulnerabilities discovered in Adobe Reader a lot of tech folks are moving their staff to alternative PDF readers. Do you think using adobe reader and/or adobe acrobat is no longer a good idea?

Brian Krebs: I think diversity is a good thing, especially in computer software and operating systems. Given equal or better alternatives, using a software package that is not the clear market leader is often a smart move from a security perspective.

For some time now, I have recommended the free Foxit Reader over Adobe's PDF reader, which I find bloated and slow. The potential security benefits are an added bonus.

Foxit (which, like Adobe's Reader, now comes bundled with a toolbar that you may want to opt out of installing) is not the only option: Sumatra PDF and PDF-XChange Viewer are also free.

Adobe hasn't offered any mitigation tips yet, probably because it is still checking this out. One option is to disable JavaScript in Reader (click "Edit," "Preferences," "JavaScript," and uncheck the box next to "Enable Acrobat JavaScript"). Bear in mind that this may not fully blunt the threat from this bug: if the flaw turns out to be reachable without JavaScript, a malicious PDF can still trigger it. What's more, disabling JavaScript in Reader can cause annoying behavior in the program, particularly with interactive forms.
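Before deciding whether a particular PDF is safe to open with JavaScript enabled, it helps to check whether the file carries any JavaScript at all. The script below is an added example written for this post; it is not code from the original article or from Adobe. It builds a constructed sample PDF (a hand-made test file, not a real exploit) in which the document's /OpenAction points at a JavaScript action hidden in a Flate-compressed object stream under a hex-escaped name, and then scans for the name tokens that mark JavaScript and auto-run actions. The function names `build_sample_pdf`, `scan_pdf` and `is_suspicious` are this example's own.

```python
"""Scan a PDF for JavaScript and the auto-run triggers that usually deliver it.

Added example for this post; not code from the original article or from Adobe.
"""
import re
import zlib

# Name tokens that mark JavaScript, or actions that fire without a click.
SUSPICIOUS_NAMES = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch")

# A PDF name token: '/' followed by regular (non-delimiter) characters.
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# Hex escape inside a name: /Java#53cript is the same name as /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Body of a stream object (the lookbehind keeps 'endstream' from matching).
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens so keyword matching cannot be
    dodged by writing /J#53 or /Java#53cript instead of /JS or /JavaScript."""
    def unescape(m):
        return _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return _NAME.sub(unescape, data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated bodies of all streams, Flate-decoded where
    possible. Exploit PDFs routinely hide the JavaScript object inside a
    compressed object stream so that the plain file never shows '/JS'."""
    bodies = []
    for m in _STREAM.finditer(data):
        body = m.group(1)
        try:
            # decompressobj tolerates a stream cut short by one byte, which the
            # '\r?' in _STREAM can cause when compressed data ends in 0x0d.
            inflated = zlib.decompressobj().decompress(body)
            bodies.append(inflated if inflated else body)
        except zlib.error:
            bodies.append(body)  # not Flate-encoded (or corrupt): keep raw
    return b"\n".join(bodies)


def scan_pdf(data: bytes) -> dict:
    """Count each suspicious name in the file body and inside its streams."""
    outside = _STREAM.sub(b"stream\nendstream", data)  # drop raw stream bytes
    text = normalize_names(outside) + b"\n" + normalize_names(inflate_streams(data))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /JS does not match /JSX.
        pattern = re.escape(name) + rb"(?![^\s/\[\]<>(){}%])"
        counts[name.decode()] = len(re.findall(pattern, text))
    return counts


def is_suspicious(data: bytes) -> bool:
    """Any JavaScript at all is worth a second look; JavaScript reached from
    an automatic trigger (/OpenAction, /AA) is the pattern exploits use."""
    c = scan_pdf(data)
    return c["/JS"] + c["/JavaScript"] > 0


def build_sample_pdf(with_js: bool = True) -> bytes:
    """Constructed test input, not a real malicious document. With with_js=True
    the catalog's /OpenAction points at a JavaScript action stored inside a
    Flate-compressed object stream under a hex-escaped name. The xref table is
    omitted; a viewer would rebuild it and the scanner does not need it."""
    parts = [b"%PDF-1.5"]
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if with_js:
        catalog += b" /OpenAction 4 0 R"
    parts.append(b"1 0 obj\n" + catalog + b" >>\nendobj")
    parts.append(b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj")
    parts.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj")
    if with_js:
        # Object stream holding object 4: "4 0" is the (number, offset) pair
        # and /First 4 says the object dictionaries begin at byte 4.
        objstm = b"4 0 << /S /Java#53cript /JS (app.alert(1)) >>"
        packed = zlib.compress(objstm)
        parts.append(b"5 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode"
                     b" /Length " + str(len(packed)).encode() + b" >>\nstream\n"
                     + packed + b"\nendstream\nendobj")
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    return b"\n".join(parts)


if __name__ == "__main__":
    for label, pdf in (("sample with JavaScript", build_sample_pdf(True)),
                       ("sample without JavaScript", build_sample_pdf(False))):
        print(label, scan_pdf(pdf), "suspicious" if is_suspicious(pdf) else "clean")
```

Two caveats apply. The scanner only decodes FlateDecode; a file that uses LZWDecode, ASCIIHexDecode or encryption to wrap the object would have to be unwrapped first. And a clean result says nothing about flaws that are reachable without JavaScript at all, which is exactly why disabling JavaScript is a mitigation rather than a fix.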

By Brian Krebs  |  April 28, 2009; 10:30 AM ET
Categories: Latest Warnings, Safety Tips | Tags: 0day, adobe reader, javascript


I don't know anybody in the Linux community who wastes his or her time installing that bloated piece of crap anyway. The document viewer that comes with just about every Linux distro can read PDFs just fine.

Posted by: johnupnorth | April 28, 2009 12:13 PM

I use SumatraPDF at work, where XP is my OS on a computer with 512 MB of RAM. SumatraPDF runs so much better than Adobe's PDF Reader.

Posted by: jo-ker | April 28, 2009 7:28 PM

It seems that every month Adobe is notified that it has a security issue in its PDF reader. I switched years ago to an alternative PDF reader. Can someone explain to me why, other than for business reasons, one should use Adobe's PDF reader?

Does the average Joe or Jane really need to use this software if security flaws are this prominent?

Posted by: minotisok | April 29, 2009 12:01 PM

PDF is an electronic document standard, not just a proprietary format. Microsoft Office 2007 supports PDF publication. The security problems affect the file format, not simply the Adobe software. Actually, as far as security patches are concerned, you might be better off with Adobe.

The security hole (actually, six; do your homework, Brian -- Adobe owned up to the others only in the fine print of the press release that accompanied the patch) was first thought to involve JavaScript but turned out to run independently of JavaScript.

It would have been helpful if the article mentioned whether the problem involved the PDF file format, Adobe Reader alone, or Reader and Acrobat. A lot more helpful than Brian's personal software prejudices (large organizations are no more likely to run Foxit over Adobe than they are to run Google apps over MS Office).

Posted by: gbooksdc | April 30, 2009 8:51 PM

Gbooksdc -- You say there are six vulnerabilities here? Are you referring to this vulnerability or the one from Feb?

I mention the Javascript mitigation because it's the best advice there is, save for not running Adobe. In fact, that's the advice Adobe is now giving its customers who are concerned about this. Should people not take that advice, based upon the idea that it might not be helpful 100 percent of the time?

Also, your statement that large organizations are unlikely to run Foxit just proves the point I was making in the blog. I've recommended Foxit over Adobe mainly because I find Adobe to be bloated, but one bonus from a security perspective is that Foxit has a much smaller market share than Adobe, which could also make it far less of a target.

Posted by: BTKrebs | May 1, 2009 12:27 AM

@gbooksdc - while PDF is a standard, you are dead wrong about these vulnerabilities being innate to PDF. These vulnerabilities are in Adobe's parsing and implementation of the standard, not the standard itself. In this case the vulnerability was in all Adobe products that parse PDF documents, including Reader and Acrobat.

You're also right that one of the vulns did not require JavaScript; however, every exploit seen in the wild used it. With PDF exploits it is much easier to use JavaScript than not. Historically, over half of the vulns in Adobe products are in JavaScript components, so disabling it is a highly effective mitigation.

As for the preference of reader, you are no more or less secure using Adobe or any other reader. All of them must parse the PDF document and will have vulnerabilities that have yet to be discovered. On one hand Adobe is a large vendor and more likely to produce a patch (albeit slowly) whereas the smaller vendors are more obscure and less likely to be attacked due to small user base.

Posted by: btkd | May 1, 2009 4:40 PM


© 2010 The Washington Post Company