Adobe/JavaScript Vulnerability (again)

[pendragon]

Adobe Reader JavaScript Handling Remote Code Execution.

Affected: Adobe Acrobat Reader versions 9.1 and prior.
  

Description: Adobe Acrobat Reader is Adobe's viewer for the Portable Document Format (PDF). It contains a flaw in its handling of JavaScript scripts embedded in PDF documents. A specially crafted document containing a malicious script could exploit this vulnerability, and leverage it to execute arbitrary code with the privileges of the current user. PDF documents are often opened upon receipt without first prompting the user. A proof-of-concept for this vulnerability is publicly available and it is believed that this vulnerability is being exploited in the wild.

Status: Vendor confirmed, no updates available. Users are advised to disable JavaScript processing in PDF documents, if possible.

Following is a thumbnail that may help some in changing their Reader preferences.
[attachment=1362:Reader.jpg]

[kbeartx]

FWIW, I have not opened Acrobat in years, since it became clear to me that Apple's Preview did a fine job of opening, displaying, and resizing PDFs.

On another note, I have a problem with the report cited above:

"A proof-of-concept for this vulnerability is publicly available and it is believed that this vulnerability is being exploited in the wild."

Exactly who believes that this 'vulnerability' is being exploited?  

What evidence is there to support this assertion?

And if it wasn't being exploited before, it sure is now that you've published the thing!!!

IMO, 'reports' like this are scare-mongering at least, and reckless endangerment of all computer users at worst.

KB

[kimmer]

KB, it's not scare-mongering or reckless. This has been a known issue for a couple of months now and the news came from Adobe. They've just failed to properly fix the problem.

We originally discussed it here:

http://www.techsurvivors.net/forums/index....p;hl=Javascript

Adobe discusses this latest mess, here.

I don't want to   , but preview doesn't always handle PDF's nicely. Sometimes the fonts wind up too small and unreadable. Windows have to be resized. And other little annoyances. I also found that when I set my system to auto-open all PDF's in Preview, that meant that any doc I turned into a PDF became a Preview document. That's okay for another Mac user, but when sent to win users it creates an enormous amount of problems. Getting info and changing to "open with reader" failed to solve the problems better than 1/2 the time. So it's a matter of how you use Reader and PDF's as to what works.

[Xairbusdriver]

Strange, I've never had any problems having Windows users open a PDF from our Macs. And it shouldn't have anything to do with Preview, anyway, since it is only a reader, not a PDF writer. The PDF writing methods are part of the OS, that's why thay have been available in the Print dialog for so long. However, you might want to check that you don't have any of the Quartz filters enabled in the "Save As..." dialog. Of course, milage on the left-coast may vary...

Also, on a Windows machine (and even on some Macs, when reading Windows documents) the suffix is the only thing that determines what program will used to open a document. No matter what the file, if you change the suffix to ".pdf" the OS will attempt to open it with whatever app the OS thinks should handle them. Its then up to the app to figure out what to do with the file, if it's really a QuickTime movie, it probably will just give up and maybe tell the user they are crazy. In fact, some camera/video makers stick a unique suffix on their files to intentionally force users to use their own "proprietary" programs to view/edit them. In this case, they files are actually mpgs and simply changing the suffix enables any app that can handle that kind of video to work with them. Doesn't make sense why some developer would do that, but it illustrates my point.

So, when sending a file to a Windows user, make absolutely sure that the suffix is not only correct but visible before sending it. And also remember, while PDFs have been a standard in the rest of the world for a long time, Windows has only recently begun to accept that fact. I think XP was the first Windows OS that was even capable of saving a file as a PDF from the Print dialog, maybe it was not until Vista! Of course, there were Adobe apps on that platform that used PDFs, but it was not usually available for any other program. It just wasn't in the OS.

[kimmer]

QUOTE(Xairbusdriver @ May 3 2009, 11:18 AM) <{POST_SNAPBACK}>

Strange, I've never had any problems having Windows users open a PDF from our Macs.

I've had tons of problems. Quite often the recipient wasn't computer savvy, so that always adds to the problems. I can only tell you that by using Adobe Reader to open my PDF's, the system then saves all PDF's as Adobe Reader PDF's and no one has any problems. Your mileage obviously varies, and you may consider yourself fortunate.

QUOTE

However, you might want to check that you don't have any of the Quartz filters enabled in the "Save As..." dialog.

Program being used might cause the variation as I don't remember ever seeing any options when doing a "save as" to a PDF file.  

QUOTE

So, when sending a file to a Windows user, make absolutely sure that the suffix is not only correct but visible before sending it. And also remember, while PDFs have been a standard in the rest of the world for a long time, Windows has only recently begun to accept that fact.

I'm always as careful as I'm capable of being -- and that's not saying much.  I didn't switch to using PDF files for these projects until long after they were acceptable in the win world, so that's never been the issue. It's more likely the cheapskate ... erm ... person who is receiving the file. Can't explain that further - not in public at any rate.  

QUOTE

Of course, milage on the left-coast may vary...

I really don't think it's a coastal thing, I think it's all based on the phases of the moon.  

[Xairbusdriver]

That "Save As..." option is in Preview. And I also note that you are using Tiger. Maybe Apple improved this saving thing in Leopard. I seem to remember that PDF is now the standard printing/display method in Leopard.

Of course, you can always tell the OS to open any document in Reader rather than whatever else you might have been using. It sounds as if you are resending a document that is already a pdf back to a Windows user. Is that correct?

I'm not sure how simply telling the OS what app to use for viewing a pdf would have any effect on sending it back to someone. The settings for the OS and what app to use don't affect the document in question. Not sure if the icon even changes, but even if it does, it's just within your machine/OS. The file won't include the icon in any way that the Windows machine can see it. Windows tacks on whatever icon it would use based on the suffix. The Mac can include that icon, and lots of other info, but it would be in the resource fork which Windows has no idea what to do about. I suspect that your troublesome viewers are simply seeing that resource fork and are trying to use that, instead of the actual pdf.

If the above is the case, I think Mail (and maybe even archaic mail apps! ) has an option to send only "Windows-friendly" files, namely files without any resource fork. That way, Windows users don't have anything to look at except the principle document, whatever its type/kind/gender/flavor/etc.

OTOH, whatever works for you!

[kimmer]

QUOTE(Xairbusdriver @ May 3 2009, 06:14 PM) <{POST_SNAPBACK}>

That "Save As..." option is in Preview.

Okay. I've never used Preview to "save as"; and yes the PDF filter option is there and for filters it defaults to NONE. So I'm good there.  Thanks for learning me something new.

QUOTE

It sounds as if you are resending a document that is already a pdf back to a Windows user. Is that correct?

No. These are docs that I've created in Marine Write, AppleWorks, and/or NeoOffice. They usually involve text and photos.

QUOTE

I'm not sure how simply telling the OS what app to use for viewing a pdf would have any effect on sending it back to someone. The settings for the OS and what app to use don't affect the document in question. Not sure if the icon even changes, but even if it does, it's just within your machine/OS.

I'm not sure either, I can only tell you that it matters. The icon does change, btw. It shows a Preview icon if you have it set to always be viewed that way and the Adobe icon if set that way.

Saving a file as a PDF when my system defaults to open them in Preview means that the doc I've saved has the Preview icon on it. If I get info and change it to always open this one doc with Adobe, the icon changes to the Adobe icon and on my machine it opens in AdobeReader. When shared (either by emailing or putting it up on our site and letting them download it) with a win user, 99% of these cheapskates ... OOPS, there I go again .... ... 99% of these fine folks write me ASAP and complain that they are unable to open the doc. If I change my system settings to always open PDF's with Reader, and then go back and resave the file as a PDF, they can always open the file with no probs.

QUOTE

OTOH, whatever works for you!

It's really what works for the cheapskates.

[Xairbusdriver]

OK, just leave Acrobat Reader as the default. But I still don't think that is the problem. I'm just suborn that way. Please don't confuse me with so-called facts!

Now, I see that you answered/addressed every question I asked except the one about actually sending the file to your cheapskatesfriends. I don't think you are using Mail, but it does have a specific place to make sure any files sent are Windows "friendly." I think that mainly means it will be a flat, one piece data file with the appropriate suffix. I seem to remember that Eudora had the same setting buried deep in its seemingly endless preference list. It won't hurt to check that that preference is set 'correctly' if you intend to keep these cheapskatesfriends friendship.

BTW, in Mail, the setting is Edit->Attachments->Always Send Windows Friendly Attachments. Of course, that is a somewhat more recent application and will take some happy and fun changes in one's ancient habit patterns.

[kimmer]

QUOTE(Xairbusdriver @ May 4 2009, 09:11 AM) <{POST_SNAPBACK}>

OK, just leave Acrobat Reader as the default. But I still don't think that is the problem. I'm just suborn that way. Please don't confuse me with so-called facts!

I agree that might not be the problem, but it seems to solve the problem.  I'd never confuddle you with facts.

QUOTE

Now, I see that you answered/addressed every question I asked except the one about actually sending the file to your cheapskatesfriends.

I use Eudora, and it does have the setting for making things win friendly and I have that set. I'll nevah give up Eudora. Not until it flat out stops working. Nothing compares. Nothing.

This ancient one has no intention of changing her habits/patterns.

[Xairbusdriver]

QUOTE

use Eudora, and it does have the setting for making things win friendly and I have that set. I'll nevah give up Eudora. Not until it flat out stops working.

While I agree that Eudora still reads and writes email just fine, do you think it is even remotely possible that, since your only known problem involves emailing a specific Mac file to a Windows user, AND that is a known problem that has to be addressed with user selected choices, AND that usually means a".plist" somewhere...that moving that plist, for just a few minutes, might, however implausible the idea might be, correct said problem?

Please answer with one sentence, preferably much shorter than mine! HINT: The answer does not have "T," "O" or "N" in it.

[kimmer]

QUOTE(Xairbusdriver @ May 4 2009, 03:14 PM) <{POST_SNAPBACK}>

QUOTE

use Eudora, and it does have the setting for making things win friendly and I have that set. I'll nevah give up Eudora. Not until it flat out stops working.

While I agree that Eudora still reads and writes email just fine, do you think it is even remotely possible that, since your only known problem involves emailing a specific Mac file to a Windows user, AND that is a known problem that has to be addressed with user selected choices, AND that usually means a".plist" somewhere...that moving that plist, for just a few minutes, might, however implausible the idea might be, correct said problem?

Please answer with one sentence, preferably much shorter than mine! HINT: The answer does not have "T," "O" or "N" in it.

Answer:  

Problem doesn't involve only emailing. Happens with those files if I put them up at our web site and let folks download the PDF.

[Xairbusdriver]

Sounds like you need to wipe the drive (I always use some Mr. Clean) and bake it at 350° for 45 minutes or until lightly brown (use a toothpick to test that it is done on the inside). Let it cool for an hour, then take it to the trash. Order a new computer and do a clean install.

You're welcome.