

Zero-Day vulnerability in Adobe Reader - nkhumphreys
http://www.h-online.com/security/news/item/Zero-day-vulnerability-in-Adobe-Reader-1803029.html

======
UnoriginalGuy
Use Chrome (PDF reader built in) and turn on Click-To-Play for all plugins
(e.g. Flash, Java) then add YouTube to your white-list.

Settings->Show Advanced Settings->Content Settings->Plug-Ins->Click to play

Then:

Settings->Show Advanced Settings->Content Settings->Plug-Ins->Manage
Exceptions->[*.]youtube.com->Allow->Ok

You're now fairly safe from MOST drive-by attacks. Except those that impact
Chrome directly.

------
NelsonMinar
After years of consistent security flaws in Flash and Reader, why does anyone
allow Adobe software to accept untrusted input from the Internet?

~~~
saurik
Because most alternative PDF renderers have been worse? Charlie Miller did an
analysis once, fuzzing various engines, and Adobe's actually came out on top.
(Combine this then with personal experience tangentially gained during
JailbreakMe 2.0 and 3.0, and I now refuse to allow Apple's PDF renderer to
ever open a file on my system, and always make certain to have Adobe Reader
installed on my Macs.)

~~~
FreakLegion
There's a difference between theoretical and practical security, though. On
Windows everyone targets Adobe's products, because everyone uses them, thus
they present the biggest attack surface. So while e.g. Acrobat may be more
secure in theory, in practice it's the least secure of all.

If OS X ships with a built-in PDF viewer then it probably presents the bigger
attack surface, thus could be less secure than Adobe's products in that case.
But as an individual (non-enterprise) user, statistically you'd still be
better off with some niche third-party offering.

~~~
saurik
Most of the "niche" renderers use the same codebase (or at best only rely on
large common libraries like FreeType); the JailbreakMe 2/3 exploits, for
example, were able to affect almost all of them (its payload simply assumed it
was trapped in MobileSafari and wanted root on an iPhone, but on systems
without codesign I believe it could have affected just about everyone fairly
generally). The thing that Adobe has going for it is that when there is a bug,
they tend to fix it, they fix it correctly (JailbreakMe 3 shouldn't have been
possible), and the fix is pushed quickly to users via automatic update
prompts.

------
jordan_clark
If you were an enterprising hacker with a lot of time on his/her hands, I
imagine Adobe Reader and Flash Player would be a great place to focus on for
selling software exploits to the US Government. I hear they are paying nicely
these days for verifiable not-yet-released in the wild exploits.

~~~
gyardley
The US government would have to pay each independent discoverer of the not-
yet-released exploit, no? If they said 'no thanks, we've already got that
one,' the second discoverer could just turn around and disclose it, making the
original purchase a lot less valuable.

What, besides their own sense of ethics, stops the original exploit discoverer
from selling the exploit to someone else, who will then resell it back to the
US government? That seems like a lot easier way to get more money from your
exploit than, say, developing contacts with a second government.

The only way I can think of for the US government to effectively prevent you
from reselling your exploits is to monitor your communications and finances
for anything shady - whenever the exploit is independently discovered, they
would have to do some research into your behavior to make sure it was
_actually_ independently discovered. Hell, why wouldn't they do this
monitoring all along to make sure you're not trying to sell it to a foreign
government?

I'm probably just paranoid, but being one of the few people who know something
the US government would like to keep a secret doesn't sound like a good
position to be in. I'd want to be _rather_ well paid.

~~~
kanzure
How exactly do you sell a vulnerability to the US Federal Government?

~~~
m0nastic
You don't (for the most part). You'd actually sell it to one of about a dozen
small firms around the beltway who purchase vulnerabilities (who in turn
either license "exploit-packs" to the government, or who work on specific
tactical campaigns using said exploits).

------
sk5t
I recently switched to Evince - so far so good.

<http://projects.gnome.org/evince/>

~~~
pav3l
I am pretty happy with SumatraPDF on Windows. Orders of magnitude faster than
Reader too.

[http://blog.kowalczyk.info/software/sumatrapdf/free-pdf-
read...](http://blog.kowalczyk.info/software/sumatrapdf/free-pdf-reader.html)

------
VeejayRampay
Repost?

This is an attempt at dry humor. Or more accurately in this case, dark humor.

------
hbhanu
I wonder if there are more Pokemon, or zero-day vulnerabilities for Adobe
products... "Gotta catch 'em all!"

