Malcreant's number one choice - Adobe.....
Hi forum friends,
Forget about Windows, Internet Explorer or QuickTime, cybercriminals exclusively aim at Adobe software, even to the surprise of av-experts. Some are now out on a crusade to convince home users and firm users about the dangers involved with using Adobe Reader and Flash Player. "Adobe should perform a lot better security wise".
Adobe some time ago announced it would clean up its act. So they made a start with introducing their own patch Tuesday and announced they would start safer programming. Because of an emergency patch Adobe had to break this freshly started patch cycle and the next patch date was postponed. We think Adobe is not on the right track with security. Until now Adobe only delivered hollow words."
The new MS
According to some av experts Adobe holds the same position now as MS did before XP SP2, that is now 5 years ago. "Whenever you hear what Adobe has to say, you reckon those people do not really get it." Security is not number one for software firms that aren't under direct attack. "But considering Adobe we know since 2007 that they lay under heavy attack and the situation became unmanageable during the previous 7 months, it is really out of their hands."
A new generation of exploit tools is not so much concerned with exploits for Windows or IE. "They only go for PDF and Flash now." Something that makes us wonder. "It shows they are not even considering other exploits." The problem is also caused by Adobe being a monoculture. 80% of internet users use a broken version of Flash or PDF while online.
Features
The Flash and Adobe updater should check for daily updates, which is not the case now. We think that should be so for all browser plugins and Internet programs. Firefox is already doing this for Adobe. The open source browser warns users if a vulnerable version is being found. Working the browser with NoScript and FlashGot extensions is secure.
Where security is concerned Adobe does not see all this as a first priority issue. Their first priority seems to lie with adding new features. Like adding DRM to Flash Player, and we think that could also be an interesting feature for malcreants. In the past the DRM-function of Windows Media Player has been abused many times. The Adobe implementation is not known yet, but it could complicate the work of the av analysts big time.
First things first
Is Adobe commercially interested in the security of their software or does it act like Microsoft in the past, and MS made a full and complete turn on that attitude? Then there is lack of competition. Foxit reader is around, but only will become targeted if it has a larger market share. For Flash there is no competition. "This could be a problem."
Most exploits are directed at Adobe Reader. Attackers use various exploits at once, making it easier for av vendors to react. If one of four exploits is flagged, the attack is stopped in its tracks and disconnecting will prevent an infection vector to hit home." Most exploits are hidden inside Adobe's implementation of JavaScript (so that is why we advise to use NoScript inside the Firefox or Flock browser). "Then there is the difference between PDF standards and what Adobe really does, reminding us of MS in that respect." Standards are agreed to on paper but actual adaptations differ. Like the way HTML and executables load inside IE. Also Adobe Reader is bending these rules, so certain things can still be read by the proggie.
Marketleader
Because of all these problems one should expect a good communication between Adobe and av vendors, but that is not the case. It is hard to communicate with Adobe. This because of a number of zero-days that Adobe wished to hush up on earlier this year, it seems advisable for users and firms alike to start looking for alternatives. The ideal situation would be that everybody uses another alternative - larger platforms means more exploits. Another attitude can work a change - IE8 has shown that - the browser seems more secure now compared with the situation of IE7. But with PDF and what the marketleader offers there, you better stay away,
luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Iron/3.0.197.0 Safari/532.0
Re: Malcreant's number one choice - Adobe.....
Quote: Flash there is no competition.
MS & Silverlight might want to take issue with that. Though I have never seen nor touched the latter.
Quote: Most exploits are hidden inside in Adobe's implementation of JavaScript (so that is why we advise to use NoScript
Though NoScript is not going to have any effect on JavaScript code executing in the realm of the Adobe Reader plugin. You need to (should) disable JavaScript in the Reader itself too.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4pre) Gecko/20090903 SeaMonkey/2.0b2
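An added example, not part of any post in this thread: since the reader's own JavaScript engine is what runs script embedded in a PDF, one defensive triage step is to flag documents that carry script or auto-run actions before they are opened. The function names and the two sample byte strings below are constructed for illustration.

```python
import re

# PDF name tokens that mark embedded script or automatically triggered actions.
INDICATORS = ("/JavaScript", "/JS", "/OpenAction", "/AA")

# A PDF name is "/" followed by characters that are not whitespace or delimiters.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes in a name, so /J#61vaScript reads as /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count indicator names in raw PDF bytes.

    Limitation: names inside compressed object streams are not visible
    without inflating them, so a zero count is not proof of absence.
    """
    counts = {name: 0 for name in INDICATORS}
    obfuscated = 0
    for match in _NAME.finditer(data):
        raw = match.group(0)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:  # the name was written with hex escapes
                obfuscated += 1
    has_script = counts["/JavaScript"] + counts["/JS"] > 0
    return {"counts": counts, "obfuscated": obfuscated, "has_script": has_script}


# Constructed samples (not real documents).
SAMPLE_SCRIPTED = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert\\('hello'\\);) >> endobj\n"
)
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_SCRIPTED))
    print(scan_pdf(SAMPLE_PLAIN))
```

A hit means the file deserves a closer look or should be opened only in a viewer with JavaScript disabled; it does not by itself mean the file is malicious.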
Re: Malcreant's number one choice - Adobe.....
I use Foxit Reader v2.0, which *has no* Javascript support, and hence, no vulnerabilities. It is also two full orders of magnitude smaller than Adobe Reader (3.69 Mb vs. 367 MB). It opens pdf's just fine. I can't imagine why anyone would use Adobe's bloated, overloaded, feature-creeping, security-vulnerable garbage.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: Malcreant's number one choice - Adobe.....
Just to point out ...
Foxit 2.0 is outdated (not that there is anything necessarily wrong with that)
Current version is 3.1
JavaScript is not included with the default program download
Though if it were required, you would be prompted to download a separate JavaScript component
So, some 2.0 users could in fact have JavaScript enabled in their versions
(the associated files are named; js.dll & Foxit_JS_ExObjects.dll)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090825 SeaMonkey/1.1.18
Re: Malcreant's number one choice - Adobe.....
therube wrote: Foxit 2.0 is outdated (not that there is anything necessarily wrong with that)
Actually, many times it's better, as feature-creep, bloat, and bullet-point marketing supersede safety and ease of use.
I was aware that it is not the most current. But it comes without JS support by default, which is why I recommend it.
Of course, if someone is going to d/l the js support module, they might as well get the latest version. I just can't imagine any possible reason that I would want js running in my pdfs, esp. given that as luntrus pointed out, it's a *huge* attack target now.
FWIW, I have been able to use almost all user-entry pdf forms (where it's a blank that the user can fill in, like the US Income Tax forms), without using or allowing javascript, despite what the document or the pop-up window might say.
If I came across one where it wouldn't work, I'd rather print it out and fill it in manually than run the risks described by luntrus. IMHO. YMMV.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: Malcreant's number one choice - Adobe.....
Quote: I was aware that it is not the most current
That's why I ... Just to point out ... as others may not be, & may download version 3.1 thinking that they've gotten a 2.0 without JavaScript ...

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4pre) Gecko/20090925 SeaMonkey/2.0pre
Re: Malcreant's number one choice - Adobe.....
OK, now I gotcha. Thought you were chiding me for not being current.
The "outdated" hooked me. I confuse very easily, so I guess if it were just pointed out that the current version is 3.1, and that you must deliberately obtain 2.0, my feeble mind would have gotten the message the first time.
You're right, I should have made the point in the first post that you must seek v2.0. Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Re: Malcreant's number one choice - Adobe.....
Not to worry, I run plenty of OLD software.
Things like (Microsoft) Multiplan - under Xenix (UNIX) originally
MS Word you say? Like you've never heard of Vim.
(Though I'm soon to ditch, or at least relegate to 2nd browser, SeaMonkey 1, once I get my office computer switched to SeaMonkey 2.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4pre) Gecko/20090925 SeaMonkey/2.0pre
Re: Malcreant's number one choice - Adobe.....
therube wrote: MS Word you say?
Who, me? I never said MS Word. When have I ever said MS Word?
Been using Open Office for years. I bought my puter in 2005, OEM-preloaded Windows with the "free trial" of Word, and I've never activated it. (Actually, I've deleted it, which is a long and painful process, since "mysteriously", MS won't let you remove Office with Add/Remove Programs.) Why should I pay them $400.00 when OO is free, and 1/3 the size, as it comes?
OO was trimmed further, from 280-300 Mb down to about 90 Mb, or about 1/10 the footprint of Word.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: Malcreant's number one choice - Adobe.....
Most likely by posing the question in an Adobe related forum, http://forums.adobe.com/index.jspa.
---
Since we're here, Adobe Reader 9.2 has been released.
Security Updates Available for Adobe Reader and Acrobat
"Critical vulnerabilities have been identified in Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. This update represents the second quarterly security update for Adobe Reader and Acrobat. ..."
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5pre) Gecko/20091023 SeaMonkey/2.0.1pre
Re: Malcreant's number one choice - Adobe.....
therube wrote: Most likely by posing the question in an Adobe related forum, http://forums.adobe.com/index.jspa.
You replied to spam. It's gone to Asgard now.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Re: Malcreant's number one choice - Adobe.....
(Figured as much, but since the thread was bumped, also figured I'd update to inform of the Acrobat update.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091017 SeaMonkey/2.0