Comments on: Adobe, Make My Day Too….
http://www.welivesecurity.com/2010/06/30/adobe-make-my-day-too/
News, Views, and Insight from the ESET Security Community
Mon, 03 Feb 2014 08:49:00 +0000

By: Leo Davidson
http://www.welivesecurity.com/2010/06/30/adobe-make-my-day-too/#comment-2312
Thu, 01 Jul 2010 05:40:44 +0000

Adobe Reader's Javascript setting remained off for me after I installed the latest update and rebooted. I don't know why it would be different for me.
 
(I used its update checker, rather than downloading the installer, but that can't be the difference as Adobe still have the old 9.3.0 installer — missing multiple security updates and full of vulnerabilities — on their website. As usual, you can only get a fully-patched Adobe Reader by installing it and then *manually* updating it (and then rebooting an extra time). Adobe's attitude to security is shameful. They can't even be bothered updating a file on a website, and it's not like Adobe Reader verifies that it's up-to-date when you install it. Adobe are pathetic.)
 
Going back to Javascript in Adobe Reader: It shouldn't be off by default; it shouldn't even exist.
 
Same with Flash-in-PDF and video-in-PDF. (What are Adobe doing, looking for all the things famous for security flaws — PDF, Javascript, Flash, video — and combining them, unnaturally, into a single product nobody actually wants?)
 
PDF is a great format for storing pieces of paper but it perplexes me why anyone would put anything interactive into a PDF and I've yet to encounter anyone doing so (which supports the case that these security-risky features are esoteric and should not be enabled by default, if included at all). If you expect people to view a document on a computer screen, PDF is a stupid format to use. (Documents aimed at computer screens suffer from page breaks, headers, footers, stupid sized fonts, excessive margins, poor scrolling, zoom and selection mechanics… the list goes on.)
 
Oh well… At least Adobe are releasing security updates more frequently now. Much better than when their idea of a fast response was waiting three months. And at least they took the fix I made for their 64-bit preview handler and integrated it into their installer (albeit in a half-wrong way, and still not fixing the thumbnail support like I also did for them). They've definitely got some serious problems in their management and/or development teams, though.
