<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Current events: Adobe Reader Vulnerability</title>
	<atom:link href="http://cubist.cs.washington.edu/Security/2009/02/20/current-events-adobe-reader-vulnerability/feed/" rel="self" type="application/rss+xml" />
	<link>http://cubist.cs.washington.edu/Security/2009/02/20/current-events-adobe-reader-vulnerability/</link>
	<description></description>
	<lastBuildDate>Mon, 25 May 2009 11:35:08 -0700</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: alexmeng</title>
		<link>http://cubist.cs.washington.edu/Security/2009/02/20/current-events-adobe-reader-vulnerability/comment-page-1/#comment-8138</link>
		<dc:creator>alexmeng</dc:creator>
		<pubDate>Fri, 13 Mar 2009 14:58:49 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=992#comment-8138</guid>
		<description>It&#039;s interesting that in Adobe&#039;s attempt to give more functionality to one of its products, Reader, it inadvertently exposed its users&#039; security on a level they didn&#039;t expect. I wonder during the drafting of the specification of this feature for Reader if security was a point of concern when adding it. Potentially, if they did, they could have anticipated this occurring and done some hardening to prevent this vulnerability from surfacing?

Overall, I believe this is a great example of illustrating the point that when integrating a new feature into a product, consider not only the functional aspect but also the security aspect as well. And all the other aspects needed when reviewing a new feature.</description>
		<content:encoded><![CDATA[<p>It&#8217;s interesting that in Adobe&#8217;s attempt to give more functionality to one of its products, Reader, it inadvertently exposed its users&#8217; security on a level they didn&#8217;t expect. I wonder during the drafting of the specification of this feature for Reader if security was a point of concern when adding it. Potentially, if they did, they could have anticipated this occurring and done some hardening to prevent this vulnerability from surfacing?</p>
<p>Overall, I believe this is a great example of illustrating the point that when integrating a new feature into a product, consider not only the functional aspect but also the security aspect as well. And all the other aspects needed when reviewing a new feature.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Michelle</title>
		<link>http://cubist.cs.washington.edu/Security/2009/02/20/current-events-adobe-reader-vulnerability/comment-page-1/#comment-7610</link>
		<dc:creator>Michelle</dc:creator>
		<pubDate>Sat, 28 Feb 2009 21:28:31 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=992#comment-7610</guid>
		<description>Wow, I had no idea that a virus could come through PDF, I always thought they were &quot;safe&quot; - I&#039;ll have to think twice next time I open a PDF file!</description>
		<content:encoded><![CDATA[<p>Wow, I had no idea that a virus could come through PDF, I always thought they were &#8220;safe&#8221; &#8211; I&#8217;ll have to think twice next time I open a PDF file!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Father_Of_1000000</title>
		<link>http://cubist.cs.washington.edu/Security/2009/02/20/current-events-adobe-reader-vulnerability/comment-page-1/#comment-7592</link>
		<dc:creator>Father_Of_1000000</dc:creator>
		<pubDate>Sat, 28 Feb 2009 08:26:48 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=992#comment-7592</guid>
		<description>I&#039;ve never thought an attack can happen with a PDF file. Looks like I shouldn&#039;t ignore the Adobe Reader updates in the future anymore. How Adobe Reader does the update seems really annoying -- it pops up after I boot up my computer. I would expect some kind of third party application (that&#039;s not even used very often) to only suggest updating when I actually use it.

Although I hear about all these email attacks and such, I&#039;ve never gotten or even seen one in real life. Maybe they go into my spam box through Gmail&#039;s filter.</description>
		<content:encoded><![CDATA[<p>I&#8217;ve never thought an attack can happen with a PDF file. Looks like I shouldn&#8217;t ignore the Adobe Reader updates in the future anymore. How Adobe Reader does the update seems really annoying &#8212; it pops up after I boot up my computer. I would expect some kind of third party application (that&#8217;s not even used very often) to only suggest updating when I actually use it.</p>
<p>Although I hear about all these email attacks and such, I&#8217;ve never gotten or even seen one in real life. Maybe they go into my spam box through Gmail&#8217;s filter.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: devynp</title>
		<link>http://cubist.cs.washington.edu/Security/2009/02/20/current-events-adobe-reader-vulnerability/comment-page-1/#comment-7576</link>
		<dc:creator>devynp</dc:creator>
		<pubDate>Sat, 28 Feb 2009 02:24:56 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=992#comment-7576</guid>
		<description>It looks like the bug only existed because of the JavaScript support in Adobe Reader. It is interesting that adding a new fancy feature, such as JavaScript, does not absolutely make the application better, but it also opens a new attack hole. Because of its JavaScript vulnerabilities, there may be more attackers who will be tempted to attack the JavaScript side of the Adobe Reader. Looks like Adobe needs to make a strong patch against more malicious attacks.</description>
		<content:encoded><![CDATA[<p>It looks like the bug only existed because of the JavaScript support in Adobe Reader. It is interesting that adding a new fancy feature, such as JavaScript, does not absolutely make the application better, but it also opens a new attack hole. Because of its JavaScript vulnerabilities, there may be more attackers who will be tempted to attack the JavaScript side of the Adobe Reader. Looks like Adobe needs to make a strong patch against more malicious attacks.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Matt</title>
		<link>http://cubist.cs.washington.edu/Security/2009/02/20/current-events-adobe-reader-vulnerability/comment-page-1/#comment-7572</link>
		<dc:creator>Matt</dc:creator>
		<pubDate>Sat, 28 Feb 2009 01:31:58 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=992#comment-7572</guid>
		<description>One of the main problems with a vulnerability like this is the size of the population using Adobe Reader/Acrobat vs the size of the population who will take security advice into account and respond defensively. Unfortunately, the former set is far larger than the latter set, meaning no matter what recommendations are made concerning the use of DEP and disabling JavaScript. This highlights one of the greatest challenges in security engineering, which is how secure should a system be by default -- all the more tricky since the average user will value (overtly) usability over security, and yet will not actively manage their system to mitigate the kinds of vulnerabilities which open up from the increased usability.</description>
		<content:encoded><![CDATA[<p>One of the main problems with a vulnerability like this is the size of the population using Adobe Reader/Acrobat vs the size of the population who will take security advice into account and respond defensively. Unfortunately, the former set is far larger than the latter set, meaning no matter what recommendations are made concerning the use of DEP and disabling JavaScript. This highlights one of the greatest challenges in security engineering, which is how secure should a system be by default &#8212; all the more tricky since the average user will value (overtly) usability over security, and yet will not actively manage their system to mitigate the kinds of vulnerabilities which open up from the increased usability.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: liaowt</title>
		<link>http://cubist.cs.washington.edu/Security/2009/02/20/current-events-adobe-reader-vulnerability/comment-page-1/#comment-7155</link>
		<dc:creator>liaowt</dc:creator>
		<pubDate>Sun, 22 Feb 2009 07:00:06 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=992#comment-7155</guid>
		<description>I did not know there were vulnerabilities in Adobe Reader until I read this article. In this post, it mentions that “only open email attachment from people they trust”. This is a really hard practice for people.

People like to search online for information. If the search engine finds a good resource of information, people would rather open it for information than think carefully about the security issue. Moreover, if this file is from some website with *.edu as the URL, I believe most people will trust it. On the other hand, people can create a fake website and spoof people to open the malicious file for attacking victims’ computers.</description>
		<content:encoded><![CDATA[<p>I did not know there were vulnerabilities in Adobe Reader until I read this article. In this post, it mentions that “only open email attachment from people they trust”. This is a really hard practice for people.</p>
<p>People like to search online for information. If the search engine finds a good resource of information, people would rather open it for information than think carefully about the security issue. Moreover, if this file is from some website with *.edu as the URL, I believe most people will trust it. On the other hand, people can create a fake website and spoof people to open the malicious file for attacking victims’ computers.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: sal</title>
		<link>http://cubist.cs.washington.edu/Security/2009/02/20/current-events-adobe-reader-vulnerability/comment-page-1/#comment-7081</link>
		<dc:creator>sal</dc:creator>
		<pubDate>Sat, 21 Feb 2009 05:33:07 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=992#comment-7081</guid>
		<description>These types of vulnerabilities seem especially dangerous, as many people don&#039;t realize that it is not only executable files that can infect their computers, and can open PDF files without any suspicion.</description>
		<content:encoded><![CDATA[<p>These types of vulnerabilities seem especially dangerous, as many people don&#8217;t realize that it is not only executable files that can infect their computers, and can open PDF files without any suspicion.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
