Adobe security warning!


sidney
February 22nd, 2009, 06:49 PM
A buffer overflow bug has been found in Adobe Reader and Adobe Acrobat versions 7 through 9 that could potentially allow someone to take over your computer if you read a specially crafted PDF file. Adobe says that they expect to have a patch for version 9 by March 11, and for older versions some time after that.

In the meantime, it is suggested that you disable Javascript in the preferences of Adobe Reader and Adobe Acrobat and that you disable automatic opening of PDF files in Internet Explorer and in other browsers.

This alert from the US-CERT National Cyber Alert System (http://www.us-cert.gov/cas/techalerts/TA09-051A.html) includes the details on how to change those preference settings.

-- sidney

ndebord
February 22nd, 2009, 07:53 PM
A buffer overflow bug has been found in Adobe Reader and Adobe Acrobat versions 7 through 9 that could potentially allow someone to take over your computer if you read a specially crafted PDF file. Adobe says that they expect to have a patch for version 9 by March 11, and for older versions some time after that.

In the meantime, it is suggested that you disable Javascript in the preferences of Adobe Reader and Adobe Acrobat and that you disable automatic opening of PDF files in Internet Explorer and in other browsers.

This alert from the US-CERT National Cyber Alert System (http://www.us-cert.gov/cas/techalerts/TA09-051A.html) includes the details on how to change those preference settings.

-- sidney

Sidney,

thanks much for the warning, I am happy to say that I have moved 100% over to FoxIt for my pdf files.


P.S. It seems I spoke too soon. Slightly unclear, but it seems as though FoxIt 2.xxx has the same problem. Unclear if FoxIt 3.xx is properly patched or not. The literature is not detailed yet.

davidh
February 24th, 2009, 01:46 AM
disable automatic opening of PDF files in Internet Explorer and in other browsers.
-- sidney
NoScript will do this in Firefox, if so desired.
DH

ndebord
February 26th, 2009, 11:06 AM
A buffer overflow bug has been found in Adobe Reader and Adobe Acrobat versions 7 through 9 that could potentially allow someone to take over your computer if you read a specially crafted PDF file. Adobe says that they expect to have a patch for version 9 by March 11, and for older versions some time after that.

In the meantime, it is suggested that you disable Javascript in the preferences of Adobe Reader and Adobe Acrobat and that you disable automatic opening of PDF files in Internet Explorer and in other browsers.

This alert from the US-CERT National Cyber Alert System (http://www.us-cert.gov/cas/techalerts/TA09-051A.html) includes the details on how to change those preference settings.

-- sidney

Sidney,

After reading all that I could find on this exploit, I have decided that the smart thing to do is to go back to Sumatra PDF Reader and uninstall Foxit Reader until things are resolved.

Judy G. Russell
February 26th, 2009, 12:59 PM
After reading all that I could find on this exploit, I have decided that the smart thing to do is to go back to Sumatra PDF Reader and uninstall Foxit Reader until things are resolved.
Or only open PDFs that you absolutely trust...

Jeff
February 26th, 2009, 02:18 PM
In the meantime, it is suggested that you disable Javascript in the preferences of Adobe Reader and Adobe Acrobat and that you disable automatic opening of PDF files in Internet Explorer and in other browsers. -- sidney

Alms for the blind, please. I have Adobe Reader 8, and I don't see javascript to disable. I have IE 7, and I don't see how to disable auto pdf's. It does auto-open them now.

- Jeff

Judy G. Russell
February 26th, 2009, 03:52 PM
Alms for the blind, please. I have Adobe Reader 8, and I don't see javascript to disable. I have IE 7, and I don't see how to disable auto pdf's. It does auto-open them now.
For Javascript in the reader, here are the directions:

Drop down the Edit menu, choose Preferences, choose JavaScript and un-check Enable Acrobat JavaScript.

For IE7, it's not so easy. You need to edit the registry for Windows to fix it. The safest easiest way to do that is to create a plain text file (use Notepad, not Wordpad, or some other plain text editor to create the file) and save it with the extension .REG.

The text of the file should read:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

Then double-click on the .REG file to apply the patch to the registry.

Jeff
February 27th, 2009, 12:53 PM
Thanks! I never would have found that in the reader, in part because I have never opened the reader directly. Explorer tickles it when I click on a .pdf. As to IE 7, goodgawdalmighty! To disable *automatic* anything requires mucking with the registry? Someone in Seattle needs to be horsewhipped! Making .reg file now.

- Jeff

Judy G. Russell
February 27th, 2009, 01:02 PM
As to IE 7, goodgawdalmighty! To disable *automatic* anything requires mucking with the registry? Someone in Seattle needs to be horsewhipped!
Amazing, isn't it? For all the outing of security protections, this is just plain silly.

ndebord
March 7th, 2009, 09:24 AM
Thanks! I never would have found that in the reader, in part because I have never opened the reader directly. Explorer tickles it when I click on a .pdf. As to IE 7, goodgawdalmighty! To disable *automatic* anything requires mucking with the registry? Someone in Seattle needs to be horsewhipped! Making .reg file now.

- Jeff

Jeff,

Never moved past IE6 and even there I use shells to "protect" it as best I can. Really only use it for windows update and the occasional financial site that balks at using a Gecko browser of any ilk.

ndebord
March 7th, 2009, 09:26 AM
Or only open PDFs that you absolutely trust...

Judy,

Only opening pdfs that I entirely trust? I wish it were so easy. But, lots of the FAQs out there these days are in pdf format and perhaps I could trust the various sites that post these help files, but then it only takes one mistake to get hammered.

<whine>

Judy G. Russell
March 7th, 2009, 02:40 PM
Only opening pdfs that I entirely trust? I wish it were so easy. But, lots of the FAQs out there these days are in pdf format and perhaps I could trust the various sites that post these help files, but then it only takes one mistake to get hammered. <whine>
True, but you know... with a good set of backups, the damage can be limited, and it's easier to do backups than worry about every possible problem you might encounter out there.

davidh
March 7th, 2009, 10:07 PM
A buffer overflow bug has been found in Adobe Reader and Adobe Acrobat versions 7 through 9 that could potentially allow someone to take over your computer if you read a specially crafted PDF file. Adobe says that they expect to have a patch for version 9 by March 11, and for older versions some time after that.

In the meantime, it is suggested that you disable Javascript in the preferences of Adobe Reader and Adobe Acrobat and that you disable automatic opening of PDF files in Internet Explorer and in other browsers.

This alert from the US-CERT National Cyber Alert System (http://www.us-cert.gov/cas/techalerts/TA09-051A.html) includes the details on how to change those preference settings.

-- sidney
In case it has not been mentioned elsewhere in this thread, "not opening PDF files" is NOT a protection against these exploits!
And the potential damage from this vulnerability, which has come to be known as the JBIG2Decode exploit, is huge: Didier Stevens has demonstrated this bug executing through the Adobe Reader shell extension; all the user has to do is to open a folder (in thumbnail view) that contains a malicious PDF using the attack.

It May Be Time to Abandon Adobe
By Larry Seltzer
http://www.eweek.com/c/a/Security/It-May-Be-Time-to-Abandon-Adobe/?kc=rss
2009-03-07


DH

P.S. I've replaced Adobe Reader with Sumatra, for now, to see how it goes.

davidh
March 11th, 2009, 11:29 PM
In case it has not been mentioned elsewhere in this thread, "not opening PDF files" is NOT a protection against these exploits!


DH

P.S. I've replaced Adobe Reader with Sumatra, for now, to see how it goes.
I gave up on Sumatra, too slow on some files.

I had to re-install Reader 9 twice to get a good install. Don't know if Sumatra had anything to do with that.

I had Reader 8.1.3 before.

I just updated Reader to 9.1.

(Apparently there are some fixes out for Foxit, now, too.)

Adobe Update is finally out, well, some of them
Published: 2009-03-11,
Last Updated: 2009-03-11 21:45:25 UTC
by Joel Esler (Version: 2)
4 comment(s)

...

Adobe has named this release "9.1" for both Adobe Reader and Adobe 9 (Standard, Pro, and Pro Extended). The patch is out for Windows and Macintosh only, however.

Adobe says they plan for updates to Reader 7 and 8 and Acrobat 7 and 8 to be out by March 18th. They also plan to make Adobe Reader 9.1 available for Unix by March 25th.

As a work around, Adobe says to refer to this post for a work around on how to disable Javascript so that you won't be affected, however, as our readers of the Internet Storm Center and the VRT Blog know, this is not a Javascript exploit, and you can still be exploited without javascript turned on!

So, Adobe did fix the issue for users of "9" on Windows and Mac, but the other platforms are still vulnerable. If you are using Adobe 7 or 8, if you can update to 9.1, that would be for the best.
http://isc.sans.org/diary.html?storyid=6004&rss
DH
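
Both of davidh's posts above make the point that the JBIG2Decode bug does not depend on JavaScript, so a file can be a concern with no script in it at all. The following is an added example (not part of the original thread, nor code from anyone quoted in it): a byte-level triage sketch in Python that counts the relevant PDF names in a file and resolves `#XX` name escapes before comparing. The function names and the sample byte strings are constructed for illustration.

```python
import re

# A PDF name is "/" followed by regular characters; "#XX" is a hex escape
# that may stand in for any character of the name.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r /\[\]<>(){}%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names worth reporting. /JBIG2Decode is a legitimate image filter, so a hit
# is a reason to look closer (or to open the file in a patched reader),
# not proof that the file is malicious.
WATCHED = ("JBIG2Decode", "JS", "JavaScript", "OpenAction", "AA")


def decode_name(raw: bytes) -> str:
    """Resolve #XX escapes so /JBIG#32Decode compares equal to /JBIG2Decode."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count watched names in the raw bytes of a PDF.

    Limitation: this does not decompress anything, so names stored inside
    compressed object streams are not seen.
    """
    counts = {name: 0 for name in WATCHED}
    escaped = []
    for m in _NAME.finditer(data):
        raw = m.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if raw != name.encode("latin-1"):
                escaped.append(raw.decode("latin-1"))
    # Acrobat accepts the header anywhere in the first 1024 bytes.
    return {"is_pdf": b"%PDF-" in data[:1024], "counts": counts, "escaped": escaped}


def findings(data: bytes) -> list:
    """Turn the counts into short, human-readable triage notes."""
    report = triage_pdf(data)
    c = report["counts"]
    notes = []
    if not report["is_pdf"]:
        notes.append("no %PDF- header in first 1024 bytes")
    if c["JBIG2Decode"]:
        notes.append("uses JBIG2Decode filter")
    if c["JS"] or c["JavaScript"]:
        notes.append("contains JavaScript")
    if c["OpenAction"] or c["AA"]:
        notes.append("has automatic action")
    if report["escaped"]:
        notes.append("watched name written with #XX escapes")
    return notes


# Constructed sample inputs (harmless fragments, not real documents).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_JBIG2 = (b"%PDF-1.4\n5 0 obj\n<< /Type /XObject /Subtype /Image "
                b"/Filter /JBIG2Decode /Length 0 >>\nstream\n\nendstream\nendobj\n")
SAMPLE_ESCAPED = (b"%PDF-1.4\n5 0 obj\n<</Filter/JBIG#32Decode/Length 0>>\n"
                  b"stream\n\nendstream\nendobj\n")
SAMPLE_JS = b"%PDF-1.4\n1 0 obj\n<< /OpenAction << /S /JavaScript /JS 7 0 R >> >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("jbig2", SAMPLE_JBIG2),
                        ("escaped", SAMPLE_ESCAPED), ("js", SAMPLE_JS)]:
        print(label, findings(blob))
```

The second and third samples are flagged for JBIG2Decode while reporting no JavaScript, which is the case the JavaScript workaround does not address.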

ndebord
March 12th, 2009, 11:19 PM
I gave up on Sumatra, too slow on some files.

I had to re-install Reader 9 twice to get a good install. Don't know if Sumatra had anything to do with that.

I had Reader 8.1.3 before.

I just updated Reader to 9.1.

(Apparently there are some fixes out for Foxit, now, too.)

DH

David,

FoxIt has patched its 2.xx and 3.xx versions. Different bugs than Adobe, but still critical patches.

http://www.foxitsoftware.com/pdf/reader/security.htm

Mike
April 13th, 2009, 05:28 AM
I am happy to say that I have moved 100% over to FoxIt for my pdf files.
Have you looked at PDFXchange Viewer (http://www.pdfxviewer.com/home/prod_user/PDF-XChange_Tools/pdfx_viewer/)? There is a free version, with many more features than Acrobat Reader. For example, one can add comments or sticky notes, add, delete, or highlight text, create or delete hyperlinks, draw/erase on the document, export pages to images or text, and add stamps.

Best of all, it's available as a portable application! This means that one can install it on a USB flash, or simply extract it to a folder on the hard drive, without having to use an invasive installation program.

The publisher has a suite of PDF programs that compete with Acrobat and Nitro.

I now have this as my default PDF viewer, with Sumatra and Adobe on the machine.

Judy G. Russell
April 13th, 2009, 09:25 AM
Have you looked at PDFXchange Viewer (http://www.pdfxviewer.com/home/prod_user/PDF-XChange_Tools/pdfx_viewer/)? There is a free version, with many more features than Acrobat Reader. For example, one can add comments or sticky notes, add, delete, or highlight text, create or delete hyperlinks, draw/erase on the document, export pages to images or text, and add stamps.
From their website it doesn't look like many of those features are available with the free version.

ndebord
April 13th, 2009, 05:32 PM
Have you looked at PDFXchange Viewer (http://www.pdfxviewer.com/home/prod_user/PDF-XChange_Tools/pdfx_viewer/)? There is a free version, with many more features than Acrobat Reader. For example, one can add comments or sticky notes, add, delete, or highlight text, create or delete hyperlinks, draw/erase on the document, export pages to images or text, and add stamps.

Best of all, it's available as a portable application! This means that one can install it on a USB flash, or simply extract it to a folder on the hard drive, without having to use an invasive installation program.

The publisher has a suite of PDF programs that compete with Acrobat and Nitro.

I now have this as my default PDF viewer, with Sumatra and Adobe on the machine.

Mike,

Never heard of it before. Took a look and it is promising, but I have settled on Foxit reader/editor and CutePDF print utility for my PDF needs (along with Snagit which is truly invaluable).

Mike
April 14th, 2009, 03:26 AM
From their website it doesn't look like many of those features are available with the free version.
The items I listed are available with the free version (the comparison chart lumps them all into two categories). There are a lot of other features offered with the paid versions.

If I didn't already have Acrobat Pro, I probably would get Nitro PDF, which gives all the functionality of Acrobat Pro for $99.

Judy G. Russell
April 14th, 2009, 08:41 AM
The items I listed are available with the free version (the comparison chart lumps them all into two categories). There are a lot of other features offered with the paid versions.
Interesting. The website chart (http://files.docu-track.com/FeatureChartEU.pdf) doesn't even list extracting text as an option with the free version.

Mike
April 15th, 2009, 03:05 AM
Interesting. The website chart (http://files.docu-track.com/FeatureChartEU.pdf) doesn't even list extracting text as an option with the free version.
My bad. One can export to image (of multiple types, including PNG, GIF, BMP, JPG, TIFF, etc.), but not to text (which Acrobat Reader does support). The feature chart suggests that even export to image is not available in the free version, but I just tested it.

Another cool feature (even for the free one) is that it quickly finds all the other PDF tools on the system, and has a small button one can click to launch the current document in one of the other programs. And for those without SnagIt or some other screen shot tool, one can take a screen shot of a PDF using this program.

It quickly has become my favorite PDF viewer.

Judy G. Russell
April 15th, 2009, 09:51 AM
My bad. One can export to image (of multiple types, including PNG, GIF, BMP, JPG, TIFF, etc.), but not to text (which Acrobat Reader does support).
That'd be a deal breaker for me with the free version but the paid version looks very interesting.

Lindsey
April 16th, 2009, 12:49 AM
And for those without SnagIt or some other screen shot tool, one can take a screen shot of a PDF using this program.

SnagIt is a Way Cool Tool, too -- I use it every day, and I absolutely love it.

Mike
April 16th, 2009, 03:09 AM
[Exporting to text] That'd be a deal breaker for me with the free version but the paid version looks very interesting.
One can select & copy text, which I suspect is your real need.

The "export to text" function creates an ASCII-only version of the entire document, which I've never needed. However, I regularly copy a few words, or even paragraphs or pages of text to paste into another application.

I just tried selecting an entire document (this particular one was 700+ pages), and I was able to copy and paste all of it into a text editor. Would that meet your needs?

Mike
April 16th, 2009, 03:10 AM
SnagIt is a Way Cool Tool, too -- I use it every day, and I absolutely love it.
Same here, except I don't use it every day. I find it priceless when I need it, however!

Lindsey
April 16th, 2009, 10:15 PM
Same here, except I don't use it every day. I find it priceless when I need it, however!

It's very handy for documenting procedures. Nobody wants to have to bother to read explanatory text any more, they want pictures to show them what to do. Also very handy for documenting problems to report to our banking software vendor.

Judy G. Russell
April 16th, 2009, 10:51 PM
SnagIt is a Way Cool Tool, too -- I use it every day, and I absolutely love it.
Ditto. Wouldn't be without it even with all the other graphics tools I have and use regularly.

Judy G. Russell
April 16th, 2009, 10:53 PM
I just tried selecting an entire document (this particular one was 700+ pages), and I was able to copy and paste all of it into a text editor. Would that meet your needs?
It would indeed. Though since my office provides me with a full edition of Acrobat, this isn't something I'll need for a while!

Mike
April 17th, 2009, 02:59 AM
Though since my office provides me with a full edition of Acrobat, this isn't something I'll need for a while!
Yeah, I have Acrobat Pro on my main machine, but when I replace my notebook, I'll buy and install either PDF Xchange Pro or Nitro PDF so I can have the capabilities at a much lower price.

Mike
April 17th, 2009, 03:00 AM
Nobody wants to have to bother to read explanatory text any more, they want pictures to show them what to do.
Right. I used it regularly on the job--every day! Now that I'm unemployed, I don't have that need every day, but I do have it enough to stay registered!

Judy G. Russell
April 17th, 2009, 01:58 PM
Yeah, I have Acrobat Pro on my main machine, but when I replace my notebook, I'll buy and install either PDF Xchange Pro or Nitro PDF so I can have the capabilities at a much lower price.
Or start teaching somewhere and get all the academic prices!

Lindsey
April 18th, 2009, 01:06 AM
Ditto. Wouldn't be without it even with all the other graphics tools I have and use regularly.

I do almost all of what graphics work I have to do (none of which requires any great degree of sophistication) with SnagIt, and what I can't do easily with SnagIt, I do with IrfanView.

Lindsey
April 18th, 2009, 01:09 AM
Right. I used it regularly on the job--every day! Now that I'm unemployed, I don't have that need every day, but I do have it enough to stay registered!

Oh! Right. God yes, I'm sorry--I really put my foot in it, didn't I? :o

I have a personal copy that I use not infrequently on my laptop, but not as much as I use the one at work.

Judy G. Russell
April 18th, 2009, 03:49 PM
I do almost all of what graphics work I have to do (none of which requires any great degree of sophistication) with SnagIt, and what I can't do easily with SnagIt, I do with IrfanView.
Well, I can't say that... I use Photoshop most of the time...

Lindsey
April 19th, 2009, 12:25 AM
Well, I can't say that... I use Photoshop most of the time...

Yeah, with photographs, I can see why you would want something with more fine control. Most of what I do involves screen shots with highlighting or comments or other such things added. That and size reduction are most of what I do in terms of image manipulation. IrfanView comes in handy if you need to change the format.

Mike
April 19th, 2009, 01:59 AM
Or start teaching somewhere and get all the academic prices!
I suspect the regular price for Nitro/PDFXchange is lower than the academic price for Acrobat Pro!

Besides, right now, there are more teachers than jobs in my area.

Mike
April 19th, 2009, 01:59 AM
No worries!

Mike
April 19th, 2009, 02:03 AM
IrfanView comes in handy if you need to change the format.
I just learned yesterday that IrfanView, via a plug-in called Riot, has the ability to optimize an image for the web! And a more capable version can be installed (http://luci.criosweb.ro/riot/).

Judy G. Russell
April 19th, 2009, 06:37 AM
Yeah, with photographs, I can see why you would want something with more fine control. Most of what I do involves screen shots with highlighting or comments or other such things added. That and size reduction are most of what I do in terms of image manipulation. IrfanView comes in handy if you need to change the format.
I have on occasion used nothing but Irfanview even for photos (usually while I'm on the road). It is such a capable little program.

Judy G. Russell
April 19th, 2009, 06:38 AM
I suspect the regular price for Nitro/PDFXchange is lower than the academic price for Acrobat Pro!
You may well be right about that!

Besides, right now, there are more teachers than jobs in my area.
Get certified in math or science and that'll change.

Lindsey
April 19th, 2009, 11:20 PM
I just learned yesterday that IrfanView, via a plug-in called Riot, has the ability to optimize an image for the web! And a more capable version can be installed (http://luci.criosweb.ro/riot/).

IrfanView has a lot of really neat plugins. I saw something a couple of weeks ago about one that would allow you to play at least some of the RealMedia formats (*.rm and *.ram, I think) with IrfanView. But I couldn't find the plugin on IrfanView's own web site, so I was a little wary of it. Then again, even though IrfanView itself is fantastic software, the plugin part of their website is a mess, I guess in part because there are so many different ones.

Does optimizing an image for the web convert it to a "web safe" color palette? Anything else? Re-sizing, maybe?

Mike
April 20th, 2009, 12:26 AM
Get certified in math or science and that'll change.
I'm sure I can get certified easily. Not so sure if I can be certified as an educator.

Regardless, we're in a situation where school districts are giving pink slips to almost the entire academic staff, then rehiring a subset of them.

Mike
April 20th, 2009, 12:28 AM
Does optimizing an image for the web convert it to a "web safe" color palette? Anything else? Re-sizing, maybe?
No resizing, but IrfanView already supports that. Color reduction depends on the type of image. Full details about the optimization for different image types can be found on the Riot site (http://luci.criosweb.ro/riot/).

Lindsey
April 23rd, 2009, 01:44 AM
No resizing, but IrfanView already supports that. Color reduction depends on the type of image. Full details about the optimization for different image types can be found on the Riot site (http://luci.criosweb.ro/riot/).

Thanks! I'll check it out.

ndebord
April 23rd, 2009, 08:47 AM
A buffer overflow bug has been found in Adobe Reader and Adobe Acrobat versions 7 through 9 that could potentially allow someone to take over your computer if you read a specially crafted PDF file. Adobe says that they expect to have a patch for version 9 by March 11, and for older versions some time after that.

In the meantime, it is suggested that you disable Javascript in the preferences of Adobe Reader and Adobe Acrobat and that you disable automatic opening of PDF files in Internet Explorer and in other browsers.

This alert from the US-CERT National Cyber Alert System (http://www.us-cert.gov/cas/techalerts/TA09-051A.html) includes the details on how to change those preference settings.

-- sidney

Sidney,

PC World just wrote an article recommending that users shy away from Adobe Reader and offered this non-profit org as a resource for finding alternatives.

http://pdfreaders.org/