LinuxQuestions.org


H_TeXMeX_H 02-20-2009 11:04 AM

Adobe Reader Extremely Critical Vulnerability
 
This is part news part security concern (but I'll post it here because in the news section very few will read it, much less answer my question):
http://www.infoworld.com/article/09/...us_PDFs_1.html

Quote:

The flaw affects version 9 of Reader and Acrobat as well as earlier versions, according to Adobe's advisory. A buffer overflow condition can be triggered by opening a specially-crafted PDF, which gives the attackers control of the computer. Shadowserver wrote that the flaw could be exploited on systems running Microsoft's Windows XP SP3.

Adobe called the flaw "critical," its most severe rating, and said it will release a patch for Reader 9 and Acrobat 9 by March 11. The company said patches for version 8 of Reader and Acrobat will follow, then finally for version 7 of Reader and Acrobat.

In the meantime, hackers will quickly try to use the flaw. PDF vulnerabilities are especially dangerous since the file format is widely used.

It mentions Window$ XP, but not Linux, does this mean Linux Adobe Reader is safe ?

Now, I don't particularly care, because I don't use it and will never use it. But, I know a lot of people do ... or do they ?

win32sux 02-20-2009 11:27 AM

Adobe's relevant security advisory says all platforms.

win32sux 02-20-2009 11:38 AM

Considering that this is zero-day (vulnerability is unpatched and actively being exploited in the wild), I'm gonna make this thread sticky for a couple days. My guess is not too many GNU/Linux users run Adobe Reader (and perhaps after reading this, even less will), but if we can help save a few boxes from getting owned it's worth it.

H_TeXMeX_H 02-20-2009 11:51 AM

Quote:

Originally Posted by win32sux (Post 3451289)
Adobe's relevant security advisory says all platforms.

Oops, I did check that page but I was searching for Linux ... doh ! Anyway, thanks :)

win32sux 03-03-2009 05:41 PM

The time has come to make this non-sticky again.

Someone would have to be living under a rock to not have heard of this by now.

win32sux 03-04-2009 03:05 AM

Guys, please keep in mind that even if you disable Reader's JavaScript you're still vulnerable. I've seen many blogs where they imply (and some even explicitly state) that by disabling it you're good to go, which is NOT the case.

H_TeXMeX_H 03-04-2009 04:19 AM

Technically someone did release a fix ahead of Adobe (who will likely release a fix in a few weeks), but it is only for Window$.

My recommendation, screw Adobe, use xpdf, kpdf, evince, etc.

Randux 03-04-2009 06:10 AM

None of the alternatives work for me, but I also turn all the scripting and plugins off, and I specify a web proxy of my localhost and disable external links, so I don't expect anything is going to get outside my box. Furthermore, I don't just open random .PDFs.

win32sux 03-04-2009 09:47 AM

Quote:

Originally Posted by Randux (Post 3464420)
None of the alternatives work for me, but I also turn all the scripting and plugins off, and I specify a web proxy of my localhost and disable external links, so I don't expect anything is going to get outside my box. Furthermore, I don't just open random .PDFs.

Keep in mind that arbitrary code execution ability allows an attacker to do pretty much anything he wants on your box with the privileges the exploited program is running as. This includes reading and writing to/from files in your home folder (which by itself can be catastrophic) and launching privilege escalation exploits.

The measures you've taken do reduce the risk, of course, but mainly for random attacks. The risk of getting owned by a determined attacker isn't lowered as much. I'm not sure why the alternatives don't work for you, but I highly recommend you try and use them while Adobe releases a patched version.

jiml8 03-04-2009 10:52 AM

Quote:

Originally Posted by win32sux (Post 3463875)
The time has come to make this non-sticky again.

Someone would have to be living under a rock to not have heard of this by now.

Ummm...

That would be me. I've been more or less offline for a few days while I moved. This is the first I have heard of it.

Randux 03-04-2009 01:34 PM

Lemme put it this way. I have had a computer of one kind or another in my office and house since 1976. I have had 0 exploits in all the zillions of hours I've been online in my life. I'm not going to start worrying now. Either the reasonable precautions I take work, or I am the luckiest guy on the face of the earth.

I just can not get worked up over all these stupid fear-o-grams. :p

win32sux 03-04-2009 02:06 PM

Quote:

Originally Posted by Randux (Post 3464907)
Lemme put it this way. I have had a computer of one kind or another in my office and house since 1976. I have had 0 exploits in all the zillions of hours I've been online in my life. I'm not going to start worrying now. Either the reasonable precautions I take work, or I am the luckiest guy on the face of the earth.

I just can not get worked up over all these stupid fear-o-grams. :p

We are talking about one specific vulnerability, not your personal computer use history (which we have no way of verifying). If you wish to make yourself believe that you are safe from having this vulnerability exploited because you "turn all the scripting and plugins off" and "specify a web proxy of my localhost and disable external links", then by all means go right ahead. I, on the other hand, prefer to keep things real instead.

Frankly, only your "I don't just open random .PDFs" actually helps in this case, but like I said, mostly for random attacks. Nothing you've done offers solid mitigation against the threat of having this vulnerability exploited if you are targeted by a determined attacker. Switching to a non-vulnerable PDF viewer while the issue is patched would, however.

It does kinda sound like your "I have nothing to fear" attitude is based on the premise that you have no reason to be targeted. I can totally understand that, but you must also understand that not everyone shares your good fortune and some of us do actually need to take these threats very seriously - even if it seems "stupid" to you.

H_TeXMeX_H 03-05-2009 08:34 AM

Quote:

Originally Posted by Randux (Post 3464907)
Lemme put it this way. I have had a computer of one kind or another in my office and house since 1976. I have had 0 exploits in all the zillions of hours I've been online in my life. I'm not going to start worrying now. Either the reasonable precautions I take work, or I am the luckiest guy on the face of the earth.

I just can not get worked up over all these stupid fear-o-grams. :p

Ehehehehhh, right on time, /. comes to the rescue:

http://it.slashdot.org/article.pl?sid=09/03/05/1328244

Quote:

"With Adobe's patch for the current PDF vulnerability still some time away, news has emerged of more techniques that are available to exploit the vulnerability, this time without needing the victim to actually open a malicious file. Instead, the methods make use of a Windows Explorer Shell Extension that is installed alongside Adobe Reader, and which will trigger the exploitable code when the file is interacted with in Windows Explorer. Methods have been demonstrated of successful exploitation with a single click, with thumbnail view, and with merely hovering the mouse cursor over the affected file. There are many ways that exploits targeting the JBIG2 vulnerability could be hidden inside a PDF file, and it seems that the reliability of detection for these varying methods is spotty, at best."

Do you feel lucky now ? Well technically, these have to do mostly with window$, but if it's that vulnerable, couldn't this also happen on Linux ?
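A defender-side triage sketch for the point in the summary quoted above that JBIG2 content can sit in a PDF in more than one form and that detection is spotty. This is an added example, not part of any post in this thread; the function names and sample fragments are constructed, and it relies only on the PDF specification's `JBIG2Decode` filter name and `#xx` name escapes.

```python
import re

# A PDF name is '/' followed by regular characters; whitespace and delimiters end it.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r /<>\[\](){}%]+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> bytes:
    """Undo the #xx hex escapes that PDF allows inside names."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def names(data: bytes):
    """Yield (offset, raw_name, decoded_name) for every name token in the bytes."""
    for m in NAME_RE.finditer(data):
        yield m.start(), m.group(1), decode_name(m.group(1))

def find_jbig2_filters(data: bytes):
    """Return (offset, name as written) for each name that decodes to JBIG2Decode."""
    return [(off, raw.decode("latin-1"))
            for off, raw, dec in names(data) if dec == b"JBIG2Decode"]

def triage(data: bytes) -> str:
    """Classify: 'jbig2', 'inconclusive' (object streams hide content), or 'no-jbig2-seen'."""
    if find_jbig2_filters(data):
        return "jbig2"
    if any(dec == b"ObjStm" for _, _, dec in names(data)):
        return "inconclusive"
    return "no-jbig2-seen"

# Constructed fragments (not real documents) covering the cases above.
PLAIN = b"5 0 obj\n<< /Length 0 /Filter /JBIG2Decode >>\nstream\nendstream\nendobj\n"
ESCAPED = b"5 0 obj\n<< /Length 0 /Filter/JBIG2#44ecode>>\nstream\nendstream\nendobj\n"
CHAINED = b"5 0 obj\n<< /Length 0 /Filter [/FlateDecode /JBIG2Decode] >>\nendobj\n"
OBJSTM = b"7 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode >>\nendobj\n"
CLEAN = b"5 0 obj\n<< /Length 0 /Filter /FlateDecode >>\nendobj\n"

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN), ("escaped", ESCAPED), ("chained", CHAINED),
                          ("objstm", OBJSTM), ("clean", CLEAN)]:
        print(label, triage(sample), find_jbig2_filters(sample))
```

A `jbig2` result only means the file carries a JBIG2 stream, which legitimate scanned documents also do; it is a reason to open the file in a non-vulnerable viewer, not a verdict. An `inconclusive` result means objects are packed in compressed object streams that a byte scan cannot read.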

jiml8 03-05-2009 09:03 AM

Quote:

Do you feel lucky now ? Well technically, these have to do mostly with window$, but if it's that vulnerable, couldn't this also happen on Linux ?

Well, Linux does not have the equivalent of Windows Explorer, and I would not know how a shell extension could be made to the various Linux GUIs. So my *guess* would be that there is no comparable vulnerability. However, the only way to find out for sure would be to study the code and try it.

Note: my comment about no equivalent to Windows Explorer means we don't have a tool that does what Explorer does AND is deeply embedded in the system the way Explorer is. We have Konqueror, and Nautilus, and others, but those are apps that sit high in the hierarchy, and don't have tentacles that extend deep into the OS like Explorer does.

win32sux 03-05-2009 12:09 PM

I do remember at least one exploit in the past which would use the thumbnail preview feature of Nautilus. I know it's still not the same as Explorer, but it does achieve a similar effect. You open Nautilus and there sits the malicious file, whose payload will be launched when it gets rendered by the thumbnailer. I think the specific case I remember was based around a libpng buffer overflow vulnerability from several years ago, although I don't remember exactly.


All times are GMT -5.