This is business as usual, promised long in advance and expected today, so there isn’t anything in it related to the company’s recent network intrusion woes.

There’s a RoboHelp update, discussed in APSB13-24, and fixes for Version XI of Acrobat and Reader, discussed in APSB13-25.

The RoboHelp bug allows potential RCE, or Remote Code Execution, so you definitely want the APSB13-24 patch if you’re a RoboHelp user.

The Reader XI and Acrobat XI vulnerability is a little different, and it’s just the sort of bug that Adobe could have done without right now, because it’s what is known as a regression.

If you’re on Reader X or Acrobat X, you’re not affected and can stand down from high alert.

In programming, a regression is when you make new changes that inadvertently counteract various previous changes and, hey presto, a bug that you thought you’d got rid of returns.

If you like, a regression is a sort of anti-patch, where you repeat a mistake you fixed already.

Adobe isn’t giving a lot of detail away, but does say:

This update resolves a regression that permitted the launch of Javascript scheme URIs when viewing a PDF in a browser (CVE-2013-5325).

The scheme in a URI is the part at the beginning, like or mailto:, that tells your browser how to get to the resource you’ve just specified.

Until fairly recently, most browsers allowed you to go to the address bar and run JavaScript directly, by prefixing it with the scheme identifier javascript:, for example like this:

The hazards quickly became obvious once scammers started luring you into “pasting the following web address into the address bar,” but including a JavaScript-based URL, not one that used HTTP.

→ There are hundreds of different legal URL schemes, from aaa: (a protocol to do with login, dealing with authentication, authorisation and accounting) to z39.50: (a search and indexing protocol that was made pointless by the web).

JavaScript-based URLs are now considered harmful in your browser’s address bar, and so browsers simply ignore them.

So will your Adobe PDF plugin, once you’ve updated.

Should you patch Reader and Acrobat?

And that raises an interesting question: should you apply this patch?

After all, some of you might be feeling a bit cagey about accepting Adobe’s patches right now.

The company just admitted that hackers were able to break in and exfiltrate 40GB of product source code from the corporate network, almost certainly including Acrobat.

What if the crooks were also able to make commits? (That’s where you save back changes so they can be compiled into the next build.)

If they did so, and their changes weren’t spotted, malicious modifications could now be part of an official release.

My own opinion is that this is highly unlikely, not least because modern software engineering tools make it comparatively easy to track the changes to the source code files in a product between builds.

Also, remember that this patch deals with fixing a regression – “repatching” a previous patch – rather than with shepherding in a huge raft of changes throughout the product.

So it’s reasonable to assume that if Adobe’s recent unauthorised visitors really had made any malware-related modifications, they’d surely have been spotted before release.

In short, if I were an Acrobat or Reader user, I’d take the update.

Of course, as an OS X user my PDF needs are met without having Reader or Acrobat installed, so it’s easy for me to say that – a botched release wouldn’t affect me directly.

I tried to make it as clear as I could given that no-one (not even Adobe) seems to know how much to trust Adobe's software builds right now.

* Some people are worried about applying Adobe patches right now – what if there is code snuck in there by the crooks?
* But the patch for Reader and Acrobat doesn't seem to involve a huge amount of change, so Adobe (we hope) would have been able to review the changes thoroughly and should have seen any unauthorised modifications.
* So I think it is reasonable to assume the patches are safe.
* But I don't use Reader or Acrobat since I have OS X, and that has the PDF functionality I require built in, so it's easy for me to say that.

And now, I'm afraid, *you have to make your own mind up*.

I can advise you, but I can't be certain.

If you're worried, why not drop back to version X? Or use a different PDF reader/maker? (You don't say which product you have. If Reader, then there are a lot of alternatives to Adobe's offering. So trying something else is not such a wild idea.)
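The article says browsers, and the patched PDF plugin, now refuse javascript: scheme URIs. As an added illustration (not code from the article or from Adobe), the sketch below shows why such a check should parse the link target the way a browser does and allow only listed schemes, rather than test the raw string for a prefix. The function names, the allowlist and the sample inputs are assumptions made for this example.

```javascript
// Added example: scheme allowlist for link targets. All names are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Naive check: a case-sensitive prefix test on the raw string.
// It misses mixed case, leading spaces and embedded tabs.
function naiveIsJavascriptUrl(raw) {
  return raw.startsWith("javascript:");
}

// Parser-based check: the WHATWG URL parser normalises input as a browser
// would (strips leading spaces and control characters, removes tabs and
// newlines, lower-cases the scheme). Only allowlisted schemes pass.
function checkLinkTarget(raw) {
  let url;
  try {
    url = new URL(raw); // throws for relative or malformed input
  } catch {
    return { allowed: false, scheme: null, reason: "not an absolute URL" };
  }
  const scheme = url.protocol;
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { allowed: false, scheme, reason: "scheme not on allowlist" };
  }
  return { allowed: true, scheme, reason: "ok" };
}

// Constructed sample inputs (not taken from any real document).
const SAMPLES = [
  "https://example.com/report.pdf",
  "mailto:user@example.com",
  "javascript:void(0)",
  "JaVaScRiPt:void(0)",
  "  javascript:void(0)",
  "java\tscript:void(0)",
  "aaa://host.example.com",
  "report.pdf",
];

// Returns one result row per sample: the raw input, whether the naive
// prefix test flagged it, and the parser-based verdict.
function runSamples() {
  return SAMPLES.map((raw) => ({
    raw,
    naiveFlagged: naiveIsJavascriptUrl(raw),
    ...checkLinkTarget(raw),
  }));
}
```

An allowlist fails closed: a legal but unexpected scheme such as aaa: is refused along with javascript:, which is the safer default when a viewer only needs to open web and mail links.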