Adobe Acrobat critical vulnerability
In case you haven’t heard yet (I hadn’t – I’ve been busy with other technical problems), there is a critical buffer overflow vulnerability in all versions of Acrobat Reader and Acrobat Standard. This is all platforms, including GNU/Linux, Mac, and Windows. And get this: it was announced February 19, but it’s not due to be patched until March 18! This is apparently the latest in a rash of Acrobat vulnerabilities over the last several months.
Adobe’s response is a huge disappointment. Just about everybody has Acrobat Reader. So the fact that it leaves a hole for crackers to subvert the system it’s on, regardless of operating system, is a HUGE problem and shouldn’t sit open for a full month as a known, widespread, critical vulnerability with no patch. Their announcement says they’ll be patching versions 7 and 8 too… and affected versions are “9.0 and earlier.” Translation: this problem has been around for years – maybe since day one. They’re just getting around to fixing it now, and taking their sweet time too considering how serious it is. That’s a little too careless for my taste. I’ve uninstalled Acrobat for good and will be using KGhostView from now on. There, it’s patched! 🙂
Here’s how to get your “patch” before March 18:
GNU/Linux: In the true spirit of open source, has a wide variety of suitable replacements. Some of the most popular ones are KPDF, Evince, Xpdf, and kGhostView. Just search your package manager for anything with pdf in the description and you’ll probably have at least 2 or 3 choices, with at least one already pre-installed. Much better than downloading and installing the ridiculously fat 47 MB Acrobat Reader file!
Mac: There is a built-in PDF viewer, but you’re not necessarily any safer even if you’re not using Acrobat, because of a PDFKit vulnerability. **UPDATE** – Apple has released a patch – however, despite my best search efforts I couldn’t find a link to post here. Sorry Mac users, I can only point you to Apple’s main website.
Windows: People on the forums are suggesting FoxIt Reader as an alternative. Disclaimer: I haven’t used it, and this program itself had a similar critical buffer overflow issue until May 2008 or so. But hey, at least it’s safer than Acrobat right now. Nice bonus: the file download is a scant 3 MB, compared to the bloated 21 MB of Acrobat Reader.