IT Blogwatch

A Daily Digest of IT Blogs from Richi Jennings

PDF backdoor (and an XBox 360 laptop)

Put it to me straight. It's IT Blogwatch, in which the PDF document format is revealed to be chock full o' exploits. Not to mention a DIY laptop which will make you the hero of any XBox 360 fan ...

David Kierznowski sounds the alarm over PDFs:

[The attack] affects both Adobe Reader and Adobe Professional. It involves adding a malicious link into the PDF document. Once the document is opened, the user’s browser is automatically launched and the link is accessed. At this point it is obvious that any malicious code can be launched. It is interesting to note that both Adobe 6 & 7 did not warn me before launching these URLs.

Mark Collette gives a diagnosis:

Basically, the PDF standard allows for a lot of ways to access data on your local machine, in databases, and through your web browser. It also has mechanisms for running JavaScript, and even executing arbitrary local programs. Some of these things require a user to click on a link in a PDF, and some require just opening the PDF or visiting a specific page in the PDF.

Many of these features are quite helpful for corporate clients, but maybe shouldn't be allowed by default.
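A triage check for the features Collette lists, added here as an example and not taken from the original post or any quoted commenter: it scans a PDF's raw bytes for the standard name keys that trigger actions on open (`/OpenAction`, `/AA`) and the action types behind them (`/JavaScript`, `/JS`, `/Launch`, `/URI`), decoding `#xx` escapes so a disguised key still matches. It assumes uncompressed objects; keys inside compressed object streams are not seen, so an empty result is not a clean bill of health. The function names and sample bytes are constructed for illustration.

```python
import re

# PDF name keys tied to the behaviours described in the text above.
RISKY_KEYS = {
    "OpenAction": "action run when the document is opened",
    "AA": "additional actions (e.g. when a page is opened)",
    "JavaScript": "embedded JavaScript",
    "JS": "embedded JavaScript source",
    "Launch": "launches a local program",
    "URI": "opens a URL, typically in the browser",
}
TRIGGERS = {"OpenAction", "AA"}
ACTIONS = {"JavaScript", "JS", "Launch", "URI"}

# A PDF name is '/' followed by any bytes except whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so /Java#53cript is read as JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Count occurrences of each risky key in raw PDF bytes."""
    counts = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_KEYS:
            counts[name] = counts.get(name, 0) + 1
    return counts


def runs_without_click(counts: dict) -> bool:
    """True when an on-open trigger and an active action type are both present."""
    return bool(TRIGGERS & counts.keys()) and bool(ACTIONS & counts.keys())


# Constructed sample fragments (not real documents).
SAMPLE_URI = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
              b"/OpenAction << /S /URI /URI (http://example.invalid/) >> >>\nendobj\n")
SAMPLE_OBFUSCATED = b"<< /Open#41ction << /S /Java#53cript /JS (placeholder) >> >>"
SAMPLE_PLAIN = b"<< /Type /Page /Contents 4 0 R >>"

if __name__ == "__main__":
    for label, blob in [("uri", SAMPLE_URI), ("obfuscated", SAMPLE_OBFUSCATED), ("plain", SAMPLE_PLAIN)]:
        hits = scan_pdf_bytes(blob)
        print(label, hits, "auto-run" if runs_without_click(hits) else "no auto-run keys seen")
```

Because this is a byte-level scan, a key name that merely appears inside a text string is also counted; treat hits as a reason to inspect the file in a proper parser, not as a verdict.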

JBarnett sounds off:

What the hell is Adobe doing with 27.7MB to read a &8%4# pdf file? Creating Backdoors, that's what!

I like how Acrobat chugs for 2 minutes before loading and then crashes both IE and Firefox -- that is impressive. Especially when every other PDF reader on this planet loads almost instantly without problems (see any PDF reader on linux/unix or foxit).

D.W.'s PDF frustration boiled over a while back:

It took me far too many years to finally get sick of how slow Adobe Acrobat loads PDF files. It was taking between 10 and 30 seconds to load a single file. How could this be? ...

Every time you run Adobe Acrobat up to 20 plugins are loaded unnecessarily - most users do not need even a fraction of them!

... While Geemodo stopped upgrading long ago:

One reason I am still stuck on Acrobat 5.0 is as versions went up, Adobe products became too snoopy ... and started to snoop into users' affairs. There are enough Open Source PDF utilities that I rarely use Adobe Acrobat. ...

BFD, says Craig Ringer:

In my view this claim is idiotic anyway. I just found a giant security hole in HTML where if they view my page or email with a link and if they click on it, it might take them to a malicious site.

*yawn*

hairyfeet is one of the many slashdotters who wonders why more people don't use free PDF readers:

I've always wondered why folks would want the bloatware that is Adobe reader when Foxit is faster, smaller and now it looks like it's safer too. Guess some folks are stuck in their ways. Best thing about Foxit (for me) is that it'll run great from a flash drive. I carry it and Portable Abiword with me everywhere to avoid the bloat that is Winword/Adobe reader.

D Webber suggests radical steps to deal with the problem:

Much of the extra unwanted functionality in Adobe reader is provided as plug-ins. Multimedia, Internet search, eBook reading and other capabilities can be disabled by carefully deleting or renaming files in the plug_ins and plug_ins3d directories. Various guides are available around the net describing which ones are safe to disable, and a free tool named Adobe Reader Speedup can automate the process.

Be careful playing around with the plugins: it can completely disable the viewer. The plugins are also re-installed each time the software is updated.

Buffer overflow:

And finally... A home-made Xmas gift every XBoxer will love

Computerworld's Senior Online Projects Editor Ian Lamont compiled IT Blogwatch today. Next Monday, regular Blogwatcher Richi Jennings returns to the fray.

What People Are Saying

Calm down guys and use Foxit

Calm down guys and use Foxit reader, as JBarnett mentioned. Why not?