« Acrobat: Making sure you hate Adobe | Main | This is why relying on file extensions is stupid »

If you say the title like the late, great Sam Kinison, you come close to what I'm hearing in my head right now.

So as I talked about before, yay, more Adobe fucking Acrobat security holes. Yah. Hoo. Brian Krebs, being the security guy he is, does his usual excellent job of talking about it. Nothing new there at first, until my feed updates, and in the feed, (But not showing up in the main article yet), I see this:

Update, 4:06 p.m. ET: If you decide to do without Adobe Reader and uninstall it, you might want to nix the Adobe Download Manager as well. Researcher Aviv Raff points to some nifty work he’s done which shows that Adobe’s Download Manager — which ships with all new versions of Flash and Reader — can be forced to reinstall an application that’s been removed, such as Reader. According to Raff, a Web site could hijack the Adobe Download manager to download and install any of the following:

• Adobe Flash 10
• Adobe Reader 9.3
• Adobe Reader 8.2
• Adobe Air 1.5.3
• ARH tool – allows silent installation of Adobe Air applications
• Google Toolbar 6.3
• McAfee Security Scan Plus
• New York Times Reader (via Adobe Air)
• Fanbase (via Adobe Air)
• Acrobat.com desktop shortcut

Raff writes: “So, even if you use an alternative PDF reader, an attacker can force you to download and install Adobe Reader, and then exploit the (yet to be patched, but now known) vulnerability. The attacker can also exploit 0-day vulnerabilities in any of the other products mentioned above.” Read more on his findings at this link here.

Ye

Fucking

Gods.

I can't even really rage at it properly. The logic behind what Aviv and Brian are talking about hear fucking beggars me. Is Adobe so eager to be the next Microsoft that they are determined to duplicate every mistake Microsoft ever made?

Comments