I'm no security expert, but here's a counterpoint on why Adobe Reader would be 
(in my mind) a bigger threat:

* Everybody opens PDFs every day. 
* There is no "did you want to open this" prompt for a PDF. 
* There is (as far as I know) no certificated PDF, or if there is, I have never 
seen it used.

The opposite is true for Java. 

* Java is used every day, but not nearly to the extent of PDF.
* Java will ask if you intended to open the plugin.
* Java does allow for signed certificates for validation.

I am not arguing which one is "worse," because I don't know. But the 
conversation is interesting to me.


--Matt Ross
Ephrata School District


----- Original Message -----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Wed, 16 Jan 2013 02:39:02 -0800
Subject: RE: FoxIT reader vulnerability


> By default, yes, Adobe renders PDF with JavaScript, which allows both good and
> evil JavaScript to execute. As we all know the various flaws in Adobe, this
> definitely leads to an attack vector which has been exploited time and time
> again.
> 
> But seriously I still see Java as the bigger threat, and as others have said
> it will continue to be this for years to come. 
> 
> Z
> 
> Edward E. Ziots, CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> ezi...@lifespan.org
> 
> 
> -----Original Message-----
> From: Matthew W. Ross [mailto:mr...@ephrataschools.org] 
> Sent: Tuesday, January 15, 2013 6:30 PM
> To: NT System Admin Issues
> Subject: Re: FoxIT reader vulnerability
> 
> Doesn't Adobe (and possibly other PDF viewers) include PDF rendering with
> JavaScript now?
> 
> I just want a "dumb" .pdf reader. Is it just me?
> 
> 
> --Matt Ross
> Ephrata School District
> 
> 
> ----- Original Message -----
> From: Ben Scott [mailto:mailvor...@gmail.com]
> To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
> Sent: Tue, 15 Jan 2013 14:46:31 -0800
> Subject: Re: FoxIT reader vulnerability
> 
> 
> > On Fri, Jan 11, 2013 at 10:50 AM, Richard McClary 
> > <richard.mccl...@aspca.org> wrote:
> > > http://www.theregister.co.uk/2013/01/11/foxit_pdf_plugin_vuln/
> > >
> > > Just now checked the FoxIT web site.  The currently offered version 
> > > is 5.4.4.1128, which the article mentions as being vulnerable (as 
> > > are older versions).
> > >
> > > May end up having to use Adobe anyway…
> > 
> >   I strongly suspect FoxIt licenses at least their core code from 
> > Adobe.  Many features and vulnerabilities seem to track on a 
> > one-to-one basis.
> > 
> >   FoxIt is a lot more lightweight, though, so it prolly has a smaller 
> > attack surface overall.  It may be they just don't include all the 
> > bloat that Adobe does.
> > 
> > -- Ben
> > 
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> > 
> > ---
> > To manage subscriptions click here:
> > http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to listmana...@lyris.sunbeltsoftware.com
> > with the body: unsubscribe ntsysadmin
> > 
> > 
> 
