On Sat, Feb 21, 2009 at 9:06 AM, John LaCour <[email protected]> wrote:
> And there's very little information about how to mitigate the attack
> without a patch.
>
> By disabling Javascript in the Reader, you can prevent the known attacks.
> The actual vuln isn't in Acrobat javascript - that's just leveraged for
> heap spraying.

This workaround is utterly unfeasible for some businesses. At $dayjob, we have systems which autogenerate PDF forms, and it turns out they use javascript. I get the impression this is common.

Adding insult to injury, the vendors which support these systems don't support Adobe 9 yet, so we're on 8. Adobe 8 gets its fix to "follow soon after" the March 11th date for Adobe 9.

Our current mitigation strategy is begging our users to be safe. Ugh.

-Nick
