"* Java will ask if you intended to open the plugin."

Which leads to users spamming yes without thinking.


"* Java does allow for signed certificates for validation."

Let's reword this: Java allows for SELF-signed certificates for validation.

I know someone in the security field that owns an LLC in Ohio called 'Trusted 
Publisher' and he has self-signed certs for Java that say exactly that. Cost 
him 50 bucks to get it done. Guess what his success rate is on phish emails 
that link to a java that pops 'Trusted Publisher' on the warning?
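The point being made is that the publisher name in the Java warning dialog is whatever the signer put in the certificate subject. The check that actually tells you something is whether the signing chain ends at a CA the JRE already trusts. What follows is an added example written for this page, not code posted by anyone in the thread: it walks a signed JAR, reads each entry's code signers, and reports the subject name, whether the certificate is self-signed, and whether PKIX validation against the JRE's cacerts succeeds. It assumes the stock cacerts location and password ("changeit"), turns revocation checking off so it runs offline, and the class and Verdict names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: does each signer of a JAR chain to a trusted CA, or just carry a nice name? */
public class JarSignerCheck {

    /** One signer's subject DN plus what the chain check concluded. */
    public static final class Verdict {
        public final String subject;
        public final boolean selfSigned;
        public final boolean trusted;
        public final String reason;

        Verdict(String subject, boolean selfSigned, boolean trusted, String reason) {
            this.subject = subject;
            this.selfSigned = selfSigned;
            this.trusted = trusted;
            this.reason = reason;
        }

        @Override
        public String toString() {
            if (trusted) return subject + " -> chains to trusted CA (" + reason + ")";
            if (selfSigned) return subject + " -> SELF-SIGNED, not in trust store";
            return subject + " -> UNTRUSTED: " + reason;
        }
    }

    private final KeyStore trustStore;
    private final PKIXParameters params;
    private final CertPathValidator validator;
    private final CertificateFactory cf;

    public JarSignerCheck(KeyStore trustStore) throws Exception {
        this.trustStore = trustStore;
        this.params = new PKIXParameters(trustStore);
        this.params.setRevocationEnabled(false); // assumption: offline demo; enable for real use
        this.validator = CertPathValidator.getInstance("PKIX");
        this.cf = CertificateFactory.getInstance("X.509");
    }

    /** Assumption: stock JRE cacerts file with the default "changeit" password. */
    public static KeyStore loadJreCacerts() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    /** Judge one signer's certificate path; the leaf (index 0) is what the dialog names. */
    public Verdict judge(CertPath signerPath) throws Exception {
        List<? extends Certificate> certs = signerPath.getCertificates();
        X509Certificate leaf = (X509Certificate) certs.get(0);
        String subject = leaf.getSubjectX500Principal().getName();
        boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());

        // A self-signed signer only means something if the store itself pins that certificate.
        if (selfSigned) {
            boolean pinned = trustStore.getCertificateAlias(leaf) != null;
            return new Verdict(subject, true, pinned, pinned ? "pinned in trust store" : "issuer == subject");
        }

        // PKIX expects the path without the trust anchor: drop a trailing self-signed root.
        List<Certificate> chain = new ArrayList<>(certs);
        X509Certificate last = (X509Certificate) chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        try {
            validator.validate(cf.generateCertPath(chain), params);
            return new Verdict(subject, false, true, "PKIX validation succeeded");
        } catch (CertPathValidatorException e) {
            return new Verdict(subject, false, false, e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        JarSignerCheck check = new JarSignerCheck(loadJreCacerts());
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) { // verify=true: bad digests throw SecurityException
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // getCodeSigners() returns null until the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume to trigger verification */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println(entry.getName() + ": UNSIGNED");
                    continue;
                }
                for (CodeSigner s : signers) {
                    System.out.println(entry.getName() + ": " + check.judge(s.getSignerCertPath()));
                }
            }
        }
    }
}
```

Compile and run with `javac JarSignerCheck.java && java JarSignerCheck some.jar`. A JAR signed with a self-signed 'Trusted Publisher' certificate prints SELF-SIGNED no matter what the subject says, which is the distinction the dialog's publisher line does not make for you. Entries whose digest does not match the signature make JarFile throw SecurityException on read, so a tampered JAR fails loudly rather than being reported as signed.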


-----Original Message-----
From: Matthew W. Ross [mailto:mr...@ephrataschools.org] 
Sent: Wednesday, January 16, 2013 11:33 AM
To: NT System Admin Issues
Subject: RE: FoxIT reader vulnerability

I'm no security expert, but here's a counterpoint on why Adobe Reader would be 
(in my mind) a bigger threat:

* Everybody opens PDFs every day. 
* There is no "did you want to open this" prompt for a PDF. 
* There is (as far as I know) no certificated PDF, or if there is, I have never 
seen it used.

The opposite is true for Java. 

* Java is used every day, but not nearly to the extent of PDF.
* Java will ask if you intended to open the plugin.
* Java does allow for signed certificates for validation.

I am not arguing which one is "worse," because I don't know. But the 
conversation is interesting to me.


--Matt Ross
Ephrata School District


----- Original Message -----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Wed, 16 Jan 2013 02:39:02 -0800
Subject: RE: FoxIT reader vulnerability


> By default, yes, Adobe renders PDF with JavaScript, which allows both 
> good and evil JavaScript to execute. As we all know the various flaws 
> in Adobe, this definitely leads to an attack vector which has been 
> exploited time and time again.
> 
> But seriously I still see Java as the bigger threat, and as others 
> have said it will continue to be this for years to come.
> 
> Z
> 
> Edward E. Ziots, CISSP, Security +, Network + Security Engineer 
> Lifespan Organization ezi...@lifespan.org
> 
> 
> -----Original Message-----
> From: Matthew W. Ross [mailto:mr...@ephrataschools.org] 
> Sent: Tuesday, January 15, 2013 6:30 PM
> To: NT System Admin Issues
> Subject: Re: FoxIT reader vulnerability
> 
> Doesn't Adobe (and possibly other PDF viewers) include PDF rendering with
> JavaScript now?
> 
> I just want a "dumb" .pdf reader. Is it just me?
> 
> 
> --Matt Ross
> Ephrata School District
> 
> 
> ----- Original Message -----
> From: Ben Scott [mailto:mailvor...@gmail.com]
> To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
> Sent: Tue, 15 Jan 2013 14:46:31 -0800
> Subject: Re: FoxIT reader vulnerability
> 
> 
> > On Fri, Jan 11, 2013 at 10:50 AM, Richard McClary 
> > <richard.mccl...@aspca.org> wrote:
> > > http://www.theregister.co.uk/2013/01/11/foxit_pdf_plugin_vuln/
> > >
> > > Just now checked the FoxIT web site.  The currently offered version 
> > > is 5.4.4.1128, which the article mentions as being vulnerable (as 
> > > are older versions).
> > >
> > > May end up having to use Adobe anyway…
> > 
> >   I strongly suspect FoxIt licenses at least their core code from 
> > Adobe.  Many features and vulnerabilities seem to track on a 
> > one-to-one basis.
> > 
> >   FoxIt is a lot more lightweight, though, so it prolly has a smaller 
> > attack surface overall.  It may be they just don't include all the 
> > bloat that Adobe does.
> > 
> > -- Ben
> > 
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> > 
> > ---
> > To manage subscriptions click here:
> > http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to listmana...@lyris.sunbeltsoftware.com
> > with the body: unsubscribe ntsysadmin
> > 
> > 
> 