Saturday, July 25, 2009

July's Round of Critical Adobe Vulnerabilities: New, Fresh, Dangerous

For those of you who took earlier advice from Intego or myself and killed off ADOBE READER, good work, because Adobe have released yet-another CRITICAL SECURITY ADVISORY! But this time it also includes FLASH as well as Acrobat. You knew it had to happen. Tsk tsk Adobe.

Here is where you can read all about it. I'm not going to quote the advisory. Just know that it was written by someone who is Windows-centric and it provides NO HELP for Mac users. Brilliant! Typical! ... As they say in Britain.

So I came up with my own stopgap probably sort of solution if you insist upon keeping Adobe Reader, Acrobat and the Flash Plug-in on your system. I originally posted this over at Please note that the preference setting names in Acrobat can be slightly different from the names I provide here for Adobe Reader. Otherwise, the setting changes are identical:
WHAT TO DO, my best guesstimation:

Since the information Adobe provided is Windows-centric and a total FAIL for Mac users, seeing as Mac OS X has no-such-thing as .dll files, here is what I guesstimate is what's required to stop this vulnerability:

1) In Adobe Reader Preferences, go to "Multimedia Trust (Legacy)" and UNCHECK "Allow Multimedia Operations". That should kill running any Flash crap in PDF files.

2) In the Preferences, go to "Trust Manager" and UNCHECK "Allow opening of non-PDF file attachments with external applications". That should prevent any embedded Flash crap from running anywhere else on your computer as well.

3) In the Preferences, go to "JavaScript" and UNCHECK "Enable Acrobat JavaScript". That will disable a PDF from even being able to call the Flash plug-in for embedded Flash crap. (Considering the sewer of malware code that JavaScript has become, thank you Microsoft, I'd leave JavaScript off FOREVER if you want to seriously be safe).

*** Or to be extra special safe: Delete BOTH Adobe Reader AND their Flash plug-in from your computer. :-)

AND! Delete these folders, if you've got them:

/Applications/Utilties/Adobe Utilities/Adobe Updater5
/Applications/Utilties/Adobe Utilities/Adobe Updater6

AND AND! To be extra special safe, do a Get Info on the Adobe Utilities folder, noted above, and LOCK IT! This will prevent any installers from replacing the nasty Adobe Updater folders and the auto-installation garbage they contain, preventing Adobe from reinstalling Adobe Reader or Flash.

RIP Adobe insecure buggy crapware. :-P

NOTE: If you use other Adobe software, be sure to DIY check for updates on Adobe's website regularly. Adobe has some great software! But they also make some crap insecure software. Protect yourself. :-D
Alternatives: Use Apple's Preview to open, view and create PDF files. To play Flash files that are not stuck in web pages, I use MPEG Streamclip. For web page embedded Flash files, you're hosed. Sorry. Write hate mail to Adobe.

(If you really need to view web page embedded Flash files, try using FireFox running with the latest version of the DownloadHelper extension and download them onto your computer. I love it. Extra crunchy. Also be sure to use the NoScript extension for added safety from bad JavaScript. And be super duper safe by adding on the McAfee SiteAdvisor extension. And to have almost god-like security be sure to add in ...).

No comments:

Post a Comment