New Adobe security bulletin — all platforms

NK
Posted By
Neil_Keller
Feb 25, 2009
Views
1615
Replies
43
Status
Closed
Critical buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat

Please see: <http://www.adobe.com/support/security/advisories/apsa09-01.html>

Neil

R
Ram
Feb 25, 2009
This vulnerability would cause the application to crash

That explains why Acrobat (7.x, in my case) crashes almost every time after a cold launch. The second time I launch it, it runs normally. Waiting until the 18th of next month for the fix won’t be too bad.

Thank you, Neil. 🙂
JJ
Jim_Jordan
Feb 25, 2009
Neil, are you saying that our Macs are threatened, even if we do not offer an administrative password to malware?

How do we know what is an unknown or untrusted source? That is the entire internet. Should we even trust a major company that allowed this vulnerability?

Since only 7, 8 and 9 are being patched, do those of us using Acrobat 6 or earlier need to buy an upgrade and/or do we need to buy AV software?
NK
Neil_Keller
Feb 25, 2009
Jim,

I provided the best reliable information I could find last night.

Symantec also acknowledges the problem. Adobe says "all platforms" are affected, which would include Macs. Adobe does not say "Windows only" as it would if Macs were immune.

AFAIK, versions 9, 8, and 7 of Reader or Acrobat (including Pro and Extended) are vulnerable, and will remain so until March 11 or March 18 (depending upon version). Disabling JavaScript offers only partial protection. The latest antivirus software updates should address the issue — but I recommend verifying that with your antivirus software developer.

How do we know what is an unknown or untrusted source?

My question, as well.

Neil
NK
Neil_Keller
Feb 25, 2009
If anyone has found additional reliable expert information (please, no unverifiable sources), please feel free to post links.

Neil
R
Ram
Feb 25, 2009
Neil,

Unknown is what you don’t know; untrusted includes the former, plus sites that you know to be harmful to your machine.

But you knew that, of course. 😐 (Stay away from pornography.)

What I’ve read on the issue so far suggests that both platforms are subject to the crash but, as far as this "vulnerability" being exploited, there’s so far nothing to suggest that Macs are as exposed as Windows boxes.

I’ll just stick to known and trusted sources of PDFs for the time being. 😉
NK
Neil_Keller
Feb 25, 2009
Ramón,

Agreed. Of course, even PDFs from "known" sources can be compromised. IIRC, about 10-12 years ago, Corel distributed their own boxed software with a Mac-only virus actually burned into the CDs by accident.

So, obviously, downloads from shady sources should always be avoided. Yet, that doesn’t mean we should let our guard down with files sent from clients or file downloads from well-known and respected sources.

Neil
R
Ram
Feb 25, 2009
Neil,

Shame on you for trusting Corel! 😀
NK
Neil_Keller
Feb 25, 2009
From Ramón’s link:

Symantec, meanwhile, reports seeing the exploit used against only a few government agencies and large corporations, and within those organizations, only a few people are targeted, said Kevin Haley, a Symantec Security Response director.

So even major corps and government agencies can harbor malicious PDF documents.

Neil
R
Ram
Feb 25, 2009
There’s much evil in "major corps and government agencies". 😉
NK
Neil_Keller
Feb 25, 2009
Ramón,

Shame on you for trusting Corel!

Hey, it was cheap! <g>

Neil
R
Ram
Feb 25, 2009
MacWorld:
R
Ram
Feb 25, 2009
I’ve disabled Java in Acrobat and Reader. Updated Flash.

Disabling Java takes care of the Acrobat/Reader flaw, and the patch for Flash 10 released on 2/5/2009 takes care of the issue in that application.
JJ
Jim_Jordan
Feb 25, 2009
From Neil’s first link:

However, the vulnerability is not in the scripting engine and, therefore, disabling JavaScript does not eliminate all risk.

Disabling Javascript just lessens your risk. It does not make you entirely safe.

The fact that Acrobat/Reader and Flash have been patched in the past for the very same issue makes me wonder why this particular alert is any more serious. Even Apple has issued security updates to address PDF and SWF in the past.

The increased publicity of this particular warning and the fact that disabling Javascript does not cure everything makes me think that the exploit is probably very simple and could be replicated on a much larger scale than anything prior.
NK
Neil_Keller
Feb 25, 2009
The added risk is not in the exploitation of this vulnerability as it exists so far, it is in its potential of additional (perhaps more serious) exploits possible (and expected) with the current vulnerability.

One temporary option suggested is to open PDFs with Preview, which apparently does not suffer the same vulnerability as Reader or Acrobat do.

Neil
JJ
Jim_Jordan
Feb 25, 2009
The risk is not just in the exploitation of this vulnerability as it exists so far, it is in its potential of additional (perhaps more serious) exploits possible (and expected) with the current vulnerability.

That is the same as it was for previous security updates to Acrobat/Reader. Previous security updates have also been released to prevent the same type of attack. The following (presented in your first link) is not new text.

"This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system"

Look at this from last year. <http://www.adobe.com/support/security/bulletins/apsb08-13.html>

It is the same problem. The ability to take over a system (of any platform) through Acrobat/Reader has existed for years. The increased hype on this month’s issue is just odd. This makes me think the exploit is much easier this time or else Adobe would not act so panicked.
NK
Neil_Keller
Feb 25, 2009
Jim,

I’m just the messenger. Variation of an old issue or not, the current threat is real and I’m taking it seriously.

Neil
R
Ram
Feb 25, 2009
Neil,

If it weren’t serious, Adobe would not be compromising their reputation by being public about it.

I agree. Adobe has a lot invested in PDF technology. They can’t be too happy about seeing it compromised.
JJ
Jim_Jordan
Feb 25, 2009
Rhetorical questions for deeper thoughts…

While we cannot guess Adobe’s motivations in the increased publicity, why are we taking this threat seriously when it is no different than previous security issues with Acrobat/Reader? What has changed? Is it really news that Mac can be exploited?

This forum is filled with posts about how many of us do not care about security because we perceive safety on Mac. So why should we care about this threat when it is no different than all the others in the past?

It seems apparent that the myth about secure platforms is fading, even in this forum. Both OSX and Linux, two of the more ‘secure’ platforms, are clearly vulnerable.
NK
Neil_Keller
Feb 25, 2009
Jim,

Due to the way and extent the information has been disseminated so far, I’m taking it seriously. But that’s me.

If you or anyone else doesn’t feel it is important, feel free to ignore it.

Neil
P
Phosphor
Feb 25, 2009
"I’ve disabled Java in Acrobat and Reader."

Where do you do that in Reader?

I see prefs for javascript, but nothing for Java.
NK
Neil_Keller
Feb 25, 2009
Phos,

I believe that’s a typo. It’s supposed to be JavaScript.

Neil
P
Phosphor
Feb 25, 2009
Part of the reason I responded the way I did was to shine a light on the fact that javascript and Java are two different things.

Forcing the issue by the way I worded my reply #22, I’m merely hoping it will prod folks to inventory their own level of understanding, and to explore why I might have made what might seem a pedantic differentiation.

And then to come to realize that it wasn’t pedantic at all, but an important distinction.
NK
Neil_Keller
Feb 25, 2009
Phos,

That’s where I assumed you were going. There is a distinct difference between the two.

Neil
R
Ram
Feb 25, 2009
Fair enough, I should have typed javascript.
C
Cindy
Feb 25, 2009
What anti-virus program is recommended for a Mac? I have not used one in years.
NK
Neil_Keller
Feb 26, 2009
Cindy,

I’ve been running and updating latest versions of Norton AntiVirus on a number of systems for years, without any glitches, hiccups or problems. This currently includes various Macs running OS X 10.4.x and OS X 10.5.x. Other folks here may have other software to recommend. Any issues some may have had with Norton AntiVirus years ago are long past.

Neil
R
Ram
Feb 26, 2009
You can also use the free ClamXav.app to scan individual files, or whole folders and disks.
AW
Allen_Wicks
Feb 26, 2009
For OSX risk management I choose to minimize exposure rather than let the a/v designers into the root of my OS. That is not to say that I consider Macs invulnerable, because malware is problematic on any platform; however OSX has yet to see its first successful in-the-wild virus attack.

On Win boxes (with many tens of thousands of successful in-the-wild virus attacks) I maintain 24/7 a/v protection.
C
Cindy
Feb 26, 2009
I found an interesting read. I don’t know if this guy is on or not but you might be interested:

<http://mac-security.blogspot.com/>
JJ
Jim_Jordan
Feb 26, 2009
however OSX has yet to see its first successful in-the-wild virus attack.

Correction: Allen has yet to see its first successful in-the-wild virus attack. OSX has already been attacked with several exploits. Google it. Anyone just watching for ‘a virus’ is missing the greater security picture. The security issue noted in this thread has nothing to do with a virus. Acrobat is the malware already installed on your computer.

Apple offers a listing of many anti-virus/intrusion/malware apps: <http://www.apple.com/downloads/macosx/networking_security/>

Statistics suck and blow at the same time. Comparing the greater number of viruses on another platform is stupid. It only takes one exploit to affect your own computer. Are you waiting until your house is burglarized before you start locking your doors?

Cindy, if you look around enough, you will find plenty of folks like that guy who are trying to counter Mac security complacency/ignorance. He is definitely ‘on’.
C
Cindy
Feb 26, 2009
You can also use the ClamXav.app

I downloaded this app after reading what I could find on it. It updates definitions regularly so I think this might be enough for me unless I find out otherwise.
AS
Ann_Shelbourne
Feb 26, 2009
Actually the link that you posted earlier, Cindy, was fairly disparaging about ClamXav and suggested using iAntiVirus instead, but that appears to be OSX 10.5.x only.

2) Go get a decent free anti-malware program. (The term ‘anti-virus’ is out of date). My only recommendation for a FREE program is ‘iAntiVirus’ free edition from PC Tools. It is up to date. Do NOT bother with ClamXav. It is well over a year out of date regarding Mac malware. (I have personally attempted to improve this situation but found it fruitless).
C
Cindy
Feb 26, 2009
I don’t have 10.5 so…..I will watch for a while. I don’t feel like paying for a virus program until I am convinced I really need it.
C
Cindy
Feb 26, 2009
ClamXav just said I had about a million viruses and froze. Don’t believe that. It was my apps directory and I run a clean machine.
AS
Ann_Shelbourne
Feb 27, 2009
I am glad that you didn’t believe it! But others might — and would have wiped their HD!

I am not going to concern myself with this — I will just wait for the Adobe patch and leave it at that.

[Thought: I wonder how many of the people who couldn’t update Photoshop to 11.0.1 are running anti-virals?]
C
Cindy
Feb 27, 2009
I am glad that you didn’t believe it!

Logic says I don’t have any virus and the software was flawed. Could be an Intel thing.

I am not going to concern myself with this — I will just wait for the Adobe patch and leave it at that.

Me either. But I am paying attention.

I will not install Windows on this machine because I am unwilling to add to the risk for my Mac. And I certainly don’t do porn or pirate software.
AS
Ann_Shelbourne
Feb 27, 2009
Yep! Pirates get their just rewards … let them walk the plank!

[Serves ’em right!]
AW
Allen_Wicks
Feb 27, 2009
Correction: Allen has yet to see its first successful in-the-wild virus attack. OSX has already been attacked with several exploits.

What was hard to understand about "That is not to say that I consider Macs invulnerable, because malware is problematic on any platform; however OSX has yet to see its first successful in-the-wild virus attack."

Allen might like this list of 96 exploits identified for Mac.

That "list of exploits" (none of which is a successful in-the-wild virus attack) is provided by one PC a/v vendor trying to move into the Mac a/v space. Most listed are irrelevant, but in any event proof-of-concept exploits – or even very serious Windows threats like the Conficker worm that Macs can transmit – are not a reason for folks to run out and load a/v software on to their Macs! Antivirus software can be a very bad thing for a Mac. Especially free ones.

Anyone just watching for ‘a virus’ is missing the greater security picture. The security issue noted in this thread has nothing to do with a virus.

Agreed. Computer security is a serious issue that needs careful consideration. Running to antivirus software suits the a/v industry (and works well for Windows with its many tens of thousands of successful in-the-wild virus attacks) but only protects against certain vulnerabilities, while opening the Mac OS to software that may itself be unstable, vulnerable or even suspect.

Also possibly some threat creators and certainly many of the folks who make dire Mac threat warnings are actually involved in the business of trying to sell a magic buy-this Mac-security panacea. Sorry folks, no free lunches.
JJ
Jim_Jordan
Feb 27, 2009
Especially free ones

Also possibly some threat creators and certainly many of the folks who make dire Mac threat warnings are actually involved in the business of trying to sell a magic buy-this Mac-security panacea.

You acknowledge that an app is free but then you suspect commercial motives. Hmmm…

I’d love to know what ‘in-the-wild’ really means. Is there a ranch or sanctuary where viruses are kept safe from the public? Does it have a moat or just a cheap plank fence? That exploit list was not imagined. Only a few are ‘proof of concepts’ (there is, of course, some absurdity in protecting against the Classic viruses at the bottom of the list when the software only runs on 10.5 and Intel). Quite a few of the listed threats are keyloggers. Wouldn’t you like to know if you had a keylogger on your system? Seeing that all it takes to gain administrative access to most Macs is a system DVD, a manager of multiple computers would likely be interested in some sort of protection or analysis tool.
AW
Allen_Wicks
Feb 27, 2009
I’d love to know what ‘in-the-wild’ really means.

Agreed, the term is poorly defined. In my usage I meant instances where large numbers of random users are affected during their normal daily computer usage, such as the current 9 million Windows boxes estimated infected with the Conficker worm. As opposed for instance to in the lab or at a hack contest at a hackers conference.

a manager of multiple computers would likely be interested in some sort of protection or analysis tool.

Of course we are interested in well proven tools. However the tools themselves are not risk-free, so security implementation is not simple. Tools can be unstable, vulnerable or even suspect.

You acknowledge that an app is free but then you suspect commercial motives. Hmmm…

No. I am especially cautious as regards using free apps due to the probability of generally less stable less well tested code. As to commercial motives, I suspect virus/malware writers and perhaps some a/v firms as well.
