Wednesday, January 10, 2007

Adobe says patch ready. So do it!

I recently posted on what researchers claim to be among the worst security bugs that they've ever observed. "It's the prevalence of it," notes Amol Sarwate, manager of vulnerability research at security services firm Qualys. "There's an Adobe Reader installed on almost every desktop."

"This is so very dangerous because it exploits a random PDF on the Web," says Billy Hoffman, a leading researcher at vulnerability-assessment firm SPI Dynamics. Well, bugs do surface at times, they are not Microsoft (hehe!). However, as promised, Adobe has released its patch late Tuesday this week to fix this XSS thingie.

How to patch
So, here are the alternatives (for Microsoft Windows) - both are very straightforward steps
For more information, visit their support site

(1) As Adobe recommends - Click here to download and install Adobe Reader 8 (any platform) from their website. (27.5 MB)
(2) If you are not able to install version 8, you have to install version 7.0.9 - Go here and choose your OS and then download (27 MB).

For both these downloads, before downloading it, remember to 'uncheck' the box on the page that reads 'Also download Adobe Photo Album Starter Edition' - it's one of their product bundling strategies, and apparently it took me a lot of time. Sure you won't need that when you have Picassa or other free stuff. The whole version 8 installation process took me a total of 26 minutes, but my machine is currently heavy and that includes about 15 minutes of the Photo Album installation. Hope it works good enough as the previous versions...

Server side workaround (for corporations and domains hosting websites)
Adobe has also suggested a server-side workaround - Basically we (at the server side) have to ensure that our users or customers open our PDFs outside of the browser. So, we need to change all the MIME types in the HTTP headers for ALL the PDF files, from 'application/pdf' to a more generic 'application/octet-stream' which would prompt the user to open or save explicitly. 'Opening' from this popup will open in the Acrobat Reader and not the embedded reader (faulty now) from within the browser. This seems the easiest to me - just a one-line change in httpd.conf file (for Apache). Adobe has also suggested other solutions for IIS and Apache web server versions separately, do take a thorough look before implementing the change.



Anonymous Anonymous said...

Thanks. Got it installed in less than 10 minutes

11:46 PM  

Post a Comment

<< Home