Okay - so last month I discovered that Adobe PDFs can contain Java freaking script in them AND that Acrobat has that feature turned ON by default (Edit menu -> Preferrences -> Enable Acrobat Java freaking Script). How could I NOT have known about this? Did YOU know before May that PDFs could run Java freaking script? I guess I don't spend very much time looking at PDFs or exploring the Acrobat UI.
Does anyone not remember VBA in Office being turned on by default circa 2000 and what a great idea THAT turned out to be?
"You can enhance a PDF document so that it contains form fields to capture user-entered data as well as buttons to initiate user actions. This type of PDF document can replace existing paper forms, allowing employees within a company to fill out forms and submit them via PDF files, and connect their solutions to enterprise workflows by virtue of their XML-based structure and the accompanying support for SOAP-based web services."
and I start freaking out again.
The emphasis in bold above is clearly mine.
Reading on you also find this CVE:
"This update resolves an issue that could allow a local user to execute arbitrary code by overwriting a local file. (CVE-2007-5666)"
So much for the "safe word" err path. I meant path!
So I'm already thinking about all of this when today I read about Acrobat 9 which was announced recently I guess.And after reading some articles on it I can't help but hear Cortana in my head saying "This is the way the world ends" with some dramatic Bungie-esque Halo3 theme music playing in the background . . .
Why is that? Because "For the first time, Acrobat 9 provides deep support for Adobe Flash technology, enabling users to include Adobe Flash Player compatible video and application files in PDF documents. Recipients simply need free Adobe Reader(R) 9 software to consume the content. Now, static documents can come to life as dynamic communications."
Anyhoo . . . Adobe appears to be going through some 'interesting' times . . . they patched some code execution bugs in Acrobat that apparently were used in some targeted attacks (according to their bulletin) and we of course all heard about the Flash vulnerability being exploited in the wild last month as well . . . and while we here at Microsoft seem to be doing everything we can do reduce attack surface as much as possible and disable stuff by default . . . our competitors are busy seemingly increasing attack surface and enabling it by default even though it's becoming increasingly clear they are starting to receive some of the same miscreant love and affection that our products have been receiving for the last few years. :)
Time will tell who is making the right decisions here.