big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|

The out-of-cycle patch for Adobe Reader and Acrobat does not rectify the main problem that PDF readers are suffering from - the ability of a PDF to launch an executable on the guest computer. This affects all platforms and all "full" PDF readers - although the PDF would need to be tailored and targeted for Windows, OS X, Linux etc.

Essentially the Adobe format allows a PDF to either call an executable locally stored on the computer or to embed an executable in the document and execute it. This, combined with the PDF format's capability to execute JavaScript, has been a thorn in its side recently, along with it having its own version of the Flash engine embedded, for playing Flash objects within a document, which was still vulnerable to the flaws that were patched in the 10.1 release of Flash last week.

The two problems have different workarounds. The executable and JavaScript vulnerabilities can be resolved by turning off scripting and the launching of external objects in the preferences menu. The Flash problem is harder to deal with: you need to rename the authplay.dll to something else, so that it can't be found by Adobe Reader/Acrobat when it opens the document. This will also scupper any legitimate PDF documents that contain Flash objects - but who in their right mind would bury a Flash object in a PDF anyway?

http://www.zdnet.com/news/researchers-f ... fix/441106

More information here: http://steve.grc.com/2010/06/06/adobe-f ... -to-v10-1/
_________________ "Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari
Executive Producer No Agenda Show 246
|
Mon Jul 05, 2010 8:01 am |
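A triage check for the PDF features named in the opening post (launch actions, embedded files, JavaScript, Flash content), as an added example that is not part of the original thread. The key names are taken from the PDF specification rather than from the post, the function names are hypothetical, and the sample bytes are constructed, non-functional fragments.

```python
import re

# PDF name keys tied to the features discussed in the thread.
RISKY_NAMES = {
    "Launch": "launch action (runs a program or opens a file)",
    "EmbeddedFile": "embedded file stream",
    "JS": "JavaScript action",
    "JavaScript": "JavaScript action",
    "RichMedia": "rich media (Flash) annotation",
    "OpenAction": "action that runs when the document opens",
    "AA": "additional-actions trigger",
}

# A name is "/" followed by anything except whitespace and PDF delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so /L#61unch compares equal to /Launch."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")

def scan_pdf(data: bytes) -> dict:
    """Count risky name keys in raw PDF bytes.

    Limitation: names inside compressed object streams are not seen, and
    binary stream data can produce false positives. Treat hits as a reason
    to inspect further, and a clean result as "nothing visible".
    """
    hits = {}
    for match in NAME_RE.finditer(data):
        name = normalize_name(match.group(1))
        if name in RISKY_NAMES:
            hits[name] = hits.get(name, 0) + 1
    return hits

# Constructed fragments (no xref table, no file target), for illustration only.
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_ACTIVE = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /L#61unch >>\nendobj\n"
    b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n"
)

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("active", SAMPLE_ACTIVE)):
        for name, count in sorted(scan_pdf(sample).items()):
            print(f"{label}: /{name} x{count} - {RISKY_NAMES[name]}")
```

A mail gateway or download filter could run such a check and quarantine or strip documents that show these keys before they reach a reader with scripting and launching still enabled.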
|
 |
HeatherKay
Moderator
Joined: Thu Apr 23, 2009 6:13 pm Posts: 7262 Location: Here, but not all there.
|
Meh. Acrobat Pro was eliminated from my system after the last round of so-called updates screwed everything up.
I haven't missed it.
_________________ My Flickr | Snaptophobic Bloggage
Heather Kay: modelling details that matter. "Let my windows be open to receive new ideas but let me also be strong enough not to be blown away by them." - Mahatma Gandhi.
|
Mon Jul 05, 2010 8:11 am |
|
 |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
Out of interest, how does Preview on OS X deal with embedded Flash objects, JavaScript and calls to execute code? It is part of the specification for PDF, so it should cope with it, but I haven't checked to see if it can be disabled...
|
Mon Jul 05, 2010 8:34 am |
|
 |
HeatherKay
Moderator
Joined: Thu Apr 23, 2009 6:13 pm Posts: 7262 Location: Here, but not all there.
|
I haven't a clue. Sorry. The thing is I use Preview to view PDFs (as well as simple edits to numerous image formats). If I want to see web sites, I use a browser.
|
Mon Jul 05, 2010 8:41 am |
|
 |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
But the point is, malicious PDFs are already in circulation, which use the weaknesses identified in the PDF format to execute their payload. As this is a problem with the PDF specification, as opposed to Reader or Acrobat specifically, it "should" affect all PDF readers. FoxIt on Windows is/was certainly affected by this; they have since released a patch.

Edit: From a bit of research, it looks like the Preview.app doesn't have a full implementation of the PDF standard, so it currently isn't affected by this, I think.
Last edited by big_D on Mon Jul 05, 2010 9:00 am, edited 2 times in total.
|
Mon Jul 05, 2010 8:54 am |
|
 |
HeatherKay
Moderator
Joined: Thu Apr 23, 2009 6:13 pm Posts: 7262 Location: Here, but not all there.
|
Okay, I hear you.
I have never come across any PDFs with embedded Flash or running JavaScript. The only interactive PDFs I've used are software/hardware user manuals where the pages are hyperlinked.
|
Mon Jul 05, 2010 8:59 am |
|
 |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
Me either, I can't understand why you would want to... Although I suppose you could export a PowerPoint / Keynote presentation to PDF and still have the animations, video etc. in there, but why would you? 
|
Mon Jul 05, 2010 9:02 am |
|