September 8th, 2010 15:00
NOW PATCHED - Adobe Reader / Acrobat Font Parsing Buffer Overflow Vulnerability
The following has been copied/pasted from http://secunia.com/advisories/41340/
Description
A[n extremely critical] vulnerability has been discovered in Adobe Reader, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error within the font parsing in CoolType.dll and can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted PDF file.
The vulnerability is confirmed in versions 8.2.4 and 9.3.4. Other versions may also be affected.
NOTE: The vulnerability is currently being actively exploited.
Solution
Do not open untrusted files.
Provided and/or discovered by
Reported as a 0-day.
Original Advisory
http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html
----
EDIT: 1) Secunia rates this a category 5, its highest level of insecurity. So now I have 3 browsers (IE, FF, Opera), each of which is insecure 3-times over: the browser itself (Category 2 for IE&FF, 4 for Opera), QuickTime plug-in (category 4), and now, the Reader issue (category 5).
2) the problematic file, cooltype.dll, is essential for Reader to open/run... if you rename it (to try to avoid the problem), Reader will generate an error message if you try to open it.



ky331
September 8th, 2010 18:00
Here's a link to another article, which includes a video-demonstration of the exploit "in action"
http://www.sophos.com/blogs/chetw/g/2010/09/08/adobe-advises-reader-acrobat-vulnerability/
joe53
September 8th, 2010 22:00
Foxit Reader and the Ask Toolbar
Foxit Reader has always been touted as a small-footprint PDF reader alternative to the bloated and vulnerability-prone Adobe Reader, one of the most currently-targeted 3rd party utilities out there.
Foxit Reader has, however, been tainted by its association with the highly questionable Ask Toolbar, which it has bundled as a pre-checked option in the past. I have always pointed out that an Ask-free version was available for download and easy install, in the *.msi format. Indeed, I have used and updated this version of Foxit, free from any toolbar, for some years now. It has met all my needs as a simple PDF Reader, although it lacked all the full functions of Adobe's product.
Be advised this simple Foxit *.msi version is no longer freely available from Foxit, as far as I can tell. And while one can still download/install Foxit without the Ask Toolbar, it is far more tricky to do so. (You don't want the Ask Toolbar, as it is detected as spyware by many security programs.)
Frankly, I don't know what to advise. I can't offer the *.msi version for download, as this is prohibited by Foxit's EULA. I'm not sure I would even recommend Foxit, anymore, given their antics, were it not for the fact it is one of the few simple alternatives to Adobe Reader.
But for those still interested, here are the instructions to get Foxit without any toolbar:
1) go to this site: http://www.foxitsoftware.com/downloads/index.php
2) download: Foxit Reader 4.1.1 (exe) to your desktop
3) doubleclick the Foxit icon "FoxitReader411_enu_Setup.exe"
4) follow the wizard to the window where it asks:
- "Make Ask my browser default search provider" and UNcheck that option
- "Set Ask.com as my homepage" and UNcheck that option
- Click the [Decline>] button at the bottom of this window. <=most important!
- Continue with the wizard until the Finish>Install buttons.
There are other options out there. If you don't know what a PDF reader is, odds are you might not require it. In this case, go into Control Panel>Add or Remove Programs, and just uninstall Adobe Reader.
I suspect most will still want a PDF reader, and another simple alternative is the Sumatra Reader, available here: http://blog.kowalczyk.info/software/sumatrapdf/index.html
Finally, you can keep Adobe, and accept its risks. I abandoned Adobe long ago, but accept that many might still want and/or require it.
ky331
September 14th, 2010 05:00
Adobe expects to provide updates for Adobe Reader/Acrobat 9.3.4 during the week of October 4, 2010.
======================================================
Note: Adobe has also suggested a "mitigation" --- a temporary procedure to limit (or ideally, eliminate) the impact of this vulnerability: it's something new called "EMET" -- Microsoft's Enhanced Mitigation Evaluation Toolkit
Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited. For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx.
I have not personally tested this, nor do I know anything about it. Caveat Emptor!!
ky331
October 6th, 2010 07:00
This vulnerability has been patched with the release of Reader 9.4 [ or 8.2.5 ]
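
Added example, not part of the original thread and not Adobe's or Microsoft's code: a PowerShell check that lists installed Adobe Reader/Acrobat entries and compares each version against the fixed releases named above (9.4 on the 9.x branch, 8.2.5 on the 8.x branch). The function name `Get-ReaderPatchStatus` and the display-name pattern are assumptions made for illustration; the registry paths are the standard Windows uninstall keys.

```powershell
# Added example: flag Adobe Reader/Acrobat installs that predate the fixed
# releases named in this thread (9.4 for the 9.x branch, 8.2.5 for 8.x).
# Get-ReaderPatchStatus is a hypothetical helper name.
function Get-ReaderPatchStatus {
    param([Parameter(Mandatory)][string]$DisplayVersion)

    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return 'unparsed' }

    # First fixed release per branch, taken from the thread's last post.
    $fixed = @{ 8 = [version]'8.2.5'; 9 = [version]'9.4' }

    if ($v.Major -gt 9) { return 'newer branch' }
    if (-not $fixed.ContainsKey($v.Major)) {
        # The advisory only confirms 8.2.4 and 9.3.4 and says other
        # versions may also be affected, so older branches stay "unknown".
        return 'unknown (other versions may be affected)'
    }
    if ($v -lt $fixed[$v.Major]) { return 'predates fix' }
    return 'fixed'
}

# Standard per-machine uninstall keys (native and 32-bit-on-64-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the product is listed under a name starting with
# "Adobe Reader" or "Adobe Acrobat", as shown in Add or Remove Programs.
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Adobe (Reader|Acrobat)' -and $_.DisplayVersion } |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = Get-ReaderPatchStatus -DisplayVersion $_.DisplayVersion
        }
    }
```

An entry reported as `predates fix` (for example 9.3.4 or 8.2.4) is on a release from before the update described in the last post.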