There’s a 61% chance the Adobe software you run at work is out of date

I read this week that 61% of Adobe Reader installations in workplaces are out of date.

That’s very bad. Very, very bad. Because Adobe Reader is trivially easy to exploit, and there’s more sensitive information to steal on corporate PCs than there is on home PCs.

Happy Patch Tuesday, September 2011

Microsoft has five updates and Adobe has two for us on this fine Patch Tuesday, in addition to a patch Mozilla pushed out for Firefox last week.

Don’t get too complacent if you run something other than Windows. If you run Microsoft Office on a Mac, or Adobe Reader or Acrobat on a Mac, or Adobe Reader on Unix or Linux, you’re vulnerable. The vulnerabilities in those affected products are more serious than the vulnerabilities for Windows. So keep that in mind. Don’t be smug about security. It’ll bite you.

How to view questionable PDFs safely

I said Tuesday that it’s a bad idea to download and view PDF (Adobe Acrobat/Adobe Reader) documents from questionable sources, but I didn’t really elaborate on why, nor did I tell you how to view questionable PDFs safely.

The reason is that pretty much anybody with a little bit of determination and the ability to follow a recipe can plant a trap in a PDF file and use it to gain access to your computer. Adobe Reader is extremely prone to these kinds of attacks, and don’t think you’re safe if you don’t run Windows. There are toolkits that will inject traps that work on Macintoshes and Linux too.

Yes, your antivirus software should catch it. But most antivirus software doesn’t dig deeply enough into PDF files to find it.

Scared yet? You should be. You do have some options.

More on tiny but potentially modern Linux distributions

I found a couple of interesting things on Freshmeat today.

First, there’s a Linux-bootfloppy-from-scratch hint, in the spirit of Linux From Scratch, but using uClibc and Busybox in place of the full-sized standard GNU userspace. This is great for low-memory, low-horsepower machines like 386s and 486s.

I would think it would provide a basis for building small Linux distributions using other tools as well.

What other tools? Well, there’s skarnet.org, which provides bunches of small tools. The memory usage on skarnet’s web server, not counting the kernel, is 2.8 megs.

Skarnet’s work builds on that of Fefe, who provides dietlibc (yet another tiny libc) and a large number of small userspace tools. (These tools provide most of the basis for DietLinux, which I haven’t been able to figure out how to install, sadly. Some weekend I’ll sign up for the mailing list and give it another go.)

And then there’s always asmutils, which is a set of tools written in pure x86 assembly language and doesn’t use a libc at all, and the e3 text editor, a 12K beauty that can use the keybindings for almost every popular editor, including two editors that incite people into religious wars.

These toolkits largely duplicate one another but not completely, so they could be complementary.

If you want to get really sick, you can try matching this kind of stuff up with Linux-Lite v1.00, which is a set of patches to the Linux 1.09 kernel dating back to 1998 or so to make it recognize things like ELF binaries. And there was another update in 2002 that lists fixes for the GCC 2.72 compiler in its changelog. I don’t know how these two projects were related, if at all, besides their common ancestry.

Or you could try using a 1.2 kernel. Of course compiling those kernels with a modern compiler could also be an issue. I’m intrigued by the possibility of a kernel that could itself use less than a meg, but I don’t know if I want to experiment that much.

And I’m trying to figure out my fascination with this stuff. Maybe it’s because I don’t like to see old equipment go to waste.