said by planet:quote:
1) Scripting disabled. (Javascript, not Java).
Wow, so in this case scripting is disabled. I thought javascript would be needed.
Ooops - a booboo - that should be reversed, of course! Thanks for noticing that!
Javascript is required, and with it disabled,
none of those exploits at Foxnews work.
Sorry for the confusion. I changed that in my post.
said by planet: So, if the PDF loads in the browser window, then a software FW configured properly should request permission for Adobe to access the net, is this correct?
That is correct.
said by planet: And, what if you are using the latest Adobe Reader, 9.1, is this exploit still possible?
No, nor are any of the exploits against IE possible if patched.
The problem, of course, is that many exploits go unpatched for a while after they are released in the wild. The recent PDF exploit, if you remember: it was several weeks before a patch was released.
Patching, updating, are certainly preventative measures. Someone mentioned using a Hosts file. The important thing is that everyone understand what they are protecting against and ensure that their security setup provides appropriate preventative measures.
This is not always easy because often advisories about a new exploit don't give a lot of information, so you have to do some research.
said by Sentinel: I have Firefox with NoScript and I also don't have Adobe PDF Reader installed on my PC at all. I also have KPF but it does not register anything trying to get in or out.
This exploit works only against the PDF reader, so even if the PDF file loaded in the browser, nothing would happen without the Adobe Reader being installed.
You may remember the most recent PDF exploit used some type of image rendering engine in the Adobe Reader. Foxit also uses something similar and there was concern amongst Foxit readers that they might be vulnerable. Foxit support assured users on their forum that Foxit uses a different engine and was not susceptible to the current exploit.
----
rich