Ernest Mueller |
Over the last several months, there have been a number of bad Adobe Acrobat JavaScript bugs, resulting in a number of patches and the recommendation to keep JavaScript turned off in Acrobat. At work, like many companies, we've actually enforced that via policy now.
For some reason, whenever I open Paizo PDFs, it tells me they use JavaScript and would I like to turn it on now? I say "no," but I am wondering what the JS is being used for. Something useful? Something like "tracking when the PDF is used," which would be of grave concern to the privacy of users? Or maybe the message is spurious?
Mark Moreland Director of Brand Strategy |
Dragnmoon |
Over the last several months, there have been a number of bad Adobe Acrobat JavaScript bugs, resulting in a number of patches and the recommendation to keep JavaScript turned off in Acrobat. At work, like many companies, we've actually enforced that via policy now.
For some reason, whenever I open Paizo PDFs, it tells me they use JavaScript and would I like to turn it on now? I say "no," but I am wondering what the JS is being used for. Something useful? Something like "tracking when the PDF is used," which would be of grave concern to the privacy of users? Or maybe the message is spurious?
Though there have been issues with JavaScript exploits in PDFs over the last year, you only need to worry about that from PDFs from unknown sources. The Trojan needs to be in the PDF itself. You do not need to worry about it from the PDFs of trusted sources like Paizo.
Keeping Adobe Acrobat Reader up to date is the best way to combat that problem; as far as I know, the current patches fix the *Known* JavaScript exploit in PDFs.
That said, it is a good policy of your job to keep JavaScript turned off in PDFs.
Gary Teter Senior Software Developer |
Snorter |
What I'd like to know, is why some of the chapters in the multi-file format are in non-Acrobat form?
The first AP, all files were Acrobat, and I could set to view as Thumbnails, to see a miniature picture of the first page.
Some of the Second Darkness and Legacy of Fire, have a mix of Acrobat and 'other' files, simply listed as file type 'File'. They can be opened in Acrobat, but it adds an extra step, as I am asked which program I want to use, every time, and cannot set the preference to do this every time. It also looks less appealing to have a random mixture of mundane icons and proper thumbnails.
PF 23 I could not open the file for the 'City of Brass' chapter (page 54-59), which was a 'pd' file (not 'pdf').
PF 10, 11 and 12 I couldn't extract the multi-files from the download at all, as it requested a password, which I have not got. My Paizo login password is not it.
The single-file versions are fine, it's just the multi-files that seem to have these glitches.
Vic Wertz Chief Technical Officer |
There's no executable JavaScript code in Paizo PDFs. I believe some of the fancier 0one maps might use JavaScript for interactive features, but the interactivity on Paizo PDFs is limited to bookmarks. You can leave JavaScript turned off with no worries.
I know the PDFs from Triple Ace Games use JavaScript as well. But very few others do.
Vic Wertz Chief Technical Officer |
What I'd like to know, is why some of the chapters in the multi-file format are in non-Acrobat form?
The first AP, all files were Acrobat, and I could set to view as Thumbnails, to see a miniature picture of the first page.
Some of the Second Darkness and Legacy of Fire, have a mix of Acrobat and 'other' files, simply listed as file type 'File'. They can be opened in Acrobat, but it adds an extra step, as I am asked which program I want to use, every time, and cannot set the preference to do this every time. It also looks less appealing to have a random mixture of mundane icons and proper thumbnails.
PF 23 I could not open the file for the 'City of Brass' chapter (page 54-59), which was a 'pd' file (not 'pdf').
PF 10, 11 and 12 I couldn't extract the multi-files from the download at all, as it requested a password, which I have not got. My Paizo login password is not it.
The single-file versions are fine, it's just the multi-files that seem to have these glitches.
I think you have three different problems there—missing filetype, truncated filename, and improper file extraction—yet the answer to all three is "try a different unzipping utility." The default Windows unzipper behaves in nonstandard ways when it comes to dealing with folders.
Snorter |
I think you have three different problems there—missing filetype, truncated filename, and improper file extraction—yet the answer to all three is "try a different unzipping utility." The default Windows unzipper behaves in nonstandard ways when it comes to dealing with folders.
Thanks for the prompt reply.
You'll have to forgive me as being a total techno-n0ob, but can anyone link me to where I could get such a program?
Dazylar |
You'll have to forgive me as being a total techno-n0ob, but can anyone link me to where I could get such a program?
For free, or paid for?
Winzip is very popular, but costs money (although you can get a trial version that lasts 45 days, or there are some "subscribe to lovefilm or something and get it free" offers).
Winrar is what I use, and I have an evaluation 'nagware' version which isn't too annoying.
For free there's 7-Zip or lots of others of varying quality and pedigree.
[this suggestion redacted]
Or use the version on your work PC (you do have winzip on your work pc right? And can get files to it without a problem yeah?) Be mindful of the AUP for personal stuff first though!
Up to you!
Why you don't ask me this stuff when you see me I'll never know...
Kvantum |
Just use 7-zip. Unless you're a real tech geek who seriously cares about how his/her file compression tool does what it does, and how it best works with various file types for Linux, there's just no real point in messing with the other programs. Yeah, it could deal with .rar files better, but... you know. FREE.
Snorter |
For free there's 7-Zip or lots of others of varying quality and pedigree.
Thanks for the link; I'll look into it tonight, after my chores.
And assuming I can get on the PC, between Sophie on CeeBeebies, and Sarah sending hentai to Chris, Flash and Montalve.
[redacted suggestion]
And severe disapproval from the publishers of said product, no?
Why you don't ask me this stuff when you see me I'll never know...
Because we have enough interruptions as it is, what with dissecting Lee and John's previous night's Warhammer, and fielding various broken items and feats. I tend to forget to ask.
Vic Wertz Chief Technical Officer |
Vic Wertz Chief Technical Officer |
Going back to the topic of malicious JavaScript code embedded within PDFs...
If you have a current/up-to-date AV, would not said AV detect any embedded trojans/virus/worms?
You'd have to make sure that:
A) Your antivirus looks at JavaScript in PDFs
and
B) You've actually scanned the file before opening it.
Digitalelf |
You'd have to make sure that:
A) Your antivirus looks at JavaScript in PDFs
and
B) You've actually scanned the file before opening it.
Thanks for the reply...
So how can you tell if your AV is scanning PDFs for JavaScript?
And last question on this topic I promise... 0:-)
If one has failed to scan a PDF or two before opening, but has JS turned off, and all the Adobe security features checked/turned on (within Acrobat itself), would that computer be "relatively" safe even if a "bad" PDF got through?
-That One Digitalelf Fellow-
Vic Wertz Chief Technical Officer |
So how can you tell if your AV is scanning PDFs for JavaScript?
You'd have to check with the antivirus publisher.
If one has failed to scan a PDF or two before opening, but has JS turned off, and all the Adobe security features checked/turned on (within Acrobat itself), would that computer be "relatively" safe even if a "bad" PDF got through?
I'm not aware of all of the PDF exploits out there, or how they interact with Adobe's security settings. I know that there are non-JavaScript viruses that use PDF documents, though. I'm sure that every so often, somebody figures out how to sneak something past Adobe's security settings, but as long as you've kept your applications updated, it's pretty unlikely (but not impossible) that you've been hit.
I'd like to clarify, though, that we do scan our files here, and I have no reason to believe that any of our PDF files, with JavaScript or without, have any issues.
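Added example, not part of the original thread: the question of whether a given PDF actually declares JavaScript can be checked directly, without opening the file in a reader, by counting the dictionary names that mark scripts and automatic actions. The sketch below is a triage check on constructed sample bytes; the function names and the samples are assumptions for illustration, and a non-zero count is an indicator to investigate, not proof of malice.

```python
import re
import sys

# Name keys worth flagging: script actions, automatic triggers, and
# compressed object streams (which can hide the other names from a raw scan).
KEYS = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "ObjStm")

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, which PDF permits inside names (/J#61vaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def count_keys(data: bytes) -> dict:
    """Count occurrences of each flagged name in the raw file bytes."""
    counts = dict.fromkeys(KEYS, 0)
    for m in re.finditer(rb"/((?:#[0-9A-Fa-f]{2}|[A-Za-z0-9_.\-])+)", data):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
    return counts

def verdict(data: bytes) -> str:
    c = count_keys(data)
    if c["JavaScript"] or c["JS"]:
        return "declares JavaScript"
    if c["ObjStm"]:
        # Names inside compressed object streams are not visible here.
        return "inconclusive: compressed object streams"
    return "no JavaScript declared"

# Constructed samples: one with an escaped /JavaScript action run on open,
# one whose only interactivity is bookmarks (/Outlines).
SAMPLE_WITH_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\n"
                  b"endobj\n2 0 obj\n<< /S /J#61vaScript /JS (app.alert\\(1\\)) >>\n"
                  b"endobj\n%%EOF\n")
SAMPLE_PLAIN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Outlines 2 0 R >>\n"
                b"endobj\n%%EOF\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", verdict(fh.read()))
```

An "inconclusive" result means the file should be decompressed with a PDF toolkit before the counts can be trusted.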
Dazylar |
Just a reminder that one of the board rules is "Do not advocate illegal activities or discuss them with intent to commit them." As such, I've redacted some discussion above.
It was not my intention to advocate any such thing, nor discuss how to commit such a thing. I do not believe I did so. The "...that way lies madness" comment was a discouragement.
The intent of a discussion is a very subjective thing. I do not appreciate the implied allegation.
Vic Wertz Chief Technical Officer |
Vic Wertz wrote:
Just a reminder that one of the board rules is "Do not advocate illegal activities or discuss them with intent to commit them." As such, I've redacted some discussion above.
It was not my intention to advocate any such thing, nor discuss how to commit such a thing. I do not believe I did so. The "...that way lies madness" comment was a discouragement.
The intent of a discussion is a very subjective thing. I do not appreciate the implied allegation.
I do recognize that it was borderline. While indeed "that way lies madness" was a discouragement, the "you could..." wasn't as clear, and I wanted to keep the discussion from heading more clearly in that direction.
Digitalelf |
The Finnish security company F-Secure has covered pdf vulnerabilities in their blog, see this post or that, and here.
After reading those blogs, I checked out "Foxit", and while it has some of the same exploitable issues as Adobe Reader, it is SOOOOOOOOO much faster at opening and displaying PDFs...
-That One Digitalelf Fellow-
Paul Ryan |
After reading those blogs, I checked out "Foxit", and while it has some of the same exploitable issues as Adobe Reader, it is SOOOOOOOOO much faster at opening and displaying PDFs...
The only problem with Foxit is that it, WinXP, and the Paizo PDFs don't seem to play nice together. There are graphical display issues which mess up the formatting and make it harder to read. Oddly it works just fine in Vista, so that's where I read the Pathfinder stuff. The difference in how fast Foxit runs and handles files makes it worth the hassle.
It also doesn't let you extract the graphics the way Adobe Reader does, but that's not an issue for me since I don't have the time to do it anyway.
Nyarlathotep |
Digitalelf wrote:
After reading those blogs, I checked out "Foxit", and while it has some of the same exploitable issues as Adobe Reader, it is SOOOOOOOOO much faster at opening and displaying PDFs...
The only problem with Foxit is that it, WinXP, and the Paizo PDFs don't seem to play nice together. There are graphical display issues which mess up the formatting and make it harder to read. Oddly it works just fine in Vista, so that's where I read the Pathfinder stuff. The difference in how fast Foxit runs and handles files makes it worth the hassle.
It also doesn't let you extract the graphics the way Adobe Reader does, but that's not an issue for me since I don't have the time to do it anyway.
Most of the Foxit problems have been resolved as of the latest version (especially the weird graphic not being behind the text issue as well as the upside-down text magnified issue).
Paul Ryan |
Most of the Foxit problems have been resolved as of the latest version (especially the weird graphic not being behind the text issue as well as the upside-down text magnified issue).
Cool news thanks. I haven't checked the updates for a bit.
Dazylar |
I do recognize that it was borderline. While indeed "that way lies madness" was a discouragement, the "you could..." wasn't as clear, and I wanted to keep the discussion from heading more clearly in that direction.
Thank you for replying. I know that you don't know what my next response was going to be (to Snorter) but the discussion would have focused entirely on how mad/idiotic/stupid such action was.
Anyway... water under the bridge. You've explained your actions, I've defended my comments. Nuff said.