this is a big problem, but the reality is, it's more of a symptom than the core issue.
with regards to why Adobe is the new Microsoft for product vulnerability, it really boils down to decisions made with regards to department management. around 2005, adobe started to outsource its management to india, like, *hardcore*. adobe had outsourced a lot of code dev to india, and it was decided that they wanted to continue the trend with regards to cutting cost overhead in the project management/department management vectors. not long thereafter, these indian department heads started to prune their departments of coders from san francisco, san jose, and portland who had been with adobe for ages or had been acquired through the macromedia merger. these coders were replaced with rent-a-coders from, you guessed it, india.
on top of all this, adobe didn't really have a security department as of 2005. they had simply chopped up various components of ITSec (network, application, platform) and made various departments responsible for maintaining the most appropriate facets. e.g. the network team ran the firewall, the systems admins looked for platform issues, and so on.
predictably, this did not work out. they had their hands full with other shit, and security was absolutely ridiculous because of it. they had managed to deploy and maintain a *highly* architected SOX-compliant environment which helped sandbox any incidents really well, but their rep took a fucking mauling. exploitable cgis on their websites, XSS attacks on their forums, etc.
anyway, around 2007, they finally formed an actual security department; however, they were tasked almost completely with responding to security notifications. in essence, they were a PR wing. they responded to emails and opened tickets with developers.
so why so many problems still?
because adobe can't afford to audit its code, in so many words. adobe's stock dropped by something like 50% between 2004 and 2006, it performed a hugely expensive acquisition of macromedia, ostensibly to acquire its mobile flash platform, and then proceeded to either mis-market it or grossly overestimate the need for it in the first place. so basically no one can afford to pay someone competent to audit literally hundreds of thousands of lines of code *for each product*.
and even if they could, the indian managers would surely outsource the job to the same fucking indian developers who probably introduced the bugs in the first place.
so basically that's why adobe chugs an ugly dick these days, security wise.
*jazzhands*