03-08-2016, 05:52 PM | #1 |
Addict
Posts: 357
Karma: 5514511
Join Date: Nov 2012
Location: US
Device: Kindle 4 NT, Nexus 7, iPod Touch 4, HP TouchPad
|
ADE Security Update & Security of Old Versions
Today Adobe published a security bulletin and updates for ADE (Adobe Digital Editions). This issue affects "Adobe Digital Editions 4.5.0 and earlier versions" on Windows, Macintosh, iOS and Android. Adobe is categorizing this as a Critical vulnerability ("A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware."), but with a low priority since, unlike Flash and Reader, ADE is not commonly targeted by malware.
It appears that details on the vulnerability are being withheld until people have a chance to install the updated version of ADE (4.5.1). The CVE database still says this CVE number is "reserved." So, I'm not quite sure if "earlier versions" includes all older versions or just older versions of ADE 4.x.

This brings me to my question. IIRC, many of you have been holding off on upgrading beyond ADE 2.01 because of DRM issues with ADE 3 and newer. If that's correct, what are you doing to protect yourselves from security problems with the older versions?

Adobe doesn't list very many ADE vulnerabilities (Security Bulletins and Advisories - Adobe Digital Editions), but this bulletin shows a vulnerability in ADE 2.01 on Windows and Mac which is fixed in ADE 3. The oldest bulletin listed is for ADE 2.0.0 which is fixed by 2.0.1, so I'm not sure about any problems with 1.7.x.

The only thing I can think of to be safe with older versions is to change the settings in my browsers and operating systems so that ADE doesn't automatically open ACSM, PDF, and epub files. Any other ideas? |
03-08-2016, 05:55 PM | #2 |
Resident Curmudgeon
Posts: 74,015
Karma: 129333114
Join Date: Nov 2006
Location: Roslindale, Massachusetts
Device: Kobo Libra 2, Kobo Aura H2O, PRS-650, PRS-T1, nook STR, PW3
|
You are worrying about nothing. I've been using ADE 2.0.1 for a long time and I've never had an issue. I only download ACSM from bookstores and Overdrive. So just stick with 2.0.1 and you'll be fine. Do not go with any version later than 2.0.1 or you could possibly be screwed by the DRM.
|
03-09-2016, 12:08 AM | #3 | |
Wizard
Posts: 3,821
Karma: 19162882
Join Date: Nov 2012
Location: Te Riu-a-Māui
Device: Kobo Glo
|
Quote:
I wouldn't rely on retailers/distributors checking whether the books they sell contain malicious code, so that means I would also need to trust the original publisher/creator of the book. |
|
03-09-2016, 12:29 PM | #4 |
Grand Sorcerer
Posts: 5,698
Karma: 16542228
Join Date: Feb 2010
Location: Pennsylvania
Device: Huawei MediaPad M5, LG V30, Boyue T80S, Nexus 7 LTE, K3 3G, Fire HD8
|
I'm sticking with 2.0.1 because I don't want to worry about the new drm. I don't trust Adobe at all - how do I know there really is a risk? They could be trying to scare people into downloading the new version. Does this bug exist in 2.0.1 or was it introduced in later versions?
|
03-09-2016, 12:33 PM | #5 |
Grand Sorcerer
Posts: 27,552
Karma: 193191846
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
|
I will staunchly refuse to worry about any ADE vulnerabilities. Much easier that way.
|
03-09-2016, 01:42 PM | #6 |
Bookaholic
Posts: 14,391
Karma: 54969924
Join Date: Oct 2007
Location: Minnesota
Device: iPad Mini 4, AuraHD, iPhone XR +
|
|
03-09-2016, 01:52 PM | #7 |
Ex-Helpdesk Junkie
Posts: 19,422
Karma: 85397180
Join Date: Nov 2012
Location: The Beaten Path, USA, Roundworld, This Side of Infinity
Device: Kindle Touch fw5.3.7 (Wifi only)
|
|
03-09-2016, 03:18 PM | #8 |
Is that a sandwich?
Posts: 8,189
Karma: 100500000
Join Date: Jun 2010
Device: Nook Glowlight Plus
|
Off topic.
I just received notice my credit card was compromised again! This is the 5th time in less than a year. So, I've long realized that nothing is secure and we are all vulnerable. |
03-09-2016, 05:53 PM | #9 |
Wizard
Posts: 3,144
Karma: 8426142
Join Date: Jun 2008
Location: Chicago, IL
Device: Kindle PW2, Kindle Voyage, Kindle DXG, Boox M90, Kobo Aura HD
|
I've had this happen three or four times in the last several years. I now have all of my bank apps set to message me whenever any charge hits any of my cards. I get the ding on my Apple watch and iPhone almost immediately when I make a purchase. I did the same with my dad's Mastercard, and it got hit a couple of months ago. I was able to call the issuing bank and cancel the card immediately after receiving notification of a purchase I know he would not have made.
|
03-09-2016, 09:40 PM | #10 |
creator of calibre
Posts: 43,860
Karma: 22666666
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
|
The standard way to run known insecure software is to run it inside a virtual machine created specifically for it. Make a snapshot of the machine state before the first time you run the software. Then after you finish using the software restore the VM snapshot.
While that is not 100% secure (it's possible for virtual machines to have security bugs allowing code to escape the virtual machine) it does make it much harder for malicious code to cause any damage. |
|
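The snapshot-and-restore routine described in post #10, as an added example that is not part of the thread. It assumes VirtualBox and its `VBoxManage` CLI (the post names no hypervisor); the VM name `ade-sandbox` and snapshot name `clean` are hypothetical placeholders. It does nothing to the VM unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes VirtualBox's VBoxManage CLI;
# the VM and snapshot names are hypothetical placeholders.
VM=${VM:-ade-sandbox}
SNAP=${SNAP:-clean}

# Print the VMState value from `VBoxManage showvminfo --machinereadable` text on stdin.
vm_state() { sed -n 's/^VMState="\(.*\)"$/\1/p'; }

# Succeed if snapshot $1 is listed in `VBoxManage snapshot list --machinereadable` text on stdin.
has_snapshot() { grep -q "^SnapshotName[^=]*=\"$1\"\$"; }

# Decide the next step. $1 = VM state, $2 = yes|no (clean snapshot present).
next_step() {
    if [ "$2" != yes ]; then
        echo take-snapshot      # must happen before the software is ever run
    elif [ "$1" = running ] || [ "$1" = paused ]; then
        echo power-off          # a snapshot can only be restored to a stopped VM
    else
        echo restore            # discard everything the last session changed
    fi
}

# Execute one step against the real VM.
apply_step() {
    case $1 in
        take-snapshot) VBoxManage snapshot "$VM" take "$SNAP" ;;
        power-off)     VBoxManage controlvm "$VM" poweroff ;;
        restore)       VBoxManage snapshot "$VM" restore "$SNAP" ;;
    esac
}

if [ "${APPLY:-0}" = 1 ]; then
    state=$(VBoxManage showvminfo "$VM" --machinereadable | vm_state)
    if VBoxManage snapshot "$VM" list --machinereadable 2>/dev/null | has_snapshot "$SNAP"
    then present=yes; else present=no; fi
    step=$(next_step "$state" "$present")
    echo "step: $step"
    apply_step "$step"
else
    # Dry run on a constructed sample line, not output captured from a real host.
    sample='VMState="running"'
    echo "dry run: $(next_step "$(echo "$sample" | vm_state)" yes)"
fi
```

Run it with `APPLY=1` after each reading session; if it reports `power-off`, run it once more to perform the restore.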