Adobe Acrobat JavaScript Execution Bug
QASec.com writes to mention that Stefano Di Paola and Giorgio Fedon discovered an unpatched vulnerability in Adobe Acrobat Reader that can allow an attacker to execute arbitrary JavaScript on any hosted PDF file. People are reporting different results based on browser and Acrobat versions. Most of the major sites discussed have already fixed the problem, but many smaller sites may still need to be patched.
Common (Score:2, Informative)
http://it.slashdot.org/article.pl?sid=07/01/01/13
The whole architecture is fatally flawed (Score:5, Insightful)
Yes, I know that those are strong words. But there has never been a secure implementation of anything where security was an afterthought, and bolted on later. Javascript is no exception.
Javascript has well shown that its approach can be very useful. But honestly, right now it seems almost as problematic as Microsoft Windows, when it comes to security issues. Frankly, the Open Source community really ought to be doing better here.
This is (IMHO) the biggest problem with the current implementation of all the Web 2.0/AJAX approaches. And until it's PROPERLY addressed, we're going to see a continual repeat of security issues, just like we see with MS Windows. It's not new; people have been saying this for years. And we still keep seeing these problems.
Pardon the rant, but I really do get tired of seeing this stuff when it should never have happened to begin with.
Re:The whole architecture is fatally flawed (Score:4, Interesting)
Re: (Score:3, Informative)
However, to get full-page interaction of controls that you would get using Javascript, your applet would have to present the entire page itself, rather than being embedded in a page. In that respect, havin
Re: (Score:2)
Re: (Score:2)
Java *applets* are run in a sandbox, which limits what they can do and makes them more secure than a normal Java application.
Although what you are saying here is true, one must weigh the security history of applets in 2006 alone - take a look at my post below, I attached applet vulnerabilities that were posted days ago. Plus take a look at research from Marc Schoenefeld (awesome Java researcher) and Tom Hawtin (scary smart Java cynic) http://jroller.com/page/tackline [jroller.com] - Java is NOT ready for enterprise prime-time, way, way too many ways to escape the sandbox - and not just once or twice, but monthly applet vulnerabilities for t
Re:The whole architecture is fatally flawed (Score:4, Interesting)
Take this from the LAST sunsolve weekly report:
Newly Released Sun Alert Notifications
Sun Alert ID: 102729 (RESOLVED)
Synopsis: Security Vulnerabilities in the Java Runtime
Environment may Allow Untrusted Applets to Elevate
Privileges and Execute Arbitrary Code
Product: Java 2 Platform, Standard Edition
Category: Security
Date Released: 19-Dec-2006
Date Closed: 19-Dec-2006
To view this Sun Alert document please go to the following URL:
http://sunsolve.sun.com/search/document.do?assetk
Sun Alert ID: 102731 (RESOLVED)
Synopsis: Security Vulnerabilities Related to Serialization
in the Java Runtime Environment may Allow Untrusted
Applets to Elevate Privileges
Product: Java 2 Platform, Standard Edition
Category: Security
Date Released: 19-Dec-2006
Date Closed: 19-Dec-2006
To view this Sun Alert document please go to the following URL:
http://sunsolve.sun.com/search/document.do?assetk
Sun Alert ID: 102732 (RESOLVED)
Synopsis: Security Vulnerabilities in the Java Runtime
Environment may Allow an Untrusted Applet to Access
Data in Other Applets
Product: Java 2 Platform, Standard Edition
Category: Security
Date Released: 19-Dec-2006
Date Closed: 19-Dec-2006
To view this Sun Alert document please go to the following URL:
http://sunsolve.sun.com/search/document.do?assetk
Re: (Score:2)
Re: (Score:2)
Heck, they called setSecurityManager(null) a BUG for NOT WORK
Java got it wrong, too (Score:2)
Not really; over the last decade, people have found numerous security holes, not only in Sun's implementation, but also in the underlying Java design.
Maybe if the start-up problems in the VM are addressed, client-side Java will return
I think J2SE is far too bloated for that. But J2ME/MIDP might make a good basis for reviving applets.
that is really neat (Score:1)
how do they find these things?
Foxit? (Score:3, Interesting)
Re: (Score:1)
Acrobat under Linux (Score:1)
Re: (Score:2)
Now we just need a Flash replacement (Score:2)
I installed my extra copy of Windows XP 32 in VMWare so that I could run Flash for GooTube videos. I won't run Adobe programs outside a sandbox.
Melissa
Re: (Score:2)
We have a Flash replacement (Score:2)
Quick assessment (Score:5, Informative)
The bad: It can make your webserver appear to be hosting arbitrary content if you are hosting any PDF files and the user is using Acrobat reader.
The solution: Delete every PDF file hosted by your webserver OR configure your httpd to throw nasty errors for any requests that contain a string after the
Something like this? (Score:5, Informative)
Re: (Score:2)
Can anyone see any holes in this logic? A practical use for anything after the
Re:Something like this? (Score:5, Informative)
Someone on sla.ckers.org [ckers.org] had a good suggestion: redirecting to a random, one-time address (that translates to the right PDF file on the server-side) if the client requests the PDF file directly. The valid addresses would have to be hard to guess, though.
Incorrect httpd Solution (Score:2, Informative)
http://[URL]/[FILENAME].pdf#something=javascript:
Strings after # are not sent to the webserver. That is all client-side.
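The two points made in the comments above (the part after # never reaches the server, and direct PDF requests can be redirected to a random one-time address) as an added example that is not part of the original thread. The `/once/` prefix, the 30-second lifetime, the in-memory store and the sample path are assumptions; serving the file as a download and putting a fragment on the Location header are additions to the suggestion.

```python
import secrets
import time
from urllib.parse import urlsplit

TOKEN_TTL = 30   # seconds a one-time address stays valid (assumed value)
PDF_ROOT = {"/docs/report.pdf": b"%PDF-1.4 constructed sample"}  # constructed
_tokens = {}     # token -> (pdf path, expiry time)

def request_target(url):
    """What the server receives: path and query only, never the #fragment."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def handle(target, now=None):
    """Return (status, headers, body) for one request-target."""
    now = time.time() if now is None else now
    path = urlsplit(target).path
    if path in PDF_ROOT:
        # Direct request: never serve the PDF here, hand out a one-time address.
        token = secrets.token_urlsafe(32)          # 256 random bits
        _tokens[token] = (path, now + TOKEN_TTL)
        # The Location carries its own fragment so the client does not carry
        # the original one over to the redirect target (RFC 7231, 7.1.2).
        return 302, {"Location": "/once/" + token + "#_"}, b""
    if path.startswith("/once/"):
        # pop() makes the address single use, valid or not.
        entry = _tokens.pop(path[len("/once/"):], None)
        if entry and entry[1] >= now:
            headers = {"Content-Type": "application/octet-stream",
                       "Content-Disposition": "attachment",
                       "Cache-Control": "no-store"}
            return 200, headers, PDF_ROOT[entry[0]]
    return 404, {}, b""

if __name__ == "__main__":
    url = "http://example.test/docs/report.pdf#something=javascript:"
    print("server sees:", request_target(url))
    status, headers, _ = handle(request_target(url))
    print(status, headers["Location"])
    print(handle(request_target(headers["Location"]))[0])   # first use
    print(handle(request_target(headers["Location"]))[0])   # replay
```
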
Re: (Score:2)
Worse, much worse. It allows anyone to execute javascript code as if it was on your server. Another name for that is Cross Site Scripting. This can result in cookie stealing and many other nasty things.
More dangerous than it looks at first glance (Score:2)
Re: (Score:2)
OS X (Score:2)
Re: (Score:2)
I don't think this would affect Preview on OS X or xpdf since neither of them handle all the javascript that Acrobat Reader 6 and above can handle. I haven't used Preview much, so I could be wrong, but since I tend to use pdfs for slides for talks, and I embed movies using javasc
Let's be clear: bug is in Reader (Score:5, Informative)
Sites are "fixing" this by implementing work-arounds on the server to refuse serving the file if the script is tacked onto the URL. But these are kluges, stop-gap measures to reduce the damage until a proper patch can be made. The sites are not vulnerable; the reader is.
Re: (Score:1)
Firefox 2.0.0.1 win32
Firefox 1.5.0.8 win32
Opera 8.5.4 build 770 win32
Opera 9.10.8679 win32
But doesn't work here on IE6 or IE7. My Firefox was updated this a.m. to 1.5.0.9 and it was not affected. The Reader remains the same. BTW, I wonder how much credit the IE7 team gets for not being affected by this?
Make that the Reader Plugin (Score:5, Informative)
Also, as others have pointed out, Adobe Reader 8 appears to not be affected.
Re: (Score:2, Interesting)
Re: (Score:2)
Re: (Score:2)
On our website we have a directory with
1. of the form
2. of the form
Re: (Score:2)
Re: (Score:2)
Re: (Score:1, Informative)
Probably Acrobat 8 is safe? (Score:5, Informative)
Re:Probably Acrobat 8 is safe? (Score:5, Insightful)
Adobe could surely learn how to make a more user friendly "update is available" screen, kinda like Firefox does.
Re: (Score:2)
Re: (Score:1)
I don't know what the reader is on ubuntu, whatever comes up seems to do the trick
Re: (Score:2)
I probably am still missing a
Re: (Score:2)
Same result with Adobe Acrobat Reader 8 with Opera 9.10.
Re: (Score:2)
Which Versions? (Score:1, Interesting)
Work around? (Score:5, Funny)
chmod -x `which acrobat`
rpm --erase acrobat
rpm --install xpdf
there, couldn't be simpler. If you find these commands don't work on your system, you either need to use the "apt" command instead of "rpm" or upgrade your operating system. If you are running OpenBSD and you've managed to install and run acrobat then you don't need my instructions.
The problem with that (Score:2)
Or you can find the 5.0 version somewhere, from happier days. Somebody at Adobe really has their head up their ass.
Re: (Score:2)
Actually is Adobe's reader any better on Linux, or is the crappiness specific to the Windows version?
Re: (Score:2)
I haven't seen the Netopsystems FEAD Optimizer on Linux...
But acroread is still pretty slow and bloated compared to xpdf. It has a few more features (like filling in PDF forms), but I need those features so rarely that I could really just install acroread when I need it, and uninstall it when I'm done.
Using acroread to view PDFs on Linux is a mistake, generally speaking.
Nothing happens under Vista with Acrobat 8... (Score:1)
Re: (Score:2)
[/shocked]
Wait, wait, wait (Score:2)
I question the timing [slashdot.org]. What are they trying to prove, by doing this? They must be trying to profit from it [slashdot.org].
Oh, wait, this is about Adobe and not Apple. Never mind.
Re: (Score:2)
Re: (Score:2)
Most people in a position to implement that idea probably know this already, but for those who aren't, the typical MIME-type for generic downloads is "application/octet-stream".
What the hell? (Score:1, Funny)
Re: (Score:2)
Dude... You have to LOG OUT and THEN post anonymously.
As for why the points aren't given back to you... It prevents the typical abuse where some idiot moderates a stupid post, then waits a few minutes to let other idiot moderators see it. Moderators typically moderate up posts which have already been modded up. So you wait until everyone else pushes your target post up to '5', then you post a comment which undoes your moderation. So you keep your mod points but you can control which posts get modded up. T
Re: (Score:2)
Another option is to keep a second browser around that's not logged in.
Re: (Score:2)
Re: (Score:1)
So let me get this straight... if anyone in my university halls posts to a Slashdot thread within a certain timespan of me moderating it, my moderation will be silently undone? (There's a *really* nasty NAT setup there..
Re: (Score:2)
sla.ckers.org (Score:1)
I don't like PDF (Score:5, Interesting)
The PDF was formed with parameters linking to a second pdf base document.
From Firefox on Windows with Internet Explorer disabled, the PDF opened inside Acrobat, then proceeded to display the resulting PDF file in Internet Explorer.
I haven't seen IE now for ages and that made me nervous as hell.
Re: (Score:2)
From Firefox on Windows with Internet Explorer disabled, the PDF opened inside Acrobat, then proceeded to display the resulting PDF file in Internet Explorer.
It sounds like your problem is with Acrobat Reader, Windows, and IE. Acrobat shouldn't launch a non-default browser and Windows should allow you to disable or remove IE. For that matter, IE should not be bundled in the first place, so that developers don't rely upon it being there and develop their applications to be browser independent.
PDF itself is
Re: (Score:2)
Re: (Score:2)
If IE is not bundled with the OS, how is the average user supposed to download Firefox?
Using whatever browser the OEM includes: Firefox, IE, Opera, or whatever. The point being since it doesn't come with Windows developers can't assume it will be there and make stupid design decisions based upon that.
Re: (Score:2)
Re: (Score:2)
I agree that the default browser should be used, but until I updated to acroread 8, Acrobat would open links in IE. (Swore like heck whenever it happened to me.) It seems to be fixed now, and stuff opens in Opera, like the computer god (or, well, at least me) intends.
Hope you get the "funny" mods for your second point.
Firefox extension anyone? (Score:2)
Please?
I should find where I had saved the Firefox extension development SDK and learn it.
Firefox extensions are themselves a problem. (Score:2)
The main difference between this and a Firefox Extension is that Firefox makes you wait a few seconds and then click on the "I want to do something really stupid" button. Adobe figures that most people don't care, and presses the "I want to do something really stupid" button FOR you.
My experience as a system administrator is that the only way to get people to quit pushing the "I want to do something really stupid" button, is to make it more inconvenient to jump through
JavaScript error (Score:1)
Also to be called the 3rd Month of Apple Bug? (Score:2)
File Under, "Duh" (Score:5, Insightful)
Every time I install Acrobat Reader, I dive through the preferences panel and fix all the incorrect defaults. One of the things I turn off, and which should be off by default, is JavaScript execution. Whether turning this off will protect against the described vulnerability, I don't know, but it's probably a reasonable first line of defense.
A lot of the factory-default settings in Acrobat Reader are (stupidly) wrong. You should review all of them.
Schwab
Re: (Score:2)
Yes.
JavaScript was an amazingly stupid idea there, too, because it takes what was originally supposed to be a document (i.e. a static presentation of information) and turns it into software, with all the attendant hazards. I keep JavaScript turned off by default.
The macro viruses that plagued Microsoft Word showed exactly what kind of trouble would inevitably follow if you turned documents into software, but tried to pretend they were still "document
More info? (Score:2)
1. What context does the js execute in? Browser or Acrobat? If Acrobat, does it have access to your cookies? (I'd guess not)
2. What versions/browsers are affected? I'm using FF2 with Acrobat 5, and nothing seems to happen, but this could be because I've got an odd setup.
Anyone know?