50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."
Is it really an Adobe vulnerability? Seems more like it's an IE vulnerability that has been blame-shifted to whoever writes the plugins that might expose it for what it is.
From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw. IE, correctly, doesn't assume that a URI is invalid just because it looks odd. This is correct, because there is no way IE can know if an URI for another protocol is valid or invalid. It is the responsibility of the target program to sanitize its input, knowing full well that it comes from an untrusted source.
Well, I wonder why it's not a Vista issue. Is it because you get a UAC prompt before opening the stuff, or something else? (Yeah, I'm being ignorant right now.) The main point is that it's possible to register URI handlers in many ways. If you choose to do it on the command line, you need to be extremely careful. As the GP said, there is no way to tell that the URL is really invalid. What could be done would be to specify an escaping scheme to be used, but that's "only" a design error, not a bug, and anyon
Then whose fault is it that so many applications have had security issues lately due to how IE passes arguments to applications when launched? Is it a shitty API, or are these programmers just incompetent or ignorant of how to correctly do things?
I found Adobe Reader so slow, bloated, and annoying that I switched to Foxit Reader [foxitsoftware.com], which is much smaller and faster. Can anyone say if the vulnerability applies to Foxit as well?
I use GSview [wisc.edu]. Is that vulnerable to this backdoor exploit? I suspect that it is not because I don't believe that this PDF viewer does anything special with URLs.
I did too. But I found a pdf that when printed from foxit to my hp deskjet 1300 crashes XP hard. No blue screen, just a reboot without warning. Change the pdf reader, no crash. Change the printer, no crash. Odd. I'm wondering who I should report it to? HP or foxit?
Foxit has a related vulnerability that requires user interaction to run the arbitrary code. The Adobe version, of course, runs the arbitrary code without the vulnerability. You could say that Foxit doesn't have the same vulnerability but it comes from the same flaw.
As someone kindly pointed out to me in an earlier, related post, "interaction" includes just opening the pdf in Foxit (which I use, and works very well for simple pdf viewing & printing). Don't even have to fill in a form field. So, just as bad as an executable, then. BTW, use CutePDF Writer to make 'em, although many options exist, including Open Office.
If it's also vulnerable on IE7 + Vista, luckily IE7 runs with such limited privileges that the code execution won't be able to do anything other than writing to the internet temp folder. That is, if you haven't turned off UAC.
get your free ringtones/[other garbage appealing to the less technically inclined] here!!!! and if you see a UAC window, just click ok to download!
URI and MIME type handling in both Windows and OSX is profoundly broken. It's second only to ActiveX in the opportunity for exploits... the basic problem is that when apps register handlers for local use (eg, 'help:' or '.chm') they are available to untrusted content by default. The fix is to have separate registries or separate flags that allow applications to explicitly register as handlers for internal use, or for use on untrusted documents.
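The posts above argue that a program registered as a URI handler must treat the URI it receives as untrusted input and sanitize it itself. The following is an added example, not code from any poster or from Adobe: a hypothetical handler for a made-up `myapp:` scheme that rejects anything outside the URI alphabet, accepts only the scheme it registered for, and passes the URI to the target program as a single argv element rather than splicing it into a command line.

```python
"""Added example: input validation for a program registered as a URI
handler.  The 'myapp' scheme and 'viewer.exe' target are hypothetical."""
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"myapp"}   # hypothetical: the only scheme this handler serves
MAX_LEN = 2048

# RFC 3986 unreserved and sub-delims characters plus the delimiters that may
# appear in a URI.  Whitespace, double quotes, backslashes, control characters
# and anything else is outside this alphabet and is rejected, not repaired.
_URI_CHARS = re.compile(r"[A-Za-z0-9\-._~!$&'()*+,;=:/?#\[\]@%]+")


class BadUri(ValueError):
    """Raised when the launching program handed us something we won't act on."""


def validate_uri(raw: str) -> str:
    """Return the URI unchanged if acceptable, else raise BadUri.

    The handler must not assume the browser that launched it checked anything:
    the browser cannot know what is valid for a scheme it does not implement."""
    if not isinstance(raw, str) or not raw or len(raw) > MAX_LEN:
        raise BadUri("empty or oversized argument")
    if not _URI_CHARS.fullmatch(raw):
        raise BadUri("character outside the URI alphabet")
    scheme = urlsplit(raw).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise BadUri(f"unexpected scheme {scheme!r}")
    return raw


def is_acceptable(raw: str) -> bool:
    """Convenience wrapper: True if validate_uri would accept the argument."""
    try:
        validate_uri(raw)
        return True
    except BadUri:
        return False


def handle(raw: str, launch=None) -> list:
    """Validate, then hand the URI to the target as ONE argv element.

    'launch' is a stand-in for e.g. subprocess.run(argv, shell=False);
    never build a shell command line by string concatenation."""
    uri = validate_uri(raw)
    argv = ["viewer.exe", "--uri", uri]   # hypothetical target program
    if launch is not None:
        launch(argv)
    return argv
```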
Something else that IE (as of last time I looked anyway) and possibly other browsers get wrong is that they try to "guess" the content of the file instead of trusting that what the web server says the file is, the file actually is. If the web server says it is text/plain, it should be rendered as plain text even if it may happen to look like HTML. If the web server says it is image/gif, it should be fed to the gif image decoder. RFC 2161 (HTTP 1.1) section 7.2.1 clearly says that it is ok for a client to use the filename or content of a file to identify what file type it is (and therefore what to do with it) if and ONLY IF the server does not provide a Content-Type header. There have actually been security flaws in the past (and may still be even now) caused because different parts of IE have a different idea of what type the file is (in particular whether the file is executable or not)
Then again, considering how many other standards Intercrap Exploder doesn't correctly follow (RFCs and otherwise), it's hardly surprising that IE doesn't get this right.
I do wonder if Gecko gets it right (and treats the Content-Type header as gospel) or if it violates the RFC too.
The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed.
Did Adobe ask the feds to lock up the person who publicly disclosed this flaw? Or do they just save that treatment for the publication of flaws in eBook products that blind people can't use in Russia?
The only one I've heard of (for Windows) is Foxit PDF reader [foxitsoftware.com], which is about 2mb - never tried it myself though. On linux, Evince [gnome.org] works great, and had no issues with everything I've thrown at it.
I always disable javascript and open external links in the PDF reader. Is it enough protection? Or am I still vulnerable? Is it possible to write a NoScript like extension to acroreader?
you mean you didn't set noscript to block other plugins too? or did you mean an update for noscript much like the one that protects against that cross site scripting mess?
NoScript runs inside FireFox. I am thinking of a way a third party could write code and give it to me and that runs inside acroreader and block it from doing things I don't want it to do. In fact I would like some kind of code that will sandbox any application given to it. Something like "sandbox acroreader" should run acroreader and allow it to make all kinds of calls to the registry and disk etc etc. But none of these commands get past the sandbox environment. When I close I can examine all the changes ac
The browser should be secure by itself but when a plug-in is installed by the user (like Adobe Acrobat Reader) that plug-in can execute code and do pretty much what it wants... so I would not blame IE7 for that.
But I'm still happy to never have upgraded to IE7... yet.
Citation needed that preferring efficient software amounts to hating civilization. I measure human progress in how many things a computer can do for its user at once, and for a given configuration of paid-for hardware, less RAM use per program means more progress.
In addition to the other user's comment, you can download and use Foxit for free, legally, from their site. The pay version probably has special support or some other bonus.
Foxit Reader itself is free. As to add-ons, the critical add-ons are free while advanced add-ons are non-free. For example, you can use the following functions for free:
* View or print PDF document
* Basic PDF form operations i.e. filling out PDF forms and printing them out
* Advanced PDF form operations, such as saving filled-out forms and import/export forms, free for personal usage only
* View PDF as text
* Critical add-ons, such as UI language package, JPEG2000/JBIG decoder, CJK package, GDI+ for early Windows version, etc
The following are several examples of non-free, advanced add-ons:
* Foxit Reader Pro Pack is not free. It includes the following functions:
o Annotation
o Text viewer and text converter
o Form filler
o Spell checker
o Advanced editing tools, including loupe tool, measure tools, image tool, file attachment tool, link tools, annotation selection tool, and more
Actually without Pro Pack, you are still able to annotate a PDF document and print it out. However when you save the annotated document, it will be stamped with an evaluation mark on the top-right corner of the annotated pages. If you purchase a Pro Pack add-on, then there will be no evaluation mark.
This is similar to Acrobat itself - the Adobe Reader (formerly Acrobat Reader) is free, but if you want to write or annotate, you need to buy a license. I assume Foxit has to pay Adobe a royalty to create a writer, as, even though Acrobat itself is an open standard, Adobe has a lot of patents on both Acrobat itself and the underlying renderer, which is a subset of PostScript. Note that the Ghostscript program allows conversion (writing) of a file format such as Word into Acrobat by printing to an Acrobat fi
...to hyphen hell! The rules - of style that apply to dashes - and hyphens - have evolved to support ease of reading in complex constructions; editors - often accept deviations - from them that will support, rather than --- hinder, ease of reading.
Can we finally just agree to stop using native code with the full privileges of the user and no sandbox for everyday low-volume information exchange?
Define "low volume" and we'll talk. Specifically, where should the transition between code in, say, the Python virtual machine and native C++ code occur?
While I use it all the time since it is smaller and lighter (Acrobat Reader is free too btw, so that isn't a good selling point), I have noticed that some things do NOT render properly.
Secunia [secunia.com] disagrees with you.
What's disgraceful about this is that it's an exploit that's been known since April at least, and neither Microsoft nor Adobe have patched it.
Has this been confirmed?
To be honest, though, the subject sounds a lot like joke fodder [wikipedia.org]....
My first attempt at using FoxIt wouldn't even open a PDF (open - not print), because apparently they didn't support my default printer.
To Microsoft. If a PDF reader can crash the OS, it's their bug.
Alternatives?
http://en.wikipedia.org/wiki/DjVu [wikipedia.org]
A great open source format (except under Windows, see Lizardtech) for scanned files.
Not for Mac users, tho', see:
http://slashdot.org/article.pl?sid=06/02/20/1449226 [slashdot.org]
For a discussion of this and other pdf 'alternatives'. Still, 'security by obscurity'?
Finally, no
http://en.wikipedia.org/wiki/List_of_PDF_software [wikipedia.org]
People will install anything if it promises naked pictures.
Not a backdoor (Score:5, Informative)
A backdoor is an intentional feature that one puts in so that they can take over your computer.
Perhaps this would also be a good time... (Score:2)
If only Adobe hadn't purchased Macromedia....FlashPaper had such promise...
Please recommend a good non-adobe reader (Score:2)
Just like Openoffice is immune to Word viruses--- is there a recommended non-adobe pdf reader folks would recommend?
I'm getting tired of the "Please upgrade to version 7" warnings anyway.
http://blog.kowalczyk.info/software/sumatrapdf/ [kowalczyk.info]
William
Interesting (Score:2)
The official Adobe advisory [adobe.com] states: "Vista users are not affected".
Now let the downplay begin.
Control me (Score:4, Funny)
I had to snap a shot before Adobe pulls their ad.
Cheaper? Foxit Reader for Windows is listed as $39.00 [foxitsoftware.com].
Adobe Acrobat Reader is free. How is that cheaper? Am I missing something?
Yes, the price is for the "Pro" version, which includes: Annotation, Text viewer and text converter, form filler, etc. etc. etc.
The free version, if you're only reading and printing PDF's, should suffice.
Have they fixed the weblink bug yet?