Adobe Confirms Unpatched PDF Backdoor 170

Posted by CmdrTaco
from the machines-wide-open dept.
50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."
  • Yay! (Score:1, Troll)

    One more reason not to upgrade to IE7. Thanks, Microsoft!
    • One more reason not to upgrade to IE7.
      What if you use Foxit Reader [foxitsoftware.com] instead of Adobe's PDF-handling tools?
  • Is it really an Adobe vulnerability? Seems more like it's an IE vulnerability that has been blame-shifted to whoever writes the plugins that might expose it for what it is.

    • by JoelKatz (46478) on Monday October 08, 2007 @09:58AM (#20898941)
      From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw. IE, correctly, doesn't assume that a URI is invalid just because it looks odd. This is correct, because there is no way IE can know if an URI for another protocol is valid or invalid. It is the responsibility of the target program to sanitize its input, knowing full well that it comes from an untrusted source.
      • From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw.

        Secunia [secunia.com] disagrees with you.

        What's disgraceful about this is that it's an exploit that's been known since April at least, and neither Microsoft nor Adobe have patched it.

        • by cnettel (836611)
          Well, I wonder why it's not a Vista issue. Is it because you get a UAC prompt before opening the stuff, or something else? (Yeah, I'm being ignorant right now.) The main point is that it's possible to register URI handlers in many ways. IF you choose to do it on the command line, you need to be extremely careful. As the GP said, there is no way to tell that the URL is really invalid. What could be done would be to specify an escaping scheme to be used, but that's "only" a design error, not a bug, and anyon
          • Re: (Score:2, Informative)

            by ozmanjusri (601766)
            Well, I wonder why it's not a Vista issue. Is it because you get a UAC prompt before opening the stuff, or something else?

            Other security sites do call it a Vista [securityfocus.com] issue. It looks like Vista is only OK if IE7 is running in protected mode.

            • by cez (539085) *

              He did not say specifically that Microsoft will not be issuing an IE patch. Instead, Diorinos pointed out that Protected Mode in IE7 in Windows Vista provides some additional protection when a user clicks on Application URL Protocol links.
              This means that Vista users running IE get a roadblock that reads:

              "A website wants to open web content using this program on your computer"

              However, Windows customers running IE 7 on Windows XP get no such warning.

              This doesn't mean IE7 on Vista in "protected mo

        • by JoelKatz (46478)
          Secunia most certainly agrees with me that it's not an IE flaw. The page you cited says that the bug affects Firefox. How can an IE vulnerability affect Firefox?

          However, looking at the details referenced from that page, it's not quite so clear who is responsible. It's a judgment call. This could be considered either an OS bug or a browser bug depending.

          I would argue that it's the browser's job to sanity-check the URL before handing it to the OS. However, if the OS is going to process URLs (and everyone know
      • by jZnat (793348) *
        Then whose fault is it that so many applications have had security issues lately due to how IE passes arguments to applications when launched? Is it a shitty API, or are these programmers just incompetent or ignorant of how to correctly do things?
        • by jc42 (318812)
          Is it a shitty API, or are these programmers just incompetent or ignorant of how to correctly do things?

          Well, as one of those programmers, I'd say it's guaranteed that I'm incompetent and ignorant when any of my stuff runs on a proprietary system like Vista. Since the OS's inner workings are intentionally kept secret from me, there's no way that I can (legally) know for certain what any of my code can do if it calls anything from any system library.

          If you want competent, knowledgeable programmers, the only
        • by JoelKatz (46478)
          Neither. Parameter validation is a common source of bugs in many APIs where one program launches another. Regardless of the API specification, every program must sanity check all of its invocation parameters.

          Any program that is intended to be launched from a browser is going to be launched with untrusted parameters. This means that they have to validate them. There's just no way for the browser to know what parameters are valid for Adobe Reader or Macromedia Flash.

          These are programs that were designed to be
    • It is an Adobe vulnerability if, after saving said PDF and opening it, you get infected.

      Has this been confirmed?
  • by techpawn (969834)

    In a pre-patch advisory, Adobe offered a complicated (and unsupported) workaround for its customers
    So they want me to do what with my what? Isn't that like your mechanic telling you to do something but "if they ask, [they] didn't tell you"
  • Is that the same backdoor vulnerability as this one [michaeldaw.org]?

    To be honest, though, the subject sounds a lot like joke fodder [wikipedia.org]....
  • What About Foxit? (Score:5, Interesting)

    by Lagged2Death (31596) on Monday October 08, 2007 @09:43AM (#20898771)
    I found Adobe Reader so slow, bloated, and annoying that I switched to Foxit Reader [foxitsoftware.com], which is much smaller and faster. Can anyone say if the vulnerability applies to Foxit as well?
    • I use GSview [wisc.edu]. Is that vulnerable to this backdoor exploit? I suspect that it is not because I don't believe that this PDF viewer does anything special with URLs.

      • by Threni (635302)
        > I use GSview. Is that vulnerable to this backdoor exploit? I suspect that it is not because I don't believe that this PDF viewer does anything
        > special with URLs.

        It doesn't do anything special with printers either - took me 20 mins to print a 40 page document that just whizzed through using Reader.
    • Is there a pay-per-post thing happening right now? These 'foxit' posts seem suspect...
      • Re: (Score:1, Interesting)

        by Anonymous Coward
        No, people just like foxit and wonder why Adobe would be used.

        I hated and avoided PDFs before Foxit, because of how slow and bloated Adobe's PDF reader was, and how often it crashed my web browser. Foxit doesn't have these issues. It's free (you'll find the url here in several posts, just find one, click the download link along the top if you see the pay version, and it'll take you to the free version).
    • Sumatra is even "lighter-weight" (is that a word?) than Foxit. 1MB - also runs portably

      My first attempt at using FoxIt wouldn't even open a PDF (open - not print), because apparently they didn't support my default printer.
      • For those like me who have never heard of this before, Sumatra [kowalczyk.info] is an open source PDF viewer for Windows. Giving it a little whirl, it seems to render a couple manuals nicely. Links don't get parsed for easy clicking. Quick look at the forums seems to reveal it doesn't support password protected PDFs or searching.

        For a very slim PDF viewer, it appears to be quite nice (and GPL to boot). Thanks to the parent for bringing it up.
    • Re: (Score:3, Interesting)

      by Hatta (162192)
      I did too. But I found a pdf that when printed from foxit to my hp deskjet 1300 crashes XP hard. No blue screen, just a reboot without warning. Change the pdf reader, no crash. Change the printer, no crash. Odd. I'm wondering who I should report it to? HP or foxit?
    • Re:What About Foxit? (Score:5, Informative)

      by darkmeridian (119044) <william@chuang.gmail@com> on Monday October 08, 2007 @10:54AM (#20899693) Homepage
      Foxit has a related vulnerability that requires user interaction to run the arbitrary code. The Adobe version, of course, runs the arbitrary code without the vulnerability. You could say that Foxit doesn't have the same vulnerability but it comes from the same flaw.
    • Re: (Score:2, Informative)

      by JackRazz (707629)
      Acrobat isn't bloated if you remove the plug-ins you don't use from 'C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins.' I just put a ~ in front of each plug-in filename to turn them off. I only use the eBook, EWH32, ImageViewer, Multimedia, PDDom, reflow Search, Search5 and weblink plug-ins. Acrobat loads up plenty fast on my older Athlon64 2Mhz PC.
    • by kklein (900361)

      I, too, have switched to Foxit. I love it! I actually own Acrobat 7 (the writer), but I've found that, for what I need to do with PDF, anyway, PDFcreator (check Sourceforge) and Foxit meet my needs faster and more elegantly.

      Huzzah!

    • by Mike89 (1006497)
      [I posted this last time FoxIt was mentioned but it didn't get seen] This may be slightly OT, but please don't mod it as such. I use FoxIt and I have a problem. Whenever I open the solutions file for a textbook I use for school, the text is barely readable. Yet in Adobe Reader, it's fine.

      See screenshot [bayimg.com]

      Any ideas? I like FoxIt, but I can't use it!
      Note: The zoom is set to the same on both, zooming on FoxIt doesn't help the issue. Also sorry the screenshot is so small, I uploaded a larger one bu
  • Dear Industry: (Score:1, Insightful)

    by Anonymous Coward
    Can we finally just agree to stop using native code with the full privileges of the user and no sandbox for everyday low-volume information exchange? Thanks.
    • Can we finally just agree to stop using native code with the full privileges of the user and no sandbox for everyday low-volume information exchange?
      Define "low volume" and we'll talk. Specifically, where should the transition between code in, say, the Python virtual machine and native C++ code occur?
  • by dioscaido (541037) on Monday October 08, 2007 @09:44AM (#20898795)
    If it's also vulnerable on IE7 + Vista, luckily IE7 runs with such limited privileges that the code execution won't be able to do anything other than writing to the internet temp folder. That is, if you haven't turned off UAC.
    • Re: (Score:3, Funny)

      by wizardforce (1005805)

      If it's also vulnerable on IE7 + Vista, luckily IE7 runs with such limited privileges that the code execution won't be able to do anything other than writing to the internet temp folder. That is, if you haven't turned off UAC.
      get your free ringtones/[other garbage appealing to the less technically inclined] here!!!! and if you see a UAC window, just click ok to download!
      • Re: (Score:3, Insightful)

        by AeroIllini (726211)
        First Rule of Internet Security:

        People will install anything if it promises naked pictures.
  • Not a backdoor (Score:5, Informative)

    by Anonymous Coward on Monday October 08, 2007 @09:44AM (#20898799)
    From the information available, this is just yet another security vulnerability.

    A backdoor is an intentional feature that one puts so that they can take over you computer.
  • URI and MIME type handling in both Windows and OSX is profoundly broken. It's second only to ActiveX in the opportunity for exploits... the basic problem is that when apps register handlers for local use (eg, 'help:' or '.chm') they are available to untrusted content by default. The fix is to have separate registries or separate flags that allow applications to explicitly register as handlers for internal use, or for use on untrusted documents.
    • by jonwil (467024) on Monday October 08, 2007 @10:23AM (#20899265)
      Something else that IE (as of last time I looked anyway) and possibly other browsers get wrong is that they try to "guess" the content of the file instead of trusting that what the web server says the file is, the file actually is. If the web server says it is text/plain, it should be rendered as plain text even if it may happen to look like HTML. If the web server says it is image/gif, it should be fed to the gif image decoder.
      RFC 2161 (HTTP 1.1) section 7.2.1 clearly says that it is ok for a client to use the filename or content of a file to identify what file type it is (and therefore what to do with it) if and ONLY IF the server does not provide a Content-Type header.
      There have actually been security flaws in the past (and may still be even now) caused because different parts of IE have a different idea of what type the file is (in particular whether the file is executable or not)

      Then again, considering how many other standards Intercrap Exploder doesn't correctly follow (RFCs and otherwise), it's hardly surprising that IE doesn't get this right.

      I do wonder if Gecko gets it right (and treats the Content-Type header as gospel) or if it violates the RFC too.
      • Re: (Score:1, Insightful)

        by Anonymous Coward

        I do wonder if Gecko gets it right (and treats the Content-Type header as gospel) or if violates the RFC too.

        My guess is that they try to do the right thing, but have drifted toward RFC violation in the name of "compatibility". That seems to be the standard course when users are trained that the MS way is the right way, other apps are viewed as inferior because "it works under IE".

        • by suv4x4 (956391)
          My guess is that they try to do the right thing, but have drifted toward RFC violation in the name of "compatibility". That seems to be the standard course when users are trained that the MS way is the right way, other apps are viewed as inferior because "it works under IE".

          Ever thought why IE does it this way? It's because the servers (*cough* Apache *cough*) have historically, and still have plenty of the mime types wrong. They report mime type, but the wrong one. Anything that's not image or html is text
      • by Fweeky (41046)
        I'm pretty sure all the major browsers do some guessing these days, since there are a lot of misconfigured servers out there; CSS, JS, images, even HTML end up being served as text/plain or application/octet-stream, and people expect them to work.

        In Opera it can be configured from opera:config [opera] under User Prefs -> Trust Server Types. I can't find an equivalent in Firefox.
        • Re: (Score:3, Interesting)

          by Fweeky (41046)
          Grr, that link should be opera:config#Trust%20Server%20Types -- Slashdot ate my #
        • I'm pretty sure all the major browsers do some guessing these days, since there are a lot of misconfigured servers out there

          It doesn't matter what the browser does. The problem is that when the browser goes to resolve a URI, it sees one list of URI and mime-type handlers (and, in the case of Windows, ActiveX controls) that are used both for local content (for example, "help:" on OSX and the ".chm" handler on Windows) and global (for example, "http:" or ".html").

          Applications, like a help viewer, that are not
          • by weicco (645927)

            Windows has a second problem that isn't shared by other desktops, in that the mechanism used to call a program is more like the UNIX "system" API than the UNIX "exec" API... and the calling application has to guess how the called application will interpret things like quotes.

            I have never thought that it is UNIX way to not to check and sanitize input. Have I done wrong all these years when I've checked everything that user, be it real person or another app, inputs?

            • by argent (18001)
              I have never thought that it is UNIX way to not to check and sanitize input

              What the hell are you talking about?

              What I wrote was that the UNIX "exec" API passes strings through to the called program without having to concatenate them into a command line that is then parsed by the called program and separated out into separate parameters again. That is, the calling program does not have to guess how the called program will parse quotes. It's got nothing to do with "sanitizing": the calling program itself actu
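The difference described above between "system"-style and "exec"-style launching, as an added example that is not part of the original thread. The `demo:` scheme, the `viewer` handler template and both sample URIs are constructed, and Python's `shlex` stands in for whatever command-line parser the launched program actually uses.

```python
import json
import re
import shlex
import subprocess
import sys

# Constructed handler registration: the URI is pasted into a command line at %1.
HANDLER_TEMPLATE = 'viewer "%1"'

# Constructed sample URIs for a made-up "demo:" scheme.
BENIGN_URI = "demo:report-2007"
ODD_URI = 'demo:report" --extra-option "value'


def system_style_args(uri: str) -> list[str]:
    """Caller builds ONE string; the callee splits it back into arguments.

    shlex.split is an assumption standing in for the callee's own parser.
    A quote inside the URI closes the caller's quoting, so the callee sees
    more arguments than the caller meant to pass.
    """
    command_line = HANDLER_TEMPLATE.replace("%1", uri)
    return shlex.split(command_line)


def exec_style_args(uri: str) -> list[str]:
    """Caller hands over an argument vector; nothing is concatenated.

    A child Python process reports the arguments it really received, so the
    result is what an exec-style launch delivers, not a simulation.
    """
    child = "import sys, json; print(json.dumps(sys.argv[1:]))"
    result = subprocess.run(
        [sys.executable, "-c", child, uri],
        capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


# Receiving side: whichever way it was launched, the handler still treats the
# URI as untrusted and accepts only the characters it expects (allowlist).
_SAFE_DEMO_URI = re.compile(r"demo:[A-Za-z0-9._~/-]+")


def handler_accepts(uri: str) -> bool:
    return _SAFE_DEMO_URI.fullmatch(uri) is not None


if __name__ == "__main__":
    for uri in (BENIGN_URI, ODD_URI):
        print("URI            :", uri)
        print("  system-style :", system_style_args(uri))
        print("  exec-style   :", exec_style_args(uri))
        print("  handler check:", handler_accepts(uri))
```

With the benign URI both launch styles deliver a single argument; with the odd one only the exec-style launch does, and the handler's own allowlist rejects it in either case.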
        • PS: It's not the *type* that is trusted or not trusted... it's the *application* that's supposed to display it. No attribute of a file downloaded from an untrusted source (and all web pages, no matter where located, are 'untrusted') should ever need to be correct for trust to be maintained, and only the user should be able to request that a file be granted any kind of trust.

          That means, a downloaded file is not unpacked, installed, or otherwise opened unless there is a trusted viewer that maintains a hard sa
      • Something else that IE (as of last time I looked anyway) and possibly other browsers get wrong is that they try to "guess" the content of the file instead of trusting that what the web server says the file is, the file actually is.

        If the OS and the browser were configured correctly, and the browser maintained a hard sandbox and the OS made it possible for it to know reliably what helper applications and plugins also maintained a hard sandbox, then it wouldn't matter whether the MIME type was guessed or not.
      • I tried with Firefox to upload an XML document with an XSL stylesheet but because it was served as plain text, it was displayed as plain text. That's really annoying actually. Why do webservers even need to tell the browser what kind of file it is?
  • a Limited User account on XP are you vulnerable to this?
    • a Limited User account on XP are you vulnerable to this?

      Can you run Adobe reader as a limited account on XP? I thought it would need power user privileges at the very least...
      • Adobe Reader runs fine in a limited user account in XP.

        As for the grandparent's question, the answer is "kind of."
        There's nothing about a limited user account that prevents a hijacked process from doing anything it wants within the context of that account (deleting that account's files, catching keystrokes, capturing the screen, uploading data, etc.). Just like in Linux or Mac OSX, malware running with standard user privileges can still wreak havoc on that account's data--but, in the real world, malware wri
  • To reduce the horrendous bloat of Acrobat Reader?

    If only Adobe hadn't purchased Macromedia....FlashPaper had such promise...

  • Sklyarov? (Score:5, Funny)

    by Speare (84249) on Monday October 08, 2007 @09:57AM (#20898921) Homepage Journal

    The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed.

    Did Adobe ask the feds to lock up the person who publicly disclosed this flaw? Or do they just save that treatment for the publication of flaws in eBook products that blind people can't use in Russia?

  • Just in time for the forced update from MS then? Perfect.
  • All I do is read pdf's.

    Just like Openoffice is immune to Word viruses--- is there a recommended non-adobe pdf reader folks would recommend?

    I'm getting tired of the "Please upgrade to version 7" warnings anyway.
    • by Lisandro (799651) on Monday October 08, 2007 @10:14AM (#20899151)
      The only one i've heard of (for Windows) is Foxit PDF reader [foxitsoftware.com], which is about 2mb - never tried it myself though. On linux, Evince [gnome.org] works great, and had no issues with everything i've thrown at it.
    • by WillAdams (45638)
      I like Sumatra PDF:

      http://blog.kowalczyk.info/software/sumatrapdf/ [kowalczyk.info]

      William

    • by DrVomact (726065)

      I'm getting tired of the "Please upgrade to version 7" warnings anyway.

      Obviously, you've been wise enough not to do this. That's a good thing, because in addition to more bloat, V7 of Reader also enables all your Adobe applications (like PhotoShop and FrameMaker) to call home. Both at work and at home, those two apps started trying to contact the Adobe mothership every time they started. (I believe this is due to a new "feature" Adobe calls "Adobe Online".)

      At first I backed out V7 and tried Foxit. It's p

    • by olyar (591892)

      I've used Brava Reader [bravaviewer.com] for a while now. It views PDF's and lets you print a region of a page, as well as "calibrate" a measurement tool against a known dimension on the page.

      Useful if you're working with PDF's of house plans, which I frequently am.

      It's free, but the software expires periodically and you have to download and install a newer version.

    • kpdf under Linux is decent. It has some rendering problems, but it usually works. Scrolling is instantaneous, whereas acroread re-renders each time you hit the down arrow. Expect to lose a lot of functionality, but if what you need is speed on a slow computer, kpdf wins.
  • I always disable javascript and open external links in the PDF reader. Is it enough protection? Or am I still vulnerable? Is it possible to write a NoScript like extension to acroreader?
    • you mean you didn't set noscript to block other plugins too? or did you mean an update for noscript much like the one that protects against that cross site scripting mess?
      • NoScript runs inside FireFox. I am thinking of a way a third party could write code and give it to me and that runs inside acroreader and block it from doing things I don't want it to do. In fact I would like some kind of code that will sandbox any application given to it. Something like "sandbox acroreader" should run acroreader and allow it to make all kinds of calls to the registry and disk etc etc. But none of these commands get past the sandbox environment. When I close I can examine all the changes ac
        • sigh... it's been a while since I actually toyed with windows but surely there is a way to run single programs under a different user account... other than that I'd suggest you try sourceforge and see what there is on sandboxed environments. then there is the option to use alternate programs to view PDFs, foxit seems like a good one from prior posts. there are others but I don't know which ones have been ported to windows. though I wonder what happens if you were to run programs like PDF reader under a V
  • Aaaaand... (Score:2, Funny)

    by dfdashh (1060546)
    the site is slashdotted. Here [wikipedia.org] is the PDF'ed version of the article.
  • Note to all saying that there's no difference between Vista and XP:

    The official Adobe advisory [adobe.com] states: "Vista users are not affected".

    Now let the downplay begin.
    • Re: (Score:2, Funny)

      by Anonymous Coward
      That's because no one's figured out how to install Acrobat on Vista yet.
    • Vista is just as much affected, the bug is there, just that Vista by default with UAC ON it can't do much more than write to the tmp folder. IF UAC is turned off, you are vulnerable to whatever somebody can cook up.

      Since UAC is one of the more hated elements of Vista I would guess that a lot of people got it switched off. So the bug is still there, just that it can do less direct harm (do you really want a malicious coder to be able to write anything at all to your HD?)

      • by trifish (826353)
        Vista is just as much affected, the bug is there, just that Vista by default with UAC ON it can't do much more than write to the tmp folder.

        Any reference to back up what you claim?
  • 50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Window XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D." there most preferable thing that most users seems having big trustworthy in having PDF "p
  • Control me (Score:4, Funny)

    by suv4x4 (956391) on Monday October 08, 2007 @12:36PM (#20901049)
    The irony of this page [bayimg.com] (click for 100% scale) is astounding.

    I had to snap a shot before Adobe pulls their ad.
  • So this is why we had all those pdfs in the mail for a few months now. I think someone on /. even postulated at the time that it was because they were trying to get through spamfilters, but now we know - they were just expanding their botnets.
  • Maybe I missed something. Adobe says the affected versions are these:

    Adobe Reader 8.1 and earlier versions
    Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions
    Adobe Acrobat 3D

    OK, so I am running a nice copy of Acrobat 6.0 Pro. That's an earlier version.

    The registry key they want changed simply doesn't exist on my system. Either the fix doesn't apply to this old version, or it's different, or .... I dunno what to make of it.
