Critical Vulnerability In Adobe Reader
An anonymous reader writes "Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions using Adobe's Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader."
Re:For the uninformed: (Score:1, Insightful)
Symptoms you've been attacked (Score:3, Insightful)
Adobe Reader is very slow to load and freezes your browser. Yes, it's very difficult to tell.
Single-purpose tools are good (Score:5, Insightful)
Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?
If not, it should.
Re:For the uninformed: (Score:5, Insightful)
...with the privileges of a user running the Adobe Reader application.
Which strongly implies that those affected will be Windows users with Administrator access.
It seems fair to worry even if you aren't running as admin. If a trojan PDF can run arbitrary code with privileges of the user running Adobe Reader, that's still enough to screw with that user's documents even if the user isn't an admin.
Re:For the uninformed: (Score:5, Insightful)
Perhaps, but you can have multiple PDF readers installed. And in terms of security, it's usually best to use the simplest application that will work.
So basically you could use FoxIt or Sumatra PDF to open most PDFs. And then for the rare one that uses some advanced stuff, you can fire up Acrobat. The fact is that most of the stuff that Acrobat supports that other PDF readers don't involves some kind of scripting. And really you shouldn't be running any scripts (even those that are, in principle, sandboxed) unless you have reason to trust them.
So a sensible strategy would seem to be that you open 99% of PDFs with a simpler reader, and only use Acrobat on the few that really need it, and only if the source of the PDF is trustworthy in your estimation.
(Yeah, I know... it's a bit of a pain to have multiple programs that do the same thing. In principle you "shouldn't have to" in the sense that your PDF reader should be secure. But in reality it seems like a reasonable precaution.)
Re:Single-purpose tools are good (Score:5, Insightful)
Your remark leads to the general question: what business does a document viewer have trying to execute embedded Javascript scripts? A PDF file is essentially a PostScript file, so its content is supposed to be interpreted as a page description and nothing more.
This is reminiscent of Microsoft's "executable" .DOC files that were used to spread viruses around years ago. This is what you get when you try to make a tool too clever for its own good.
Which again... (Score:5, Insightful)
...begs the question "Why Does Adobe Reader Need Javascript"??
Re:For the uninformed: (Score:4, Insightful)
I think it makes good sense to have a different app depending on what you need done. For instance, reading articles in PDF in Preview or Acrobat is a pain, and I'll use Skim.app [sourceforge.net] for those.
Re:For the uninformed: (Score:4, Insightful)
The real solution is to open 100% of PDFs in a simpler reader, and refuse to tolerate PDFs that require scripting.
Really, there's no good reason for a document viewer to have the bloat of Acrobat, and we shouldn't encourage Adobe by doing what they want.
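Added example, not part of the thread and not Adobe's or any PDF reader's code: a small triage script for the policy the two comments above describe (open most PDFs in a minimal viewer, and treat any file that asks for scripting as needing review or a full-featured reader). It scans a PDF for the name objects that introduce JavaScript and automatic actions. It is a heuristic rather than a full PDF parser, but it does handle two things a plain grep misses: `#xx`-escaped names such as `/J#61vaScript`, and dictionaries hidden inside Flate-compressed object streams. The three sample PDFs at the bottom are constructed for the demonstration; `SUSPECT_NAMES`, `scan_pdf_bytes` and `needs_full_reader` are names chosen here.

```python
"""Triage helper: flag PDFs that carry script or automatic-action entries.

Added example for this thread, not Adobe's or any reader's code. It scans a
PDF for the name objects that introduce JavaScript or automatic actions so a
file can be routed to a minimal viewer (or refused) before a full-featured
reader ever parses it. Heuristic only: it does not implement the PDF object
model, but it does handle two tricks that defeat a plain grep:
#xx-escaped names (/J#61vaScript) and dictionaries hidden inside
Flate-compressed object streams.
"""
import re
import sys
import zlib

# Name objects whose presence means the file wants more than page rendering.
SUSPECT_NAMES = {
    b"/JavaScript": "JavaScript action or name tree",
    b"/JS": "inline JavaScript source",
    b"/OpenAction": "action run automatically when the document opens",
    b"/AA": "additional actions (page open/close, form events)",
    b"/Launch": "action that starts an external program",
    b"/EmbeddedFile": "file attachment",
}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM_BODY = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# PDF delimiters and whitespace: a name token ends at any of these.
_NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the content of every stream that zlib can inflate.

    Object streams (/ObjStm) hold whole dictionaries Flate-compressed, so
    the names inside them are invisible until decompressed. A decompressobj
    is used because the captured body ends with the newline that precedes
    the 'endstream' keyword; that trailing byte is left as unused data.
    """
    chunks = []
    for match in _STREAM_BODY.finditer(data):
        try:
            chunks.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue  # not Flate-compressed (image data, plain text, ...)
    return b"\n".join(chunks)


def scan_pdf_bytes(data: bytes) -> dict:
    """Return {name: reason} for every suspect name found in the file."""
    findings = {}
    views = (normalize_names(data), normalize_names(inflate_streams(data)))
    for text in views:
        for name, reason in SUSPECT_NAMES.items():
            if re.search(re.escape(name) + _NAME_END, text):
                findings[name.decode()] = reason
    return findings


def needs_full_reader(data: bytes) -> bool:
    """True when the file uses features a minimal viewer will not run."""
    return bool(scan_pdf_bytes(data))


# Constructed sample files for the demonstration (not real-world documents).
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Same skeleton plus an OpenAction that points at a JavaScript action.
SCRIPTED_PDF = CLEAN_PDF.replace(
    b"/Pages 2 0 R >>", b"/Pages 2 0 R /OpenAction 4 0 R >>"
) + b"4 0 obj << /S /JavaScript /JS (/* placeholder script body */) >> endobj\n"

# The action dictionary hidden in a Flate-compressed object stream, with the
# name escaped, so neither a plain grep nor an uncompressed scan sees it.
_HIDDEN_OBJECT = b"4 0 obj << /S /J#61vaScript /JS (/* placeholder */) >> endobj"
COMPRESSED_PDF = (
    b"%PDF-1.5\n5 0 obj << /Type /ObjStm /N 1 /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_HIDDEN_OBJECT)
    + b"\nendstream\nendobj\n%%EOF\n"
)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no arguments: run against the constructed samples
        for label, blob in (("clean", CLEAN_PDF), ("scripted", SCRIPTED_PDF),
                            ("compressed", COMPRESSED_PDF)):
            print(label, "->", scan_pdf_bytes(blob) or "no script features")
    for path in paths:
        with open(path, "rb") as fh:
            hits = scan_pdf_bytes(fh.read())
        print(path, "->", "needs full reader / review" if hits else "plain viewer OK")
        for name, reason in hits.items():
            print("   ", name, ":", reason)
```

Run it with one or more PDF paths to get a verdict per file, or with no arguments to see the three constructed samples classified. A file that is flagged is not necessarily malicious; the point of the check is the one the comments make: a document that asks for scripting should be opened only in a reader that will not honour the request, or only when you trust where it came from.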
Re:Which again... (Score:5, Insightful)
You are part of the problem.
Is this hole cross platform compatible? (Score:3, Insightful)
Adobe is one of the best when it comes to cross-platform compatibility and the hole is based on Javascript...
And yes, I did RTFA.
Re:Which again... (Score:3, Insightful)
It raises the question, godsdamnit. Here's what "begging the question" actually means:
Originally you're correct. The common idiom has changed to reflect a more intuitive meaning. Language changes over time. YOU are the one failing to deal with it.
Re:Scripting is useful, but.... (Score:4, Insightful)
No javascript in pdf is an excellent solution. It's a DOCUMENT, not a video game or word processor or anything else. You don't get javascript on a paper printout; you don't need javascript in the electronic version of a paper printout.
Few people disable javascript in their browsers.
I do. Most javascript in web pages is useless and needless and a waste of computer cycles. If you want to calculate something, do it on YOUR SERVER and send me the result.
It's a crutch used by poor web designers to add glitz to content-less pages.
I caught a major cell-phone company using javascript to provide log-in security for their account access web pages. Since I had javascript turned off, I had access to anyone's account I wanted. I told them what I was doing and they didn't believe it, until I started telling the account manager I was talking to what his minute balance and last payment was. THEN he got interested.
Much better that pdf authors spend the time properly identifying their documents with title and author information. I have US Government produced pdfs where the "title" of the document is "Microsoft preview -- C:\some\file\name\that\is\meaningless.doc" and the author is even stupider. Leave out the fancy crap until you can properly identify your documents, ok?
You need evidence that javascript on web pages is useless? Try Yahoo. I go to my Yahoo mail page and a big, time-wasting page tells me that I have javascript turned off, click here for the OLD version of mail -- which is exactly where I was trying to get to in the first place, damn it!
And get off my lawn...
Miserable Retards (Score:5, Insightful)
When I install a new piece of software, the first place I go is to the preferences panel to see if there are any stupid/broken settings that need to be fixed (or, too often, fixed again after an upgrade). I can't remember which version it originally showed up in, but when I saw the checkbox for JavaScript in Acrobat Reader, my jaw hit the floor.
"Are you people fscking morons? Did you learn nothing from the exploits and problems caused by JavaScript in Web browsers? Hell, forget Web browsers; Microsoft Word became a virus/trojan platform because the Special-Needs Children who apparently design all their software thought it would be tEh k00l to embed macros in what is fundamentally a static document."
Every time some would-be clever person adds a macro language or other executable logic to a document format, the result is "unexpected" worms, viruses, and security breaches. Every God-damned time.
This is not an honest mistake. This is negligent engineering, and someone needs to lose a lot of money over it before the lesson sinks in.
Schwab
Re:Which again... (Score:3, Insightful)
From your link:
"More recently, to beg the question has been used by some to mean "to raise the question", or "the question really ought to be addressed". [7] An example of such a use would be, "This year's budget deficit is half a trillion dollars. This begs the question: how are we ever going to balance the budget?" Although proponents of the traditional meaning will criticize this formally incorrect usage, it has nonetheless come into widespread use and in informal contexts may actually be the more common use of the term. The phrases circular reasoning, circular logic, and circular arguments have come to be used in places where logicians would tend to use "beg the question"."
So, it would appear that language changes over time.