Forgot your password?
typodupeerror
Security Bug Media

Critical Vulnerability In Adobe Reader 160

Posted by timothy
from the see-attachment dept.
An anonymous reader writes "Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions using Adobe's Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader."
This discussion has been archived. No new comments can be posted.

Critical Vulnerability In Adobe Reader

Comments Filter:
  • For the uninformed: (Score:5, Informative)

    by Joe Snipe (224958) on Wednesday November 05, 2008 @05:33PM (#25650075) Homepage Journal

    Foxit [foxitsoftware.com] FTW

    • by Ethanol-fueled (1125189) * on Wednesday November 05, 2008 @05:36PM (#25650151) Homepage Journal
      Hey, that's my line. By the way,

      While investigating the feasibility of exploiting a vulnerability previously disclosed in Foxit Reader (CVE-2008-1104), a CoreLabs researcher found that Adobe Reader was affected by the same bug.

      Foxit users: don't panic. Though Foxit Reader v2.3 build 2825 is vulnerable, 2.3 builds 2912 and later are patched. Build 3309 is the current version available for download.

      ...with the privileges of a user running the Adobe Reader application.

      Which strongly implies that those affected will be Windows users with Administrator access.

      • by nine-times (778537) <nine.times@gmail.com> on Wednesday November 05, 2008 @05:42PM (#25650299) Homepage

        ...with the privileges of a user running the Adobe Reader application.

        Which strongly implies that those affected will be Windows users with Administrator access.

        It seems fair to worry even if you aren't running as admin. If a trojan PDF can run arbitrary code with privileges of the user running Adobe Reader, that's still enough to screw with that user's documents even if the user isn't an admin.

      • by initdeep (1073290) on Wednesday November 05, 2008 @06:13PM (#25651219)

        if you rtfa, you would note that the current build of adobe reader isn't vulnerable either.

        • by tsa (15680)

          But who uses the current build of AR? AR 8.0 is a disaster and the reason I switched to Foxit. I guess the versions after 8.0 are not better.

          • by RockDoctor (15477)

            But who uses the current build of AR? AR 8.0 is a disaster and the reason I switched to Foxit. I guess the versions after 8.0 are not better.

            Substitute "5.05" for "8.02 and you'll be getting closer to my experience.
            Once Acrobat removed the capability for me to export the text of a PDF to a text file without having to pick up a mouse and plug it in, then I stopped downgrading to newer versions. Now that I'm occasionally (under 1%) seeing PDFs generated with image types that aren't recognised, then I'm having

    • by JustinOpinion (1246824) on Wednesday November 05, 2008 @05:38PM (#25650193)

      Another option for PDF reading on Windows is Sumatra PDF [kowalczyk.info] (if you prefer open-source).

      • Re: (Score:3, Informative)

        by Anonymous Coward

        I knew some guy would chime in recommending Foxit, but I'm surprised and glad to see a recommendation for Sumatra.

        Foxit is suffering from its own feature-creep and bloat-up issues (on a much smaller scale than Adobe's software, but still), so Sumatra is really what I _think_ everyone who chimes in with "Foxit" really means to recommend. It accurately renders PDFs. THAT'S IT.

      • by Joe Snipe (224958)

        I wasn't familiar with sumatra untill you posted, and I have now installed and will give it a run. Thanks for the recommendation!

    • Re: (Score:2, Informative)

      Sure, Foxit is fine as far as it goes, but it runs slower than Adobe Reader on my PC. Plus Adobe lets me save as text, where Foxit expects me to pay for that functionality.
    • Re: (Score:2, Redundant)

      by Thaelon (250687)

      Foxit FTL.

      Sumatra PDF Viewer [kowalczyk.info] FTW.

      Foxit is about as bloated and irritating as Acrobat Reader was in version 5.0 (which was much better, but still terrible).

      Sumatra is to Foxit as Foxit is to Adobe Acrobat Reader.

      I realize being a .info site makes it very suspicious, but if you don't trust me or it, Google it yourself [google.com]

    • HATE Adobe (Score:2, Interesting)

      What I hate about them most is their labeling the file types in windows: "Adobe PDF, Adobe SVG, Adobe PNG". WHAT THE FUCK! This should be prosecuted.

    • by westyvw (653833)
      For the enlightened: Okular FTW
    • Re: (Score:2, Interesting)

      by access.name (1198513)
      Paradoxically, this vulnerability was found in Foxit first :) http://secunia.com/advisories/29941/ [secunia.com]
  • by Anonymous Coward

    Critical Vulnerability In Adobe

    You see, if you mix too much water into the mixture before it hardens, it is brittle and your dwelling will collapse on you ...

  • by Anonymous Coward on Wednesday November 05, 2008 @05:36PM (#25650145)

    Adobe Reader is very slow to load and freezes your browser. Yes, it's very difficult to tell.

  • by davidwr (791652) on Wednesday November 05, 2008 @05:37PM (#25650159) Homepage Journal

    Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

    If not, it should.

    • by Roland Piquepaille (780675) on Wednesday November 05, 2008 @05:45PM (#25650385)

      Your remark leads to the general question: what business does a document viewer have trying to execute embedded Javascript scripts? a PDF file is essentially a PostScript file, so its content is supposed to be interpreted as a page description and nothing more.

      This is reminiscent of Microsoft's "executable" .DOC files that was used to spread viruses around years ago. This is what you get when you try to make a tool too clever for its own good.

      • by liquidpele (663430) on Wednesday November 05, 2008 @06:40PM (#25651891) Journal
        We use javascript in the PDF for forms the clients can type entries into and then print. Basically, if they enter certain values in one part, it will not let them fill out other parts or set other parts to certain values to make the form actually make sense for us. Very handy.
      • Re: (Score:3, Informative)

        by Randle_Revar (229304)

        JS in PDFs is silly IMO, but I have to point out that PS (but not PDF) is a Turing-complete language.

        http://www.tinaja.com/post01.asp [tinaja.com]

      • by Thundersnatch (671481) on Wednesday November 05, 2008 @07:04PM (#25652509) Journal

        Sure, JavaScript is pointless in a PDF viewer and should be disabled, but it is worth noting that PostScript itself is a programming language. It has conditionals, functions, loops, etc. I myslef once hand-coded a PostScript program to draw a high-res graph of a particular function for a class back in college. This 1K file basically owned the imagesetter in the print lab for about 45 minutes while it rendered at 1200 dpi.

        If I recall correctly, there were even a couple of postscript exploits back in the 1990s that could "brick" Apple LaserWrtiers.

        • by hyc (241590)

          Bricking a laserwriter wasn't hard at all.

          I remember when someone posted their implementation of John Conway's "Life" to usenet. That was a fun way to tie up a printer and waste a ream of paper. (Basically you could prepend it to any document and it would iterate off the document's first page. Each generation printed on a separate page.)

      • Re: (Score:3, Informative)

        by erikdalen (99500)

        Postscript is a stack based programming language. PDF was afaik originally designed to be a simpler format for just describing page layout. But then they've extended it to be able to include javascript for programming and embedding videos, flash and all sorts of stuff (sounds like HTML...).

        http://en.wikipedia.org/wiki/PostScript [wikipedia.org]

    • by Rary (566291)

      Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

      If not, it should.

      Agreed. And the same goes for every other application primarily designed to read documents (images, media files, whatever).

      On the one hand, I find some of the functionality that is being embedded in various document types useful, but on the other hand I find it ridiculous that data can attack us.

    • Re: (Score:3, Interesting)

      by zalas (682627)
      They've already developed a lite version of their PDF renderer for their Digital Editions product, so they really should just distribute the renderer in that as a standalone product or something.
      • by jmulvey (233344)
        "they really should just distribute the renderer in that as a standalone product or something."

        Yes. Because we should soon expect the renderer installer alone to consume an entire 4 GB DVD. Adobe Acrobat is the pinnacle of bloatware. No wonder vulnerabilities like these are discovered. It must be easy to poke holes in the 17 gajillion lines of code it takes Adobe to render text.

    • by bcrowell (177657) on Wednesday November 05, 2008 @05:50PM (#25650539) Homepage

      Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

      To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

      Even if the js-related security bugs are fixed, it's still a privacy issue, because js in a pdf file can be used to track who's reading a particular document.

      Personally, when I see that a piece of software has a long history of security problems, I take that as my cue to remove it from my system. I don't really care that they keep fixing the bugs. The fact that it has this history demonstrates that the software wasn't written with the correct attention to security, and it's likely to have more such problems in the future.

      If you're running Linux, xpdf starts up extremely fast, and that's why I use it as my pdf plugin in Firefox. If you want something a little more modern, try evince.

      People have posted saying that on Windows, you should switch to Foxit, but the article says that the security flaw was found first in Foxit, and only later in Adobe Reader. I actually tried to get the science division at the community college where I teach to switch to putting Foxit on machines in the student labs as the default pdf plugin. However, when the faculty were testing it, they found that it was not correctly displaying some of the pdfs they were using.

      • People have posted saying that on Windows, you should switch to Foxit, but the article says that the security flaw was found first in Foxit, and only later in Adobe Reader.

        Well, being the first one to find and fix the vulnerability is still a pretty good endorsement. Few useful software products out there have zero flaws. You should put your trust in those that find, disclose, and resolve their flaws in a speedy and reliable manner.

    • And it should also be the default mode, IMO.

      But I guess I never got the memo that explained why Acrobat Reader was doing anything more than reading plain/static PDFs in the first place. Didn't they do something in new versions to allow Flash and movies, or something?

      The only reason I use PDFs is when I want to make a document with a very controlled layout, both in print and on a display, without any expectation of editing. Honestly I'm willing to pay money to Adobe to get Acrobat if it's going to help m

  • Which again... (Score:5, Insightful)

    by slapout (93640) on Wednesday November 05, 2008 @05:49PM (#25650505)

    ...begs the question "Why Does Adobe Reader Need Javascript"??

    • Re:Which again... (Score:5, Informative)

      by andrewd18 (989408) on Wednesday November 05, 2008 @05:55PM (#25650709)
      I create PDF order forms for my company that our salesmen e-mail to customers; these javascript-enabled PDF order forms dynamically enable or disable options as the user customizes an order. For example, if the user picks option A, sub-options A1 -> A5 are automatically enabled, while B1 -> B5 are disabled. And that's why you might want javascript in a PDF.
      • Re:Which again... (Score:5, Insightful)

        by Anonymous Coward on Wednesday November 05, 2008 @06:22PM (#25651489)

        You are part of the problem.

        • Can you suggest an alternative for creating and using interactive forms?

          • by slapout (93640)

            Perhaps an interactive form program. But not one called Adobe _READER_

          • Re:An alternative? (Score:4, Informative)

            by cparker15 (779546) on Wednesday November 05, 2008 @07:17PM (#25652785) Homepage Journal

            Web page?

            • Web page?

              Yeah, those never have javascript.

              Starting off with the requirement of having customers fill out customized forms, we have explored two options:
              1. Send them PDFs with some javascript, have them fill it out and send back
              2. Build a secure Internet facing website which incorporates the same business logic as the javascript from the PDFs.

              In theory we're trying to avoid adding unnecessary complexity and possible security vulnerabilities to a simple application. You really think option 2 meets th

              • In theory we're trying to avoid adding unnecessary complexity and possible security vulnerabilities to a simple application. You really think option 2 meets that goal better than option 1?

                Yes, since web browsers were designed with the explicit goal of doing this sort of thing. Quoth Einstein: "Make things as simple as possible, but not simpler." It appears as though your system is too simple.

          • How about not a display format? PDF is PostScript without the logic...

            Just use a website if that's what you want your form to act like.

          • by erikdalen (99500)

            A HTML page using javascript?

            Probably doable in a spreadsheet as well.

    • Re: (Score:3, Interesting)

      "Why Does Adobe Reader Need Javascript"??

      I've written scripts for Adobe Acrobat Professional to interleave PDFs of scans from my single-duplex, automatic document feeder scanner. Can you believe that there are companies out there that charge $100 or so to do the same task with a plugin? Took me 15 min to write it in JavaScript myself.

      As far as Reader though, I've seen some web-fill state tax forms that use Javascript for field validation.

      • ghostscript for the win. I can do this in even less time using ghostscript and reasonably advanced shell. The best part is not having to pay for Acrobat pro.
    • Re:Which again... (Score:5, Informative)

      by Nimey (114278) on Wednesday November 05, 2008 @06:26PM (#25651595) Homepage Journal

      It raises the question, godsdamnit. Here's what "begging the question" actually means:

      http://en.wikipedia.org/wiki/Begging_the_question [wikipedia.org]

      • Thank you!

      • Re: (Score:2, Interesting)

        by ZERO1ZERO (948669)
        Yeah. I noticed that. I understand when not to use 'begging/begs the question' when meaning 'raises the question' . But I have read that wiki page before, and I just read it again, but it still makes no sense to me. Can someone please explain in plain english when one *would* use the phrase begging the question?

        "That begs the question" is an appropriate reply when a circular argument is used within one syllogism. That is, when the deduction contains a proposition that assumes the very thing the argument a

        • by Nimey (114278)

          Another way of putting it is "circular logic". You start off by making an assumption, then use logic to prove that assumption, which is vacuous because you didn't prove it, you instead used circular logic.

        • The example that made sense to me was the question: "do you still beat your wife?" The question itself presumes that you did in fact beat your wife at one time.

      • Re: (Score:3, Insightful)

        by syousef (465911)

        It raises the question, godsdamnit. Here's what "begging the question" actually means:

        Originally you're correct. The common idiom has changed to reflect a more intuitive meaning. Language changes over time. YOU are the one failing to deal with it.

      • It needs Javascript because PDFs include Javascript code. Duh! Now, let's see what this "begging the question" is on that Wikipedia page...
      • Re: (Score:3, Insightful)

        From your link:

        "More recently, to beg the question has been used by some to mean "to raise the question", or "the question really ought to be addressed". [7] An example of such a use would be, "This year's budget deficit is half a trillion dollars. This begs the question: how are we ever going to balance the budget?" Although proponents of the traditional meaning will criticize this formally incorrect usage, it has nonetheless come into widespread use and in informal contexts may actually be the more common

  • by Sneftel (15416) on Wednesday November 05, 2008 @05:49PM (#25650511)

    Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader.

    The main privileges being the privilege of waiting thirty seconds to view text, followed closely by the privilege of a crashed web browser.

    • by QuantumG (50515) *

      hehe, people use to say that about the overflow in the default php install for apache. "oh, you can only get access to the 'anonymous' account on the web server". There's always a dozen different local exploits you can use to escalate from these accounts. And that's on a platform which actually takes security seriously.

      • by Sneftel (15416)

        Er, yes, I got that. And there's no need for escalation, as the user most likely has pretty good system privileges, not to mention access to all his own documents.

        'twas a joke, you see.

        • by QuantumG (50515) *

          A lot of people sandbox Acrobat Reader on Linux and IE7 does it too I think.

          Oh, and I meant the 'nobody' account. Wow, it has been years.

    • Or >90% usage of mem and swap. Happens to my office mate's box. She is not happy, but she managed to run top on it once to identify the culprit. I think she's switching to kpdf [she doesn't like the ubuntu orange].

  • Why in the world does Adobe Acrobat include a Javascript engine in the first place? Why add a structured programming language to a document? HTML is different since it's being used as a new platform for applications...but a PDF file? Maybe I'm missing something. Have any of you ever used Javascript in a PDF document (other than when you're trying to access a remote machine)?
    • I guess after they took Turing-completeness out of PS to make PDF, they wished they hadn't, and somehow thought JS was better than PS.

  • This was discussed previously [slashdot.org], as well - the difference is that a specific vulnerability has been found at this point.

    As usual, take precautions to ensure you're not automatically opening PDFs in your browser - Save by default instead, so you can scan it and actually make the decision to open it yourself.
    For Firefox users:

    Tools->Options->Applications. Change actions for PDFs to Save.

  • by glop (181086)

    Hey,

    I can't believe nobody mentioned that noscript prompts you before showing a PDF file.

    It can be tedious but it's useful apparently.

  • by richrumble (988398) on Wednesday November 05, 2008 @06:30PM (#25651687)
    98% of virii/malware etc need ADMIN to succeed... and very few application on windows, save a very small percentage actually need admin. The User Group is good enough for the wife/kids and my sales staff, lowers TCO even for M$. We don't use installed AV clients, we scan remotely nightly, run proxy+av along with snort, no issues. Users can use runas http://xinn.org/RunasVBS.html [xinn.org] if need be, but they probably won't need to. Anti-Admin VS Anti-Virus, and AA wins! http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html [blogspot.com] -rich
    • No live AV scanning there is stuff out there that does not need admin to take over the system.

      Just wait for your kids to play games with DRM, auto updating, online play, mods and more that needs admin to work.

    • by cbhacking (979169)

      So true. Nonetheless, I find running my main account on XP as a standard user to be a real pain sometimes. There are things, like the control panel, that are... awkward... to start as a limited user.

      For things like this, Vista's UAC - say what you will about it training people to click OK or whatever (you can configure it so it demands your password every time, like Linux or OS X, if that's preferable) is really actually quite handy. After a few months of running XP as a standard user, UAC was an incredibly

  • by Biff Stu (654099) on Wednesday November 05, 2008 @06:38PM (#25651869)

    Adobe is one of the best when it comes to cross-platform compatibility and the hole is based on Javascript...

    And yes, I did RTFA.

  • Miserable Retards (Score:5, Insightful)

    by ewhac (5844) on Thursday November 06, 2008 @02:15AM (#25657293) Homepage Journal
    Frankly, this should be actionable. There is no excuse for this stupidity any longer.

    When I install a new piece of software, the first place I go is to the preferences panel to see if there are any stupid/broken settings that need to be fixed (or, too often, fixed again after an upgrade). I can't remember which version it originally showed up in, but when I saw the checkbox for JavaScript in Acrobat Reader, my jaw hit the floor.

    "Are you people fscking morons? Did you learn nothing from the exploits and problems caused by JavaScript in Web browsers? Hell, forget Web browsers; Microsoft Word became a virus/trojan platform because the Special-Needs Children who apparently design all their software thought it would be tEh k00l to embed macros in what is fundamentally a static document."

    Every time some would-be clever person adds a macro language or other executable logic to a document format, the result is "unexpected" worms, viruses, and security breaches. Every God-damned time.

    This is not an honest mistake. This is negligent engineering, and someone needs to lose a lot of money over it before the lesson sinks in.

    Schwab

    • by lahvak (69490)

      There is nothing wrong with the concept of scriptable document. The main difference between an electronic document and a paper document is that an electronic document is viewed on the screen, which gives you a lot of possibilities. Having an option to interact with the document, for example to highlight or hide certain part of an illustration or a diagram, etc.

      There is, or *should* be, a fundamental difference between document macros as found for example in MS Office, but also used by other software into s

  • So why would I want javascript running in my Adobe Reader? I've never had it enabled by default in any browser -- and only enable it in a per-site basis when needed. Adobe Reader...that's something I use to read static "Portable Documents" (like books) that are formatted in "Portable Document Format". I've never needed javascript enabled in any book I've ever read. Am I missing something? I just say 'no' to javascript being 'on' as a 'default' option (or activeX, or 'java'). Wasn't there some rich gu

"Floggings will continue until morale improves." -- anonymous flyer being distributed at Exxon USA

Working...