Forgot your password?
typodupeerror
Security Bug

Homemade PDF Patch Beats Adobe By Two Weeks 238

Posted by kdawson
from the p-d-q dept.
CWmike writes "Sourcefire security researcher Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks. Grenier posted the patch on Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees. Also, PhishLabs has created a batch file that resets a Windows registry key to de-fang the hack by disabling JavaScript in Adobe Reader 9.0, giving administrators a way to automate the process."
This discussion has been archived. No new comments can be posted.

Homemade PDF Patch Beats Adobe By Two Weeks

Comments Filter:
  • Registry hack (Score:5, Interesting)

    by coulbc (149394) on Monday February 23, 2009 @08:00PM (#26964343)

    We figured that one out in about five minutes. Wrote a quick group policy file and moved on to the next problem.

    • by teridon (139550)

      what do you mean "group policy file"? Did you deploy via script or ADM file or what?

      Share :)

      I tried making a quick ADM file based on some ADMs I found here:
      http://blog.stealthpuppy.com/deployment/deploying-adobe-reader-9-for-windows [stealthpuppy.com]

      But apparently I didn't do it correctly, because JS was still on after I applied my setting.

      • Re:Registry hack (Score:5, Informative)

        by initialE (758110) on Monday February 23, 2009 @10:59PM (#26965533)

        For myself I just used the REG.exe located inside the %system32% folder. in your logon script (assuming you have one), just add in the lines

        REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bConsoleOpen /t REG_DWORD /d 0 /f

        REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableGlobalSecurity /t REG_DWORD /d 1 /f

        REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f

        REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableMenuItems /t REG_DWORD /d 0 /f

        YMMV. REG.exe is not included on Windows 2000. Because this applies to the current user registry there should be no permissions issue. And make sure your path does include the system32 directory as by default.

    • So is this "user supplied" PDF fix an example of how Open Source is More Secure than Closed Source?

      OSS users supplied a fix in less than a day, whereas a closed source programmer in some cubicle somewhere will take weeks to do the same. Maybe this would be a fine example to present to the UK Parliament and U.S. Congress, in order to convince them that open source is the best path to follow.

      • [snip]Maybe this would be a fine example to present to the UK Parliament and U.S. Congress, in order to convince them that open source is the best path to follow.

        And then the lobbying starts

        • The lobbying already started several weeks ago. Closed-source companies are trying to scare politicians away from open-source software by saying, "It's not secure."

  • Feature Request (Score:5, Insightful)

    by ewhac (5844) on Monday February 23, 2009 @08:06PM (#26964393) Homepage Journal
    Since Adobe seems to (incorrectly) think JavaScript inside PDFs is a great idea, how about adding this feature:

    When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"

    This is the cheesy but mostly effective stopgap solution Microsoft adopted when Word became an infection vector for macro viruses. Unless Microsoft got a patent on it, I don't see any reason why Adobe couldn't also use the same approach.

    Schwab

    • Re:Feature Request (Score:5, Insightful)

      by tkdrg (1484293) on Monday February 23, 2009 @08:17PM (#26964479)

      When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"

      Do you think that the average user will read anything before clicking "Yes"?

      • by MMC Monster (602931) on Monday February 23, 2009 @08:41PM (#26964653)

        How about: "Do you want to prevent the execution of possibly malicious code in this .PDF file?" [Yes][No].

        If they select No, the next dialog is: "Fine. I've just opened all the ports on the computer, deleted the last 10 documents you opened up, and loaded up a couple trojans. Are you sure you want to run the executable code in this PDF file now?" [Yes][No].

        This way, the user won't be taught to always select the same confirmation box all the time.

        • There is NO SUCH THING as idiot proof. Why don't we all just get over it and MOVE ON? The idiots will only get more inventive if we try to outsmart them.

        • How about: "Do you want to prevent the execution of possibly malicious code in this .PDF file?" [Yes][No].

          Yeah, that'll work. [slashdot.org]

        • Don't cha just love the way the idiots rally round to say nothing can be done.

          Just because the Yes then No questions only protects lazy idiots doesn't mean it's worthless. You know I think the marketing department must write all the Microsoft 'Confirmation dialogs' because they read like marketing copy ... always positive, never mention anything in a negative way, never let the mark even think of the 'N' word.

          Then again here's a nice way of saying it ...
          Do you really want to delete everything (y/N)?
          D

      • Re:Feature Request (Score:5, Insightful)

        by Mr. Roadkill (731328) on Monday February 23, 2009 @08:49PM (#26964721)

        Do you think that the average user will read anything before clicking "Yes"?

        ...of course they won't, which is why you turn it around to "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to block execution of this code? [Yes][No, I like to live dangerously]".

    • by BSAtHome (455370)

      Agreed, why would one want another programming language embedded in a programming language? Postscript already can do all you would want. It is a bit hairy programming, but it can be done (see f.x. http://www.physics.uq.edu.au/people/foster/postscript.html [uq.edu.au]). The best way to mitigate security issues with embedded code is to eliminate the execution. That is, until some one writes a javascript interpreter in postscript.

      • Re: (Score:3, Informative)

        by klossner (733867)
        PDF is not PostScript. It shares some concepts (such as the imaging model and a good many keywords), but it is not a programming language. It has no control constructs, for example.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      I'm going to have to disagree...

      Allowing some scripting in a document is great. For example, I'm writing a math textbook [wordpress.com]. If PDF-javascript had a FOSS implementation, I'd use it to make interactive quizzes and questions in it. Sadly, while LaTeX has a package to do this, there is no support.

      Before someone goes and says that I shouldn't be using a PDF in this case, please think. I'm writing a large textbook with lots of graphics. I want it to be in a single file so that its easily available to the technical

    • Re:Feature Request (Score:5, Informative)

      by klossner (733867) on Monday February 23, 2009 @08:26PM (#26964537)

      Adobe did add this dialog -- but it only appears if you have disabled Javascript! (Which you can do with Edit / Preferences, no need for the registry hack.)

      Here's the exact dialog:

      ? This document contains JavaScripts. Do you want to enable JavaScripts from now on? The document may not behave correctly if they're disabled.

      [ ] Don't show this message again until this document is reopened

      [[Yes]] [[No]]

      • The language used by most software in those situations is a big culprit:

        > The document may not behave correctly if they're disabled.

        Should say:

        "the document may not have the author's expected appearance, but your computer will be safe from viruses"

    • Re: (Score:3, Interesting)

      by Ihmhi (1206036)

      Feature request: a NoScript equivalent for Acrobat Reader.

    • Yanno, Okular runs on Windows and -IIRC- doesn't have all of these stupid issues.
      See:
      http://windows.kde.org/ [kde.org]

    • by oasisbob (460665)

      Since Adobe seems to (incorrectly) think JavaScript inside PDFs is a great idea [...]

      PDF files supporting Javascript isn't the problem. In this exploit, Javascript is used to get executable code in the stack, but isn't the crux of the problem. A buffer overflow in Adobe's image processing code is.

      In what world does it make sense that an untrusted website can execute javascript, but an untrusted PDF can't? Javascript can actually be useful for PDFs: think forms where the contents of one field are added to th

  • JavaScript?! (Score:5, Insightful)

    by Anonymous Coward on Monday February 23, 2009 @08:08PM (#26964415)

    Seriously, JavaScript? In a PDF file? Why would you do that?

    • by IceCreamGuy (904648) on Monday February 23, 2009 @08:11PM (#26964435) Homepage
      Uh, duh, to get on the front page of /.
    • by eihab (823648)

      Seriously, JavaScript? In a PDF file? Why would you do that?

      I believe Adobe Version Cue's PDF review system is one of the applications that uses it.

      The idea is that any PDF file posted to Adobe Bridge (design files repository, think SVN-lite) can have a web review process.

      An administrator logs to the web interface and starts a review process which sends links to the reviewers. Once a reviewer logs in, they can download a copy of the PDF and start commenting on it and marking it up. When they're finished Acrobat sends only the comments back to the server instead of r

    • Re:JavaScript?! (Score:5, Insightful)

      by TheRealMindChild (743925) on Monday February 23, 2009 @08:48PM (#26964713) Homepage Journal
      PDF seems to be the poster child for "How to abuse a format in a way that is contrary to its nature". Clients send us PDF's FORMS now... that they want us TO EDIT! Not print out, hand write on, and perhaps fax back... but EDIT IT, like it is a Word Processor document. Explaining to these people why this is an abomination is like telling a hooker not to sleep with the guy with sores all over his body... it falls on deaf ears, and makes baby Jesus cry.
      • by Penguinshit (591885) on Monday February 23, 2009 @09:14PM (#26964933) Homepage Journal
        I actually used JavaScript in PDF to create interactive forms for the corporate intranet. It was pretty because I could use Photoshop to create the underlying image.

        Then I quit drinking and realized Excel with tweaked permissions was far better suited to the task. It wasn't as smooth looking but it was easier for my staff to update.
      • by Main Gauche (881147) on Monday February 23, 2009 @09:29PM (#26965015)

        Pardon my ignorance, but exactly what other format should one use if one wants to use forms?

        In my place of work, a large group of individuals each needs to fill out an annual form. It contains some short-answer questions, and a few that requires a few paragraphs to answer. In the past, they have used... wait for it... Word. Yes, I was forced to boot up Word once a year, to fill out this form. You should see the completely disastrous document that results.

        For that reason, I always wished our administrators would have figured out pdf forms. You don't "edit" them, as you say; you fill them in. While there are many complaints to make about Adobe, I don't see the problem with pdf forms. Am I missing something?

        • by Korin43 (881732) on Monday February 23, 2009 @09:48PM (#26965127) Homepage
          HTML? Just point them to a page on the corporate intranet, they put in their login, profit?
          • Just point them to a page on the corporate intranet, they put in their login, profit?

            You're doing it wrong! It's:

            • Just point them to a page on the corporate intranet
            • they put in their login
            • ???
            • reduce costs!
        • by Lehk228 (705449)
          if it's for electronic storage and retrieval, use plain text.

          if it's getting printed out then hand filled, use PDF, if it's getting filled out on the computer then printed use wordpad
          • by Dare nMc (468959)

            , if it's getting filled out on the computer then printed use wordpad

            If you haven't modified the text of a form HR sent out for you to print, sign, fax. IE removing the not from "I will not browse porn at work." Then you need to turn in your geek card. PDF file that lets you fill in name, address, etc digitally. Print, and sign without a easily modified format begging for touch-up.

            • by Lehk228 (705449)
              If you haven't modified a protected PDF and done the same turn in yours.
              • by Dare nMc (468959)

                true, but the pdf can't be turned into a joke by anyone in the company without extra effort using IT approved applications.

        • by WiiVault (1039946)

          Am I missing something?

          Yes, you have to pay to edit PDF's. Sure Word costs money too, but there are lots of good free alternatives, plus a lot of people buy Word anyway. If you only edit it once a year, that is a lot of money to be paying Adobe just to use their software a single time annually.

        • by Bazzargh (39195)

          Well apart from anything else, they only work in Acrobat Reader. Which isn't the default PDF viewer on any platform except Windows.

          This means that
          (a) lots of people can't fill out the forms anyway, without installing additional software. Which may not even be an option on limited devices.
          (b) if you publish eg feedback forms later, lots of people will wonder why you published a whole pile of identical blank forms
          (c) if you used fdf forms (ie something compatible with older versions of Acrobat) the data and t

      • by Thaelon (250687)

        I've had co workers email me a PDF of a requirements document that was originally a word document.

        Because they didn't want me to edit it.

        Seriously. I half expected the person to ask for the file back when I was done.

      • by WiiVault (1039946)
        I get this all the time from my shipping agent. Like you said, these are not forms meant to be printed and faxed, no they have 3 32-54 character strings of numbers and are submitted digitally. It kills me what a pain in the ass this is and is my main motivator for moving my business elsewhere.
    • Well here's a use case:

      The document contains a form from officialdom which can be printed out as usual. Alternatively the PDF viewer enables entering of data inline for online submission. Here the JavaScript may activate client-side validation or pop up contextual help.

      The limitation here seems not the concept but a failure of sandboxing such as Java applets provide - suspicious activity is prevented by the applet security manager.

    • A lot of companies actually use Acrobat/Reader for forms management - the code behind these forms is - you guessed it - javascript.

  • by Anonymous Coward

    JavaScript in PDFs is, and always has been, a bad idea. I started disabling it years ago when it first showed up, and am continually frustrated that it is present, let alone enabled by default. How many PDF exploits have relied on JavaScript? I haven't been counting, but it sure seems like most of the vulnerabilities are either through JavaScript or made much easier to exploit by its presence.

    Someone is doubtless going to say that JavaScript is critical to PDFs as a helper for filling in forms. OK, whatever

  • by fm6 (162816) on Monday February 23, 2009 @08:20PM (#26964497) Homepage Journal

    You skip all testing. Just the sort of thing I want to install in my system.

  • Wow (Score:5, Funny)

    by ClosedSource (238333) on Monday February 23, 2009 @08:20PM (#26964501)

    You mean an individual who doesn't have a business to protect or any customers is able to come up with an un-QA'd version faster than the company that produced the product. Amazing!

    • The advantage is security through obscurity. Assuming the patch fixes this problem, even if it creates others so few people will have applied it, it is hardy worth developing malware for. This is a very nice stopgap until Adobe gets the real thing out the door.
      • by Nazlfrag (1035012)

        Apart from the fact that obscurity is not really security at all, why do you think a patch posted to the front page of slashdot and dozens of other places on the net is somehow obscure?

  • Patch? (Score:2, Interesting)

    by noidentity (188756)
    So this patch basically does the equivalent of a user going into the program's settings and disabling the JavaScript execution checkbox? Hmmm, I don't want to post this anonymously, so I'll apply one of my homebrew patches to uncheck the "Post Anonymously" checkbox. Wow, I'm l33t!
  • by Facegarden (967477) on Monday February 23, 2009 @08:31PM (#26964587)

    What i find more interesting is how slashdot is now able to tell the future!
    The article boldly claims that something released yesterday has arrived two weeks before the official patch. Now, i know it's possible that the two weeks was taken from Adobe's projected patch fix date, but projections and fact are still different, and journalistic integrity requires a writer in this situation to indicate directly that this two weeks is not actually fact, as we couldn't know that yet. The headline is an outright lie, as far as i can tell, as it relies on future events being a certain way.

    Can we not have articles started with lies on slashdot from now on? Maybe keep the lies towards the end?
    -Taylor

    • by gardyloo (512791)

      [...] journalistic integrity requires a writer in this situation [...]

      Hahahahaha... *gasp* wait, wait, .... HAHAHAHAHAHHAHA!

    • *sigh* It's kdawson. What do you expect?

    • [...] and journalistic integrity requires a writer [...]

      Dude, this is /. - "journalistic integrity" means that the ext3 filesystem mounted cleanly. :-P

    • Can we not have articles started with lies on slashdot from now on? Maybe keep the lies towards the end?

      "Yes"

  • As anyone who has developed complex software with a large installed userbase can attest to, you /cannot/ simply slap together a fix and push it out to millions of people.

    Even the simplest one line code change change requires extensive (if targeted) testing when you operate on that scale - the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.

    • by Malc (1751)

      And to prove the point, you have a mistake in your two line comment!

    • by AngryNick (891056) on Monday February 23, 2009 @09:25PM (#26964991) Homepage Journal

      - the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.

      Do you really believe that? I appreciate the need for caution and measured risk taking before releasing new code, but taking _weeks_ to test a reg hack/kill switch just tells me that a company isn't taking their defects very seriously. I'd be much more forgiving of a company that screwed up a patch than one that sat on it until it was too late.

      • As for how forgiving you'd be: we'll see if that's still true when tens of thousands of your users suddenly can't open a critical document without crashing or other instability.

        It's ultimately a judgment call: they need to decide if getting an urgent patch out is worth the risk that an urgent patch introduces. In the case of a product with this large an installed userbase, and given the fact that this hole has been out there for quite a while already, I think that they took the only responsible cour

      • Oh, I believe it. My patch was clean on a large project, but some numbskull didn't have his changes in the source control system and compiled the new version for installation from what was on his desktop, without any of the other previously source control submitted updates. The results.... well, the results weren't pretty because my patch didn't get the full QA procedure as a "minor patch", and because they trusted _my_ code. I continued to get the blame for the situation at meetings with staff for other de

    • by WiiVault (1039946)
      Yes but how many people will actually install this "fix"? Is that worth creating malware for between now and the official patch? I would venture it is a no. Security through obscurity at its best.
    • you /cannot/ simply slap together a fix and push it out to millions of people.

      You can if you're Apple [slashdot.org].

  • by Anonymous Coward on Monday February 23, 2009 @08:41PM (#26964659)

    Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability ... beating Adobe Systems Inc. to the punch by more than two weeks.

    What the fuck Adobe? What did you do for those extra two weeks?

    it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees.

    Oh ... I guess you were trying to make it work on all systems, and checking to make sure that it didn't royally fuck up the user's computer, or introduce another, potentially more serious vulnerability.

  • Really? (Score:5, Funny)

    by tool462 (677306) on Monday February 23, 2009 @08:44PM (#26964679)

    "caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees."

    My boss will be pleased. I can push all my releases up at LEAST two weeks earlier now by adding this caveat on to all of my code. Thanks, Geritol.

  • by UtucXul (658400) on Monday February 23, 2009 @08:52PM (#26964745) Homepage
    I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files. I realize that there is a danger in allowing executable content in files (and it is arguable whether or not the danger is worth it) but I do not understand why so many people don't seem to understand that there are at least possible benefits to it.

    I used to make slides for talks using LaTeX. There are great ways to include animations directly in the pdf that use javascript. I always had far less trouble getting my animations to play than other people at conferences I went to because acrobat reader was all I needed and it is nearly always there. And for the record, the animations were things I really needed since they showed output from simulations.

    I've also seen lots of forms that do some math or validation. How do people think that happens?

    Again, I think we need to be very careful about executable code but that doesn't mean there are no possible good uses for it.

  • Yes, because we should all get our security patches from unknown 3rd-Party sources. Sounds like a plan for success to me.

    BTW, I've got this great IE patch, it makes the Internet 10x faster!

  • A better patch... (Score:4, Insightful)

    by Kazoo the Clown (644526) on Monday February 23, 2009 @09:01PM (#26964815)
    My patch for Adobe is to uninstall reader and use Foxit instead. I thank those on Slashdot who alerted me of its existence as I have longed for a viable alternative from Adobe crapware for ages. It constantly was popping up windows where I would click "don't show me this again" about issues that were relevant to Adobe but not to me, and it never seemed to remember the setting once I checked on it. Worst designed junk I've ever seen. I've since found that Foxit is considerably faster as well.

    Good riddance.
  • Does anyone have a clue if the reg fix will work on Foxit? Or is Foxit vulnerable? Because myself and most of my customers have been avoiding the bloat that is Adobe PDF reader for awhile now and while Foxit is great usually anything that can infect Adobe works on Foxit too. So anybody know?
    • Foxit supports javascript too now... I suspect the reason it hasn't been attacked is there isn't any blood in the water over some small company.

  • so why doesn't he stand up his own giant graphic design software company and pay thousands of employees across the world if he's so much beter than Adobe? Oh, that's right, because any single person can act much more quickly (and cheaply) than any large organization. Next story please.

The typical page layout program is nothing more than an electronic light table for cutting and pasting documents.

Working...