PDF Vulnerability Now Exploitable With No Clicking
SkiifGeek writes "With Adobe's patch for the current PDF vulnerability still some time away, news has emerged of more techniques that are available to exploit the vulnerability, this time without needing the victim to actually open a malicious file. Instead, the methods make use of a Windows Explorer Shell Extension that is installed alongside Adobe Reader, and which will trigger the exploitable code when the file is interacted with in Windows Explorer. Methods have been demonstrated of successful exploitation with a single click, with thumbnail view, and with merely hovering the mouse cursor over the affected file. There are many ways that exploits targeting the JBIG2 vulnerability could be hidden inside a PDF file, and it seems that the reliability of detection for these varying methods is spotty, at best."
So, don't use Adobe Reader (Score:2, Informative)
Use Foxit! Reader on Windows and something else on other operating systems, such as Okular.
Re:Does it affect other platforms as well? (Score:3, Informative)
does it affect other platforms as well. Or is it Windows specific?
Yes [slashdot.org] and no respectively. It only affects Adobe Reader. All other PDF software is unaffected, I believe.
Re:So, don't use Adobe Reader (Score:1, Informative)
Fuck it! Every single Adobe vulnerability article (for there are many) and someone says use Foxit.
Foxit is bad software. It comes with an opt-out shitty toolbar. It comes with opt-out ebay link.
Finally once it's installed it has a shitty inline advert bar.
Face it, there isn't a good PDF reader for Windows.
Re:Not PDF vulnerability ... Adobe vulnerability (Score:5, Informative)
Adobe's particularly horrible implementation.
Right now, on my laptop, I have two VirtualBox sessions running images pretty close to the servers at work. I'm testing out some simulation. I've got slashdot open in Firefox, and I've got Adobe's PDF reader open to a reference manual.
The PDF reader is using more memory than the two virtual servers combined. That's a ridiculous amount of bloat, and it doesn't even count the "Adobe Updater" software that runs all the time.
Re:PDF and Viruses (Score:4, Informative)
If you allowed a popup to occur you were not being careful.
Re:PDF and Viruses (Score:3, Informative)
Does it matter? GP could also have been tricked to click a link that leads to the same page as the popup. Disallowing popups would not have saved him in that situation. The problem is not allowing popups, the problem is that his browser was not secure.
Re:Not PDF vulnerability ... Adobe vulnerability (Score:2, Informative)
Eh, it's buggy. I just installed it, and after 4 seconds figured out I can't even scroll with PDFs on "Facing" mode (how I primarily use PDFs).
Also there's no toolbar buttons like in Acrobat for changing the view.
I think I'll stick with Reader 7.0.x + ARSpeedup for now.
Re:Whoa (Score:3, Informative)
Not surprising because this is Windows we are talking about but holy crap - what a way to design a file browser / operating system. The problem here is NOT Adobe, or PDF or anything else, the problem is terminally-shit operating system and file browser design - executing entire programs to perform unnecessary tasks (e.g. add a column to explorer, generate a small bitmap, provide some hover-text).
That's strange, because the last time I booted up a Kubuntu live cd, the file explorer created preview bitmaps for all the PDFs in any folder I opened.
Re:Whoa (Score:3, Informative)
Your +4 Interesting (at the time I'm writing this) rant against Microsoft completely fails to take into account the fact that this vulnerability is not limited to Windows, but in fact affects all platforms.
Now, please write your rant 100 times on the blackboard, substituting "Linux" for "Windows", then write it 100 times more substituting "OSX" for "Windows".
Re:Workaround for Security Hole (Score:2, Informative)
Why in the world was this marked "Informative"??
The three exploits that Didier shows in his blog do NOT use javascript!!!
This "fix" won't work with these exploits.
Re:Workaround for Security Hole (Score:3, Informative)
Not '+1 Informative', this should be '+1 Misleading'. Disabling javascript is *not* sufficient to protect you against this exploit.
Re:Whoa (Score:3, Informative)
What did it use to create those previews? Adobe Acrobat Reader (the associated program for that particular user on that particular system) or a program that has been specified specifically for that purpose? Or even its own internal renderer? I don't think it's sitting there loading up Acrobat Reader for Linux for every thumbnail, somehow, which is apparently what Windows does. I think you might find that konqueror internally decides to use libpoppler, no matter what file is associated with PDF mimetypes (but I could be wrong there - google can be misleading). Thus, it's konqueror itself and its built-in libraries that are doing the preview, not some random associated executable. Thus, new and "interesting" mimetypes don't execute even more external programs for no reason when you view them, they just don't have previews.
Other file managers may differ.
Re:Workaround for Security Hole (Score:3, Informative)
Not correct.
As to JavaScript, it's possible to exploit the /JBIG2Decode vulnerability without using JavaScript, and there are samples of this found in the wild.
—here. [didierstevens.com]
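Added example (editorial, not part of the comment above or of the linked post): a triage scan that counts `/JBIG2Decode` separately from `/JavaScript` and `/JS`, so a file with no JavaScript is not mistaken for a clean one. It goes slightly beyond the thread by also resolving `#xx` hex escapes, which PDF syntax allows inside names and which a plain substring search misses; the function names and the sample bytes are constructed for illustration.

```python
import re

# A PDF name is "/" followed by any bytes except whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
# Inside a name, "#xx" stands for the byte with hex value xx (PDF 1.2 and later).
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

WATCHED = (b"JBIG2Decode", b"JavaScript", b"JS")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so /JBIG2#44ecode compares equal to /JBIG2Decode."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf_names(data: bytes):
    """Count watched names in raw PDF bytes; also count escaped spellings."""
    hits = {name.decode(): 0 for name in WATCHED}
    escaped = 0
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in WATCHED:
            hits[name.decode()] += 1
            if raw != name:
                escaped += 1
    return hits, escaped


# Constructed sample: a harmless PDF fragment, not a working document or exploit.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Length 4 /Filter /JBIG2Decode >>\nstream\nAAAA\nendstream\nendobj\n"
    b"2 0 obj\n<< /Length 4 /Filter [/FlateDecode /JBIG2#44ecode] >>\n"
    b"stream\nBBBB\nendstream\nendobj\n"
)

if __name__ == "__main__":
    hits, escaped = scan_pdf_names(SAMPLE)
    print(hits, "escaped spellings:", escaped)
    # A plain substring search sees only the unescaped occurrence.
    print("naive count:", SAMPLE.count(b"/JBIG2Decode"))
```

Names stored inside compressed object streams are not visible to a raw byte scan like this one, so a zero count does not show that a file is safe.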
Re:So, don't use Adobe Reader (Score:5, Informative)
'You can read the source' is irrelevant 99% of the time;
The point is that someone, other than the original author, can and most likely has.
Re:Whoa (Score:3, Informative)
The Adobe advisory [adobe.com] indicates that it affects all platforms, and others in this thread have also pointed it out (some with links).
The second link [didierstevens.com] in the summary also explains that the preview functionality is added through a shell extension installed by Adobe, as opposed to default Windows functionality, although obviously Windows provides the API to make it possible. Similar functionality exists in the Linux and OSX worlds.
This is not the fault of bad Windows design. This is the fault of unnecessary preview functionality available on all systems (and not written by Microsoft), combined with yet another bloody buffer overflow (also not written by Microsoft).
Re:Not PDF vulnerability ... Adobe vulnerability (Score:5, Informative)
It's not obvious, but if you hold down the control key while mousing, text is selected and automatically copied to the clipboard.
Once you get used to it this is actually quite convenient.
Re:Not PDF vulnerability ... Adobe vulnerability (Score:5, Informative)
(yes, there's a ton of good PDF freeware [paperlined.org] available now)
Re:Not PDF vulnerability ... Adobe vulnerability (Score:3, Informative)
Inside Adobe Reader (version 8 at least) under Tools|Preferences|Internet uncheck "Display PDF in browser" in the "Web Browser Options" group.