Adobe Confirms PDF Zero-Day, Says Kill JavaScript 211
CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"
Ditch Acrobat... (Score:5, Informative)
Adobe is really slow about security patches on Acrobat. This is just the latest.
Its the reason why Miko Hypponen of F-Secure says you should ditch acrobat and use something else [slashdot.org].
Re:No problem for Macs, really (Score:5, Informative)
What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.
I had to install it to e-file my state taxes. The fill-in tax forms had a lot of behind-the-scenes scripting (javascript, I assume) and only worked with the Adobe browser plugin.
Re:Ditch Acrobat... (Score:4, Informative)
It's about disabling JS in Acrobat itself, not in general. For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.
Re:Inevitable post recommending Foxit Reader (Score:3, Informative)
I read a lot of PDF files, mostly books and the like, and I recently switched back to Adobe Reader from Foxit, after using it for years. I don't see any difference speed-wise on my machine, it behaves slightly better, looks much better, and it's still proprietary, closed software anyway. With Foxit, its browser plugin used to be unstable with Firefox for whatever reason too. Adobe's plugin seems to work better. As far as I'm concerned about security, I've turned off JS support in Adobe Reader. This seems to prevent many exploits, and takes away no useful functionality, as far as I'm aware. Even it someone managed to perform an exploit that didn't depend on JS, I'd still be protected by Firefox not running with administrative priviledges. All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.
Okular instead (Score:3, Informative)
Okular rocks, and it apparently can run on Windows [kde.org] as well.
My only feature upgrade request would be to have the underlying PDF engine allow for saving of annotations back to the PDF files... I want a digital highlighter pen.
Re:Disabling Javascript is standard (Score:5, Informative)
Quite so... I didn't even realize that PDF's could run Java scripts...
But now I've got a new hoop to jump through when I update a new computer:
Simple as that!
Re:Inevitable post recommending Foxit Reader (Score:5, Informative)
The printing industry is heavily dependent upon PDF files in their workflow. PDF attachment via email has basically replaced the fax machine in any professional industry. The format offers everyone a standard format that will look exactly the same everywhere. And, I can create a single PDF from multiple source documents (spreadsheets & word processor docs).
Re:Disabling Javascript is standard (Score:2, Informative)
This issue is in Acrobat's own javascript implementation. Acrobat itself runs javascript code that's embedded in PDFs, so the browser doesn't have anything to do with it.
Noscript will do nothing to help you here, and your post brings to mind the old adage - a false sense of security can be worse than no security at all.
Re:Kill Adobe reader, not java script (Score:1, Informative)
Re:This is a Zero-Day? (Score:5, Informative)
Re:Ditch Acrobat... (Score:2, Informative)
According to Secunia disabling Javascript does not mitigate the risk. Old news?
http://secunia.com/blog/44/ [secunia.com]
Re:PDF Forms under Linux (Score:1, Informative)
Try again. Recent versions of evince allow you to enter data in fill out forms. I have been told ocular does this as well, but haven't personally tried it.
disabling js will not save you (Score:5, Informative)
Check out the stuff Immunity is selling.
http://www.immunityinc.com/ceu-index.shtml [immunityinc.com]
They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.
Also notice that immunity also has exploits for things like foxit reader, so switching your favorite pdf reader every week isn't going to save you either.
The main problem here is that parsing pdf is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web based solution to view pdfs until adobe creates a lighter, more secure version of reader that contains nothing but the necessary plug-ins.
Sumatra (Score:5, Informative)
Already ran into this... (Score:1, Informative)
But yeah, this definitely came through a
The virus information sites don't really say much what this specific trojan does. Is it a key logger?
Re:Y'know... (Score:1, Informative)
Sounds like some of your standard template files (eg. normal.dot) have macros in them.
If you don't know what the macros are for and believe they should not exist, you should be clicking "no" and then getting back to work.
Precisely why I use Preview on OSX (Score:2, Informative)
I never launch Acrobat Reader, and only rarely Acrobat Professional thanks to the simplicity and speed of Preview.app.
I remove the acrobat plug-in (manually from /Library/Internet Plug-Ins/ since Adobe BORKED their installers to a complete nightmare level) -- I'd just as soon download the PDF or view it in window if I'm in a webkit browser.
Finally, all PDFs are associated with Preview and not Acrobat.
Re:Inevitable post recommending Foxit Reader (Score:3, Informative)
I routinely create, view & print really big PDFs. When comparing FoxIt & Adobe the time difference between opening & printing a E-sized PDF on my machine is huge. FoxIt blows Adobe completely out of the water in every manner I can think of.
Most of the time Adobe will never actually print anything out, or if it does, it will be missing elements.
Re:Kill Adobe reader, not java script (Score:5, Informative)
Edit, Preferences, "Enable JavaScript Actions" is checked by Default.
And yes, this is default, because I just installed the software today to verify the many claims about "just install FoxIT" with no other information.
Re:Ditch Acrobat... (Score:3, Informative)
On my install, which is 9.0 updated to 9.1, there are 60 megabytes of setup files. 20 of it is the installer for 9.0, and 40 of it is the installer for 9.1. Of the remaining 120 megabytes (that's right, the total is 180 megabytes), about 45 megabytes are devoted to dlls and executables, and about 30 are devoted to 'linguistics' resources, which must be language support files.
Clearly they don't care about using my disk (obviously, neither do I).
Re:PDF Forms under Linux (Score:3, Informative)
You can fill them in, but you'll have to print them. You can't use it to submit forms.
Re:Ditch Acrobat... (Score:3, Informative)
You won't run into them too often outside giant bureaucratic systems where some boss thought using PDFs for forms was a great idea.
I ran into something similar at work once. I had the guys in QA load up my thumb drive with all of the procedures that go for the product line I had inherited from one of the other leads there that... well, no need to digress... The documentation was just so fucking sloppy that most of it had to be completely rewritten from scratch. I couldn't make heads or tails of anything when I went to do any testing.
I sat down with the technician that I was now in charge of for this stuff. As I was trying to have him teach me everything, he just placed the documentation to the side and stated that it would be easier to teach me without it. It took me about an hour, but I finally started understanding everything he was teaching me. The documentation started to make sense, but it was still so horribly inaccurate that the fact that any person actually spent time writing anything down was a waste of resources.
With understanding in tow, I take my thumb drive home and open it up. .pdf's everywhere, sizes as large as 2MB.
As far as I had known, the only person who had a writer to edit these had left the company years ago. Making updates to these specifically was not going to happen. No matter, I was rewriting them all anyway. I load up word knowing that was the standard program in use at work and start pounding at my keyboard.
Document sizes were smaller (not that that was too important), documents could be edited by them if they needed to (very important), and any moron could actually follow the documentation step by step with full understanding what was going on.
When I had asked the QA team why there even .pdf's anyway, they pretty much summed it up to bureaucratic nonsense. Apparently the president thought it was a great way to keep everything under "lock and key".
Re:Adobe Reader has more holes that swiss cheese (Score:3, Informative)
The default on Ubuntu is evince, which does all that.