Adobe Confirms PDF Zero-Day, Says Kill JavaScript
CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number, has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"
No problem for Macs, really (Score:0, Insightful)
What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.
All Adobe software is so overbloated that if you compare them with Microsoft, they're the lightweight ones.
Re:Ditch Acrobat... (Score:2, Insightful)
Yeah... like if I'm offered the choices
1. Disable javascript and kill the web
2. Uninstall Adobe_who_evidently_can't_code_their_way_out_of_a_wet_paper_bag crap
Why would I choose the former? Even if I do that I'm sure they'll have another exploit by next Wednesday that wouldn't be defanged by disabling a scripting language, looking at their track record [google.com].
Color me tired of this much more so than surprised.
Y'know... (Score:5, Insightful)
...maybe it's about time Adobe did to JavaScript in Reader what Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.
It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.
--- Mr. DOS
Can we always kill javascript? (Score:5, Insightful)
Sorry, I know I'm beating a dead horse and risking karma-whore status, but do we really need a scripting language in PDFs at all? I mean, yes, sorry, I know that there are probably people out there who need that, but I'd wager the gross majority don't.
What most of us need (or at least what I need) PDF for is to have a portable format that's open, widely supported, and can give me pixel-perfect output regardless of the platform or what fonts you have installed. I don't need scripting, flash, embedded movies, or anything else of the sort. Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app? Because I want to view PDFs, but I have no interest in the associated security risks or bloat from throwing the kitchen sink into PDF functionality.
creeping featuritis (Score:4, Insightful)
Why the hell do we need javascript in a document reader in the first place? Acrobat is not a web browser, and I fail to see any situation that justifies a scripting language that has nothing to do with static documents. I suppose it could be useful for some fill-in forms, but that's about it.
Seems like a solution in search of a problem to me.
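The two posts above ask whether anyone actually needs JavaScript in PDFs. One way to answer that for your own files, as an added example that is not part of the thread and not an Adobe tool, is a small Python triage script: it counts the PDF name objects that carry or auto-trigger script (/JS, /JavaScript, /OpenAction, /AA, /Launch), decodes #xx-escaped names so /J#61vaScript is still seen as /JavaScript, and inflates FlateDecode streams so a script dictionary hidden in a compressed object stream shows up too. The three sample PDFs are constructed inline and are not real-world files; only the Flate filter is handled, so treat the result as a triage hint, not proof of safety or malice (forms legitimately use /JS).

```python
import re
import zlib

# Names that make Reader run code or act without a click. /JS and /JavaScript
# carry the script itself; /OpenAction and /AA fire it automatically; /Launch
# runs an external program. Any of these in a file from outside deserves a look.
TRIGGER_NAMES = {"JS", "JavaScript", "OpenAction", "AA", "Launch"}

# A PDF name object: a slash followed by regular characters, possibly with #xx escapes.
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
# stream ... endstream bodies; the lookbehind keeps "endstream" from starting a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw):
    """Undo #xx escapes, so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflate_streams(data):
    """Return the decompressed bodies of every FlateDecode stream we can open.
    decompressobj tolerates a stray trailing CR; other filters (LZW, ASCIIHex,
    ASCII85, RunLength) are simply skipped here."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            out = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate, or damaged; a fuller tool would try the other filters
        if out:
            bodies.append(out)
    return bodies


def scan_pdf(data):
    """Count trigger names in the raw file and inside inflated streams."""
    counts = {}

    def tally(blob):
        for m in NAME_RE.finditer(blob):
            name = decode_name(m.group(1))
            if name in TRIGGER_NAMES:
                counts[name] = counts.get(name, 0) + 1

    tally(data)
    for body in inflate_streams(data):
        tally(body)
    return counts


def classify(counts):
    """Triage verdict: script present, only automatic/launch actions, or nothing found."""
    if counts.get("JS") or counts.get("JavaScript"):
        return "has-javascript"
    if counts:
        return "has-actions"
    return "clean"


# --- constructed samples (not real-world files) ---
SAMPLE_CLEAN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n%%EOF\n")

# JavaScript in the clear, wired to run when the document opens.
SAMPLE_PLAIN_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
                   b"<< /S /JavaScript /JS (app.alert('hi')) >> >>\nendobj\n%%EOF\n")

# Same action, but the dictionary sits in a FlateDecode stream and the name is
# #xx-escaped, which is enough to defeat a plain `grep -c JavaScript`.
_hidden = zlib.compress(b"<< /S /J#61vaScript /JS (this.getField('x')) >>")
SAMPLE_HIDDEN_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                    b"2 0 obj\n<< /Length " + str(len(_hidden)).encode()
                    + b" /Filter /FlateDecode >>\nstream\n" + _hidden
                    + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("clean", SAMPLE_CLEAN), ("plain", SAMPLE_PLAIN_JS),
                       ("hidden", SAMPLE_HIDDEN_JS)):
        counts = scan_pdf(pdf)
        print(f"{label:>6}: {classify(counts):15} {counts}")
```

Run it over a directory of PDFs before deciding whether disabling JavaScript in Reader would break anything you actually use. Note that the check is about the file's content, not about Reader's preferences: a PDF that parses badly can still hit a parser bug with JavaScript turned off, which is the point of the "Disabling Javascript won't mitigate the risk" post further down.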
Re:Ditch Acrobat... (Score:5, Insightful)
Ok, color me surprised then... Thank you for the clarification.
I think I'll step out and take a walk to muse about why companies writing mission-specific utilities throw in the kitchen sink-type bloat and wonder why they couldn't see their ship coming in over the Sea of Vulnerabilities...
Kill Adobe Reader, not JavaScript (Score:4, Insightful)
Re:Disabling Javascript is standard (Score:5, Insightful)
And yet another person misses the point. It's not talking about JavaScript in your browser, it's talking about JavaScript in the Reader software. I guess it's a given that somebody with the uid of 317 didn't RTFA ;)
Mac? (Score:3, Insightful)
Adobe Reader has more holes than Swiss cheese (Score:5, Insightful)
Adobe seriously needs to get its act together. Adobe Reader is in the top 5 most exploited applications and we have a new "highly serious" bug getting released every month or so.
It is slow, it is huge, and it is full of bugs... And it is entirely unjustified for an application designed to read a single file format!
Re:Inevitable post recommending Foxit Reader (Score:5, Insightful)
All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.
And without additional cost to you, that delivery includes a 60MB runtime footprint and two or three always-running updater applications!
Re:Y'know... (Score:2, Insightful)
The average user immediately presses 'accept' or 'ok' on any prompt that comes up when they open a file without reading the message or thinking about what it means. Adding this requirement is just annoying for users and does absolutely nothing.
What I would like to see is a way to deploy Reader to client PCs with JavaScript disabled through a configuration file or command line flag. It is not realistic to expect users to go to preferences and disable JavaScript on an application that is used to view documents.
Re:Inevitable post recommending Foxit Reader (Score:5, Insightful)
I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.
Set up formatting and layout for your document in a way that should display the same way when you transfer the file to another computer, and have it also look the same when you print it out. I mean, that's really what PDF is for, and it's very good for that purpose. Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.
PDF is given a bad name by the slow, bloated application that most people view them on (Adobe Reader). It's not really ideal to treat them like web pages, but most of the dread you feel when you have to click on a link to a PDF is really more the fault of the reader than the format. If you have a good PDF viewer, they aren't slow to load and won't crash your browser.
Disabling Javascript won't mitigate the risk still (Score:3, Insightful)
Re:Can we always kill javascript? (Score:5, Insightful)
Re:Inevitable post recommending Foxit Reader (Score:3, Insightful)
If you have a good PDF viewer, they aren't slow to load and won't crash your browser.
If you don't use a reader with a browser plugin, a PDF is just as likely to crash your browser as a zip file.
Re:Ditch Acrobat... (Score:2, Insightful)
Precisely that bloat functionality.
Advanced forms handling, embedded content, Adobe javascript, et cetera.
Things most people never need and things that would use Microsoft Word if Adobe had never offered the functionality.
You won't run into them too often outside giant bureaucratic systems where some boss thought using PDFs for forms was a great idea.
Re:Inevitable post recommending Foxit Reader (Score:4, Insightful)
Images can be embedded in cdata tags. It's not easy or really recommended, but possible.
Yeah, I don't know if this helps, but my original sentence was intended to be read, "Neither HTML nor RTF can really* even (do complex layouts with embedded images) in a single file. [* Disclaimer: by 'really' I mean in any way that is sensible and well-supported.]"
Ok, so I don't know if that's exceptionally clear anyway, but I gave it a shot. The point is, yes, you can do very complex layouts in HTML, but lots of things require extensive HTML/CSS knowledge to do properly and in a cross-platform manner, and maybe even weird and complex hacks. You can't simply take your Word document with a complex layout and do "save as HTML" and get a good HTML file that maintains that layout.
Beyond that, except for dropping the image into the HTML in base64 (which... well... I wouldn't advocate doing that under most circumstances) including images will require separate files which will then have to be passed along with the HTML and kept in the same relative path, or else you'll lose the images. And then there's the issue of fonts, which newer browsers are only beginning to address with web fonts.
So really, if you want to pass along a single file while maintaining complex layout very accurately, and you don't particularly want the file to be easy to edit, then PDF is a good choice for that purpose. I can't think of another format that's anywhere nearly as good for that purpose.
I propose a new term (Score:4, Insightful)
"Negative-One-Day Exploit"
Used to refer to exploits that have existed in the wild for a long time, known to be an easy access point for exploits by consumers, but have only just been announced as a critical threat by the application owners.
As in, "Javascript in a PDF file? That's a negative-one-day exploit just waiting for a press release."
Re:Inevitable post recommending Foxit Reader (Score:3, Insightful)
I don't really mind the startup time, but the idea that a program adds itself to my bootup menus and runs all the time really puts me off. The tiny overhead of the updater application doesn't bother me so much; it's the fact that it exists at all that indicates a serious design flaw!
That is why on Windows always choose xmplay^H^H^H Foxit over iTunes^H^H^H Adobe PDF!
Unfortunately people still flock to this software because of its 'features', and the atrocities of its design are hard to get across to non-geeks.
Surely Windows has a cron you can use to update programs regularly without running them all the time!?
Why Microsoft doesn't provide an updater program for Windows, requiring companies to provide their own repos, I don't get, though. Additionally a preload system that allows programs to boot faster would let most of these 3rd party programs die (I mean one that software can add itself to, in addition to the standard preload).
Re:Inevitable post recommending Foxit Reader (Score:3, Insightful)
That's what memory is for, though. I have 4 GiB of it, and I don't see the gain from having it go unused over having it occupied by a sloppily made app. In return, I get something I enjoy using more.
I'm not usually a subscriber to the "evil big company" theory, but I'm not too fond of trusting Adobe to install and run whatever they want, regardless of whether or not I have asked for it. Actually, I guess I am a subscriber to that theory - since I don't tend to let anyone run their crap on my PC unless I know exactly what it does or can at least be reasonably sure that it's not doing something stupid*. That's a large part of how I've stayed virus free for a couple of decades, in spite of not running anti-virus.
Aside from that - I'm not sure that I agree that's what memory is for. When I'm working in game development and my development tools are consuming 3GB of memory, you're damn right I'm picky about someone taking up an unnecessary 60MB plus. I view my computer's memory as /my/ resource, to be used by my computer as I want it to.
* like allowing anybody at all to run flawed javascript when I open a PDF file -- which should be a read only format for viewing and printing documents
Re:Can we always kill javascript? (Score:5, Insightful)
Yep. They want flash, pdf, and AIR [wikipedia.org] to be ubiquitous. This [newsweek.com] article shows their point of view: "What's wonderful for Adobe is, we are pretty much everywhere you look. [...] Just about every Web site uses Flash. Every tax form you download off the IRS is done in PDF. So it's OK if the average consumer does not know who Adobe is. We're almost like air." They want their suite of tools to be a ubiquitous consumer-level software tool like Windows, and they understand that if they're going to make money that way, they have to convince people that their tool is better than the free alternatives, just as MS has to convince people to desire Windows rather than Linux.
Adobe is very clever about making their formats and implementations open enough to get them widely adopted, while maintaining their market position via a combination of (a) the first-mover advantage when they release new features, and (b) keeping certain aspects of their formats and implementations just proprietary enough to maintain the perception that the competition isn't as good. You see it with flash, where they've opened up a lot recently, but for most developers there is really no viable alternative to using Adobe's tools. You see it with pdf, where they sell people snake oil, e.g., convincing them that the DRM features are useful, even though they're trivial to circumvent.
One of the big things working in their favor is patents. E.g., flash supports mp3 but not ogg, which makes it difficult to make a legal, OSS toolchain for flash development, because the license for mp3 forbids distribution of encoders in large numbers without paying a royalty. Ditto for patented color management and patented video codecs. Any patented special sauce they can add to their apps makes it easier for them to differentiate themselves from the free competition.