Adobe Confirms PDF Zero-Day, Says Kill JavaScript
CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A 'Bugtraq ID,' or BID number, has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"
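The summary's only mitigation is to switch JavaScript off in Reader. A defender triaging this also wants to know which PDFs already in the environment carry script or auto-run actions, so that those can be quarantined or reviewed. The scanner below is an added example, not code from Adobe, the submitter, or anyone in the thread. It relies only on PDF syntax itself: scripts are stored under the /JavaScript and /JS names, and /OpenAction and /AA (additional actions) are the triggers that run them without user interaction. The sample PDFs are constructed inline for the demonstration. It does not decompress object streams, so a clean result means "no indicator in the plain bytes", not "no JavaScript".

```python
"""Flag PDFs that carry embedded JavaScript or auto-run actions (added example)."""
import re
from pathlib import Path

# Names whose presence means the file can run script or fire an action on open.
# /JavaScript and /JS hold the script; /OpenAction and /AA are the triggers.
INDICATOR_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

# The PDF spec lets any byte of a name be written as #xx, so /J#61vaScript is
# the same name as /JavaScript. A plain substring search would miss it.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so hex-written names compare equal to plain ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def find_indicators(data: bytes) -> dict:
    """Return {indicator: count} for every indicator name present in data."""
    norm = normalize_names(data)
    found = {}
    for name in INDICATOR_NAMES:
        # A name token ends at whitespace or a delimiter, so require that no
        # regular character follows; this keeps /JS from matching a longer name.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        count = len(re.findall(pattern, norm))
        if count:
            found[name.decode("ascii")] = count
    return found


def has_javascript(data: bytes) -> bool:
    """True when the file contains a script object, whatever triggers it."""
    found = find_indicators(data)
    return "/JavaScript" in found or "/JS" in found


def scan_path(path: Path) -> dict:
    """Scan one file on disk and return a small report dict."""
    data = path.read_bytes()
    return {
        "path": str(path),
        "javascript": has_javascript(data),
        "indicators": find_indicators(data),
    }


# Constructed sample documents (not real files from the article).
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Same skeleton, but the catalog's /OpenAction points at a JavaScript action.
JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('constructed sample');) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Identical action object written with #xx escapes in the names.
HEX_NAME_PDF = JS_PDF.replace(b"/JavaScript /JS", b"/J#61vaScript /J#53")


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_PDF), ("js", JS_PDF), ("hex-names", HEX_NAME_PDF)):
        print(f"{label:10} javascript={has_javascript(doc)} {find_indicators(doc)}")
    # Usage against a directory of real files:
    # for p in Path("inbox").glob("*.pdf"): print(scan_path(p))
```

The name normalisation is the part worth keeping even if the rest is replaced by a fuller parser: both the plain and the hex-escaped sample report the same indicators, which is what a quarantine rule should key on.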
Re:Inevitable post recommending Foxit Reader (Score:2, Interesting)
How about just get rid of PDFs in general? I mean, how many times have you opened up a page and said to yourself "Sweet, it's a PDF, now I can...". I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.
I suppose there must be a place for them, but it seems to me they're mostly used by people too lazy to create a page with the information they want to display, and instead just put a link to the PDF they sent to their printer, often from a years out of date brochure or flier.
Re:Can we always kill javascript? (Score:5, Interesting)
Programmatically clone a page to the end of the document.
Calculate and fill fields based on the value entered into other fields.
Update reference data from the web.
There are good uses.
Re:Can we always kill javascript? (Score:4, Interesting)
PDF Forms under Linux (Score:2, Interesting)
Re:Ditch Acrobat... (Score:5, Interesting)
For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.
Which is ironic since PDF was originally designed to be a reduced, non-Turing complete version of Postscript partly for the safety of a restricted interpreter.
Incessant Acrobat JavaScript nagging (Score:5, Interesting)
Re:Can we always kill javascript? (Score:3, Interesting)
I'm not familiar with what you're talking about, here -- can you point me to an example? Also, when would you need to do this?
PDF doesn't need to be a spreadsheet.
Seems like HTML/XML/Javascript would be a better solution to that, don't you think?
Re:Inevitable post recommending Foxit Reader (Score:4, Interesting)
PDF came out in 1993. XML became a W3C standard in 1998 (working draft in 1996).
So, frankly, they hadn't and have an excellent excuse for not having heard of it. Besides which, you have to consider the hardware and software limitations of 1993 and compare the problems that human-readable formatting solves compared to the problems PDF is intended to solve. PostScript, font, and raster graphics embedding are not especially served by this compared to costs that were significant at the time.
Re:Inevitable post recommending Foxit Reader (Score:2, Interesting)
That's what memory is for, though. I have 4 GiB of it, and I don't see the gain from having it go unused over having it occupied by a sloppily made app. In return, I get something I enjoy using more.
Re:Inevitable post recommending Foxit Reader (Score:3, Interesting)
These are things that have frustrated me for years, especially as more and more applications are presuming to do it. It's like people have never heard of the concept of Windows scheduler/cron, or even spawning off an update thread in the background on startup. Processors and hard drives are so fast these days that even bloated and beefy software (I'm looking at YOU openoffice.org and netbeans) provides acceptable startup times without a "launcher" application.
As far as Adobe - the only thing I ever do with my PDF files is read them. Every year I watch Reader's footprint get bigger and bigger, and yet there is /no/ difference in my experience with it (except that it's slower) than there was several years ago.
Why Microsoft doesn't provide an updater program for Windows, requiring companies to provide their own repos, I don't get.
That would also be quite nice. A simple Updater API would go a long way and might clean up some of this crap.
Re:Ditch Acrobat... (Score:5, Interesting)
For most people there is no difference, but if you are working with livecycle forms online (which some public sites use) nothing but Adobe Reader will work with those.
If you use PostScript passthrough - I don't know of any apps outside of Adobe that support this.
If you use annotations (3d objects, comments/notes, multimedia, videos etc) - most other readers don't support this - or if they do they only support notes/comments.
If you need to deploy a pdf viewer to a couple thousand machines - I'm not aware of any that have an installer for automating this - Adobe Reader does however.
So it's not for everyone, but speaking from experience it is for a lot of people and a lot of big enterprises.
That said - Foxit is probably the most feature-complete PDF viewer outside of stuff from Adobe, however it would be generous of me to say that it supports 1/10th of the PDF features Adobe Reader supports.
Re:Ditch Acrobat... (Score:3, Interesting)
These companies don't see that we often simply want a simple app to do a simple job fast, cleanly, and with minimum bloat. Instead they try piling in the kitchen sink hoping that one of the bazillion functions they pile in there might make it the "must have" for "the next generation" or again whatever buzzword bingo you choose. Just look at all the crap Nero has piled into what was once a clean and easy burning app. That is why for myself, my customers, and my family I routinely install Foxit Reader, which simply renders PDFs quickly, with minimum fuss, updates itself by default, and is very light on resources and doesn't try to run 24/7 like Adobe. Unlike Adobe, Foxit hasn't tried to add the kitchen sink. It just renders PDFs fast. Give me that over app bloat any day.
You think using Foxit will help you avoid security flaws? Check this out:
http://www.foxitsoftware.com/pdf/reader/security.htm
Those are just the ones they found - Foxit isn't even a big target for black hat hackers. Once it is - the Foxit religion will lose faith and switch to something else I'm sure. It would actually be possible to write an exploit that exploits Foxit and Adobe Reader.
Having worked on Acrobat - I know that it is audited all the time by the security team there. You can do a ton of code reviews, and fix a lot of vulnerabilities quickly (which they did all the time actually - stuff you've never seen exploited because of this), but being that we are human stuff comes up. Like anyone who is a security target: it is a cat and mouse game at this point and until that happens to your product you'll probably never appreciate the problem.
Re:Executable... (Score:3, Interesting)
^^ this. I had no idea recent versions (or even old ones) of Adobe Reader even had JavaScript. Why?
It's considered by most people to be a static document format; leave interactivity to HTML or other formats.
Re:Ditch Acrobat... (Score:2, Interesting)
I'm not a Windows user so I've never used Foxit. That said, your complaints sound somehow wrong to me.
First, you say "Foxit isn't even a big target for black hat hackers" like it's a bad thing. Here's some news for you: Some of us utterly dislike the software monoculture companies like Adobe and Microsoft are selling, partly because it creates big targets for black hats...
Second, you didn't comment on the bloat accusations. It's great Adobe does audits, but wouldn't it be great if they didn't have to audit source code that builds into a 180MB monster?
I'm sure they have a client demanding each one of those 'features', but why does everyone on the planet need to have all those features installed and enabled as well? It's a balance between (perceived) ease-of-use and security, and I think I know which side Adobe is leaning on.