Forgot your password?
typodupeerror
Security IT

Adobe Finally Fixes Remote Launch 0-Day 82

Posted by kdawson
from the stay-safe-out-there dept.
Trailrunner7 sends in this excerpt from Threatpost (Adobe announcement here): "Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac, and Unix users to malicious hacker attacks. The update, which affects Adobe Reader/Acrobat 9.3.2 and earlier versions, includes a fix for the outstanding PDF '/Launch' functionality social engineering attack vector that was disclosed by researcher Didier Stevens. As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file." Relatedly, Brian Krebs blogs about the downsides of Adobe's increasingly Byzantine update process.
This discussion has been archived. No new comments can be posted.

Adobe Finally Fixes Remote Launch 0-Day

Comments Filter:
  • by snowraver1 (1052510) on Tuesday June 29, 2010 @04:43PM (#32737356)
    Why is every unpatched exploit a 0-day attack? Wouldn't this be more like a multi-month exploit?
    • by spazdor (902907)

      I logged in to ask exactly this.

      If a company patches 0-day exploits, their dev team is really on top of shit.

      • If a company patches 0-day exploits, their dev team is really on top of shit.

        Or bumbling GENIUSES. Since the definition of a 0-day exploit is a vulnerability the developers don't know about.

        • by spazdor (902907)

          Nah, 0-day remains 0-day throughout the first ("zeroth") day in which it's released. So if the devs can get a patch out the door the same day that the exploit is first disclosed in public, it counts.

          • I don't know of any company that has managed to do that though. In most cases, they are aware of the exploit at least a day before patching it. I mean, I can't imagine finding a solution, implementing it, and fully testing it in under 24 hours. I CAN imagine finding a solution, implementing it, and pushing it out, but that's dangerous.

            • Re: (Score:3, Informative)

              by tomhudson (43916)

              Not so hard to do with web platforms, where "pushing it out" means changing a file or two on a server.

              Of course, we've seen (here on slashdot) what happens when you try to do that too often ... but most of us have probably been in a situation where we're told to shell into the box and manually edit a file "right now!!!" with a best-guess way to stop something from being a problem, even if it's only to disable certain functionality temporarily while you work out a real fix.

    • by Darkness404 (1287218) on Tuesday June 29, 2010 @04:46PM (#32737410)
      Because its an attack out in the wild that the developers didn't know about and before a patch can be shipped.
      • I only saw a proof-of-concept. Have people actually been exploiting this?

        • by drinkypoo (153816)

          I only saw a proof-of-concept. Have people actually been exploiting this?

          Further, there are 24 hours from first disclosure to the end of when you can call it a Zero-day exploit. But I think that you still get to call it a Zero-day exploit after days have passed.

        • by chrisG23 (812077)
          Yes. If you do a google search for CVE-1297 (going from memory here, the CVE number might be off (CVE's are the numbering scheme used by the Mitre organization. One of the things they do is publish details on exploits/vulnerabilities as they happen, and security people use them as a reference point)) zero day you will find some analysis that was done on a pdf found in the wild.
    • by vawarayer (1035638) on Tuesday June 29, 2010 @04:56PM (#32737584)
      Details in the PDF file attached to this e-mail.
      • by mcgrew (92797) *

        When I got up this morning and fired up the little netbook, I got a message saying that Adobe had an update -- but the thing wasn't even on the internet; there were no local wifi signals this morning.

        I wonder if it's really the patch, or if the Adobe bug let someone in my box? I dread internet security updates, and wish that, with software I've paid for at least (not free stuff like PDF readers) they'd snail mail a CD to me.

    • by Skuld-Chan (302449) on Tuesday June 29, 2010 @05:17PM (#32737782)

      The difference is how much warning you get. Most of the security bugs Adobe fixes are found internally (you'll never hear about those - unless it greatly affects product functionality), and even those told to them externally by 3rd party researchers they usually get a several month lead time.

      Zero day bugs are where some guy says "surprise look what I found" on his blog without any warning despite how long a bug takes to fix.

      • by grcumb (781340) on Tuesday June 29, 2010 @06:15PM (#32738366) Homepage Journal

        Zero day bugs are where some guy says "surprise look what I found" on his blog without any warning despite how long a bug takes to fix.

        No, zero-day exploits are are... (wait for it) actively exploited in the wild before the first 'look what I found' ever appears.

        • Isn't that kinda what I said?

          • Re: (Score:3, Insightful)

            by lennier (44736)

            Nope. Exploitation and disclosure are two completely different things.

            If you've found an unpatched exploit and you're a black hat, are you going to blog to the whole world about it? Or quietly add it to your botnet kit without telling anyone?

            If the second, it's a 0-day. No warning, no defense, no lead time, just blam, click the wrong web page, read the wrong email, or open the wrong PDF and you're rooted without knowing it.

          • by grcumb (781340)

            Isn't that kinda what I said?

            No, that's kinda what you implied, but you left the door open for people to infer that you also meant that a zero-day was when a researcher announced a potential exploit without warning anyone else.

    • Yes, I wish every exploit could just be called an exploit (sans "zero day" in front of everything) unless it's specifically 1) a vulnerability the company has chosen not to fix, or 2) a vulnerability some guy somewhere knew about but hadn't used in order to keep it valuable. It's like if we were to start calling Microsoft Office "Microsoft Office for Windows" incessantly. It's assumed, unless you're specifically on a Mac or running it in WINE or something.

      I'm pretty sure. Amiright?
    • Normally, a "0 day attack" accompanied with some black background, text like html page occuring means

      1) Company doesn't take it serious and demonstrates their own case or explains why it is non issue for 99.9% (of course, add to fix list)

      2) Company takes it serious (sends out an emergency hotfix which may remove functionality and not very tested but, it works until real thing ships)

      As Adobe took it serious but didn't ship a God damn ".bat" file (yes, ms-dos .bat is enough) to remove the component which isn'

  • Another PDF reader (Score:1, Informative)

    by Anonymous Coward

    Missing from the summary is gsview. It makes a very secure pdf reader that works on windows, although it certainly isn't anything nice to look at. Uses ghostscript for the backend.

  • by MacCoder (1800034) on Tuesday June 29, 2010 @04:57PM (#32737600)
    For the 90% of us who don't require all the minutiae of functionality and cruft which Adobe Reader offers, there are options. Obviously Mac folk are covered by Apple's built in Preview, but on Windows, Sumatra PDF is amazing and ridiculously small. It's better than Foxit, in my opinion, for barebones PDF viewing in Windows. Check it out! http://blog.kowalczyk.info/software/sumatrapdf/index.html [kowalczyk.info]
    • Seconded. I use a portable version of it found at portableapps.com. We've found that to be friendly at places that don't let you have admin access to your machine for things like installs.

    • Thanks for the link. Comparing some documents side by side between Foxit and SumatraPDF, Sumatra rendering has some issues with gamma and images. Text rendering is a little better in Foxit. I can live with the yellow blank starting page, though.

      • by drinkypoo (153816)

        SumatraPDF fills a nice niche. If you hardly ever use Windows, it is sufficient for most purposes (occasional PDF viewing.) I have three windows systems which I use for gaming and stuff like that (e.g. a netbook which runs streets and trips; there's no good Linux navigation software.) They all have SumatraPDF and I've never been unable to read anything I've opened with.

        It has long since gotten to the point where PDF is easier to deal with on Linux than Windows. Especially since if you really have to, you ca

    • I've always had issues with sumatra, it seems to render some datasheets incorrectly, every now and again it'll consume 100MB+ ram, though that goes away when closing reopening pdfs, but most annoying is it'll happly stretch and print landscape documents on portrait (though you told it not too) and create several megabyte files to send to the xerox (which it really doesn't like).

      Im having better look with foxit, even if it isn't as light weight.

    • by lgw (121541) on Tuesday June 29, 2010 @05:58PM (#32738212) Journal

      Sadly, my employer has chosen a payroll provider (ADP) that requires Adobe Reader specifically to view paystubs. Foxit won't work, nor will any of the other options (apparantly Acrobat has some stupid web toolbar option that's beyond PDF). Why would anyone do that? Now when I need to see my paystub I have to download 200MB of Adobe cruft, then later uninstall it along with Adobe Download Manager and a bunch of other crap that Adobe stuffs in along the way. Man, I hate Adobe these days.

      • by laptop006 (37721)

        Mine uses ADP as well, but Evince on Linux works fine for me.

      • by tehcyder (746570)
        Wouldn't it be easier just to get them to print it out and post (snail mail) it to you?
        • by lgw (121541)

          That doesn't seem to be an option. Having them printed out and sent to the receptionist for hand distribution didn't fill me with joy.

    • by glwtta (532858)
      I'm not seeing how it's better than Foxit. Rendering seems to be slower, for one thing. And the minimalist tool bar is great and everything, but having the zoom control buttons accessible in one click is handy (or to put it another way, hiding them in a menu is annoying). No tabs, either.
    • by Zadaz (950521)

      Ever since Google put a PDF reader in Chrome it's been all I need for most things. Simple, fast, no cruft.

      (To use it you need the dev version of Chrome. To enable it go to chrome://plugins/ and click on "Enable" for the "Chrome PDF Viewer" plug-in.)

    • Thanks for bringing up Sumatra - do you happen to know any good pdf viewer for windows 98? (I tried Foxit 2.x but it's buggy as hell in win98).

  • after reading the summary and the Brian Krebs blog. I realized that Adobe is shipping a buggy, risky piece of software.

    I installed Foxit Reader (minus the Ask.com search bar)..

    It seems much snappier, and is significantly smaller.

  • MSP installer (Score:5, Informative)

    by darthservo (942083) on Tuesday June 29, 2010 @05:43PM (#32738046)
    The MSP Installer [adobe.com] is also available for those who may use Adobe Reader in silent installs/updates.

    Side rant: Why does Adobe still only offer the unpatched versions of Reader on their front page?
    • by jo42 (227475)

      In the past, we delivered Adobe Reader updates as full installers or patches (for instance, 9.x = full installer, 9.x.y = patch). The Adobe Reader Download Center at http://get.adobe.com/reader [adobe.com] always offers the most recent full installer of Adobe Reader, which is currently Adobe Reader 9.3. After installation, the Adobe Reader Updater will automatically check and offer the latest patches to keep end-users up-to-date (as of today, the latest patch is Adobe Reader 9.3.3).

      What a bunch of incompetent ass clowns. They can't even offer up a downloaded-able 9.3.3 install yet. You have to do it in two stages. If I was running the show, the people that crapped out this dung-pile would be looking for work tomorrow morning.

      • by Jesus_666 (702802)
        What do you expect? This is Adobe we're talking about. Their name has been translating to "half-assed software development" for the last couple years.
  • Ugh. I just updated on my Mac running 10.6.4. It looks like Adobe is still distributing Reader 9.3.0 as the default distribution package. I had to download/install this version and then apply individual patches for 9.3.1, 9.3.2, and finally 9.3.3. Annoying.

    Perhaps it would have been easier had I updated from within Reader?

    • This time, whatever these idiots did, the jump from 9.3.0 to 9.3.3 doesn't work at all. It may have something to do with the idiotic "repair adobe pdf viewer" plugin dialogue, which has no title and opens at background, unclickable.

      Idiots (hopefully they read) still install Adobe Updater to Utilities but they were lazy to feed it with data so, the dedicated (and working) Updater doesn't work too. Of course, it is still added to launchd per user schedule.

      Man how worse you can get? I mean, I am not like those

  • by Anonymous Coward

    is it? oh shit

  • I appreciate they probably had some QA to do in order to release this puppy and it took a while, but I loaded Evince [gnome.org], un-installed flash and called it a day. If you can't see it on youtube using their HTML 5 beta [youtube.com] then that's a real good time to boot up Linux even if it's just in Xen [xen.org] or Oracle/Sun Virtualbox [virtualbox.org] running on Windows. It works just fine for web browsing and less zero day exploits.

  • by Zadaz (950521)

    It's been nearly a week since I updated Reader! About time for another download install and unnecessary reboot!

    Every single time Reader/Acrobat updates it resets its self as the default viewer. That's completely inappropriate behavior, especially for a 'security update'. (And no, I can't uninstall it. Job requires proofing PDF in Reader just like all my poor clients.)

    I saw/overheard this in a bar recently (seriously):
    Girl: So where do you work?
    Guy: Adobe.
    Girl: Oh yeah, you're the guys always asking me to

    • by Tteddo (543485)
      Hah! I had a client tell me about a problem with the font size on their website (it's already dynamic, set at 1em). His proof was that the person that complained worked for Adobe. Yeah, you know that Reader thing that bugs you all the time? That's Adobe.
  • When using ExitWindowsEx() at the end of your patch install, don't use the damned EWX_FORCE flag. It doesn't even give users enough time to respond to the "Save? Yes/No/Cancel" dialogs popping-up before the applications are kill -9'd and users lose all their unsaved data.

    • by butlerm (3112)

      If the Windows developers had a clue, they would make it so that application developers could update their software without requiring a reboot much of the time. Reboot intervals should be measured in years, not hours.

      The Windows mandatory file locking scheme is brain damaged. Windows filesystems need to support a mode where a file can be replaced (Unix style) without disturbing people who currently have a file open for read only access (like running executables, for example).

  • It's about time, however there are still a few more exploits that have not been addressed....until these have been fixed too, i am sticking to fox it pdf reader....

It's a poor workman who blames his tools.

Working...