
New Adobe PDF Zero-Day Under Attack

Posted by CmdrTaco
from the duck-and-cover dept.
Rahmmp writes "Adobe has sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild. An Adobe spokeswoman described the attacks as 'limited' but warned that that could change with the availability of public samples and exploit code."
  • by symbolset (646467) on Thursday September 09, 2010 @12:08PM (#33523162) Journal
    Whenever we have a credible PDF exploit story, the slashdot fine summary always links to a reliable PDF document that explains the exploit in detail. Sorry, not buying this one.
    • Re: (Score:3, Informative)

      by tlhIngan (30335)

      Whenever we have a credible PDF exploit story, the slashdot fine summary always links to a reliable PDF document that explains the exploit in detail. Sorry, not buying this one.

      Funny, the only PDF I can find is a link from the FA which demonstrates the attack. The article itself is a regular web page, and I can't seem to find a PDF of the full disclosure.

    • by camperslo (704715)

      Those that don't trust zdnet can go to where Adobe mentions [adobe.com] this issue (CVE-2010-2883) [adobe.com].

  • by gweihir (88907) on Thursday September 09, 2010 @12:11PM (#33523204)

    PDF is not a highly complicated format. It should be easy to interpret it safely. I strongly suspect that Adobe has invested exactly nothing into Acrobat Reader security over the years. Stupid. Incredibly stupid. Anybody that can should move to the alternatives right now.

    • by Darkness404 (1287218) on Thursday September 09, 2010 @12:19PM (#33523340)
      Because Adobe has decided to take what should be a basic document format and added scripting to it.
    • by martas (1439879)
      what alternatives? no, seriously?
      • by MozeeToby (1163751) on Thursday September 09, 2010 @12:29PM (#33523526)

        Foxit Reader is a nice alternative. It opens quickly, doesn't feel the need to update every other day or keep an updater service running all the time, and it doesn't have nearly as many security issues. Alternatively, you could just do a search for pdf reader -adobe [google.com] and come up with a variety of alternatives yourself.

        • Re: (Score:3, Interesting)

          by Lennie (16154)

          Funny you should mention that one, the last non-scripting exploit for Adobe Acrobat Reader was also an exploit for Foxit Reader.

          • by MozeeToby (1163751) on Thursday September 09, 2010 @01:29PM (#33524482)

            Yep, and Firefox and Chrome have had exploits too. So have Linux, the iOS, and Mac OS 10. So has nearly every piece of popular, complex software. The rate of exploits found that affect Foxit is trivial compared to the number found in Adobe Reader.

            • All computer users deserve software freedom. Switching from Adobe Acrobat to Foxit Reader is moving from one proprietor/monopolist to another hoping that the switch makes users more safe. Without software freedom one cannot inspect the program to see what it does (a spy program that has no bugs is still doing spying on users), change the program to make it better, or help one's community by distributing the improved version. Proprietary software is untrustworthy by default. We don't fully know what it d

              • I agree, but the chances of Joe Average User, and let's face it, most of us as well, inspecting the source code for the majority of the applications they use is low. Changing to Foxit still represents a vast improvement in security.

                That said, use SumatraPDF [kowalczyk.info]. It's probably not as polished as Foxit, but it suits my purposes for most things, and it's licensed GPLv3.

                • Re: (Score:3, Informative)

                  by Svartalf (2997)

                  And it should be observed that Evince [gnome.org] is also available for Windows and is under the GPLv2.

                  Sumatra's minimalistic and lacks some functionality, if you want the honest appraisal- the dev site openly admits not everything renders correctly. Evince seems to be pretty solid when it comes to rendering content correctly. I've yet to find a document that didn't view and print as the author of the document had intended.

          • Re: (Score:3, Informative)

            by hairyfeet (841228)

            Foxit actively sandboxes and refuses to run ALL code embedded in a PDF unless you actively turn off safe reading, and they have been doing this for quite awhile now, since that last bug you mentioned.

            And for anybody dealing with clueless users that want a butt simple way to install Foxit or several other free PDF readers like Sumatra, or need a butt simple way to install most of the basics like chrome, Firefox, or Flash, I'd suggest Ninite [ninite.com] which has fully automated installers for over 90 programs. simply

      • Re: (Score:3, Informative)

        by 6031769 (829845)

        xpdf [foolabs.com].

        • by drspliff (652992)

          xpdf is *old*. You should be using Poppler, which is actively maintained and very fast.

      • by Pascal Sartoretti (454385) on Thursday September 09, 2010 @12:41PM (#33523718)

        what alternatives? no, seriously?

        The alternative is a format called PDF/A (see http://en.wikipedia.org/wiki/PDF/A [wikipedia.org]), which happens to be exactly what you are looking for : a subset of PDF excluding (among others) scripting, video or audio.

        Now, all we need is a PDF reader with an option "only open PDF/A documents"

        • by nashv (1479253)
          Or just go to the Acrobat settings for Javascript and the Trust Manager (which by default is set to require explicit permission to execute scripts), to set up according to how much paranoia you feel...
      • Zathura, Evince, ePDFview, Okular...

      • Re: (Score:3, Informative)

        by nashv (1479253)
        How about XPS [wikipedia.org]? *ducks* But seriously, the major problem is to convert the tons of literature, especially academic/scientific, that exists as PDF into something else...
    • You might have a point if not for the fact that the alternatives like FoxIt have had to patch their fair share of security holes as well (with a number of them being the exact same issue as spotted in Reader).

    • by Anonymous Coward on Thursday September 09, 2010 @12:37PM (#33523648)

      We invest a TON of $$ and hours into security. In fact, our security team pulls themselves inside out to fix things in a timely manner. Adobe takes security VERY seriously as we have governments all over the world trusting secrets to us. Nevertheless, as hackers focus shifts away from O/S exploits towards application level, there will likely be further attempts to compromise PDF readers. We will be vigilant and we will rise to meet future threats as they happen.

      COS based PDF is also incredibly complicated if you adopt the entire ISO 32000 specification and expose the scripting and coding API's developers want. When you can write code to pinpoint the quads and move a point of one UTF 16 character within a book, that is powerful. Enough said on that.

      Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

      - the adobe1

      • Re: (Score:3, Insightful)

        by Nursie (632944)

        Advice to you if you genuinely work for adobe - make a noscript option. Or even better - just cut out all the scripted elements.

        PDFs were and are awesome for one thing only, displaying documents the same everywhere. Active content is a mistake.

        • Re: (Score:3, Insightful)

          by sjames (1099)

          What's interesting is that PS is a full Forth like language in a VM and we never see crap like this attacking Postscript engines.

      • Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

        Is that out of a 40-hour work week? Or are you based in France?

      • by MarcoAtWork (28889) on Thursday September 09, 2010 @02:26PM (#33525352)

        My team pulled a 32 hour session last week.

        I am not sure how you can be proud of working 32 hours in a row on difficult security issues, nothing against your team but I wouldn't want any (and security-sensitive especially) code written at the 31st hour of a caffeine-fueled marathon by an exhausted developer... I do understand that 'we worked 32 hours in a row, we need to go home' sounds good to managers, but every single metric shows pretty clearly that working normal (as in, 8 a day) hours leads to much higher quality code.

      • by hAckz0r (989977)
        I'm just writing to add the appropriate html tag obviously left out by the parent poster...

        </SARCASM>

        When designing a "Portable Document Format" no API nor programming environment is needed or wanted by the users. Content providers on the other hand don't care about users of their documents?. Users just want a way to read published documents, not a way to dynamically reprogram their machine. If I want a program I will download one, but I expect that when I only intend to read something I only want

      • Re: (Score:3, Insightful)

        by Svartalf (2997)

        Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

        32 hour session? Uh, dude... I'm less than impressed. That's not hard work, that's sadomasochism in the workplace, brought on by badly missed deadlines for some un-stated reason. And it tells us quite a bit about WHY the quality isn't as much there as we've expected out of the past Adobe products and releases- and shows a glimpse of why we're not seeing 64-bit anything out of your claimed employer.

        Going that long

    • by sqlrob (173498) on Thursday September 09, 2010 @01:06PM (#33524100)

      I've never heard a 700 page specification called "not highly complicated"

    • by carn1fex (613593)
      It is total bullshit. I recall in years past one of the primary advantages for using PDFs was because you could trust them from random web links as if they were JPGs. I recall my professors saying not to send any homework in DOC format because of its silly security problems. Nowadays I get IP block notices from our admins the minute my PDF reader is outdated.. it is ridiculous.
    • by The Moof (859402)

      PDF is not a highly complicated format

      Truly spoken like someone who has never looked over the full PDF format specification. Here's a link [adobe.com] to all 980 pages of version 1.4. It's a little outdated, but you get the idea of how complex it actually is.

  • Fortunately... (Score:5, Insightful)

    by mcgrew (92797) * on Thursday September 09, 2010 @12:12PM (#33523216) Homepage Journal

    "Unfortunately, there are no mitigations we can offer. "

    I can offer one -- uninstall the Adobe reader until they patch the vuln. Meanwhile, how do I know if I'm alreadt pwned?

    • Re: (Score:2, Funny)

      by codewarren (927270)

      If the exploit affects spelling, you have cause for concern

    • Re: (Score:3, Funny)

      by wbhauck (629723)

      Meanwhile, how do I know if I'm alreadt pwned?

      It's all explained in this FREE guide. Just download our convenient PDF for more information.

    • by ThatsNotPudding (1045640) on Thursday September 09, 2010 @01:51PM (#33524826)

      Meanwhile, how do I know if I'm alreadt pwned?

      You start slurring your y's.

    • Just don't use Acrobat Reader to view downloaded PDFs. Grab Foxit or Sumatra instead.

      Also, be certain to disable the browser plugin *always*. Using something like NoScript to block external plugins (it works like Flashblock, except with all plugins) also helps some. The largest danger isn't in someone sending you an infected PDF, it's in a webpage embedding an infected PDF that you can't see.

  • by Vahokif (1292866)
    How can they screw up a format designed to print the same everywhere so badly?
    • Re:PDF (Score:5, Insightful)

      by ledow (319597) on Thursday September 09, 2010 @01:03PM (#33524052) Homepage

      1) Include a programming language that's not directly related to the task at hand and/or allows execution of dangerous statements. (Javascript in Adobe, VBA in Office, etc.)
      2) Execute said code whenever and wherever you see it (VBScript / Javascript viewed in IE, ability to execute CScript, Adobe running Javascript and Flash content found inside PDF)
      3) Use native code execution as part of your file format (WMF vulnerability - not relevant to PDF as far as I know but I couldn't be certain myself).
      4) Bundle your program so that it integrates into everything (web browser, printer list, startup list, etc.) so there are as many avenues of accidental execution as possible open to an attacker targeting a large user-base program.
      5) Introduce more and more levels of crap into the format, way beyond its original design (Font embedding, Javascript execution, form submission, JPEG, PNG, SVG, Flash, etc. direct embedding rather than converting to your supposedly "portable" document format etc.)

      Pretty much, if you see a program do any of the above, it's likely to fall on its arse at some point, security-wise.

      • by gad_zuki! (70830)

        6) Do not provide an auto-update mechanism. Let users do it manually via help > update or the ignored tray icon and only in version 9.2 even allow a check box for "Download and install updates automatically."

      • by molecular (311632)

        how do you know it's not a buffer overflow or something like that in the reader? No scripting or execution of anything required for that to work.
        I'm not saying they should have put all that shit into PDF, but not putting it in doesn't automatically make the reader secure.

  • Correct me if I'm totally off base here, but...isn't part of the definition of "zero-day" that the flaw is being exploited? I mean, it's "zero-day" because it's being exploited on "day zero", right?

    Dan Aris

    • Re: (Score:2, Funny)

      by tater86 (628389)
      I'm pretty sure we have this argument every time someone mentions zero day. If we could have a zero day bricking, we could have the best thread ever.
  • Does Adobe employ the worst programmers on the planet? Between Flash and Acrobat their critical bug count has to be racing up the charts of companies with the most critical bugs in their software.

    • Not only that, but how hard is it to develop a DOCUMENT FORMAT that doesn't allow arbitrary code to be executed?
      • by MaWeiTao (908546)

        Saying it's merely a document format doesn't mean much. You can do quite a lot with many document formats nowadays. PDFs aren't used only as a means of displaying text and images consistently. You can embed quite a lot of functionality into them. It could be argued that PDFs shouldn't permit that kind of functionality considering it opens up opportunities for exploits but then you could argue the same thing about any technological progress.

        The problem is that there are people working just as hard, and perha

      • by molecular (311632)

        it's a buffer overflow vulnerability. so it has nothing to do with the scriptability of pdf this time.

        • it's a buffer overflow vulnerability. so it has nothing to do with the scriptability of pdf this time.

          That's exactly what I'm talking about. How hard is it to code a damn strncpy?

    • by 0123456 (636235)

      Does Adobe employ the worst programmers on the planet?

      As someone who used to use Premiere on a regular basis, my assumption can only be 'yes'; that was the software that got me into the habit of saving my work after every change because the program would crash at least every couple of hours, and to make backups of old saves because it also had an amusing habit of corrupting new ones.

      I've never worked with any Adobe software that wasn't a bug-ridden mess. Maybe Photoshop is better (and I hear that Premiere has improved over the last few years since I stopped us

  • by Anonymous Coward on Thursday September 09, 2010 @12:26PM (#33523492)

    A work around for end users is to disable javascript, such as this guide:

    http://praetorianprefect.com/archives/2009/12/disabling-javascript-on-adobe-acrobat/

    For the enterprise you can disable it through group policy (which at this point seems like a good plan long term):

    http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/

    • by swb (14022)

      Why isn't this the default setting?

      Wouldn't they save themselves a fair amount of bad PR by making users turn it on for JS features?

      • by rsborg (111459)

        Wouldn't they save themselves a fair amount of bad PR by making users turn it on for JS features?

        Adobe is a corporation.

        Whenever a corporation does something seemingly stupid or evil, you can always trace that back to some fool in the organization who convinced the others that the stupid/evil would lead to more profits (or kickbacks).

        If you follow the money you will 99.44% of the time get the right answer. It's all about the money.

  • Limited? (Score:2, Informative)

    by supernothing (1661929)
    I guarantee that its exploitation isn't limited anymore: an initial exploit module was added to Metasploit last night.
    Metasploit module [metasploit.com]
    • Re: (Score:3, Informative)

      by phantomfive (622387)
      It's not a zero day [wikipedia.org], either. Check out what Wikipedia says (in case anyone is unclear what a zero-day is, since the submitter for one hasn't figured it out):

      A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.

      I guarantee that in the case the software developer knows about this vulnerability, since Adobe themselves made the announcement.

      • by tepples (727027)

        I guarantee that in the case the software developer knows about this vulnerability, since Adobe themselves made the announcement.

        But did Adobe learn of the vulnerability before exploits made it into the wild? If not, it's 0-day.

    • by molecular (311632)

      from the metasploit module code:

      Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow',

      This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version are assumed to be vulnerable as well.

  • Is there a PDFBlock for FireFox like there is a Flashblock? (At home I use Foxit Reader but at work Adobe Reader is installed.)

    • by Xian97 (714198)
      Where I work Adobe Reader is also installed and likewise I use Foxit at home. Just disable javascript in preferences. I have had it disabled for years and haven't had any issues displaying PDF files, though I do not fill out many PDF forms where it might be used. I guess I could always enable on a case by case basis if one actually required it but I haven't run into any yet.
    • NoScript seems to block PDFs by default, which you can then click to load.
    • It would just need to scan the PDF for non-document-like features being used and display a BIG warning to the user.

    • by Thelasko (1196535)

      Is there a PDFBlock for FireFox like there is a Flashblock? (At home I use Foxit Reader but at work Adobe Reader is installed.)

      Tools>Options>Applications change anything that says "Use Adobe Acrobat (in Firefox)" to "Always Ask"
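One way to build the check suggested in this thread (scan the PDF for non-document-like features and warn the user), as an added example that is not code from any poster or project mentioned here. It counts active-content name tokens, resolves `#xx` name escapes and inflates Flate streams so compressed object streams are covered; the name list, function names and sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# Name tokens that signal active or non-document content (list is an assumption).
ACTIVE_NAMES = {
    b"JS": "JavaScript source attached to an action",
    b"JavaScript": "JavaScript action or name tree",
    b"OpenAction": "action that runs when the document opens",
    b"AA": "additional actions bound to events",
    b"Launch": "action that starts an external program",
    b"EmbeddedFile": "file embedded in the document",
    b"RichMedia": "embedded Flash or other rich media",
}

# A name is "/" plus regular characters; whitespace and delimiters end it.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(raw):
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def count_names(blob, counts):
    for match in NAME_RE.finditer(blob):
        name = decode_name(match.group(1))
        if name in ACTIVE_NAMES:
            counts[name] = counts.get(name, 0) + 1


def scan_pdf(data):
    """Count active-content names in the file body and inside its streams."""
    counts = {}
    count_names(STREAM_RE.sub(b"", data), counts)  # dictionaries outside streams
    for match in STREAM_RE.finditer(data):
        body = match.group(1)
        try:
            # Compressed object streams hide whole objects; inflate and scan them.
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # not Flate data: scan the raw bytes instead
        count_names(body, counts)
    return counts


def report(data):
    """Return one warning line per flagged name, most frequent first."""
    counts = scan_pdf(data)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ["/%s x%d: %s" % (n.decode(), c, ACTIVE_NAMES[n]) for n, c in ordered]


def build_sample():
    """Constructed input: not a full PDF, only enough syntax for the scanner."""
    hidden = zlib.compress(b"<< /S /Launch >>")
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
            b"3 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
            + hidden + b"\nendstream endobj\n%%EOF\n")


if __name__ == "__main__":
    # Other filters (LZW, ASCIIHex), encryption and filter chains are not handled.
    for line in report(build_sample()):
        print(line)
```

A clean result only means none of these names were found; it says nothing about parser bugs such as the buffer overflow discussed elsewhere in this thread, which need no script at all.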

  • by bill_mcgonigle (4333) * on Thursday September 09, 2010 @01:06PM (#33524094) Homepage Journal

    So, are any of the viewers I use vulnerable?

    • by molecular (311632)

      not to this particular exploit.
      wouldn't bet my life on there being no buffer overflow in these, though.

  • I use Evince for Windows. Haven't had a problem yet.

    http://live.gnome.org/Evince/Downloads [gnome.org]

  • !Hackers (Score:4, Insightful)

    by jgrahn (181062) on Thursday September 09, 2010 @01:12PM (#33524220)

    ... warning that hackers are actively exploiting the vulnerability in-the-wild ...

    Dudes, this is Slashdot. Can't you just for once use a term which *doesn't* have a positive second meaning to a majority of your readers? Try one of these:

    • ... warning that criminals are actively exploiting the vulnerability in-the-wild ...
    • ... warning that crackers are actively exploiting the vulnerability in-the-wild ...
    • ... warning that malware authors are actively exploiting the vulnerability in-the-wild ...
    • ... warning that Men of Low Moral Fiber are actively exploiting the vulnerability in-the-wild ...
  • by scorp1us (235526) on Thursday September 09, 2010 @01:18PM (#33524314) Journal

    There is way too much manual intervention required in the Adobe updater.
    1. It does not download updates automatically.
    2. It requires a new EULA to be accepted.
    3. It makes you wait as it downloads the update
    4. It makes you wait as it installs.

    Ideally, the reader should download the update, install it in a shadow directory and as soon as that is ready, install the update.
    If Reader is running, wait for it, or display a message to the user that they need to shut down the offending software before it will update. Give the user an option to close the software from the message box.

    This way, in no more than 1 click you'll be updated.

  • Click here to download a PDF that will tell you more about the vulnerability.

  • Is it just me, or is Adobe the King of Insecure programs?

    What does Linux and Windows 7 have in common? Adobe makes both insecure and unstable!
  • getting spammed by people who clicked on PDF's...

    • by BenJeremy (181303)

      Yeah, this is spreading through our company exchange server. I never opened one of these PDF files, but people are getting mails spoofed using my e-mail (but other people's names). Extremely annoying, but our IT people seem to have this hammered down, as new attempts appear and disappear almost immediately from my inbox (and they don't go to delete or junk).

      I heartily approve the death penalty for the asshats pulling this sort of crap.
