New Adobe PDF Zero-Day Under Attack

Rahmmp writes "Adobe has sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild. An Adobe spokeswoman described the attacks as 'limited' but warned that that could change with the availability of public samples and exploit code."

No credibility to this story

[symbolset]

Whenever we have a credible PDF exploit story, the slashdot fine summary always links to a reliable PDF document that explains the exploit in detail. Sorry, not buying this one.

Re:

[tlhIngan]

Whenever we have a credible PDF exploit story, the slashdot fine summary always links to a reliable PDF document that explains the exploit in detail. Sorry, not buying this one.

Funny, the only PDF I can find is a link from the FA which demonstrates the attack. The article itself is a regular web page, and I can't seem to find a PDF of the full disclosure.

Re:

[camperslo]

Those that don't trust zdnet can go to where Adobe mentions [adobe.com] this issue (CVE-2010-2883) [adobe.com].

Poor management at Adobe?

[Futurepower(R)]

Quote: "Guess it's just as well I'm not depending on Adobe for anything important."

It seems to me that there are many indications that Adobe is not managed well in recent years.

Re:

[lgw]

Guess it's just as well I'm not depending on Adobe for anything important.

The biggest payroll provider (ADP) has this brain-dead system where you can't see your paystub online unless you install Adobe reader. The adobe reader download is up to 200MB now, IIRC, and requires you to first download a download manager, and is just a pain in the ass to install. Every time I want to look at a paystub online, I have to install this crap, look at what I need, uninstall this crap, and reinstall Foxit.

Never choose a partner who will force you to use Adobe for somehting important!

Re:

[Svartalf]

What's braindead is that many employers are going "paperless" with them- and you HAVE to view the stubs online.

Re:

[Critical Facilities]

What's braindead is that many employers are going "paperless" with them- and you HAVE to view the stubs online.

OK, I'll bite, why do you feel that this is "braindead". A lot of us like it.

Re:

[zn0k]

The current reader is under 30MB in size, and while they hide it a little bit you can absolutely download it without their download manager.

Re:

[amicusNYCL]

That's not a PDF... You can tell, because a PDF file ends with ".pdf".

Re:

[Dr_Barnowl]

The .scr file extension (screensaver) is treated the same as .exe on Windows ; stupid isn't it.

Unpacking the content of that file reveals a bunch of nasty VBScript that tries to worm it's way into your machine and anything else near it on the network, amongst other stuff, I'm sure. Nice.

Re:

[amicusNYCL]

Right, a PDF reader isn't going to open that, and if it did then it wouldn't execute the VBScript. That's not a PDF exploit, that's basically a phishing attack to try to get someone to open something that's not what they think it is.

Re:

[amicusNYCL]

See my reply below to Dr Barnowl, this is not a PDF exploit.

Re:

[Tynin]

We just started getting the same email a few minutes ago linking to the same place. That said, this isn't a pdf exploit.

That's no moon. It's a space...

[Mr. Neutron]

I mean, that's no PDF, it's a VB worm. It's currently eating the Exchange servers of our Fortune 500 company alive. I think I got a couple thousand copies before someone pulled the ethernet cable.

The email has the following text:

Hello:

This is The Document I told you about,you can find it Here.http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

LUser clickies, LUser gets infected, sends it off to company-wide list, more LUsers clicky. Clic

Re:

[lwsimon]

I wonder if we all work in the same place, and this is targetted? Look up my Employee ID - 1747226. Does my name come up?

What is this stupidity???

[gweihir]

PDF is not a highly complicated format. It should be easy to interpret it safely. I strongly suspect that Adobe has invested exactly nothing into Acrobat Reader security over the years. Stupid. Incredibly stupid. Anybody that can should move to the alternatives right now.

Re:What is this stupidity???

[Darkness404]

Because Adobe has decided to take what should be a basic document format and added scripting to it.

Re:What is this stupidity???

[SQL Error]

They took a document programming language and stripped out all the programming features to make a document description format.

And then they added a programming language.

Re:What is this stupidity???

[drolli]

Let me add: They started from a programming language where security is *easy to implement*.

Re:

[lahvak]

Is this latest vulnerability related to scripting? The article is somewhat short on details.

Re:

[martas]

what alternatives? no, seriously?

Re:What is this stupidity???

[MozeeToby]

Foxit Reader is a nice alternative. It opens quickly, doesn't feel the need to update every other day or keep an updater service running all the time, and it doesn't have as nearly as many security issues. Alternatively, you could just do a search for pdf reader -adobe [google.com] and come up with a variety of alternatives yourself.

Re:

[Lennie]

Funny you should mention that one, the last non-scripting exploit for Adobe Acrobat Reader was also an exploit for Foxit Reader.

Re:What is this stupidity???

[MozeeToby]

Yep, and Firefox and Chrome have had exploits too. So have Linux, the iOS, and Mac OS 10. So has nearly every piece of popular, complex software. The rate of exploits found that affect Foxit is trivial compared to the number found in Adobe Reader.

Switching between masters is not freedom.

[jbn-o]

All computer users deserve software freedom. Switching from Adobe Acrobat to Foxit Reader is moving from one proprietor/monopolist to another hoping that the switch makes users more safe. Without software freedom one cannot inspect the program to see what it does (a spy program that has no bugs is still doing spying on users), change the program to make it better, or help one's community by distributing the improved version. Proprietary software is untrustworthy by default. We don't fully know what it d

Re:

[Dr_Barnowl]

I agree, but the chances of Joe Average User, and let's face it, most of us as well, inspecting the source code for the majority of the applications they use is low. Changing to Foxit still represents a vast improvement in security.

That said, use SumatraPDF [kowalczyk.info]. It's probably not as polished as Foxit, but it suits my purposes for most things, and it's licensed GPLv3.

Re:

[Svartalf]

And it should be observed that Evince [gnome.org] is also available for Windows and is under the GPLv2.

Sumatra's minimalistic and lacks some functionality, if you want the honest appraisal- the dev site openly admits not everything renders correctly. Evince seems to be pretty solid when it comes to rendering content correctly. I've yet to find a document that didn't view and print as the author of the document had intended.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[6031769]

xpdf [foolabs.com].

Re:

[drspliff]

xpdf is *old*. You should be using Poppler, which is actively maintained and very fast.

Re:What is this stupidity???

[Pascal Sartoretti]

what alternatives? no, seriously?

The alternative is a format called PDF/A (see http://en.wikipedia.org/wiki/PDF/A [wikipedia.org]), which happens to be exactly what you are looking for : a subset of PDF excluding (among others) scripting, video or audio.

Now, all we need is a PDF reader with an option "only open PDF/A documents"

Re:

[nashv]

Or just go to the Acrobat settings for Javascript and the Trust Manager (which by default is set to require explicit permission to execute scripts), to set up according to how much paranoia you feel...

Re:

[icebraining]

Zathura, Evince, ePDFview, Okular...

Re:

[nashv]

How about XPS [wikipedia.org] ? *ducks* But seriously, the major problem is to convert the tons of literature , especially academic/scientific that exists as PDF into something else...

Re:

[Lunix Nutcase]

Because HTML rendering is exactly the same on every system in every browser? Oh wait, it's not and thus is not an alternative to PDF.

Re:

[MozeeToby]

If you really need layout to be consistent (and really unless you're printing that seems like an obsolete idea to me) you could use TeX. Considering the original goal was "to provide a system that would give the exact same results on all computers, now and in the future" think it meets your requirements.

Re:

[amorsen]

TeX is somewhat difficult as a render target. In the general case it degenerates to embedding PS or PDF images...

Re:

[Lunix Nutcase]

You might have a point if not for the fact that the alternatives like FoxIt have had to patch their fair share of security holes as well (with a number of them being the exact same issue as spotted in Reader).

I work for Adobe and...

[Anonymous Coward]

We invest a TON of $$ and hours into security. In fact, our security team pulls themselves inside out to fix things in a timely manner. Adobe takes security VERY seriously as we have governments all over the world trusting secrets to us. Nevertheless, as hackers focus shifts away from O/S exploits towards application level, there will likely be further attempts to compromise PDF readers. We will be vigilant and we will rise to meet future threats as they happen.

COS based PDF is also incredibly complicated if you adopt the entire ISO 32000 specification and expose the scripting and coding API's developers want. When you can write code to pinpoint the quads and move a point of one UTF 16 character within a book, that is powerful. Enough said on that.

Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

- the adobe1

Re:

[Nursie]

Advice to you if you genuinely work for adobe - make a noscript option. Or even better - just cut out all the scripted elements.

PDFs were and are awesome for one thing only, displaying documents the same everywhere. Active content is a mistake.

Re:

[sjames]

What's interesting is that PS is a full Forth like language in a VM and we never see crap like this attacking Postscript engines.

Re:

[jimicus]

Printers are seldom (but apparently not never) used as sources of spam.

Re:

[amicusNYCL]

Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

Is that out of a 40-hour work week? Or are you based in France?

Re:I work for Adobe and...

[MarcoAtWork]

My team pulled a 32 hour session last week.

I am not sure how you can be proud of working 32 hours in a row on difficult security issues, nothing against your team but I wouldn't want any (and security-sensitive especially) code written at the 31th hour of a caffeine-fueled marathon by an exhausted developer... I do understand that 'we worked 32 hours in a row, we need to go home' sounds good to managers, but every single metric shows pretty clearly that working normal (as in, 8 a day) hours leads to much higher quality code.

Re:

[hAckz0r]

I'm just writing to add the appropriate html tag obviously left out by the parent poster...

</SARCASM>

When designing a "Portable Document Format" no API nor programming environment is needed or wanted by the users. Content providers on the other hand don't care about users of their documents?. Users just want a way to read published documents, not a way to dynamically reprogram their machine. If I want a program I will download one, but I expect that when I only intend to read something I only want

Re:

[Svartalf]

Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

32 hour session? Uh, dude... I'm less than impressed. That's not hard work, that's sadomasochism in the workplace, brought on by badly missed deadlines for some un-stated reason. And it tells us quite a bit about WHY the quality isn't as much there as we've expected out of the past Adobe products and releases- and shows a glimpse of why we're not seeing 64-bit anything out of your claimed employer.

Going that long

Re:

[Svartalf]

2000# for the ton of dollars.

A ton of hours weighs heavily on the soul- perhaps worse than the ton of dollars would be on your body. But, if they pay you well...you can save up and go elsewhere when you burn out on the ton of hours...

If they don't pay you well, though...heh...best look for work elsewhere when you can.

A ton of money is...

[Lead Butthead]

US penny issued after 1984 weights 2.5g ~ 0.0881849049 oz.
2000 lbs ~ 362873.89589281056195820652293973 pennies = $3,628.74.
A ton of money indeed.

Re:A ton of money is...

[Lennie]

Only on slashdot ?

Re:

[Dr_Barnowl]

He said a 32-hour SESSION. As in, they programmed from 0900 until 1700 the next day

Although that doesn't impress me. Rather it speaks of bad management - crunches to meet deadlines might be occasionally necessary for a small company trying to break into a market. For a company that essentially IS the market, it just sounds like a harsh taskmaster wringing as much as he can out of his team.

Re:

[Svartalf]

Either that or someone in management pooched things either because they mis-estimated the effort or resources, or took on something like Scrum without first being very aware that it won't speed up development (It might improve quality, but it won't speed up ANYTHING...adding process on top of things almost always slows down things...).

As you point out, it typifies bad management to have that sort of thing or having people work weekends, etc. You need breaks from things to stay reasonably fresh- without t

Re:

[nashv]

a 32-hour SESSION...people work 40 hours over at least 5 sessions of 12 hours each. Do you see the point now ?

Re:

[Svartalf]

Uh...check your math there... A 40 hour work week comprises of an average of 5 8-hour sessions. You just described a 60 hour work week there. I'd rather not do that sort of thing. I'd rather be working the latter than the former (12 hour days doing programming tend to make for issues- at some point you break as much or more than you fix doing it.), or if you're needing to jam a bit more into something by a calendar date, I'd rather did 10 hour days (50 with 5, the 60 with saner hours over 6 days with at

Re:What is this stupidity???

[sqlrob]

I've never heard a 700 page specification called "not highly complicated"

Re:

[carn1fex]

It is total bullshit. I recall in years past one of the primary advantages for using PDFs was because you could trust them from random web links as if they were JPGs. I recall my professors saying not to send any homework in DOC format because of its silly security problems. Nowadays I IP get block notices from our admins the minute my PDF reader is outdated.. it is ridiculous.

Re:

[The Moof]

PDF is not a highly complicated format

Truly spoken like someone who has never looked over the full PDF format specification. Here's a link [adobe.com] to all 980 pages of version 1.4. It's a little outdated, but you get the idea of how complex it actually is.

Re:

[0123456]

Stupidity is not reading the actual URL and realizing it in NOT A PDF file... it is a .SCR file with some mumbo jumbo about PDF to play mental tricks..

These days I think I'd be more worried by a PDF file that pretends to be a screensaver than a screensaver that pretends to be a PDF file...

Fortunately...

[mcgrew]

"Unfortunately, there are no mitigations we can offer. "

I can offer one -- uninstall the Adobe reader until they patch the vuln. Meanwhile, how do I know if I'm alreadt pwned?

Re:

[codewarren]

If the exploit affects spelling, you have cause for concern

Re:

[wbhauck]

Meanwhile, how do I know if I'm alreadt pwned?

It's all explained in this FREE guide. Just download our convenient PDF for more information.

Re:Fortunately...

[ThatsNotPudding]

Meanwhile, how do I know if I'm alreadt pwned?

You start slurring your y's.

Re:

[broken_chaos]

Just don't use Acrobat Reader to view downloaded PDFs. Grab Foxit or Sumatra instead.

Also, be certain to disable the browser plugin *always*. Using something like NoScript to block external plugins (it works like Flashblock, except with all plugins) also helps some. The largest danger isn't in someone sending you an infected PDF, it's in a webpage embedding an infected PDF that you can't see.

Re:

[Svartalf]

Explain how an antivirus program with up-to-date definitions would help against a "0-day" exploit? By definition, that means it's so damn new the antivirus/antimalware bunch don't have signatures, etc. to defend against attacks using the exploit.

Relying on an antivirus program to protect you is like relying on closing the barn door to keep the horses in their stalls after they've gotten out of the barn.

PDF

[Vahokif]

How can they screw up a format designed to print the same everywhere so badly?

Re:PDF

[ledow]

1) Include a programming language that's not directly related to the task at hand and/or allows execution of dangerous statements. (Javascript in Adobe, VBA in Office, etc.)
2) Execute said code whenever and wherever you see it (VBScript / Javascript viewed in IE, ability to execute CScript, Adobe running Javascript and Flash content found inside PDF)
3) Use native code execution as part of your file format (WMF vulnerability - not relevant to PDF as far as I know but I couldn't be certain myself).
4) Bundle your program so that it integrates into everything (web browser, printer list, startup list, etc.) so there are as many avenues of accidental execution as possible open to an attacker targeting a large user-base program.
5) Introduce more and more levels of crap into the format, way beyond its original design (Font embedding, Javascript execution, form submission, JPEG, PNG, SVG, Flash, etc. direct embedding rather than converting to your supposedly "portable" document format etc.)

Pretty much, if you see a program do any of the above, it's likely to fall on its arse at some point, security-wise.

Re:

[gad_zuki!]

6) Do not provide an auto-update mechanism. Let users do it manually via help > update or the ignored tray icon and only in version 9.2 even allow a check box for "Download and install updates automatically."

Re:

[molecular]

how do you know it's not a buffer overflow or something like that in the reader? No scripting or execution of anything required for that to work.
I'm not saying they should have put all that shit into PDF, but not putting it in doesn't automatically make the reader secure.

Can there be a 0-day that's not under attack?

[danaris]

Correct me if I'm totally off base here, but...isn't part of the definition of "zero-day" that the flaw is being exploited? I mean, it's "zero-day" because it's being exploited on "day zero", right?

Dan Aris

Re:

[tater86]

I'm pretty sure we have this argument every time someone mentions zero day. If we could have a zero day bricking, we could have the best thread ever.

Re:

[danaris]

means the code is known and no patch exists..

doesn't matter if you're the only one who knows the code, its still a zero day vuln until its patched.

No, it's just a known vulnerability with no patch. Zero day means it was exploited on day zero—that is, before anyone else knew the vulnerability existed.

Dan Aris

What the hell

[C_Kode]

Does Adobe employ the the worst programmers on the planet? Between Flash and Acrobat their critical bug count has to be racing up the charts of companies with the most critical bugs in their software.

Re:

[spiffmastercow]

Not only that, but how hard is it to develop a DOCUMENT FORMAT that doesn't allow arbitrary code to be executed?

Re:

[MaWeiTao]

Saying it's merely a document format doesn't mean much. You can do quite a lot with many document formats nowadays. PDFs aren't used only as a means is displaying text and images consistently. You can embed quite a lot of functionality into them. It could be argued that PDFs shouldn't permit that kind of functionality considering it opens up opportunities for exploits but then you could argue the same thing about any technological progress.

The problem is that there are people working just as hard, and perha

Re:

[jack2000]

I wouldn't call what adobe has done the PDF a technological progress.

Re:

[molecular]

it's a buffer overflow vulnerability. so it has nothing to do with the scriptability of pdf this time.

Re:

[spiffmastercow]

it's a buffer overflow vulnerability. so it has nothing to do with the scriptability of pdf this time.

That's exactly what I'm talking about. How hard is it to code a damn strncpy?

Re:

[0123456]

Does Adobe employ the the worst programmers on the planet?

As someone who used to use Premiere on a regular basis, my assumption can only be 'yes'; that was the software that got me into the habit of saving my work after every change because the program would crash at least every couple of hours, and to make backups of old saves because it also had an amusing habit of corrupting new ones.

I've never worked with any Adobe software that wasn't a bug-ridden mess. Maybe Photoshop is better (and I hear that Premiere has improved over the last few years since I stopped us

Disable Javascript in PDF reader

[Anonymous Coward]

A work around for end users is to disable javascript, such as this guide:

http://praetorianprefect.com/archives/2009/12/disabling-javascript-on-adobe-acrobat/

For the enterprise you can disable it through group policy (which at this point seems like a good plan long term):

http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/

Re:

[swb]

Why isn't this the default setting?

Wouldn't they save themselves a fair amount of bad PR by making users turn it on for JS features?

Re:

[rsborg]

Wouldn't they save themselves a fair amount of bad PR by making users turn it on for JS features?

Adobe is a corporation.

Whenever a corporation does something seemingly stupid or evil, you can always trace that back to some fool in the organization who convinced the others that the stupid/evil would lead to more profits (or kickbacks).

If you follow the money you will 99.44% of the time get the right answer. It's all about the money.

Limited?

[supernothing]

I guarantee that its exploitation isn't limited anymore: an initial exploit module was added to Metasploit last night.
Metasploit module [metasploit.com]

Re:

[phantomfive]

It's not a zero day [wikipedia.org], either. Check out what Wikipedia says (in case anyone is unclear what a zero-day is, since the submitter for one hasn't figured it out):

A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.

I guarantee that in the case the software developer knows about this vulnerability, since Adobe themselves made the announcement.

Re:

[tepples]

I guarantee that in the case the software developer knows about this vulnerability, since Adobe themselves made the announcement.

But did Adobe learn of the vulnerability before exploits made it into the wild? If not, it's 0-day.

Re:

[molecular]

from the metasploit module code:

Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow',

This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version are assumed to be vulnerable as well.

Flashblock -- PDFblock?

[MobyDisk]

Is there a PDFBlock for FireFox like there is a Flashblock? (At home I use Foxit Reader but at work Adobe Reader is installed.)

Re:

[Xian97]

Where I work Adobe Reader is also installed and likewise I use Foxit at home. Just disable javascript in preferences. I have had it disabled for years and haven't had any issues displaying PDF files, though I do not fill out many PDF forms where it might be used. I guess I could always enable on a case by case basis if one actually required it but I haven't run into any yet.

Re:

[molecular]

disabling javascript wont help if you open PDFs with acrobat reader

Re:

[davidbrit2]

NoScript seems to block PDFs by default, which you can then click to load.

Re:

[denis-The-menace]

It would just need to scan the PDF for non-document-like features being used and display a BIG warning to the user.

Re:

[Thelasko]

Is there a PDFBlock for FireFox like there is a Flashblock? (At home I use Foxit Reader but at work Adobe Reader is installed.)

Tools>Options>Applications change anything that says "Use Adobe Acrobat (in Firefox)" to "Always Ask"

Evince, Okular, xpdf?

[bill_mcgonigle]

So, are any of the viewers I use vulnerable?

Re:

[molecular]

not to this particular exploit.
wouldn't bet my life on there being no buffer overflow in these, though.

What PDF bug?

[MetricT]

I use Evince for Windows. Haven't had a problem yet.

http://live.gnome.org/Evince/Downloads [gnome.org]

!Hackers

[jgrahn]

... warning that hackers are actively exploiting the vulnerability in-the-wild ...

Dudes, this is Slashdot. Can't you just for once use a term which *doesn't* have a positive second meaning to a majority of your readers? Try one of these:

• ... warning that criminals are actively exploiting the vulnerability in-the-wild ...
• ... warning that crackers are actively exploiting the vulnerability in-the-wild ...
• ... warning that malware authors are actively exploiting the vulnerability in-the-wild ...
• ... warning that Men of Low Moral Fiber are actively exploiting the vulnerability in-the-wild ...

Insult to injury, the updater SUCKS

[scorp1us]

There is way too much manual intervention required in the Adobe updater.
1. It does not download updates automatically.
2. It requires a new EULA to be accepted.
3. It makes you wait as it downloads the update
4. It makes you wait as it installs.

Ideally, the reader should download the update, install it in a shadow directory an as soon as that is ready, install the update.
If Reader is running, wait for it, or display a message to the user that they need to shut down the offending software before it will update. Give the user an option to close the software from the message box.

This way, in no more than 1 click you'll updated.

What to know more?

[slapout]

Click here to download a PDF that will tell you more about the vulnerability.

Adobe and security

[Beelzebud]

Is it just me, or is Adobe the King of Insecure programs?

What does Linux and Windows 7 have in common? Adobe makes both insecure and unstable!

Attack under way

[Maxo-Texas]

getting spammed by people who clicked on PDF's...

Re:

[BenJeremy]

Yeah, this is spreading through our company exchange server. I never opened one of these PDF files, but people are getting mails spoofed using my e-mail (but other people's names). Extremely annoying, but our IT people seem to have this hammered down, as new attempts appear and disappear almost immediately from my inbox (and they don't go to delete or junk).

I heartily approve the death penalty for the asshats pulling this sort of crap.

Re:

[GigsVT]

The link seems to be broken.