Adobe's Reader X Spoils New PDF Attack
CWmike writes "Gregg Keizer reports that Adobe's Reader X stymied a recent attack campaign, researchers said Thursday. But they're not sure why. 'I don't want to take anything away from Adobe — after all, a win is a win — but this particular exploit appears to be designed with previous versions of Reader in mind,' said Chris Greamo, who heads the security research lab at Invincea. 'What appears to have happened is that the exploit breaks, but we don't have a good sense if the sandbox was able to contain it.' Reader X, an upgrade issued last year, features a 'sandbox' designed to protect users from PDF exploits. Adobe claimed that a recently-addressed bug in Chrome that lets attackers escape the browser's sandbox was not present in Reader X's sandbox code. Google patched that bug, the first to earn the company's top bug bounty of $3,133, three weeks ago. Adobe said Thursday it would ship its next regular update for Reader on Tuesday, Feb. 8."
Upgrade (Score:1)
We only have to wait for the upgrades :-)
Ehehehe
That's just sad. (Score:2, Insightful)
PDF reader... sandbox...
A Document Format that needs a sandbox. I don't have a sandbox around my text editor, nor my PNG viewer, nor my MP3 player... Tell me again, why do we need our document formats to be little programming languages?
Re: (Score:2)
Better question, though off topic - why is Adobe's PDF viewer over 10 MB?
$ du -h /usr/bin/xpdf.bin
1.3M /usr/bin/xpdf.bin
$ du -sh /usr/share/xpdf
76K /usr/share/xpdf
Re: (Score:3)
Another good question is why a document viewer needs to add a preloader to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
Re: (Score:3)
Bells and Whistles take up space.
Also, you're comparing apples and oranges. xpdf is ugly and, last I checked, lacking features. A fairer comparison would be with the flagship open source pdf reader, namely Okular. The file size may still be smaller but remember the Qt/KDE shared libraries it loads.
Re: (Score:2)
I think okular uses a fork of xpdf.
Does acrobat reader use the native toolkit in c:\windows? If not then I think it is fair. Gnome doesn't include Qt either, so if I want to use Okular... :)
Re: (Score:2)
First, if you're using Gnome, you'll probably use evince instead of okular. Just as okular uses the same toolkit as KDE, evince uses the same toolkit as Gnome.
Secondly, why wouldn't Adobe Reader use the native Windows toolkit? You're supposed to use the native toolkit of an OS (or DE), not only because it's more efficient, but also because it results in a consistent look and feel. So if Adobe is using their own toolkit, then that's their own stupid fault, it's not something to give them
Re: (Score:3)
I use Gnome (haven't been back to KDE since 3.5) but I think Okular is a better document reader. I don't complain about the download size because I accept that a more sophisticated, polished UI brings in a bunch of dependencies that just using X won't provide.
On Windows, plenty of applications don't use the native Win32 toolkit. As an example, develop using Visual C++, with a toolkit such as MFC? A bunch of libraries need to be distributed with your app, even if the installer hides them under c:\windows.
Re: (Score:2)
This is only because of the ongoing fragmentation between Gnome and KDE. If they ever merge them into a single DE for Linux (and other free *nixes), then this will no longer be a problem.
On Windows, plenty of applications d
Re: (Score:2)
Gnome and KDE merge? unlikely, they're chalk and cheese.
"X11 will still be there"? Nope, the idea of wayland is X11 won't need to be included at all by default. Gnome and KDE will be wayland native via their respective GTK+ and Qt backends. Adding Xpdf will seem bloated because you'll have to start an X11 process on top of wayland - whereas today that comes for free.
Re: (Score:2)
That's not my understanding at all, according to what I've read about the plans for Wayland. Yes, in a more minimalist distro, X11 could be eliminated. However, most distros will
Re: (Score:2)
I forgot to reply to this. What's so different between these two anyway, except for Gnome having less configurability (which could easily be emulated in KDE by just specifying certain config options and removing some stuff in the system setup menus)? Essentially, they both do pretty much the same thing: provide a similarly-functioning desktop environment, with a "start" menu button which brings up a menu with applications installed (and I believe t
Re: (Score:2)
The point is X will be an *optional* service that runs on top of wayland. Qt and Gtk+ will support wayland from day one by the time Ubuntu ships it. Those who "ssh -X" can download a bunch of optional packages. I won't miss it on my home desktop and won't bother to install and run X just to load up xpdf when wayland-native alternatives such as Okular exist.
Naturally distros will include X for the reasons you mention. Once wayland is sufficiently mature, don't expect a consumer oriented distro like Ubuntu to
Re: (Score:2)
It was announced [wordpress.com] nearly 3 years ago. Still no word on a release date!
Anyway, they do collaborate on various projects at freedesktop.org
Re: (Score:2)
Depends on your system of course.
Re:That's just sad. (Score:5, Insightful)
PDF reader... sandbox...
A Document Format that needs a sandbox. I don't have a sandbox around my text editor, nor my PNG viewer, nor my MP3 player... Tell me again, why do we need our document formats to be little programming languages?
The problem is Adobe Acrobat Professional, or whatever they call their expensive software for creating PDFs. In order to get people to keep buying new versions they have to keep adding more and more features. Which means that Adobe Reader has to be constantly updated so that it can read PDFs with all those new features. New features equals new bugs and security exploits.
Re: (Score:3)
So, tell me again why you would pay for that instead of just making a web page
Because popular web browsers' CSS engines still have crap support for paged media [w3.org], or at least they have such a reputation.
Re:That's just sad. (Score:5, Informative)
I don't have a sandbox around (...) my PNG viewer
Microsoft Security Bulletin MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution [microsoft.com]
(...) nor my MP3 player
Winamp MP3 Player Lets Malicious MP3 Files Control the Winamp Mini-browser and Cause Arbitrary HTML Scripts to Be Executed [securitytracker.com]
Re: (Score:1)
Sure. Everything has bugs now and then. Adobe Reader has so many that they added a sandbox. We're just starting to do that with web browsers, and they're supposed to run "programs" of a sort. We're always reading about some new PDF code execution problem. You're not seriously claiming PNG and MP3 have as many exploits as PDF...?
Re: (Score:2)
PNG and MP3 don't have exploits, programs do. I've never heard about any exploit in my PDF reader, and while lack of user base is a reason for it, supporting only a reasonable subset of the full spec is important.
TL;DR: PDF is fine, just don't use Adobe Reader.
Re: (Score:1)
You probably haven't heard of any because you don't strictly need to target PDF. You just target something it supports. Like packaged fonts. Then you can exploit FreeType, which exists on virtually every platform (it must as a prerequisite to PDF).
Oh yeah... and that example actually happened. All readers were vulnerable, even Okular.
Re: (Score:2)
PNG and MP3 don't have exploits, programs do.
That's because there's no standard scripting section for those container formats, as far as I'm aware. Without some way to package in code that can be executed in a way that the target will understand at all, the exploit isn't going anywhere.
If you work for Microsoft and are reading this, please, for the love of all that's holy, do not define such a thing, even as a vendor extension. Even if it lets you do something you think is neat. Such a change could only ever cause grief and pain, which would be redoub
Re: (Score:2)
And this isn't just applicable to Windows software; FOSS has its share as well: http://www.kb.cert.org/vuls/id/643140 [cert.org]
For that matter, any platform that accesses code and data from the same memory (i.e. Von Neumann Architecture [wikipedia.org]) is susceptible to this, as is typical of all general purpose OSes.
Re: (Score:2)
You know what's sad? My iPhone opens PDFs faster than Acrobat. How about when you have a network printer set up and you're not connected to that network, Acrobat hangs the entire machine while trying to connect to it?
Tell me again why we need our applications to be bloated and buggy when they're run on desktops?
You may feel the need to have a bloated and buggy Acrobat, but I found that it's actually optional.
By removing most of the plug-ins that it installs by default, it avoids a lot of the security holes. Do I give a damn if a PDF on my box can execute javascript, send an email, play a media stream, or be translated into a voice reader for the blind? No. So I yanked probably a dozen default plug-ins, and my Windows version of PDF reader has a much reduced attack surface as a result. As a side benefit, it ope
Re:That's just sad. (Score:5, Insightful)
Any program that interprets untrusted information could benefit from a sandbox. While directly it prevents the interpreted code from explicitly accessing outside its bounds, it also protects the system from bugs in the interpreter that could cause the interpreter itself to perform actions outside its environment.
Since you mention PNG, I have seen examples of security patches for PNG and TIFF viewers that addressed security problems because it was possible to execute arbitrary code based on a bug in the viewer's interpretation of the picture data. (usually through overflows)
This came as a surprise to me with TIFF because I thought TIFF was raw uncompressed picture data and that would be immune to interpretation, but that was not the case.
Re: (Score:2)
Really, all our applications should be in sandboxes.
Why does a word processor need access to music files? Why give a music player access to anything but music files?
There have been hacks of MP3 players through corrupt ID3 info, hacks of image viewers through the JPG parser.
Just lock it down. Lock it all down.
Re: (Score:1)
It appears it's a useful feature because many applications allow commands to be embedded in documents - even ones you might not expect, like vim. From FreeBSD's pkg-message [freebsd.org] for editors/vim:
SECURITY NOTE: The VIM software has had several remote vulnerabilities
discovered within VIM's modeline support. It allowed remote attackers to
execute arbitrary code as the user running VIM. All known problems
have been fixed, but the FreeBSD Security Team advises that VIM users
use 'set nomodeline' in ~/.vimrc to avoid th
Re: (Score:1)
We don't need them to evaluate or run code. The first thing I do on any PDF reader is turn OFF JavaScript support. No reason the average user will ever ever ever need it.
Feature bloat, small corporate interests which damage non corporate general use. Laziness to make a separate safer user version and costs of splitting the source trunk into many trees.
The reason to sandbox over validating all inputs is simple. The golden code syndrome.
Programmers with inflated egos and the PM's which deflect crap away fr
Just Windows? (Score:1)
The sandbox is only on Windows, so what about the other platforms with Reader X?
X? (Score:2)
X? OMG, how original, exciting, and mysterious calling it "X" instead of 10. I guess it wasn't enough for MacOS 10. So I wonder if they will be able to let go of "X" when it is time for "XI"? Will version 10.1 be "X.1" or "10.1"? Or perhaps they will go redundant like Apple and call it X 10.1?
Even funnier that they call the latest Apple operating system "Mac OS Intel 10.5.6 - 10.6.4" in their pulldown menu.
Re: (Score:2)
It's funny that Reader X reminds me of Racer X, the mysterious nemesis of Speed Racer.
Re: (Score:2)
Before MacOS 10 there was MacOS 9. MacOS X = MacOS 10. Saying "MacOS X 10.4.2" is redundant. Really, "MacOS 10.4.2" OR "MacOS X 4.2" will do fine.
Re: (Score:2)
No, it's not. The operating system is "OSX". The version is 10.4.2. That doesn't mean "tenth version of OSX" any more than Ubuntu 11.04 means "eleventh version of ubuntu"; the vendor chooses how to name and version their product. You are of course free to disagree with me, Apple, and whoever else you like, but you would be wrong-- as the vendor, all of this is their prerogative. I might suggest checking the Wikipedia page for OSX if you want some clarification on the matter.
Stop being pedantic (and wrong
Re: (Score:2)
Wikipedia: http://en.wikipedia.org/wiki/Macos [wikipedia.org]
"Mac OS X is the newest of Apple Inc.'s Mac OS line of operating systems. Although it is officially designated as simply "version 10"...
" The operating system is the successor to Mac OS 9 "
"(pronounced /ˈmæk ˌoʊ ˌɛs ˈtɛn/ mak oh es ten)"
"Mac OS X, whose X is the Roman numeral for 10"
"Mac OS X is the tenth major version of Apple's operating system"
"The letter X in Mac OS X's name refers to the number 10, a Roman n
Re: (Score:2)
I mean, doesn't Photoshop CS5 sound so much better than Photoshop 12?
No?
Re: (Score:2)
X? OMG, how original, exciting, and mysterious calling it "X" instead of 10. I guess it wasn't enough for MacOS 10. So I wonder if they will be able to let go of "X" when it is time for "XI"? Will version 10.1 be "X.1" or "10.1"? Or perhaps they will go redundant like Apple and call it X 10.1?
Even funnier that they call the latest Apple operating system "Mac OS Intel 10.5.6 - 10.6.4" in their pulldown menu.
Five hours since you posted, and no one has thought of the obvious?
"[Mac OS / Adobe Reader] goes to Eleven!" That's the actual version number: "goes to Eleven!" After that, you count the exclamation points. "goes to Eleven!!!!!!!" is 7 versions after OS X.
Iron users beware of other adobe-exploits (Score:1)
SRW Iron (Chrome alt on Windows) tends to be behind, and somehow I forgot to replace it w/Chromium on this PC, so I had no built-in autoupdate. A megavideo on-click-to-play-flash-movie event on that site always triggers some "benign" FLASH pop-up to reelhd.com and today the latter came with a payload. The usual site lie says I need to click to download *their own* xvid player. Except the browser prompts me if I really want to DL the triggered installer's exe ... and even though I scoffed and cancelled TH
Re: (Score:2)
All those security concerns and yet you still:
A) Run the completely unvetted (and by their own admission, modified) SRWare Iron
-->Which lacks autoupdate
-->Which you for some reason trust more than Google's official version, or the Chromium nightlies (despite this exploit, lol?)
-->not to mention that you can't exactly get the source code to SRWare, can you?
B) Use hosts files as some kind of attempt at security
C) (based on remark about promiscuity) believe that the websites you visit have anything to do
Brilliant Adobe Developers (Score:2)
the exploit breaks, but we don't have a good sense if the sandbox was able to contain it
Plain English Translation: We have no idea how our own code even works, but hey we dodged this one, HIGH FIVE!
Re: (Score:2, Informative)
It's not Adobe that was wondering why, it was the researchers at Invincea.
At least that's what the summary says.
and people wonder why Flash is Evil (Score:3, Informative)
The problem is homogeny of the market.
If every user has the same version of the same PDF reader, an exploit can spread to everyone.
If an exploit won't affect people using Chrome PDF Viewer, Foxit Reader, gPDF or XPDF or Mac OS X Preview, it severely restricts the effectiveness of the exploit.
If everyone uses Adobe Reader on Windows, Mac OS X, Linux and mobile devices, an exploit like this can affect everyone.
While there are 3rd Party implementations of Flash Players, Adobe Flash Player is still ubiquitous. Adobe evolve the "standard" for commercial reasons with every version, leaving 3rd Party implementations behind and incompatible with new versions of the "standard".
Re: (Score:2)
Well, hard to do anything about it, half the proposed alternatives are even worse evils than Flash, and the other half doesn't give technophiles a stiffy.
And technophiles are, by the way, the main reason we're stuck with Flash in the first place: Adobe has tried to do the same with Adobe Reader, but since almost nobody uses all the random scripting crap they've added to it and only uses the baseline standard, alternative PDF viewers are able to display 99% of documents out there perfectly in spite of not ca
Re: (Score:2)
The problem isn't so much the Flash format, as the fact that the official Adobe player is the only one that really works well, precisely because the spec is a moving target. Basically, they add in some stuff to their spec (which they don't share with anyone yet), then implement it in their viewer and authoring software, and then release it (and at this time, release the updated spec). So, t
Re: (Score:2)
My local municipality collects income tax. It's a simple tax: 1%. It usually fits onto a simple, one-page form. But there's still some data entry and calculations for exemptions and crap and so, like anything else more complicated than taking a leak, it could be improved.
For the 1999 tax year, they issued a PDF tax form that automagically did the simple math for me, just by filling out the values in Adobe Reader/Acrobat/X/whatever it was then.
It worked well. My brain already hurt from filing Federal an
Why not a normal update via URL? (Score:1)
I do not appreciate fancy updates which pop up on my desktop from icons in the lower right corner. I had a virus attack from such an update. It was masquerading as a Java update. I removed Java from my computer completely after that.
I am seriously considering removing the Adobe Reader and Flash too.
Why not just inform us that an update is available and give the clear URL link to an update file on the Adobe website? Or at least update when I open the Reader and ask for an update or confirm an offer to upd
Adobe problem (Score:1)
Re: (Score:2)
Sounds like the library has odd permissions issues-- allowing "create file" and "append data" but not "delete file". Not Adobe's fault at all.
Protected Mode Bug (Score:2)
I had to disable this sandbox (protected mode) across my network. Makes it impossible to open PDF files from DFS shares. Boo.
still does not make up for... (Score:2)
Ok, let's all rally a hurray for you (seeing you pat yourself on the back here) for doing something you should have done from day one...
I say, we still haven't forgiven you for all the other exploits out there that are still very functional, and lead to many millions of dollars in damages....let's remember this point too....and keep the back patting to a minimum....mmmkay.