Security

Adobe's Reader X Spoils New PDF Attack

Posted by timothy
from the stopped-clock-can-still-be-thrown-with-force dept.
CWmike writes "Gregg Keizer reports that Adobe's Reader X stymied a recent attack campaign, researchers said Thursday. But they're not sure why. 'I don't want to take anything away from Adobe — after all, a win is a win — but this particular exploit appears to be designed with previous versions of Reader in mind,' said Chris Greamo, who heads the security research lab at Invincea. 'What appears to have happened is that the exploit breaks, but we don't have a good sense if the sandbox was able to contain it.' Reader X, an upgrade issued last year, features a 'sandbox' designed to protect users from PDF exploits. Adobe claimed that a recently-addressed bug in Chrome that lets attackers escape the browser's sandbox was not present in Reader X's sandbox code. Google patched that bug, the first to earn the company's top bug bounty of $3,133, three weeks ago. Adobe said Thursday it would ship its next regular update for Reader on Tuesday, Feb. 8."
  • We only have to wait for the upgrades :-)
    Ehehehe

  • That's just sad. (Score:2, Insightful)

    by ChrisMP1 (1130781)

    PDF reader... sandbox...

    A Document Format that needs a sandbox. I don't have a sandbox around my text editor, nor my PNG viewer, nor my MP3 player... Tell me again, why do we need our document formats to be little programming languages?

    • by ChrisMP1 (1130781)

      Better question, though off topic - why is Adobe's PDF viewer over 10 MB?

      $ du -h /usr/bin/xpdf.bin
      1.3M /usr/bin/xpdf.bin
      $ du -sh /usr/share/xpdf
      76K /usr/share/xpdf

      • by diegocg (1680514)

        Another good question is why a document viewer needs to add a preloader to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

      • Bells and Whistles take up space.

        Also, you're comparing apples and oranges. xpdf is ugly and, last I checked, lacking features. A fairer comparison would be with the flagship open source pdf reader, namely Okular. The file size may still be smaller but remember the Qt/KDE shared libraries it loads.

        • unless the QT/KDE libs supply PDF functionality (as OS X does), it's no fairer to include them than it is to include C:\WINDOWS.
          • I think okular uses a fork of xpdf.

            Does acrobat reader use the native toolkit in c:\windows? If not then I think it is fair. Gnome doesn't include Qt either, so if I want to use Okular... :)

            • by Grishnakh (216268)
              No, it's not fair.

              First, if you're using Gnome, you'll probably use evince instead of okular. Just as okular uses the same toolkit as KDE, evince uses the same toolkit as Gnome.

              Secondly, why wouldn't Adobe Reader use the native Windows toolkit? You're supposed to use the native toolkit of an OS (or DE), not only because it's more efficient, but also because it results in a consistent look and feel. So if Adobe is using their own toolkit, then that's their own stupid fault, it's not something to give them
              • I use Gnome (haven't been back to KDE since 3.5) but I think Okular is a better document reader. I don't complain about the download size because I accept that a more sophisticated, polished UI brings in a bunch of dependencies that just using X won't provide.

                On Windows, plenty of applications don't use the native Win32 toolkit. As an example, develop using Visual C++, with a toolkit such as MFC? A bunch of libraries need to be distributed with your app, even if the installer hides them under c:\windows.

                • by Grishnakh (216268)
                  I use Gnome (haven't been back to KDE since 3.5) but I think Okular is a better document reader. I don't complain about the download size because I accept that a more sophisticated, polished UI brings in a bunch of dependencies that just using X won't provide.

                  This is only because of the ongoing fragmentation between Gnome and KDE. If they ever merge them into a single DE for Linux (and other free *nixes), then this will no longer be a problem.

                  On Windows, plenty of applications d
                  • Gnome and KDE merge? unlikely, they're chalk and cheese.

                    "X11 will still be there"? Nope, the idea of wayland is X11 won't need to be included at all by default. Gnome and KDE will be wayland native via their respective GTK+ and Qt backends. Adding Xpdf will seem bloated because you'll have to start an X11 process on top of wayland - whereas today that comes for free.

                    • by Grishnakh (216268)
                      "X11 will still be there"? Nope, the idea of wayland is X11 won't need to be included at all by default. Gnome and KDE will be wayland native via their respective GTK+ and Qt backends. Adding Xpdf will seem bloated because you'll have to start an X11 process on top of wayland - whereas today that comes for free.

                      That's not my understanding at all, according to what I've read about the plans for Wayland. Yes, in a more minimalist distro, X11 could be eliminated. However, most distros will
                    • by Grishnakh (216268)
                      "Gnome and KDE merge? unlikely, they're chalk and cheese."

                      I forgot to reply to this. What's so different between these two anyway, except for Gnome having less configurability (which could easily be emulated in KDE by just specifying certain config options and removing some stuff in the system setup menus)? Essentially, they both do pretty much the same thing: provide a similarly-functioning desktop environment, with a "start" menu button which brings up a menu with applications installed (and I believe t
                    • The point is X will be an *optional* service that runs on top of wayland. Qt and Gtk+ will support wayland from day one by the time Ubuntu ships it. Those who "ssh -X" can download a bunch of optional packages. I won't miss it on my home desktop and won't bother to install and run X just to load up xpdf when wayland-native alternatives such as Okular exist.

                      Naturally distros will include X for the reasons you mention. Once wayland is sufficiently mature, don't expect a consumer oriented distro like Ubuntu to

                    • it seems entirely technically feasible to, for instance, replace Gtk+ and large parts of Gnome's libraries with Qt and some KDE libraries, create a new theme that looks like today's Gnome's

                      It was announced [wordpress.com] nearly 3 years ago. Still no word on a release date!
                      Anyway, they do collaborate on various projects at freedesktop.org

      • Disk usage of the wrapper is hardly a fair measure. Link the size of the dynamic libraries loaded as well. You will see that the amount of memory to run xpdf is much larger than 76k.

        Depends on your system of course.
    • by rudy_wayne (414635) on Friday February 04, 2011 @08:27PM (#35108472)

      PDF reader... sandbox...

      A Document Format that needs a sandbox. I don't have a sandbox around my text editor, nor my PNG viewer, nor my MP3 player... Tell me again, why do we need our document formats to be little programming languages?

      The problem is Adobe Acrobat Professional, or whatever they call their expensive software for creating PDFs. In order to get people to keep buying new versions they have to keep adding more and more features. Which means that Adobe Reader has to be constantly updated so that it can read PDFs with all those new features. New features equals new bugs and security exploits.

      • by Stregano (1285764)
        So we can make documents. We can set them to be editable or not editable and add stuff that make these work as webpages. So, tell me again why you would pay for that instead of just making a web page (sorry, I think it is the web developer in me not understanding why you would pay so much for something you could get for free legally)?
        • by ChrisMP1 (1130781) on Friday February 04, 2011 @08:32PM (#35108502)
          Well, a PDF is supposed to portably appear exactly as it will print. Pretty sure that's not possible with HTML.
        • by tepples (727027)

          So, tell me again why you would pay for that instead of just making a web page

          Because popular web browsers' CSS engines still have crap support for paged media [w3.org], or at least they have such a reputation.

      • by ChrisMP1 (1130781)

        Sure. Everything has bugs now and then. Adobe Reader has so many that they added a sandbox. We're just starting to do that with web browsers, and they're supposed to run "programs" of a sort. We're always reading about some new PDF code execution problem. You're not seriously claiming PNG and MP3 have as many exploits as PDF...?

        • PNG and MP3 don't have exploits, programs do. I've never heard about any exploit in my PDF reader, and while lack of user base is a reason for it, supporting only a reasonable subset of the full spec is important.

          TL;DR: PDF is fine, just don't use Adobe Reader.

          • by Anonymous Coward

            You probably haven't heard of any because you don't strictly need to target PDF. You just target something it supports. Like packaged fonts. Then you can exploit FreeType, which exists on virtually every platform (it must as a prerequisite to PDF).

            Oh yeah... and that example actually happened. All readers were vulnerable, even Okular.

          • by dkf (304284)

            PNG and MP3 don't have exploits, programs do.

            That's because there's no standard scripting section for those container formats, as far as I'm aware. Without some way to package in code that can be executed in a way that the target will understand at all, the exploit isn't going anywhere.

            If you work for Microsoft and are reading this, please, for the love of all that's holy, do not define such a thing, even as a vendor extension. Even if it lets you do something you think is neat. Such a change could only ever cause grief and pain, which would be redoub

      • by sankyuu (847178)

        And this isn't just applicable to Windows software; FOSS has its share as well: http://www.kb.cert.org/vuls/id/643140 [cert.org]

        For that matter, any platform that accesses code and data from the same memory (i.e. Von Neumann Architecture [wikipedia.org]) is susceptible to this, as is typical of all general purpose OSes.

    • by v1 (525388) on Friday February 04, 2011 @09:21PM (#35108774) Homepage Journal

      A Document Format that needs a sandbox. I don't have a sandbox around my text editor, nor my PNG viewer, nor my MP3 player... Tell me again, why do we need our document formats to be little programming languages?

      Any program that interprets untrusted information could benefit from a sandbox. While directly it prevents the interpreted code from explicitly accessing outside its bounds, it also protects the system from bugs in the interpreter that could cause the interpreter itself to perform actions outside its environment.

      Since you mention PNG, I have seen examples of security patches for PNG and TIFF viewers that addressed security problems because it was possible to execute arbitrary code based on a bug in the viewer's interpretation of the picture data. (usually through overflows)

      This came as a surprise to me with TIFF because I thought TIFF was raw uncompressed picture data and that would be immune to interpretation, but that was not the case.

    • by Zan Lynx (87672)

      Really, all our applications should be in sandboxes.

      Why does a word processor need access to music files? Why give a music player access to anything but music files?

      There have been hacks of MP3 players through corrupt ID3 info, hacks of image viewers through the JPG parser.

      Just lock it down. Lock it all down.

    • by hairyfeet (841228)

      Sadly the same reason why my MS Office 2K is a nice light word processor and 2K7 is a little piggy, it is called feature creep [wikipedia.org]. You see bug fixes aren't sexy and don't sell copies of software, whereas whiz bang new features do. Every year you have some PHB saying "Where's my new bullet point list of goodies to hand to the salesmen?" and you had damned well better have that bullet point done son!

      Of course the fact that we have truly insane amounts of hardware doesn't help either. I remember during the days of

    • It appears it's a useful feature because many applications allow commands to be embedded in documents - even ones you might not expect, like vim. From FreeBSD's pkg-message [freebsd.org] for editors/vim:

      SECURITY NOTE: The VIM software has had several remote vulnerabilities
      discovered within VIM's modeline support. It allowed remote attackers to
      execute arbitrary code as the user running VIM. All known problems
      have been fixed, but the FreeBSD Security Team advises that VIM users
      use 'set nomodeline' in ~/.vimrc to avoid th

    • We don't need them to evaluate or run code. The first thing I do on any PDF reader is turn OFF JavaScript support. No reason the average user will ever ever ever need it.

      Feature bloat, small corporate interests which damage non corporate general use. Laziness to make a separate safer user version and costs of splitting the source trunk into many trees.

      The reason to sandbox over validating all inputs is simple. The golden code syndrome.
      Programmers with inflated egos and the PM's which deflect crap away fr
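
The point argued in the thread above, that a PDF can carry scripts and actions the reader will run, can be checked per file before it is opened. The following is an added example, not code from any poster or from Adobe: a Python triage scan that counts active-content names in a PDF's raw bytes and decodes `#xx` name escapes first. The two sample documents are constructed, and the scan does not see names inside compressed streams.

```python
import re
import sys
from collections import Counter

# Name objects that make a PDF do more than render pages.
ACTIVE_NAMES = {
    b"JS": "JavaScript action payload",
    b"JavaScript": "JavaScript action or name tree",
    b"OpenAction": "action run when the document opens",
    b"AA": "additional actions (page or field triggers)",
    b"Launch": "launch an external program or file",
    b"EmbeddedFile": "file attachment",
    b"RichMedia": "embedded rich media",
    b"ObjStm": "compressed object stream (can hide the names above)",
}

# A PDF name is '/' followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> Counter:
    """Count active-content names in the raw bytes (a heuristic, not a parser)."""
    hits = Counter()
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in ACTIVE_NAMES:
            hits[name.decode("ascii")] += 1
    return hits


def runs_script_on_open(hits: Counter) -> bool:
    """True when a script is present together with an automatic trigger."""
    has_script = hits["JS"] > 0 or hits["JavaScript"] > 0
    has_trigger = hits["OpenAction"] > 0 or hits["AA"] > 0
    return has_script and has_trigger


# Constructed samples: skeletal PDF bodies, not complete renderable files.
PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
)
SCRIPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert\\('constructed'\\);) >> endobj\n"
)

if __name__ == "__main__":
    samples = {"plain (constructed)": PLAIN_PDF, "scripted (constructed)": SCRIPTED_PDF}
    for path in sys.argv[1:]:  # optional: real files given on the command line
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for label, data in samples.items():
        hits = scan_pdf(data)
        verdict = "script runs on open" if runs_script_on_open(hits) else "no auto-run script seen"
        print(f"{label}: {verdict}")
        for name, count in sorted(hits.items()):
            print(f"  /{name} x{count}: {ACTIVE_NAMES[name.encode()]}")
```

A clean result only means nothing was visible in the uncompressed bytes; a nonzero `/ObjStm` count means the object streams need to be decompressed before the file can be called script-free.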

  • by Anonymous Coward

    The sandbox is only on Windows, so what about the other platforms with Reader X?

    • by lseltzer (311306)
      The attacks are on Windows so that's where they put the effort. Note that the sandbox is also only on Reader and not Acrobat for the same reason
    • They'll just do as they always do and assume they're invulnerable.
  • by markdavis (642305)

    X? OMG, how original, exciting, and mysterious calling it "X" instead of 10. I guess it wasn't enough for MacOS 10. So I wonder if they will be able to let go of "X" when it is time for "XI"? Will version 10.1 be "X.1" or "10.1"? Or perhaps they will go redundant like Apple and call it X 10.1?

    Even funnier that they call the latest Apple operating system "Mac OS Intel 10.5.6 - 10.6.4" in their pulldown menu.

    • by treeves (963993)

      It's funny that Reader X reminds me of Racer X, the mysterious nemesis of Speed Racer.

    • Mac OS X is the name. 10.x.x is the version number. You kinda have to do something when you get to version 10, because after that things start to sound awkward. I mean, doesn't Photoshop CS5 sound so much better than Photoshop 12?
      • by markdavis (642305)

        Before MacOS 10 there was MacOS 9. MacOS X = MacOS 10. Saying "MacOS X 10.4.2" is redundant. Really, "MacOS 10.4.2" OR "MacOS X 4.2" will do fine.

        • No, it's not. The operating system is "OSX". The version is 10.4.2. That doesn't mean "tenth version of OSX" any more than Ubuntu 11.04 means "eleventh version of ubuntu"; the vendor chooses how to name and version their product. You are of course free to disagree with me, Apple, and whoever else you like, but you would be wrong-- as the vendor, all of this is their prerogative. I might suggest checking the Wikipedia page for OSX if you want some clarification on the matter.

          Stop being pedantic (and wrong

          • by markdavis (642305)

            Wikipedia: http://en.wikipedia.org/wiki/Macos [wikipedia.org]

            "Mac OS X is the newest of Apple Inc.'s Mac OS line of operating systems. Although it is officially designated as simply "version 10"...

            " The operating system is the successor to Mac OS 9 "

            "(pronounced /ˈmæk ˌoʊ ˌɛs ˈtɛn/ mak oh es ten)"

            "Mac OS X, whose X is the Roman numeral for 10"

            "Mac OS X is the tenth major version of Apple's operating system"

            "The letter X in Mac OS X's name refers to the number 10, a Roman n

      • by David_W (35680)

        I mean, doesn't Photoshop CS5 sound so much better than Photoshop 12?

        No?

    • by Culture20 (968837)

      X? OMG, how original, exciting, and mysterious calling it "X" instead of 10. I guess it wasn't enough for MacOS 10. So I wonder if they will be able to let go of "X" when it is time for "XI"? Will version 10.1 be "X.1" or "10.1"? Or perhaps they will go redundant like Apple and call it X 10.1?

      Even funnier that they call the latest Apple operating system "Mac OS Intel 10.5.6 - 10.6.4" in their pulldown menu.

      Five hours since you posted, and no one has thought of the obvious?
      "[Mac OS / Adobe Reader] goes to Eleven!" That's the actual version number: "goes to Eleven!" After that, you count the exclamation points. "goes to Eleven!!!!!!!" is 7 versions after OS X.

  • SRW Iron (Chrome alt on windows) tends to be behind, and somehow I forgot to replace it w/Chromium on this PC, so I had no built-in autoupdate. A megavideo on-click-to-play-flash-movie event on that site always triggers some "benign" FLASH pop-up to reelhd.com and today the latter came with a payload. The usual site lie says I need to click to download *their own* xvid player. Except the browser prompts me if I really want to DL the triggered installer's exe ... and even though I scoffed and cancelled TH

    • All those security concerns and yet you still:
      A) Run the completely unvetted (and by their own admission, modified) SRWare Iron
      -->Which lacks autoupdate
      -->Which you for some reason trust more than Google's official version, or the Chromium nightlies (despite this exploit, lol?)
      -->not to mention that you can't exactly get the source code to SRWare, can you?
      B) Use hosts files as some kind of attempt at security
      C) (based on remark about promiscuity) believe that the websites you visit have anything to do

  • the exploit breaks, but we don't have a good sense if the sandbox was able to contain it

    Plain English Translation: We have no idea how our own code even works, but hey we dodged this one, HIGH FIVE!

    • Re: (Score:2, Informative)

      by Anonymous Coward

      It's not Adobe that was wondering why, it was the researchers at Invincea.

      At least that's what the summary says.

  • by Salvo (8037) on Friday February 04, 2011 @10:13PM (#35109016)

    The problem is homogeny of the market.
    If every user has the same version of the same PDF reader, an exploit can spread to everyone.
    If an exploit won't affect people using Chrome PDF Viewer, Foxit Reader, gPDF or XPDF or Mac OS X Preview, it severely restricts the effectiveness of the exploit.
    If everyone uses Adobe Reader on Windows, Mac OS X, Linux and mobile devices, an exploit like this can affect everyone.

    While there are 3rd Party implementations of Flash Players, Adobe Flash Player is still ubiquitous. Adobe evolve the "standard" for commercial reasons with every version, leaving 3rd Party implementations behind and incompatible with new versions of the "standard".

    • by Draek (916851)

      Well, hard to do anything about it, half the proposed alternatives are even worse evils than Flash, and the other half doesn't give technophiles a stiffy.

      And technophiles are, by the way, the main reason we're stuck with Flash in the first place: Adobe has tried to do the same with Adobe Reader, but since almost nobody uses all the random scripting crap they've added to it and only uses the baseline standard, alternative PDF viewers are able to display 99% of documents out there perfectly in spite of not ca

      • by Grishnakh (216268)
        Well, hard to do anything about it, half the proposed alternatives are even worse evils than Flash

        The problem isn't so much the Flash format, as the fact that the official Adobe player is the only one that really works well, precisely because the spec is a moving target. Basically, they add in some stuff to their spec (which they don't share with anyone yet), then implement it in their viewer and authoring software, and then release it (and at this time, release the updated spec). So, t
        • by adolf (21054)

          My local municipality collects income tax. It's a simple tax: 1%. It usually fits onto a simple, one-page form. But there's still some data entry and calculations for exemptions and crap and so, like anything else more complicated than taking a leak, it could be improved.

          For the 1999 tax year, they issued a PDF tax form that automagically did the simple math for me, just by filling out the values in Adobe Reader/Acrobat/X/whatever it was then.

          It worked well. My brain already hurt from filing Federal an

  • I do not appreciate fancy updates which pop up on my desktop from icons in the right lower corner. I had a virus attack from such an update. It was masqueraded as a Java update. I removed Java from my computer completely after that.

    I am seriously considering removing the Adobe Reader and Flash too.

    Why just not inform us that an update is available and give the clear URL link to an update file on the Adobe website? Or at least update when I open the Reader and asked for an update or confirmed an offer to upd

  • I downloaded a PDF at the library to print it. No problem. Then I couldn't delete the document from the library's system. They had to uninstall Adobe to get it to stop displaying my document. I'm wondering if the document will still appear if someone re-installs Adobe. Assholes.
    • Sounds like the library has odd permissions issues-- allowing "create file" and "append data" but not "delete file". Not Adobe's fault at all.

  • I had to disable this sandbox (protected mode) across my network. Makes it impossible to open PDF files from DFS shares. Boo.

  • Ok, let's all rally a hurray for you (seeing you pat yourself on the back here) for doing something you should have done from day one...
    I say, we still haven't forgiven you for all the other exploits out there that are still very functional, and lead to many millions of dollars damages....let's remember this point too....and keep the back patting to a minimum....mmmkay.
