Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security The Internet IT

Zero-day Exploit in PDF With Adobe Reader 188

hankwang writes "Security researcher Petko Petkov, who is known for his recent discovery of a vulnerability with Quicktime in Firefox, claims to have discovered an exploit that allows arbitrary code execution when a maliciously crafted PDF document is opened in any version of Adobe Reader. Petkov did not disclose any technical details other than a video, but claims on his blog that Adobe has acknowledged the vulnerability. If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."
This discussion has been archived. No new comments can be posted.

Zero-day Exploit in PDF With Adobe Reader

Comments Filter:
  • xpdf etc (Score:5, Funny)

    by eneville ( 745111 ) on Saturday September 22, 2007 @10:08AM (#20710875) Homepage
    my xpdf brings all the boys to the yard and they're like, its better than yours
    • Re: (Score:2, Informative)

      Comment removed based on user account deletion
      • Re: (Score:2, Insightful)

        by eneville ( 745111 )

        You are joking, right? Xpdf lacks all kinds of features useful in the corporate world. Forms that can be filled out is one. PDF is an open format, and Adobe publishes the standard [amazon.com] for your convenience, but even after years of work Xpdf and offshoots like libpoppler still can't support much more than they did years ago.

        what corporation actually makes use of forms? isn't that what html is ok for? if one wants to do a form, why not have a code hook that can validate the form data before printing. in most cases, i bet people send the whole pdf to print rather than just the page with the form, so it's probably better all round to keep forms on the web, where most people can get to it.

        • Re:xpdf etc (Score:5, Informative)

          by eggnoglatte ( 1047660 ) on Saturday September 22, 2007 @11:46AM (#20711629)

          what corporation actually makes use of forms?
          Only every single one I've ever worked for. Some government offices here in Canada also provide PDF forms for situations where you have to submit a printed version of the form in the end. You could achieve something similar with web forms, except the printed version would look different depending on browser. Sometimes a consistent formatting is a real advantage. So it is either PDF forms or Word, and given a choice between the two, I definitely vote for PDF.
          • what corporation actually makes use of forms?

            Only every single one I've ever worked for. Some government offices here in Canada also provide PDF forms for situations where you have to submit a printed version of the form in the end. You could achieve something similar with web forms, except the printed version would look different depending on browser. Sometimes a consistent formatting is a real advantage. So it is either PDF forms or Word, and given a choice between the two, I definitely vote for PDF.

            perhaps there is a use for pdf forms, however, the world span perfectly ok before their existence, and i'm sure it will spin just fine without it. what i do think, however, is that there is little calll for them. if a consistent formatting is required, then i suggest sending out a plain text file and request that it is filled in, it's something that i seriously can't see much of a requirement for. sorry.

            • by fbjon ( 692006 )

              if a consistent formatting is required, then i suggest sending out a plain text file and request that it is filled in,
              How can you get consistent formatting with plain text, when printed out? What's the font size, paper size, etc. etc.? Plaintext will likely give you 6 pages of unreadable monospaced text, instead of one neatly organised and easy-to-fill page.
          • by Cecil ( 37810 )
            Well at least there's still the option to just print it out as-is and write on it. How quaint. :)
          • what corporation actually makes use of forms?

            Only every single one I've ever worked for. Some government offices here in Canada also provide PDF forms

            The multinational corporation I work for doesn't. I have yet to receive a government PDF form here in Canada.

            The Evince developers are working on a form filling function for it. So I hope I never have the need to install Acrobat Reader on my home Linux system. At work on XP I use Foxit reader as my Acrobat Reader installation is so fucked up.

      • Re:xpdf etc (Score:5, Informative)

        by shutdown -p now ( 807394 ) on Saturday September 22, 2007 @11:42AM (#20711595) Journal

        You are joking, right? Xpdf lacks all kinds of features useful in the corporate world. Forms that can be filled out is one. PDF is an open format, and Adobe publishes the standard for your convenience, but even after years of work Xpdf and offshoots like libpoppler still can't support much more than they did years ago.
        While this is mostly true, I would like to point out that the most recent version of Evince (the one that ships with Gnome 2.20) supports PDF forms [gnome.org]. Does this leave any piece of PDF functionality not yet implemented by FOSS readers?
        • Re:xpdf etc (Score:4, Insightful)

          by cortana ( 588495 ) <sam@robots.orRASPg.uk minus berry> on Saturday September 22, 2007 @12:10PM (#20711841) Homepage
          DRM, execution of JavaScript code and selective toggling of layers.
          • Yeah, but he was talking about functionality. Why make something intentionally broken?
          • Re:xpdf etc (Score:4, Informative)

            by shutdown -p now ( 807394 ) on Saturday September 22, 2007 @01:28PM (#20712563) Journal

            DRM, execution of JavaScript code and selective toggling of layers.
            No idea about the rest, but at least xpdf does respect the restriction flags in PDFs. For example, it won't let you print a PDF if the no-print flag is set. Of course, it being open source, it is easily disabled, and some distros disable it in their packages (I recall Gentoo was doing so).
            • Re:xpdf etc (Score:4, Insightful)

              by zCyl ( 14362 ) on Saturday September 22, 2007 @02:11PM (#20712991)

              at least xpdf does respect the restriction flags in PDFs. For example, it won't let you print a PDF if the no-print flag is set.

              An intentional defect is not a feature.
            • Many of us apply the patch to disable the restrictions on printing and cut and paste. It's kind of annoying to build it yourself if you're all into Debian, SuSE, Redhat or one of the other precanned distros. Gentoo and Slackware users though generally do the patch, if only to get cut and paste to work sanely.
          • Re:xpdf etc (Score:4, Informative)

            by BillyBlaze ( 746775 ) <tomfelker@gmail.com> on Saturday September 22, 2007 @02:19PM (#20713041)
            Heh, KPDF has a checkbox for whether you want it to respect that DRM. Um, no thanks. (There's also a compile-time option to make it mandatory, for the wussier binary distros.)
        • Re: (Score:2, Insightful)

          by ogrizzo ( 23524 )
          Comments!!!! Acrobat's ability to add comments to pdf files is one of the few things that make me ever think about using OSX (I cannot think of anything that would make me wish to run Windows, though :)

          It looks like it's a planned feature of evince.
      • Re:xpdf etc (Score:5, Insightful)

        by kebes ( 861706 ) on Saturday September 22, 2007 @11:44AM (#20711623) Journal
        Lacking features can be a good thing.

        I think the sensible strategy, in terms of performance and security, is to use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features. Acrobat is a rather large program (some might say "bloated") and it supports a wide variety of features, plugins, etc. It's a fact of life that supporting all those additional features (which are rarely used in a document) increases the program's resource requirements, and make security vulnerabilities "more likely" (for every feature you add, there's another chance for a bug, and another attack vector).

        So, again, I think the sensible strategy is to use a fast, minimalist PDF reader (which, hopefully, is simple enough that it fairly secure: that is, no plugins that can run arbitrary code). Then, when you encounter those PDFs that need those extra features, you load them using a Acrobat, assuming you trust them. In my experience, PDFs that use anything beyond the basic features are rare enough that this isn't much of a burden. It's a fallacy to think that every program that supports a given filetype needs to "do it all"--different programs have different uses.
        • Exactly my strategy. I have Acrobat reader installed but use it about once every two years. The rest of the time I use OS X Preview.
        • Re: (Score:3, Interesting)

          by thrawn_aj ( 1073100 )

          I think the sensible strategy, in terms of performance and security, is to use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features. Acrobat is a rather large program (some might say "bloated") and it supports a wide variety of features, plugins, etc.

          People have different definitions of "bloat". Mine is when you have to clutter up your system with more than one application to d the same job. Besides, I'm of the opinion that it's alright to use the incredibly fast and high-RAM computers of today to run these application without being stingy about resources for every single thing (unless it actually does slow down your system). While I've pitied the users who have 16 things in their system tray that eat up resources (Acrobat does this too btw, with it

        • by 1u3hr ( 530656 )
          I think the sensible strategy is to use a fast, minimalist PDF reader

          I use Acrobat 4. It can display and print 99% of the PDF files I need. I can warm up a later version of the reader if I have to, a few times a year. It's much smaller and faster than current versions, and I doubt it is vulnerable to any exploits, at worst it would crash or fail to open a document.

          Also Elcomsoft's Advanced eBook Processor to strip away silly print or selection restrictions is useful. Thanks Dmitry.

        • Re: (Score:3, Insightful)

          by p0tat03 ( 985078 )

          Lacking features can be a good thing.

          Not accusing of anything, but this is altogether too often used by FOSS advocates to justify the lack of features or polish.

          use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features

          The security issues still remain - all an attacker has to do is disguise his PDF as a PDF form and shabam, your employees fall hook, line, sinker, and your network is now compromised. A pinhole in a submarine will still let water in, even if 99% of the rest of the surface is perfectly sealed.

      • Re: (Score:3, Informative)

        by VGPowerlord ( 621254 )
        Adobe recently threatened to sue a company [news.com] that wanted to include PDF output into their word processor.

        Yes, that company was Microsoft, but that doesn't change the fact that they threatened to sue them over its inclusion for "antitrust reasons" (read: It would hurt the sales of Acrobat [adobe.com]).

        PDF isn't an open standard. If you want to implement it, Adobe apparently retains the right to sue you for it at any time.
        • Re: (Score:3, Insightful)

          Yes, that company was Microsoft, but that doesn't change the fact that they threatened to sue them over its inclusion for "antitrust reasons" (read: It would hurt the sales of Acrobat).
          Yes, it does. If you don't have a monopoly, it means nothing. (Ever notice how Adobe doesn't care that OpenOffice has PDF output?)
          • I did notice that. I have a famous quote [wikipedia.org] for you, though:

            In Germany, they came first for the Communists, And I didn't speak up because I wasn't a Communist;
            And then they came for the trade unionists, And I didn't speak up because I wasn't a trade unionist;
            And then they came for the Jews, And I didn't speak up because I wasn't a Jew;
            And then . . . they came for me . . . And by that time there was no one left to speak up.

            -- Martin Niemöller

            Adobe has already acted in bad faith once, there's nothing stopp

  • smug (Score:4, Funny)

    by ch0ad ( 1127549 ) on Saturday September 22, 2007 @10:10AM (#20710897)
    i bet it doesnt work with ubuntu's pdf viewer :p
    /smug

    about time i got modded as a troll neway
  • The article is sorely lacking in details. There was a vulnerability report earlier about PDF files that open external links. At that time slashdot discussions were very critical of adding javascript kind of functionality and opening external links and invoking the browser from pdf reader. A plain and simple document reader/renderer has no need for all these hooks that allow for bells and whistles. It was alleged every bell and every whistle could be a potential attack vector. Well, presently I have disable
  • And this kind of thing is also why I leave the preview pane off in Outlook whenever I use it.
  • by NevarMore ( 248971 ) on Saturday September 22, 2007 @10:14AM (#20710933) Homepage Journal
    It's still a big effing deal, because Reader is the most accessible and widely used PDF viewer out there.

    So in the interest of the public, what alternative PDF readers can people use?

    In addition to that I hope Adobe clues in and realizes, Reader is there to READ AND DISPLAY PDFs and nothing else. The last time I installed it under XP on my office workstation it wanted to shovel a bunch of crap into the tray and seemed to have a lot more cruft than it needed to. This is different from what I remember it being in High School where it was a simple viewer so the customers who paid for Acrobat had an easy way to tell their readers how to open the PDFs. It has since morphed into a product instead of just a utility.
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Saturday September 22, 2007 @10:16AM (#20710951)
    Comment removed based on user account deletion
    • by Nimey ( 114278 )
      Should one assume that the vuln is also in Acrobat Standard and Acrobat Professional? Got some users using those, and won't this be a joy for the pre-8 ones.
    • by nwbvt ( 768631 ) on Saturday September 22, 2007 @10:26AM (#20711049)

      Well yeah, it can't affect an operating system if no one is running it.

      Sorry, couldn't resist.

    • by kesuki ( 321456 )
      well, i guess its time to downgrade adobe to version 5. before they had all these automatic updating and rediculous feature bloat features...

      i know version 5 came on tons of various cd roms, including ones from motherboards and even anti virus installers... in fact even though i had a newer version i happend to pick version 5 when i reinstalled my parents computer because i was lazy and it came on their anti virus install cd.

  • by Zaphod-AVA ( 471116 ) on Saturday September 22, 2007 @10:17AM (#20710967)
    The Foxit PDF reader is pretty great, and I often recommend it to my clients. Not only will it be a good temporary fix for this exploit, but it opens PDF documents very quickly.

    Windows:
    http://www.download.com/Foxit-PDF-Reader/3000-2079_4-10634896.html?tag=lst-0-1 [download.com]

    Linux:
    http://www.foxitsoftware.com/pdf/desklinux/ [foxitsoftware.com]
    • I second this (Score:2, Informative)

      The entire download is just over 1mb and it loads PDFs quicker than the 40+mb pile of shit known as "reader".
      • Re: (Score:2, Informative)

        by 0xygen ( 595606 )
        Sadly this not 100% true.. I *am* a FoxIt user, but recently came across an issue.

        FoxIt does not seem to cache the page you are looking at, it appears to re-render the whole thing every time you move it.

        So, when you have an engineering drawing with only a few thousand vector lines on a page, it slows down to about a tenth of the speed of Reader 8.1.

        Now I have both installed, much to my annoyance - before seeing this, FoxIt was the one!
    • by Arkaic ( 784460 ) on Saturday September 22, 2007 @10:23AM (#20711015)
      That may not be much better. According to a follow up comment by the discoverer of the exploit.

      "Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit."
      • "although the user is required to interact with the document in order to launch the exploit"

        So, I'm better off sticking with Foxit for most uses.

        I only use acrobat reader when forced to, (security, form filling...)
    • KPDF came with my Kubuntu installation. Never failed me.
      It also pleases the raving hippies who want everything open source ;)
    • Foxit is a great improvement from the Adobe Reader. I didn't know they had a linux version; however, I wonder if anyone actually uses it. In my experience, Evince and KPDF both beat Foxit hands down.
    • by Mike89 ( 1006497 )
      This may be slightly OT, but please don't mod it as such. I use FoxIt and I have a problem. Whenever I open the solutions file for a textbook I use for school, the text is barely readable. Yet in Adobe Reader, it's fine.

      See screenshot [bayimg.com]

      Any ideas? I like FoxIt, but I can't use it!
      Note: The zoom is set to the same on both, zooming on FoxIt doesn't help the issue. Also sorry the screenshot is so small, I uploaded a larger one but BayImg didn't like it for some reason.
    • Hope they have fixed it recently. About 6 months ago I tried it, and on the first PDF that I opened:

      - Some fonts looked different from the original. "Different" as in "the same font but were slightly thinner/bolder". Not an AA issue, the actual drawing of the polygons seemed slightly off.
      - Redrawing a vector part was slow even though everything else was blindingly fast.
      - Hitting "Print" caused it to crash. Every time.

      Kudos to FoxIt for tring, but with much sadness I immediately uninstalled it. At least Read
    • Re: (Score:3, Informative)

      by jambarama ( 784670 )
      Even lighter and faster than foxit: Sumatra PDF Reader [kowalczyk.info]. It is Windows only but runs fine in Wine. Since TFA has no details, I can't say if Sumatra is also vulnerable, but for me it beats foxit.
  • by promiscuous-mode ( 314909 ) on Saturday September 22, 2007 @10:23AM (#20711021)
    It's not a zero-day exploit until Petko releases code for the script kids to use without having a patch/update from Adobe.
    • by Mascot ( 120795 )
      Save your energy. It's like the cracker/hacker issue. Nobody seems to remember or care what the terms mean anymore.

      I won't even point out the irony in that a Slashdot editor doesn't even know.
    • Ah, so you seem to actually know what zero-day means. Would you explain it here for the public benefit?
  • For firefox users... (Score:4, Informative)

    by nwbvt ( 768631 ) on Saturday September 22, 2007 @10:30AM (#20711071)

    "If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."

    If you are using firefox, there is a simple way around this. Just install the PDF download [mozilla.org] add-on, its also helps avoid the problems involving the embedded PDF plugin crashing your browser.

  • As an asside: (Score:4, Interesting)

    by T-Ranger ( 10520 ) <jeffwNO@SPAMchebucto.ns.ca> on Saturday September 22, 2007 @10:30AM (#20711077) Homepage
    Does anyone here think that embedding Acrobat into a browser is a good idea? Ignoring the plethora of stupid people who use PDF when HTML would work better, even.
  • Somehow, I don't believe the same vulnerability will affect xpdf on linux and adobe reader on windows.
    So, I still feel safe :)
  • Does anyone have any news if this affects 'Preview' on OS X. I hate the Adobe Reader and never use it.

    I understood that PDF is virtually native on the Mac. This is in part due to the design of Quartz and now NeXT used to use display Postscript , which PDF grew out of in a way.

    Some applications now use scaled PDF icons for resolution indepenence, such as Coda for example. Should we be worrying about this at all?
    • by p0tat03 ( 985078 ) on Saturday September 22, 2007 @01:10PM (#20712395)

      As a side note... Preview does an incredibly good job with PDFs that Adobe themselves can't even do. Back when I was a Windows user exclusively, I always complained that the "official" reader was dog slow even on the fastest machines, and could not ever scroll smoothly through any slightly complex document.

      Now that I've switched to Mac and use Preview, I realize this isn't Windows, it's just Adobe's incompetence. Preview is fast as hell and NEVER lags in any way, while Adobe Reader for the Mac is as slow and bloated as its Windows brethren.

  • Enough! (Score:2, Interesting)

    by Valtor ( 34080 )
    I am convinced that we will not escape sandboxing [wikipedia.org] every process in the not too distant future. Enough is enough, I don't think we will ever feel secure about any software any time soon.
    • Except I just read there is a security flaw in VMware could allow a process running within the VM machine to exploit the host OS. So even virtualization as a sandbox is not fully effective.
      • by Ilgaz ( 86384 ) *

        Except I just read there is a security flaw in VMware could allow a process running within the VM machine to exploit the host OS. So even virtualization as a sandbox is not fully effective.

        In fact it happened (or theoretically possible) with MS Virtual PC (don't laugh) 7 running on OS X.

        http://www.versiontracker.com/dyn/moreinfo/macosx/1006 [versiontracker.com]

        "What's new in this version":
        "This update fixes a vulnerability that an attacker can use to overwrite the contents of your computer's memory with malicious code."

        Yes, the "Virtual PC" running there may overwrite memory from "there". I hate to pick on MS and VPC is some real cool code but... It is sounding damn funny.

        If any Mac people reading this: Get it u

    • The question is what sandboxing really solves. Supposedly, we already have processes in isolated address spaces. They interact with the rest of the system through interfaces exposed by the operating system. You can sandbox all you want, but, eventually, you are still going to have some interaction between the sandboxed process and the rest of the system.

      I see much more value in writing software in languages where the now common types of exploits can't occur [inglorion.net]. If we can stop programs from wrongly referencing
  • PDFs have long been known as 'landmines of the Internet' for their long load times and the fact so many websites don't mark links as PDF so you never know when you're going to 'trip' over one.

    It looks like Adobe is just kicking their reputation up a notch.
  • and don't use Adobe's reader. Don't use Adobe's Acrobat either, if you don't have to. At least in the Windows world, there are plenty of alternatives out there, that often work better and more efficiently than Adobe's products, and are sometimes (get this) FREE! Are they as secure as Adobe's products? Who knows. For that matter, who knows how secure Adobe software is: big companies don't necessarily turn out more secure software than smaller ones. They can apply more programmers to a project and crank out m
  • by Zero__Kelvin ( 151819 ) on Saturday September 22, 2007 @12:38PM (#20712097) Homepage

    ""Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box."
    The keyword, as is so often the case with security vulnerabilities, is Windows . The real summary is that there is a flaw in Adobe Reader that allows a cracker to exploit a security vulnerability in Windows . In other words it is same story, different day. When an application as simple as a reader can have a flaw in it that leads to a compromise of the OS, the security flaw is in the OS , not in the application.
  • by operagost ( 62405 ) on Saturday September 22, 2007 @12:59PM (#20712305) Homepage Journal
    If the story's a day old before you report it, it's no longer a "zero-day" exploit.
  • by JRHelgeson ( 576325 ) on Saturday September 22, 2007 @01:40PM (#20712703) Homepage Journal
    This was an announcement of a vulnerability that was discovered in Adobe Acrobat. There is nothing 0day about it, and it will not ever and can not ever be a 0day. Period.

    The defining characteristic of 0day is the day an EXPLOIT is RELEASED, where such exploit also serves as the ONLY vendor notification of a bug being discovered. Every adult on this list understands the definition, but the kids can't seem to grasp the not-so-subtle nuance between a 0day and the discovery of a bug in someone else's code.

    This supposedly serious disclosure referred to in the article is a non-event, there was a "press release" about a supposedly serious flaw in PDF, there were no details, so therefore it doesn't even count as disclosure of a vulnerability as a whole.
  • Not a Zero-day (Score:2, Insightful)

    by stickystyle ( 799509 )
    I agree with the replies on bugtraq when this was announced earlier in the week, it is not a Zero-day. A zero day requires that the exploit be released AT THE SAME TIME AS THE VENERABILITY. There was no exploit released, thus this is just a venerability, a big one, but not a zero-day.
  • From TFA:

    The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available.

    So if Adobe never releases a fix, he will never release the details? That's rather open-ended. He should have set a reasonable timeline which includes a reason

You know you've landed gear-up when it takes full power to taxi.

Working...