Adobe Fixes Recent PDF Flaw, But Not Before Auto Exploit

SkiifGeek writes "With Adobe's patch for the JBIG2Decode vulnerability due in a few days time, new methods to target the vulnerability have been discovered that make it far riskier than previously thought. Didier Stevens recently showed the world how it is possible to exploit the vulnerability without the user actually opening an affected file, and now he has discovered a way that allows for completely automated exploitation that results in anything up to a Local System account without any user interaction at all and only relies upon basic Windows components and Acrobat Reader elements. There are some mitigating factors that limit the overall risk of this new discovery, but it does also highlight that merely uninstalling the Reader will not protect you from exploitation and does raise the possibility that other tools will access the vulnerable components and thus be vectors for attack." However, the fix is now in: nk497 writes "Adobe had finally released a fix for a PDF vulnerability discovered — and already exploited — last month. The update only applies to the most recent versions of Reader and Acrobat, with early versions and Unix editions not fixed until later this month. Adobe has taken its time with the patch, despite an independent security researcher releasing her own fix just days after the flaw was announced."

Do people even still use Acrobat Reader?

[koro666]

I've been using Foxit Reader [foxitsoftware.com] for almost 2 years now.

Re:Do people even still use Acrobat Reader?

[Ninnle Labs, LLC]

Do people even still use Acrobat Reader?

Yes.

Re:

[blhack]

The worst are software vendors that require it, then force you "upgrade" to the latest version.
Yes, this happened to me. Yes, the "upgrade" that they are forcing me to use crashes when you run it on a roaming profile.
AWESOME!

Re:

[Fred_A]

Do people even still use Acrobat Reader?

Yes.

Indeed, because there are a still few reasons to use Arcoread, mostly when you use colour proofed PDF formats (X-3) for professional printing. Apparently only Adobe's reader fully supports those parts.

Apart from that I typically stick with Okular (Version 0.8.1 Using KDE 4.2.1) which is now quite complete enough for my needs. Although I haven't had to use documents with forms for a while so I'm not sure what the level of support is on that front. If it doesn't work it might be a problem for some (on top of

Re:

[John Dowdell]

"... i thought that they would atleast fix the major flaws in flashplayer by version 9 and im still with version 10 able to use the same exploits i used in flash 7."

Hi, if you think you know of an old flaw that no one has noticed, could you drop a note to the security team, please?
http://www.adobe.com/support/security/alertus.html

tx, jd/adobe

And?

[jgtg32a]

It was vulnerable also, they got the patch out quicker.

http://www.networkworld.com/news/2009/030909-foxit-pdf-viewer-also-open.html [networkworld.com]

Re:And?

[Rary]

It was vulnerable also, they got the patch out quicker.

Well, technically it was a different problem that just happened to be found in similar code. So, yes, it was also vulerable, just not vulnerable to the same problem.

"The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images, said Thomas Kristensen, chief technology officer at Secunia AsP, the Danish company that reported the flaw to Foxit. "It is a completely different vulnerability related to JBIG2," Kristensen said in an e-mail Monday."

My Bad

[jgtg32a]

Yeah I didn't actually read that article, I had just heard that Fox-it had the vulnerability also and I just grabbed an article for Google as proof.

Shame on me, but in this case it is irrelevant.

Re:

[v1]

That just indicates that foxit decided to audit that bit of code closely to see if the problem was present in their implementation, and stumbled upon that other problem which they then fixed.

Re:And?

[Ninnle Labs, LLC]

No, Secunia reported the bug to Foxit after they discovered it.

The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images, said Thomas Kristensen, chief technology officer at Secunia AsP, the Danish company that reported the flaw to Foxit.

So, no, Foxit didn't do anything like you claimed and in fact may not have even noticed the bug until a later point had Secunia not pointed it out.

Re:And?

[CannonballHead]

The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images

I fail to see how that is "unrelated." Yeah, it wasn't the "same code" but it was the same code section - the code that parses the images. I'm guessing Foxit uses different code, so obviously it's not going to be the same code and thus not the exact same vulnerability...

"unrelated" and "completely different" seem rather strong words to use. Oh well. :)

Re:

[koro666]

It was vulnerable also, they got the patch out quicker.

Thanks for mentioning it, I just updated it as well.

At least though, Foxit does not install itself as a stupid browser plugin, so PDF files aren't automatically opened with it... (although they now have an optional plugin to do that, let's just hope it stays optional)

Re:

[sakdoctor]

Why isn't there a decent open source PDF reader? Not Sumatra, it's just a little too basic.

I'm not volunteering though, I just don't care enough about PDF as a format, but it seems odd that nobody does. In theory the PDF format isn't that bad, but people mostly experience it though Adobe's reader which causes most of the problems.

Also, stop fucking advertising for foxit.

Re:

[icebike]

There are several.

Unless your definition of "decent" means bit-for-bit identical to Acrobat, in which case there are none.

See any competent linux distro.

Re:

[larry bagina]

by definition, bit-for-bit identical to Acrobat is not decent.

Re:

[Anonymous Coward]

Why isn't there a decent open source PDF reader? Not Sumatra, it's just a little too basic.

I'm not volunteering though, I just don't care enough about PDF as a format, but it seems odd that nobody does. In theory the PDF format isn't that bad, but people mostly experience it though Adobe's reader which causes most of the problems.

http://en.wikipedia.org/wiki/List_of_PDF_software

Has the most common viewers.

Re:

[koro666]

Also, stop fucking advertising for foxit.

What's so bad about getting the world to know about a good alternative?

Re:

[innocent_white_lamb]

Acrobat Reader is the only PDF reader that works with all PDF files. I don't like that fact either.

Here is an example that renders properly only with acroread:

https://bugzilla.redhat.com/show_bug.cgi?id=220983 [redhat.com]

Re:

[jbn-o]

Foxit recently had a stack based buffer overflow that could lead to account exploitation. But the worst problem is that Foxit is proprietary software; uninspectable, unfixable by even the most technical user, and Foxit is unsharable to users [foxitsoftware.com] "on mobile devices or embedded devices including cellular phones, PDA's, and all other handheld devices". Just like with Adobe's proprietary PDF reader, the secrecy means that there's no telling how many other security problems are waiting to be exploited with Foxit.

Uninstalling doesn't help??

[erroneus]

There is a big problem I have with a number of software vendors. Their uninstalls don't do a complete uninstall! According to the article, uninstalling the reader leaves exploitable DLLs behind and remain hooked into Windows Explorer. That is just bad behavior by this software vendor. Uninstall should mean "get rid of it and all parts completely" and that should include registry entries, obscured or otherwise.

Software vendors at large have a pretty disrespectful view of end-user computers. They feel it is right and correct for them to effectively take control of the machines their software inhabits. They are very bad house guests indeed. It might be pushing a point, but all of this sort of behavior would seem to constitute some sort of criminal trespass into computer systems. I know that was certainly the case with Sony rootkits being installed.

It seems to me the only effective way to be sure of what is on your Windows computer is to do a fresh reinstallation of the OS and all applications any time a software change is made... that would be an add/remove or delete of an application. Don't want Adobe leaving crap behind? Reformat your system and install from scratch. I know that seems extreme, but it is likely the only way a user can have any reasonable hope of maintaining control over his computer systems.

Re:

[Bearhouse]

Indeed. Just lazy design & programming.

As most good Windows admin know, it's helpful to keep a 'clean' PC or image around, with a 'base' install of the OS and required apps on it. When a nuked PC comes in, just backup user data and reimage from your base. I do a complete reinstall every year on my own machines. Amazing how much faster they are afterwards.

Re:

[nate_in_ME]

Unfortunately, the practice of leaving DLLs behind is not an easy one to solve. The problem lies in the fact that there are many installers that don't play nicely, either installing a DLL without properly registering its use with Windows, or making use of an existing DLL without doing the same. A "proper" Windows installer is supposed to update the registry(at least the last time I checked, haven't really taken the time to read the most recent guidelines) with a list of shared DLLs that it uses, so that W

Re:

[mea37]

Well, if everyone were playing nice, wouldn't the Windows Indexing Service (and other services that can be used in this attack) count as ( / have registered themselves as) "users" of the DLL? So then leaving behind the DLL would be the "correct" behavior anyway?

Re:

[nate_in_ME]

I believe it depends on the order of the install...since the modifications are made by the installer of the "new" program, it's my understanding that Acrobat Reader would have registered itself with Windows Indexing Service, not the other way around. So, the uninstall of Acrobat should have fixed the issue.

Re:Uninstalling doesn't help??

[Culture20]

I'd rather have an installer that breaks another app, so that I reinstall the first program just to get the shared DLLs. That way, no unnecessary cruft is left behind.

Re:

[erroneus]

DLLs shouldn't be shared at all. There is no technical reason for it. In the past, hard drive space was an issue, but these days, space is measured in gigabytes rather than kilobytes. I have fixed many programs stuck in "DLL Hell" by acquiring an old version of a DLL and placing it in the same folder as the application's EXE. If software publishers did what Apple already does, which is putting everything associated with a program into the same folder, then those problems would certainly go away.

Re:

[nate_in_ME]

I don't believe that DLL sharing was ever really a space issue, but rather a situation where developers did not want to reinvent the wheel. For example, look at Firefox's "IE Tab" extension. This is possible because the MSHTML rendering engine that IE uses is also available for other programs to connect into as well. Without DLL sharing, there would be no real way to create something like this...

Re:

[khellendros1984]

How about when a patch for an exploit comes out? Copy that patched file into each of the 50 programs you have installed that use it? I actually hate it when I do a search for a dll and find 20 copies of the same thing, strewn around the drive.

Re:Uninstalling doesn't help??

[erroneus]

Unfortunately it would still be for the best. Very often software is written to link to misbehaving functions and system calls quite often. Updating a single DLL can break as much or more than it fixes. Truly there are arguments for either side of that position. But ultimately when it comes to a "software product" it should be as self-contained as possible. One vendor should not be capable of rendering another program useless by updating a single DLL. Applications should be compartmentalized and self contained and especially not linked into the operating system.

Re:

[byner]

You may have plenty of hard drive space, but I doubt you actually want the performance and memory hit of loading reusable components several times over.

I'd rather have the Windows UI components and libraries shared and loaded in memory once than bloat memory space by requiring programs to have their own copy many times over.

Shared libraries are important. A problem maybe, related to your concern, is that some software shouldn't be making everything shared and in the core system especially when they don't cl

Re:

[lgw]

I have many gigabytes of memory as well, and any DLL that takes more than a few milliseconds to load is crap to begin with.

Shared DLLs are nothing but a problem. The very idea of a DLL is a solution to a problem of the 1980s thats just out of place in the third millenium. When you ship an EXE, you should be statically linked with whatever libraries you need, simple as that. One EXE and you're done.

Re:

[gzipped_tar]

Shared libraries are not only used to save storage space, but also facilitates code sharing in memory. If everything links the libraries statically it would be a waste of memory space at run-time.

I agree that the role of "archives" of libraries today is diminishing in the face of cheaper storage. But sharing code among processes is still a major function of shared libraries.

Re:

[lgw]

I have more memory than even my bloatware needs, for non-gaming purposes. There's no longer any point in saving memory either. Everything linking statically would "waste" a few MB out of many GB of memory - worth it if it saves me even 5 minutes of "DLL Hell".

Re:

[WNight]

Static linking is a problem as you say, but the idea of having private copies of the DLL is still valid. The system could hash the DLL at load and merge identical ones for the same space savings.

Re:

[Jamie's Nightmare]

DLLs shouldn't be shared at all. There is no technical reason for it.

Congrats. I think that one will win the coveted "Asinine Statement of the Week" award. You've got my vote.

Re:

[daveime]

So why are we still teaching CS students that code modularization and re-use are good things ?

Surely the whole point of DLLs (and shared onjects on nix) was that different programs could re-use useful code ? Now every programmer has to re-invent the wheel (or at least anything above the HAL), to avoid using any third-party DLL, just in case it's vulnerable to some exploit ?

Shouldn't we just be teaching the students, "fuckit, throw more hard disk space at everything, and duplicate code as much as possible" ?

Re:

[erroneus]

The Apple approach to applications installation is by far the best for users. Everything is in a *.app folder so if you want to remove the app, just move it to trash and empty trash.

Of course not every application/utility that is made for Mac OS X behaves itself properly. The "log me in" client is nearly uninstallable, for example. And would it surprise anyone to learn that uninstalling Microsoft Office from a Mac is also rather painful and non-trivial?

There are lots of negative things I have to say abou

Re:

[Mozk]

What about the user preferences? Those aren't stored in the .app folder.

Re:

[cerberusss]

Problem is, I can't find the procedure for completely uninstalling Adobe Acrobat or Acrobat Reader. Anyone found this?

Re:

[D Ninja]

I second that - haven't been able to find anything on completely removing the Reader. Anybody have this information?

Re:

[cerberusss]

After reading the articles, a fix seems to be to uninstall Adobe Acrobat Reader, and disable the Windows Search service (because Adobe's IFilter DLL is not removed when uninstalling).

Next step is to install another PDF reader like Foxit. I did download Adobe Acrobat Reader again, but didn't install it. In case of emergency, I can always temporarily install it.

Re:

[mcgrew]

Software vendors at large have a pretty disrespectful view of end-user computers.

The question is, why do we put up with it? I blame (partly) the Windows regsitry. Before that ill-concieved monstrosity it was easy to uninstall a program -- just open the two plain English files (I've forgotten what they were called), find references to the software, and delete those references and deltree the app's subdirectory.

With DOS it was even easier, just deltree the directory (later versions of DOS, before that you'd D

Re:

[erroneus]

win.ini and system.ini aren't they?

Yes, I remember those days fondly. Those files still exist today but I doubt they are still being used. You could try it out by adding some "run =" lines or whatever it was we used to do when we didn't want to see LNK files in the startup group..?

Re:

[mcgrew]

Yep, those were the files. I never thought I'd miss them, but then I never thought I'd run across a dumb monstrosity like the Windows registry either.

Re:

[denis-The-menace]

FYI: They are only used by Windows 3.1 apps running on XP/Vista/Windows7
and by virus/Trojan writers.

Re:

[hesaigo999ca]

I couldn't agree more!

Abject Morons

[ewhac]

And people wonder why I'm still using Acrobat Reader 6. With JavaScript turned off.

And, seriously, how does an uninstaller that leaves DLLs behind ever pass a non-corrupt QA process?

Schwab

Re:

[v1]

how does an uninstaller that leaves DLLs behind ever pass a non-corrupt QA process?

it's always either payoffs or deadlines. (usually deadlines)

Re:

[icebike]

Adding JavaScript to a product who's design goals was to preserve formatting
equivalent to a printed page was probably one of the worst software decisions
I've seen.

Re:Abject Morons

[digitalunity]

I believe that decision was made to make interactive PDF's possible. There was a serious case of feature creep in the PDF specification. This stems from Adobe really being out of touch with what users expected PDF to be(just a universal page layout format) and what they wanted to make it.

PDF now supports buttons, Javascript and a whole slew of other features that for the most part are not typically used. In fact, anyone who wants to use those features probably shouldn't be using PDF at all since only the Adobe reader supports them! There isn't even a good open source PDF program that supports forms. Some readers display them properly, but none that I can find allow you to complete them and save the completed form.

Re:

[icebike]

PDF now supports buttons, Javascript and a whole slew of other features that for the most part are not typically used. In fact, anyone who wants to use those features probably shouldn't be using PDF at all since only the Adobe reader supports them!

Quite true.
Most use of Acrobat is in pursuit of a document that could reliably be expected to display and print the same on my machine as on yours. Adding these features detracts from its primary purpose.

I understand the desire for One Reader to Rule them ALL, but various call-home features and interactive content manipulation still was a wrong approach for a package with the original goal of faithful unalterable reproduction.

Fill in forms are supported by many reader compatible clones. Even this feature i

Re: "Abject Morons"?

[John Dowdell]

To read a page you wouldn't need JavaScript, true. But PDF is also a predictable way to work with editable forms, and these include input validation and business logic.

jd/adobe

Re:

[Cro Magnon]

QA process? What's a QA process?

QA Process

[Lead Butthead]

What's more likely is that internally there's a bug logged for the poor uninstall behavior somewhere inside the organization that started out its life as "critical" but over time gets downgraded by PHB as being "unimportant" and eventually ended up in the "low" bin where nobody ever looks at.

Adobe has taken its time with the patch

[sobachatina]

"Adobe has taken its time with the patch"

Of course an independent research company was able to get a patch out quicker- they didn't have test their "fix" and they won't be held responsible if it breaks something else.

It is very naive to say this every time a patch for something is released by a company that "Slashdot" doesn't approve of. If I didn't know better I'd think the editors were just trying to get a rise out of the more childish component of their audience. (I know, I know, I must be new here.)

Re:

[Fulcrum of Evil]

It's very naive to assume that Adobe took so long because of the burden of testing. Frequently, companies simply don't consider exploits a priority unless shamed by the press.

Re:

[slashdot.org]

Of course an independent research company was able to get a patch out quicker- they didn't have test their "fix" and they won't be held responsible if it breaks something else.

Uhm, what worse thing can they be held responsible for than having their software cause all these computers to get trojaned?

Especially since apparently due to their negligence, even after uninstalling, the risk persists.

The reality is that software mfgs aren't held responsible for anything ever. Which IMNSHO is ridiculous.

As one of th

Re:

[VeNoM0619]

Uhm, what worse thing can they be held responsible for than having their software cause all these computers to get trojaned?

Uhm, all these computers could have their OS partition trashed because of some Win X "feature" due to faulty testing.

Then the article would've been: "Adobe releases patch from outside source, breaking millions, instead of testing!"

I'm on Adobe's side, if you wanted your fix so badly/early, then take it from the "untrusted" source (oh but you wouldn't, now WOULD YOU?). Otherwise wait for the official release that has been tested more.

I avoid Adobe Anything(TM) if I can

[mandark1967]

I'm using Summatra PDF Reader because I like the small footprint and the fact it provides me with the basic options I need without hogging resources.

Is it affected by these vulnerabilites too?

Re:I avoid Adobe Anything(TM) if I can

[ratboy666]

And how do you know that there isn't a vulnerability?

I'll let you in on a "secret". JBIG2 is a standard bi-level compression technique, that has been standardized. It uses statistical prediction, which makes for some interesting math. A standard reference implementation is available that works, and offers "reasonable" performance.

Almost every developer that is charged with JBIG2 implementation is going to use the reference implementation.

It is, of course, possible to generate other implementations. I wrote an alternate encoder that performed an order of magnitude more quickly for a client. But, it requires a great deal of analysis and skill to do so (no, I never touched decoding -- that was a hardware function. JBIG2 was used to transmit maps to a printer, which used a hardware decoder).

Anyone using an implementation based on the reference is probably at risk of an exploit (if that was the original source). So, you cannot state that using a non-Adobe product makes you safe (unless a source review is possible, and I suspect that the skill needed for defect detection in the JBIG2 decoder is probably beyond most C programmers as well).

But, the critical (and, unfortunately, "normal") problem of having service DLLs linked into core OS constructs certainly broadens the attack surface. Normal behavior (that is, incomplete de-installation) of system level components (because there is no reasonable way to determine the consequence of complete removal) simply exaggerates the issue.

I assume that your "alternative" also links into the shell constructs of Windows, exposing a similar attack surface.

You are probably not safe, either.

Re:

[anss123]

Almost every developer that is charged with JBIG2 implementation is going to use the reference implementation.

Sumatra use jbig2dec. Don't know if that's vulnerable or not.

I assume that your "alternative" also links into the shell constructs of Windows, exposing a similar attack surface.

No. Abode software dig much deeper into the shell. Sumatra only has an icon for pdf files and opens when they're clicked (no filters, browser plugins, etc).

What about 6,7 and 8?

[fluor2]

We have dozens of Acrobat Pro 6, 7 and 8 installs. How do we fix them? Are they vulnerable? Will Adobe use this to take advantage of the market?

Re:

[mottie]

You might be screwed on 6 but 7 and 8 are going to be fixed.

FTA: Adobe is planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18.
http://www.adobe.com/support/security/bulletins/apsb09-03.html

Re:

[jagilbertvt]

The question then would be, is 6 vulnerable to this? Or any of the vulnerabilities since it's last patch (early 07 I think). I don't have 6 to test with, but I have to wonder when they say previous versions may be vulnerable.. Sounds like they just want you to upgrade a product that may be working fine (and at a cost of $99 for a standard upgrade copy, multiplied by the number of employees in your corp that may have it.. that's not cheap).

Re:

[Colonel Korn]

Go to the options menu and turn off javascript. Problem solved.

Re:

[oasisbob]

Go to the options menu and turn off javascript. Problem solved.

*Sigh* This isn't true. Some versions of the exploit used Javascript for the heap spray, but Javascript isn't required [didierstevens.com] at all to exploit this issue.

Re:

[Colonel Korn]

Go to the options menu and turn off javascript. Problem solved.

*Sigh* This isn't true. Some versions of the exploit used Javascript for the heap spray, but Javascript isn't required [didierstevens.com] at all to exploit this issue.

Wow, in that case I guess I'll just remove the association between pdf and any reader in my browser. Most web pdfs can be viewed as a pdf through search engines, anyway.

Re:

[Colonel Korn]

Go to the options menu and turn off javascript. Problem solved.

*Sigh* This isn't true. Some versions of the exploit used Javascript for the heap spray, but Javascript isn't required [didierstevens.com] at all to exploit this issue.

Wow, in that case I guess I'll just remove the association between pdf and any reader in my browser. Most web pdfs can be viewed as a pdf through search engines, anyway.

I meant as an html, but now that I think of it that may be insufficient as well. I guess I'll relegate pdf readers to inside of a VM from now on.

Re:

[slashdot.org]

We have dozens of Acrobat Pro 6, 7 and 8 installs. How do we fix them? Are they vulnerable? Will Adobe use this to take advantage of the market?

Probably someone will come out with a proper removal of the search hook DLLs that apparently stay behind if you uninstall.

Other than that, I strongly suggest to find a non-Adobe product.

Yes, they may have a product that seems like it's the only choice. But do you seriously want to use software from a company that has blatant disrespect for it's customers? And becaus

Patching instructions

[Anonymous Coward]

I found online a PDF with these patching instructiAFDSFHRYI/%IGM;%&TQWEFÃ'WF NO CARRIER

The patch is bigger than the install?

[ThreeGigs]

Patch for Reader: 103 MB
Fresh download of Reader: 41 MB

Am I the only one who thinks that a bit odd?

Re:

[Anonymous Coward]

I'm sure the change log explains exactly what each of those 103 million bytes do, including the reasons for it being even bigger than the whole OpenOffice package, while still not being able to convert anything to a PDF.

Re:

[westlake]

Patch for Reader: 103 MB Fresh download of Reader: 41 MB Am I the only one who thinks that a bit odd?

I'd say that depends on how many versions of the Reader are being patched.

Doesn't help if you're stuck on 8

[myxiplx]

Well, I was just about to whinge that this still doesn't help those of us stuck on version 8, but I see that today Adobe have finally fixed the 9 month old bug that stopped us upgrading: http://kb.adobe.com/selfservice/viewContent.do?externalId=kb404597&sliceId=1 [adobe.com]

Unfortunately for them, today was the day we migrated every single computer over to PDF-XChange. Barring any major problem, I can't see us using Adobe products for a long while. I'm not interested in sticking with any vendor that takes 9 mont

Pwnie award nominee

[coolamber]

This vulnerability has pwnie award written all over it.
I would like to nominate it for the most epic fail category.
http://pwnie-awards.org/2008/ [pwnie-awards.org]

The Final Straw

[Erik Fish]

This is what made me install AdBlock. I was good with just FlashBlock for years but with all the PDF exploits showing up in banner ads the past few months, last week I decided I'd had enough.

"Just" using a non-Adobe PDF reader is good until you grow up and realize that something not being displayed in a PDF could very easily mean serious consequences. Ever fill out an employment app in a PDF? Yeah.

acrobat alternative on Windows

[mzs]

I had been Windows free since 1996 (Mac, Linux, FreeBSD, and Solaris only), but recently I got a used XP machine because my kids were having trouble keeping-up in school with the computer stuff because they did not have the same programs at home. Well the XP machine was just too slow, so I bought a new Vista machine (I also have FreeBSD on it for me).

Wow that sounded like an alcoholic rationalizing falling off the wagon...

What is a good alternative to Acrobat for Windows? Preview.app is fine on the Mac and