Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Bug Media

Adobe Confirms PDF Zero-Day, Says Kill JavaScript 211

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"
This discussion has been archived. No new comments can be posted.

Adobe Confirms PDF Zero-Day, Says Kill JavaScript

Comments Filter:
  • Ditch Acrobat... (Score:5, Informative)

    by nweaver ( 113078 ) on Wednesday April 29, 2009 @02:21PM (#27763009) Homepage

    Adobe is really slow about security patches on Acrobat. This is just the latest.

    Its the reason why Miko Hypponen of F-Secure says you should ditch acrobat and use something else [slashdot.org].

    • Re: (Score:2, Insightful)

      by TommydCat ( 791543 )

      Yeah... like if I'm offered the choices

      1. Disable javascript and kill the web
      2. Uninstall Adobe_who_evidently_can't_code_their_way_out_of_a_wet_paper_bag crap

      Why would I choose the former? Even if I do that I'm sure they'll have another exploit by next Wednesday that wouldn't be defanged by disabling a scripting language, looking at their track record [google.com]..

      Color me tired of this much more so than surprised..

      • Re:Ditch Acrobat... (Score:4, Informative)

        by Fatalis ( 892735 ) on Wednesday April 29, 2009 @02:34PM (#27763157) Homepage Journal

        It's about disabling JS in Acrobat itself, not in general. For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.

        • by TommydCat ( 791543 ) on Wednesday April 29, 2009 @02:37PM (#27763211) Homepage

          Ok, color me surprised then... Thank you for the clarification.

          I think I'll step out and talk a walk to muse about why companies writing mission-specific utilities throw in the kitchen sink-type bloat and wonder why they couldn't see their ship coming in over the Sea of Vulnerabilites...

          • by Gordo_1 ( 256312 ) on Wednesday April 29, 2009 @03:33PM (#27764009)

            Bloated? I don't think one should describe what Adobe has done to Acrobat Reader simply as "Bloat". I suggest redefining the term as a verb with a tip of the hat to the new masters, as in "you silly hack, you've adobed your software!"

            After getting fed up with Reader in the wake of the Feb. 19th PDF remote exploit notice (http://www.adobe.com/support/security/advisories/apsa09-01.html/ [adobe.com]) I decided to install FoxIt (I know, proprietary, not open source goodness)... But anyway, when I went to uninstall Adobe Reader, Windows claimed it to be taking up 221MB on my hard drive. 221 Megabytes! For a document reader!?

            After installing FoxIt, Windows claims that it takes up only 7.15MB, which I corroborated by checking the size of the install directory. For the life of me, I can't figure out what exactly it is that Adobe Reader does that FoxIt doesn't. They're functionality identical so far as I can tell. So what in god's name is Adobe doing with that extra 200 megabytes of disk space?

            • Re: (Score:2, Insightful)

              Precisely that bloat functionality.

              Advanced forms handling, embedded content, Adobe javascript, et cetera.

              Things most people never need and things that would use Microsoft Word if Adobe had never offered the functionality.

              You won't run into them too often outside giant bureaucratic systems where some boss thought using PDFs for forms was a great idea.

              • Re: (Score:3, Informative)

                by Kneo24 ( 688412 )

                You won't run into them too often outside giant bureaucratic systems where some boss thought using PDFs for forms was a great idea.

                I ran into something similar at work once. I had the guys in QA load up my thumb drive with all of the procedures that go for the product line I had inherited from one of the other leads there that... well, no need to digress... The documentation was just so fucking sloppy that most of it had to be completely rewritten from scratch. I couldn't make heads or tails of anything when I went to do any testing.

                I sat down with the technician that I was now in charge of for this stuff. As I was trying to have him t

            • by Anenome ( 1250374 ) on Wednesday April 29, 2009 @04:14PM (#27764511)

              "So what in god's name is Adobe doing with that extra 200 megabytes of disk space?"

              I shouldn't really be telling you this, but there's an easter-egg video involving Carrot Top hidden somewhere in Adobe Reader. Call it a result of the 'more megabytes = more powerful' school of software management :P

            • Re: (Score:3, Informative)

              by maxume ( 22995 )

              On my install, which is 9.0 updated to 9.1, there are 60 megabytes of setup files. 20 of it is the installer for 9.0, and 40 of it is the installer for 9.1. Of the remaining 120 megabytes (that's right, the total is 180 megabytes), about 45 megabytes are devoted to dlls and executables, and about 30 are devoted to 'linguistics' resources, which must be language support files.

              Clearly they don't care about using my disk (obviously, neither do I).

            • Im on ur drive... eatin ur sectorz! om nom nom.

            • Re:Ditch Acrobat... (Score:5, Interesting)

              by Skuld-Chan ( 302449 ) on Wednesday April 29, 2009 @05:22PM (#27765261)

              For most people there is no difference, but if you are working with livecycle forms online (which some public sites use) nothing but Adobe Reader will work with those.

              If you use postscript passthrough - I don't know if any apps outside of Adobe that support this.

              If you use annotations (3d objects, comments/notes, multimedia, videos etc) - most other readers don't support this - or if they do they only support notes/comments.

              If you need to deploy a pdf viewer to a couple thousand machines - I'm not aware of any that have an installer for automating this - Adobe Reader does however.

              So its not for everyone, but speaking from experience it is for a lot of people and a lot of big enterprises.

              That said - Foxit is probably the most feature complete pdf viewer outside of stuff from Adobe, however It would be generous of me to say that it supports 1/10th of the pdf features Adobe Reader supports.

          • Comment removed (Score:5, Insightful)

            by account_deleted ( 4530225 ) on Wednesday April 29, 2009 @03:40PM (#27764107)
            Comment removed based on user account deletion
            • Re: (Score:3, Interesting)

              by Skuld-Chan ( 302449 )

              These companies don't see that we often simply want a simple app to do a simple job fast, cleanly, and with minimum bloat. Instead they try piling in the kitchen sink hoping that one of the bazillion functions they pile in there might make it the "must have" for "the next generation" or again whatever buzzword bingo you choose. Just look at all the crap Nero has piled into what was once a clean and easy burning app. That is why for myself, my customers, and my family I routinely install Foxit Reader [wikip

        • Re:Ditch Acrobat... (Score:5, Interesting)

          by wiredlogic ( 135348 ) on Wednesday April 29, 2009 @03:11PM (#27763703)

          For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.

          Which is ironic since PDF was originally designed to be a reduced, non-Turing complete version of Postscript partly for the safety of a restricted interpreter.

        • by Deanalator ( 806515 ) <pierce403@gmail.com> on Wednesday April 29, 2009 @03:27PM (#27763905) Homepage

          Check out the stuff Immunity is selling.
          http://www.immunityinc.com/ceu-index.shtml [immunityinc.com]

          They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.

          Also notice that immunity also has exploits for things like foxit reader, so switching your favorite pdf reader every week isn't going to save you either.

          The main problem here is that parsing pdf is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web based solution to view pdfs until adobe creates a lighter, more secure version of reader that contains nothing but the necessary plug-ins.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      According to Secunia disabling Javascript does not mitigate the risk. Old news?

      http://secunia.com/blog/44/ [secunia.com]

    • by OakDragon ( 885217 ) on Wednesday April 29, 2009 @03:37PM (#27764071) Journal

      Adobe is really slow about security patches on Acrobat.

      Have you updated the Adobe Updater? Perhaps what we need is an updater to update the Adobe Updater.

    • by gilgongo ( 57446 )

      And if you need some further discussion on the subject of The World's Worst Software [slashdot.org]...

  • by idontgno ( 624372 )

    kill Javascript.

    And while you're at it, deep-six the rest of that Web 2.0 crap.

    Just not on my lawn, you crazy kids!

  • Y'know... (Score:5, Insightful)

    by Mr. DOS ( 1276020 ) on Wednesday April 29, 2009 @02:30PM (#27763121)

    ...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.

    It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.

          --- Mr. DOS

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      The average user immediately presses 'accept' or 'ok' on any prompt that comes up when they open a file without reading the message or thinking about what it means. Adding this requirement is just annoying for users and does absolutely nothing.

      What I would like to see is a way to deploy Reader to client PCs with JavaScript disabled through a configuration file or command line flag. It is not realistic to expect users to go to preferences and disable JavaScript on an application that is used to view document

    • I'm told we can kill JavaScript because our "IntraNet" (cringes) uses PDFs with JavaScript!

      Adobe could also implement Zones or something like it but that idea didn't work too well in IE.

      If Adobe can put sound and videos in PDFs, why not security? They can't say it's because it would stops things from working, they already have DRM built-in to PDF.

  • by nine-times ( 778537 ) <nine.times@gmail.com> on Wednesday April 29, 2009 @02:35PM (#27763175) Homepage

    Sorry, I know I'm beating a dead horse and risking karma-whore status, but do we really need a scripting language in PDFs at all? I mean, yes, sorry, I know that there are probably people out there who need that, but I'd wager the gross majority don't.

    What most of us need (or at least what I need) PDF for is to have a portable format that's open, widely supported, and can give me pixel-perfect output regardless of the platform or what fonts you have installed. I don't need scripting, flash, embedded movies, or anything else of the sort. Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app? Because I want to view PDFs, but I have no interest in the associated security risks or bloat from throwing the kitchen sink into PDF functionality.

    • Re: (Score:3, Funny)

      by doi ( 584455 )
      You mean like TEX?
      • Much as I like [La]TeX, using a format or document interchange that runs in a turing-complete interpreter with full access to my filesystem and the ability to run external commands doesn't seem like an improvement, security-wise, over PDF. DVI, maybe...
    • by characterZer0 ( 138196 ) on Wednesday April 29, 2009 @02:42PM (#27763265)

      Programatically clone a page to the end of the document.

      Calculate and fill fields based on the value entered into other fields.

      Update reference data from the web.

      There are good uses.

      • All of these things seem pointless with 'always on' internet connectivity. Why not just go back to the provider for a new version?

        These architectural considerations for reader are so 1999.

      • by iamhigh ( 1252742 ) on Wednesday April 29, 2009 @03:21PM (#27763823)
        And there are far better solutions than a PDF *display* application to accommodate all of those. Have an application that does that and spits out the PDF. That was the point of the OP; we don't need Adobe to be a be-all-end-all for computer programming. We simply need it to display data.
      • Re: (Score:3, Interesting)

        by PhxBlue ( 562201 )

        Programatically clone a page to the end of the document.

        I'm not familiar with what you're talking about, here -- can you point me to an example? Also, when would you need to do this?

        Calculate and fill fields based on the value entered into other fields.

        PDF doesn't need to be a spreadsheet.

        Update reference data from the web.

        Seems like HTML/XML/Javascript would be a better solution to that, don't you think?

      • These are good uses of javascript, but bad uses of pdfs!
        Programatically clone a page to the end of the document. print these dynamic fields, so what advantage does using a pdf offer over a webpage (or if you cant get a webpage into a 1 file format then a small java applet seams better suited than a pdf)?
        Update reference data from the web. - doesn't it make more sense to update your pdf?

    • by mcrbids ( 148650 )

      Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app?

      No, we can't.

      Because it's an open format, if Adobe doesn't "innovate" on it and stay king-of-the-hill, they will lose market share to other products that will embed movies and such. Adobe has to continue to innovate or they risk losing their status as the big cheese, and they make lots of money

      • by smoker2 ( 750216 )
        Name those apps ....
      • by bcrowell ( 177657 ) on Wednesday April 29, 2009 @06:44PM (#27766095) Homepage

        Because it's an open format, if Adobe doesn't "innovate" on it and stay king-of-the-hill, they will lose market share to other products that will embed movies and such. Adobe has to continue to innovate or they risk losing their status as the big cheese, and they make lots of money with Acrobat professional.

        Yep. They want flash, pdf, and AIR [wikipedia.org] to be ubiquitous. This [newsweek.com] article shows their point of view: "What's wonderful for Adobe is, we are pretty much everywhere you look. [...] Just about every Web site uses Flash. Every tax form you download off the IRS is done in PDF. So it's OK if the average consumer does not know who Adobe is. We're almost like air." They want their suite of tools to be a ubiquitous consumer-level software tool like Windows, and they understand that if they're going to make money that way, they have to convince people that their tool is better than the free alternatives, just as MS has to convince people to desire Windows rather than Linux.

        Adobe is very clever about making their formats and implementations open enough to get them widely adopted, while maintaining their market position via a combination of (a) the first-move advantage when they release new features, and (b) keeping certain aspects of their formats and implementations just proprietary enough to maintain the perception that the competition isn't as good. You see it with flash, where they've opened up a lot recently, but for most developers there is really no viable alternative to using Adobe's tools. You see it with pdf, where they sell people snake oil, e.g., convincing them that the DRM features are useful, even though they're trivial to circumvent.

        One of the big things working in their favor is patents. E.g., flash supports mp3 but not ogg, which makes it difficult to make a legal, OSS toolchain for flash development, because the license for mp3 forbids distribution of encoders in large numbers without paying a royalty. Ditto for patented color management and patented video codecs. Any patented special sauce they can add to their apps makes it easier for them to differentiate themselves from the free competition.

    • Re: (Score:3, Funny)

      Oh, fine. Next you'll be telling me that you don't want moving parts in your books. Well, maybe you can explain to my little boy why Mr. Giraffe won't wake up when we open that page in Happy Fun at the Pop-Up Zoo!, or why Baby Roo won't peek out of Mama Roo's pouch any more.

      Besides, we've already learned to skip the page with Mr. Angry Monkey.

      • by icebike ( 68054 )

        Does Mr Giraffe reach over and grab the phone and call the publisher each time you read the book, reporting your name and address each time it does?

    • No, actually, Adobe can't do that. If they want to deploy software to the masses, they need to either make it part of Reader or make it part of Flash. Anything else is bound to fail.

    • by colfer ( 619105 ) on Wednesday April 29, 2009 @03:02PM (#27763535)
      The US Postal Service click-n-ship requires you turn on that JS crap in Acrobat. Once you click "yes", Acrobat leaves it on unless you go disable it again, each time. Vendors like the USPS need to get a clue.
    • Well, it's only following an evolution in documents. Pretty soon, a document reader/creator becomes 'feature complete' in respect to fulfilling those functions, so firms start adding features that enable documents to become, in effect, working applications. End users find them to be terribly effective in what the want as far as functionality goes, but you get with it the standard fair of problems of layering a development environment on the foundations of something that was never intended to be that.

  • by wiggles ( 30088 ) on Wednesday April 29, 2009 @02:36PM (#27763201)

    Why the hell do we need javascript in a document reader in the first place? Acrobat is not a web browser, and I fail to see any situation that justifies a scripting language that has nothing to do with static documents. I suppose it could be useful for some fill-in forms, but that's about it.

    Seems like a solution in search of a problem to me.

    • Not that I think we need JS in acrobat either, but I bet someone said the exact same thing as you when someone told them about the idea of putting Javascript in web browsers.
  • Having never handled PDF documents except to read them, I wasn't even aware they could contain Javascript. I don't understand why they need to. Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

    • by Red Flayer ( 890720 ) on Wednesday April 29, 2009 @02:56PM (#27763453) Journal

      Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

      That didn't sound so bad. Until I thought about stack overflow vulnerabilities.

    • Re: (Score:3, Funny)

      You'll be fine unless there's a buffer overflow. Though I suppose remote execution would be a problem if you're in the shower and some jackass decides to flush an output stream.
    • by RobBebop ( 947356 ) on Wednesday April 29, 2009 @03:19PM (#27763793) Homepage Journal

      Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

      Woah now! Don't let the cat out of the bag too early. Considering how far toilets have come over the century, you'll be happy with a little Javascript injection turning your toilet into a Spam Zombie.

      Let's review:

      1. Toilet 0.0: A bush. Possible attack vectors include bee stings and bear claws.
      2. Toilet 1.0: A hole in the ground. Insects and burrowing creatures stung and bit you when you dug your hole to close to them.
      3. Toilet 2.0: The community toilet. Walls give you privacy, but god awful smells make it painful to use.
      4. Toilet 3.0: The Flush Toilet. Don't put too much in or it overflows.
      5. Toilet 4.0: The Autoflush Toilet. Same as previous, but multiple flushes each time you try to wipe yourself.
      6. Toilet 5.0: (coming soon) Internet Integrated Diagnostics Toilet. Javascript vulnerabilities and toxic Chinese workmanship.
    • Here at the office, we have auto-flushers.

      They usually wait until you adjust a little and then power-flush a gallon of water in a bidet-like fountain, then when you leave spray you again. Inevitably, every toilet will be, shall we say, visibly un-flushed upon entering the rest room, so you have to pre-flush using the manual black button.

      Now, despite the obvious bugs, it has to have some sort of logic in there. I was going to reply saying "no, you're an idiot", but in preparing my response I decided that w

  • by 140Mandak262Jamuna ( 970587 ) on Wednesday April 29, 2009 @02:39PM (#27763233) Journal
    Start using Foxit or some such pdf reader. Everybody and his brother wants to be a browser. Why the hell did Adobe add javascript and the ability to open internet connections and hypertext links inside a PDF reader?
  • We don't need JavaScript in a PDF viewer, at least not for normal purposes. The problem is that Adobe keeps putting additional functionality in the reader. Functionality that I don't need 99% of the time. It's hard enough to create a secure document viewer thats able to do font rendering and vector graphics and such. Lets focus on that and use another viewer for forms and such. Heck, create a PDF viewer first where I can normally select and copy text.

    BTW, this is how I currently use PDF documents. I use a s

  • Okular instead (Score:3, Informative)

    by CajunArson ( 465943 ) on Wednesday April 29, 2009 @02:44PM (#27763297) Journal

    Okular rocks, and it apparently can run on Windows [kde.org] as well.
    My only feature upgrade request would be to have the underlying PDF engine allow for saving of annotations back to the PDF files... I want a digital highlighter pen.

  • Mac? (Score:3, Insightful)

    by dingen ( 958134 ) on Wednesday April 29, 2009 @02:44PM (#27763299)
    There's an Adobe PDF reader for the Mac? Seriously? Who on Earth would install that monster on a platform with native PDF-support?
    • I'd guess, the same type who find Adobe Reader on Linux/Gnome useful, i.e., masochists, sadist IT guys, and IT guys who don't know any better. Oh, and those who need to need to fill out forms in PDF's.

            --- Mr. DOS

      • If you are using the built in reader that comes with gnome, shouldn't you by the same token be judged as masochist?

        I mean, I would be really HAPPY! if it worked right, but problem is that it is full of rendering bugs and memory leaks.

        I had to reluctantly install Acrobat from medibuntu after running into several PDFs which had serious problems.

           

  • by Manip ( 656104 ) on Wednesday April 29, 2009 @02:45PM (#27763309)

    Adobe seriously needs to get its act together. Adobe Reader is in the top 5 most exploited applications and we have a new "highly serious" bug getting released every month or so.

    It is slow, it is huge, and it is full of bugs... And it is entirely unjustified for an application designed to read a single file format!

    • Hey, isn't this a golden, golden opportunity for the open source community? Here you've got the industry leader droppin' it like it's hot, time to pickup the ball. Chop, chop! How hard could it be to code a bare-bones PDF reader (asks the nonprogrammer)?

      The only features I have to have are the various view options, the ability to fullscreen it, and the fact that it saves my position in the document between views (and actually, the adobe reader sucks at this because it only saves upon closing, so if your sys

  • I needed to fill out a PDF form, (was not allowed to do it by hand) but couldn't find anything under Linux besides acrobat which would do this. I tried xpdf, evince, and GhostView. Google was of no help. I had to resort to actual Acrobat (not on my computer) which at the time had *unpatched* vulnerabilities! Any alternatives would be welcome.
    • Okular allows for you to fill in forms, and even save the form data in the PDF itself, putting it one step ahead of the free Adobe reader.

  • by biddly718 ( 1382689 ) on Wednesday April 29, 2009 @03:06PM (#27763591)
    According to Secunia disabling Javascript does not mitigate the risk. Old news? http://secunia.com/blog/44/ [secunia.com]
  • by Allen Varney ( 449382 ) on Wednesday April 29, 2009 @03:25PM (#27763887) Homepage
    It's fine that Adobe recommends disabling JavaScript in Acrobat, but it would be nice if, once you disable JavaScript, Acrobat didn't thereupon constantly nag you to re-enable it "from now on for all documents" every time you open a .PDF. "It looks like you've disabled JavaScript! Can we please turn it back on forever, you poor ignorant dimwitted user you?"
  • Sumatra (Score:5, Informative)

    by Tubal-Cain ( 1289912 ) on Wednesday April 29, 2009 @03:27PM (#27763915) Journal
    To provide a break from all the Foxit endorsements: Sumatra is open source, works well and is smaller than Foxit. Also, it is a stand-alone executable, not an installer. Now I just need to figure out how to set Continuous scrolling as default...
  • I never launch Acrobat Reader, and only rarely Acrobat Professional thanks to the simplicity and speed of Preview.app.

    I remove the acrobat plug-in (manually from /Library/Internet Plug-Ins/ since Adobe BORKED their installers to a complete nightmare level) -- I'd just as soon download the PDF or view it in window if I'm in a webkit browser.

    Finally, all PDFs are associated with Preview and not Acrobat.

  • Ok, how does Acrobat/PDF thing impact the finding, downloading, and viewing of porn? Not all? Then why use it?

  • by cyberfunkr ( 591238 ) on Wednesday April 29, 2009 @04:23PM (#27764585)

    "Negative-One-Day Exploit"

    Used to refer to exploits that have existed in the wild for a long time, known to be a easy access point for exploits by consumers, but have only just been announced as a critical threat by the application owners.

    As in, "Javascript in a PDF file? That's a negative-one-day exploit just waiting for a press release."

Technology is dominated by those who manage what they do not understand.

Working...