Adobe Finally Fixes Remote Launch 0-Day

Trailrunner7 sends in this excerpt from Threatpost (Adobe announcement here): "Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac, and Unix users to malicious hacker attacks. The update, which affects Adobe Reader/Acrobat 9.3.2 and earlier versions, includes a fix for the outstanding PDF '/Launch' functionality social engineering attack vector that was disclosed by researcher Didier Stevens. As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file." Relatedly, Brian Krebs blogs about the downsides of Adobe's increasingly Byzantine update process.

It's not a 0-day anymore....

[snowraver1]

Why is every unpatched exploit a 0-day attack? Wouldn't this be more like a multi-month exploit?

Re:

[spazdor]

I logged in to ask exactly this.

If a company patches 0-day exploits, their dev team is really on top of shit.

Re:

[Monkeedude1212]

If a company patches 0-day exploits, their dev team is really on top of shit.

Or bumbling GENIUSES. Since the definition of a 0-day exploit is a vulnerability the developers don't know about.

Re:

[spazdor]

Nah, 0-day remains 0-day throughout the first ("zeroth") day in which it's released. So if the devs can get a patch out the door the same day that the exploit is first disclosed in public, it counts.

Re:

[Monkeedude1212]

I don't know of any company that has managed to do that though. In most cases, they are aware of the exploit at least a day before patching it. I mean, I can't imagine finding a solution, implementing it, and fully testing it in under 24 hours. I CAN imagine finding a solution, implementing it, and pushing it out, but that's dangerous.

Re:

[tomhudson]

Not so hard to do with web platforms, where "pushing it out" means changing a file or two on a server.

Of course, we've seen (here on slashdot) what happens when you try to do that too often ... but most of us have probably been in a situation where we're told to shell into the box and manually edit a file "right now!!!" with a best-guess way to stop something from being a problem, even if it's only to disable certain functionality temporarily while you work out a real fix.

Re:It's not a 0-day anymore....

[Darkness404]

Because its an attack out in the wild that the developers didn't know about and before a patch can be shipped.

Was it ever a 0-day?

[SanityInAnarchy]

I only saw a proof-of-concept. Have people actually been exploiting this?

Re:

[drinkypoo]

I only saw a proof-of-concept. Have people actually been exploiting this?

Further, there are 24 hours from first disclosure to the end of when you can call it a Zero-day exploit. But I think that you still get to call it a Zero-day exploit after days have passed.

Re:

[chrisG23]

Yes. If you do a google search for CVE-1297 (going from memory here, the CVE number might be off (CVE's are the numbering scheme used by the Mitre organization. One of the things they do is publish details on exploits/vulnerabilities as they happen, and security people use them as a reference point)) zero day you will find some analysis that was done on a pdf found in the wild.

Re:It's not a 0-day anymore....

[vawarayer]

Details in the PDF file attached to this e-mail.

Re:

[mcgrew]

When I got up this morning and fired up the little netbook, I got a message saying that Adobe had an update -- but the thing wasn't even on the internet; there were no local wifi signals this morning.

I wonder if it's really the patch, or if the Adobe bug let someone in my box? I dread internet security updates, and wish that, with software I've paid for at least (not free stuff like PDF readers) they'd snail mail a CD to me.

Re:It's not a 0-day anymore....

[Skuld-Chan]

The difference is how much warning you get. Most of the security bugs Adobe fixes are found internally (you'll never hear about those - unless it greatly affects product functionality), and even those told to them externally by 3rd party researchers they usually get a several month lead time.

Zero day bugs are where some guy says "surprise look what I found" on his blog without any warning despite how long a bug takes to fix.

Re:It's not a 0-day anymore....

[grcumb]

Zero day bugs are where some guy says "surprise look what I found" on his blog without any warning despite how long a bug takes to fix.

No, zero-day exploits are are... (wait for it) actively exploited in the wild before the first 'look what I found' ever appears.

Re:

[Skuld-Chan]

Isn't that kinda what I said?

Re:

[lennier]

Nope. Exploitation and disclosure are two completely different things.

If you've found an unpatched exploit and you're a black hat, are you going to blog to the whole world about it? Or quietly add it to your botnet kit without telling anyone?

If the second, it's a 0-day. No warning, no defense, no lead time, just blam, click the wrong web page, read the wrong email, or open the wrong PDF and you're rooted without knowing it.

Re:

[grcumb]

Isn't that kinda what I said?

No, that's kinda what you implied, but you left the door open for people to infer that you also meant that a zero-day was when a researcher announced a potential exploit without warning anyone else.

Re:

[TangoMargarine]

Yes, I wish every exploit could just be called an exploit (sans "zero day" in front of everything) unless it's specifically 1) a vulnerability the company has chosen not to fix, or 2) a vulnerability some guy somewhere knew about but hadn't used in order to keep it valuable. It's like if we were to start calling Microsoft Office "Microsoft Office for Windows" incessantly. It's assumed, unless you're specifically on a Mac or running it in WINE or something.

I'm pretty sure. Amiright?

It is 0 day but Adobe isn't sane so...

[Ilgaz]

Normally, a "0 day attack" accompanied with some black background, text like html page occuring means

1) Company doesn't take it serious and demonstrates their own case or explains why it is non issue for 99.9% (of course, add to fix list)

2) Company takes it serious (sends out an emergency hotfix which may remove functionality and not very tested but, it works until real thing ships)

As Adobe took it serious but didn't ship a God damn ".bat" file (yes, ms-dos .bat is enough) to remove the component which isn'

Re:

[The MAZZTer]

At first I thought you were just clueless, then I realized you were just a troll, now I'm just confused.

Re:

[s122604]

Clueless (about this), not a troll, I truly just don't know.

If I have flash plugins installed, but not acrobat, and I did my browsing in an account without admin privileges, how vulnerable would I have been?
If you can't answer, perhaps you are clueless as well?

Re:

[Teun]

You are clueless, what does Flash have, except the brand name Adobe, in common with Acrobat Reader?

Anyhow, would this have been a Flash vulnerability it could have affected the account you work in.

Re:

[mcgrew]

He's trying to be funny. Not sure if he's succeeding (I was up late last night and my cerebral cortex is malfunctioning this morning).

Re:

[xie]

You would have to be running pre-10.1 version of flash first. Then the exploit would have to force your system to execute code that was written for *nix. Since Windows is the majority of the market I doubt anyone has taken the time to write such code for this exploit. I think your safe. :)

Re:

[Teun]

Doh! What does an Acrobat Reader vulnerability have to do with Flash?

Re:Still I don't know

[lgw]

Apparantly, the same vulnerability existed in both products (Flash was patched a couple of weeks ago). I'm not sure how that works - I thought this was the vulnerability inherent in the PDF spec (Foxit had a patch out the same week this was disclosed).

Re:

[s122604]

Thank you for the kind explanation

I still don't understand why I was modded down to troll, twice
my question wasn't intended to offend/inflame anyone, but apparently it did

Re:

[ThatsNotPudding]

Apparently, the same vulnerability existed in both products (Flash was patched a couple of weeks ago). I'm not sure how that works

Because both were built upon the same solid Adobe bedrock of swiss cheese, spaghetti code, and apathy.

Re:

[lgw]

I think it's mostly the apathy. PDF was really great when it was new, and really was a page description format not a web portal. Far beteter than sending ps files to the printer when it took 10 mintues per page just to send the bits. Adobe pisses me off so much because they used to be genuinely innovative and useful.

Re:

[Anonymous Coward]

Don't get fooled into thinking a non-admin account is safe. Sure, unless you're root they probably can't set up a mail server, but check out all the files in your Documents directory. See anything the has financial information? Maybe a password list (encrypted or not)? How about email, do you store it on your computer? Do you use your browser to access any useful websites like email or banking sites? If you create a dummy account with highly restricted access (ie, you know what you're doing) you can p

Re:

[LordLimecat]

Sure, unless you're root they probably can't set up a mail server,

Whys that exactly? Does opening sockets require admin now?

Re:

[Dog-Cow]

In Unix, for port 25? Yes.

Re:

[Tim C]

But since when did a botnet node's mail server have to listen on port 25?

Re:

[Achromatic1978]

Why would a botnet node be running a mail server?

For spam, it could receive encrypted email through an RPC or other socket, and run an SMTP client.

Seriously, I think the first RBL check 99% of mail servers out there do is for "is originating SMTP server on a dynamic or residential connection".

Re:

[sitharus]

As this is an issue in Adobe Acrobat and Adobe Reader and you don't have either of them installed, you're not affected by this bug. It's very hard for software you don't have installed to cause problems.

There are other bugs in Flash though, they may cause problems, but this isn't one of them.

Re:

[chill]

As this is an issue in Adobe Acrobat and Adobe Reader and you don't have either of them installed, you're not affected by this bug.

Would that this were so. One of the issues was with the PDF spec itself. Other PDF tools, such as Fox-It, were affected as well and patched recently.

Re:

[Monkeedude1212]

I have used my ubuntu machine at home to look at several questionable flash based websites in the last few weeks

Well... Umm... You see, this fix has nothing to do with Flash, it's entirely in Adobe Reader...

But... Perhaps you should do a scan just in case. I'm not sure how questionable the sites you visit actually are, but if they are half as questionable as the sites I visit, you probably caught Erectile Dysfunction or something from just looking at it.

Re:

[mcgrew]

Check your email, I'm sure you can find some cheap v1agra.

Another PDF reader

[Anonymous Coward]

Missing from the summary is gsview. It makes a very secure pdf reader that works on windows, although it certainly isn't anything nice to look at. Uses ghostscript for the backend.

Re:

[colinrichardday]

I didn't see any MathML tests, and Firefox supports MathML rather well.

The Microsoft Word of PDF viewers

[MacCoder]

For the 90% of us who don't require all the minutiae of functionality and cruft which Adobe Reader offers, there are options. Obviously Mac folk are covered by Apple's built in Preview, but on Windows, Sumatra PDF is amazing and ridiculously small. It's better than Foxit, in my opinion, for barebones PDF viewing in Windows. Check it out! http://blog.kowalczyk.info/software/sumatrapdf/index.html [kowalczyk.info]

Re:

[MobileTatsu-NJG]

Seconded. I use a portable version of it found at portableapps.com. We've found that to be friendly at places that don't let you have admin access to your machine for things like installs.

Thanks, but no thanks.

[mapuche]

Thanks for the link. Comparing some documents side by side between Foxit and SumatraPDF, Sumatra rendering has some issues with gamma and images. Text rendering is a little better in Foxit. I can live with the yellow blank starting page, though.

Re:

[drinkypoo]

SumatraPDF fills a nice niche. If you hardly ever use Windows, it is sufficient for most purposes (occasional PDF viewing.) I have three windows systems which I use for gaming and stuff like that (e.g. a netbook which runs streets and trips; there's no good Linux navigation software.) They all have SumatraPDF and I've never been unable to read anything I've opened with.

It has long since gotten to the point where PDF is easier to deal with on Linux than Windows. Especially since if you really have to, you ca

Re:

[FinchWorld]

I've always had issues with sumatra, it seems to render some datasheets incorrectly, every now and again it'll consume 100MB+ ram, though that goes away when closing reopening pdfs, but most annoying is it'll happly stretch and print landscape documents on portrait (though you told it not too) and create several megabyte files to send to the xerox (which it really doesn't like).

Im having better look with foxit, even if it isn't as light weight.

Re:The Microsoft Word of PDF viewers

[lgw]

Sadly, my employer has chosen a payroll provider (ADP) that requires Adobe Reader specifically to view paystubs. Foxit won't work, nor will any of the other options (apparantly Acrobat has some stupid web toolbar option that's beyond PDF). Why would anyone do that? Now when I need to see my paystub I have to download 200MB of Adobe cruft, then later uninstall it along with Adobe Download Manager and a bunch of other crap that Adobe stuffs in along the way. Man, I hate Adobe these days.

Re:

[laptop006]

Mine uses ADP as well, but Evince on Linux works fine for me.

Re:

[tehcyder]

Wouldn't it be easier just to get them to print it out and post (snail mail) it to you?

Re:

[lgw]

That doesn't seem to be an option. Having them printed out and sent to the receptionist for hand distribution didn't fill me with joy.

Re:

[glwtta]

I'm not seeing how it's better than Foxit. Rendering seems to be slower, for one thing. And the minimalist tool bar is great and everything, but having the zoom control buttons accessible in one click is handy (or to put it another way, hiding them in a menu is annoying). No tabs, either.

Re:

[Zadaz]

Ever since Google put a PDF reader in Chrome it's been all I need for most things. Simple, fast, no cruft.

(To use it you need the dev version of Chrome. To enable it go to chrome://plugins/ and click on "Enable" for the "Chrome PDF Viewer" plug-in.)

Any good reader for Win98?

[UBfusion]

Thanks for bringing up Sumatra - do you happen to know any good pdf viewer for windows 98? (I tried Foxit 2.x but it's buggy as hell in win98).

I Uninstalled Adobe Reader

[puppetman]

after reading the summary and the Brian Krebs blog. I realized that Adobe is shipping a buggy, risky piece of software.

I installed Foxit Reader (minus the Ask.com search bar)..

It seems much snappier, and is significantly smaller.

Re:I Uninstalled Adobe Reader

[Skuld-Chan]

It's not like Foxit is completely without security flaws either.

Re:I Uninstalled Adobe Reader

[Skuld-Chan]

And doing just a bit of research - Foxit only fixed this exact same bug 2 weeks earlier than Adobe.

Re:

[ozphx]

I did this. I also uninstalled Java after getting pwned by that crap that breaks out the sandbox and manages to set your proxy to loopback before crapping on about all the "viruses" you are infected with.

Seriously only going to use addins that run in-process now - at least I slightly trust the CreateRestrictedToken API that IE8/Chrome use for tab processes.

MSP installer

[darthservo]

The MSP Installer [adobe.com] is also available for those who may use Adobe Reader in silent installs/updates.

Side rant: Why does Adobe still only offer the unpatched versions of Reader on their front page?

Re:

[jo42]

In the past, we delivered Adobe Reader updates as full installers or patches (for instance, 9.x = full installer, 9.x.y = patch). The Adobe Reader Download Center at http://get.adobe.com/reader [adobe.com] always offers the most recent full installer of Adobe Reader, which is currently Adobe Reader 9.3. After installation, the Adobe Reader Updater will automatically check and offer the latest patches to keep end-users up-to-date (as of today, the latest patch is Adobe Reader 9.3.3).

What a bunch of incompetent ass clowns. They can't even offer up a downloaded-able 9.3.3 install yet. You have to do it in two stages. If I was running the show, the people that crapped out this dung-pile would be looking for work tomorrow morning.

Re:

[Jesus_666]

What do you expect? This is Adobe we're talking about. Their name has been translating to "half-assed software development" for the last couple years.

:( multi-step update

[Arakageeta]

Ugh. I just updated on my Mac running 10.6.4. It looks like Adobe is still distributing Reader 9.3.0 as the default distribution package. I had to download/install this version and then apply individual patches for 9.3.1, 9.3.2, and finally 9.3.3. Annoying.

Perhaps it would have been easier had I updated from within Reader?

Worse on 10.5.8/PPC

[Ilgaz]

This time, whatever these idiots did, the jump from 9.3.0 to 9.3.3 doesn't work at all. It may have something to do with the idiotic "repair adobe pdf viewer" plugin dialogue, which has no title and opens at background, unclickable.

Idiots (hopefully they read) still install Adobe Updater to Utilities but they were lazy to feed it with data so, the dedicated (and working) Updater doesn't work too. Of course, it is still added to launchd per user schedule.

Man how worse you can get? I mean, I am not like those

is this distributed through windows update?

[Anonymous Coward]

is it? oh shit

Thanks for the fix, adobe

[eudaemon]

I appreciate they probably had some QA to do in order to release this puppy and it took a while, but I loaded Evince [gnome.org], un-installed flash and called it a day. If you can't see it on youtube using their HTML 5 beta [youtube.com] then that's a real good time to boot up Linux even if it's just in Xen [xen.org] or Oracle/Sun Virtualbox [virtualbox.org] running on Windows. It works just fine for web browsing and less zero day exploits.

Horray!

[Zadaz]

It's been nearly a week since I updated Reader! About time for another download install and unnecessary reboot!

Every single time Reader/Acrobat updates it resets its self as the default viewer. That's completely inappropriate behavior, especially for a 'security update'. (And no, I can't uninstall it. Job requires proofing PDF in Reader just like all my poor clients.)

I saw/overheard this in a bar recently (seriously):
Girl: So where do you work?
Guy: Adobe.
Girl: Oh yeah, you're the guys always asking me to

Re:

[Tteddo]

Hah! I had a client tell me about a problem with the font size on their website (it's already dynamic, set at 1em). His proof was that the person that complained worked for Adobe. Yeah, you know that Reader thing that bugs you all the time? That's Adobe.

Adobe, stop forcing restarts

[scdeimos]

When using ExitWindowsEx() at the end of your patch install, don't use the damned EWX_FORCE flag. It doesn't even give users enough time to respond to the "Save? Yes/No/Cancel" dialogs popping-up before the applications are kill -9'd and users lose all their unsaved data.

Re:

[butlerm]

If the Windows developers had a clue, they would make it so that application developers could update their software without requiring a reboot much of the time. Reboot intervals should be measured in years, not hours.

The Windows mandatory file locking scheme is brain damaged. Windows filesystems need to support a mode where a file can be replaced (Unix style) without disturbing people who currently have a file open for read only access (like running executables, for example).

About freakin time

[hesaigo999ca]

It's about time, however there are still a few more exploits that have not been addressed....until these have been fixed too, i am sticking to fox it pdf reader....