Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Windows

Security Researcher Drops 15 Vulnerabilities for Windows and Adobe Reader 117

mask.of.sanity writes: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defenses. He said, "The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far." Jurczyk published a video demonstration of the exploit for 32-bit and 64-bit systems. His slides are here [PDF].
This discussion has been archived. No new comments can be posted.

Security Researcher Drops 15 Vulnerabilities for Windows and Adobe Reader

Comments Filter:
  • by Carewolf ( 581105 ) on Wednesday June 24, 2015 @12:19PM (#49978853) Homepage

    Sorry, I am not clicking on a PDF link that demonstrates a PDF attack.

    • The PDF rendered fine on OS X, not sure if that means its cleanly constructed, but it's readable, and not corrupt to the PDF previewer.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Thank God I'm using Firefox. Had I accidentally clicked on that link, I'm sure I would have had a good 2 to 3 minutes to realize my mistake and to close the browser window, since that's just about how long it takes for Firefox's shitty builtin PDF.js PDF viewer to kick in and render even the smallest of PDFs.

      • by ichthus ( 72442 )
        I know, right? That's how long it takes on my 200 MHz Pentium system too.
        • Re: (Score:2, Offtopic)

          by drinkypoo ( 153816 )

          I know, right? That's how long it takes on my 200 MHz Pentium system too.

          That's how long it takes on my six-core, eight-gig, SSD system. It is seriously pathetic how long it takes Firefox to view a PDF by itself.

          • How can you let your browser view pdfs by itself? It will open malicious pdfs automatically, adding a big security hole without much use.
            • Re: (Score:2, Funny)

              by adolf ( 21054 )

              How can you let your browser view pdfs by itself? It will open malicious pdfs automatically, adding a big security hole without much use.

              How can you let your browser view [GIF/JPEG/CSS/HTML] by itself? It will open malicious [user-requested content] automatically, adding a big security hole without much use.

              (When you get your head out of the sand, we'll talk about security.)

              • by raymorris ( 2726007 ) on Wednesday June 24, 2015 @04:50PM (#49981025) Journal

                Pdf is a subset of PostScript, a turing complete programming language. It's most often used for rendering documents, but is in no way limited to that. You can program an emulator in ps and run Linux inside your pdf. Gif and jpeg are not executable code. They are just (compressed) color VALUES).

                There was one security hole in one specific executable LIBRARY which processes jpegs, but jpegs themselves are not executable and therefore essentially safe. Not so for pdf.

                It is hoped that pdf is slightly safer than pure PostScript, but it's not FUNDAMENTALLY safer.

          • by adolf ( 21054 )

            The answer to the question that you did not ask is Pale Moon [palemoon.org].

            • The answer to the question that you did not ask is Pale Moon.

              Hilariously, I am running Pale Moon (x64 even) rather than actual Firefox. It's exactly as bad in this regard.

              • by adolf ( 21054 )

                What did you do to Pale Moon to allow it to grok PDFs, and why haven't you undone it yet?

                • What did you do to Pale Moon to allow it to grok PDFs, and why haven't you undone it yet?

                  I don't know, but I have done. Now I use SumatraPDF externally.

                  • I'm also running Pale Moon x64 (latest version) and it doesn't try to display PDFs. It just offers a download link (as I would hope, because I like to use an external reader).

                  • by adolf ( 21054 )

                    Well, you're on the right path: Pale Moon doesn't have pdf functionality OOTB. Look for and destroy a pdf.js in your profile directory, perhaps? Because whatever you have isn't getting updated, and according to TFS, that can be a problem from time to time.....

                    And yes, again: Firefox's pdf viewer is disgusting. Gmail's JS-based viewer actually provides presentable documents, and they seem to even print OK, but Firefox's interpretation of pdf (IN THE SAME BROWSER!) reminds me of the early days of Ghostsc

      • by Trogre ( 513942 )

        Heh, yes PDF.js is possibly the worse PDF renderer to see the light of day, with the possible exception of Apple's Preview.

        Thankfully just about every Firefox user redirects PDFs to open with okular or SumatraPDF.

  • Drops? (Score:5, Insightful)

    by thechemic ( 1329333 ) on Wednesday June 24, 2015 @12:22PM (#49978879)

    He dropped them from his to do list?

    He was carrying them around and dropped them?

    Slang for "He published them" ?

    He dropped them from his research list?

    He dropped the vulnerabilities from his own systems?

    Apparently "Slashdot" means to "Slash" the English language with slang. Can we please "DROP" the amateur reporting styles?

  • by Anonymous Coward

    I wish I could do without Adobe Reader. I really wish I could.

    Huge piece of bloated software. One of the largest virus vectors out there today. Unwieldy to deploy, manage. Filled to the brim with up selling features and advertisements. (Not as bad as Java, thankfully) You can fix a lot of that with group policies and Adobe's custom package generator but damn it's a pain in the as every time an update rolls out.

    There are a lot of PDF alternatives now, but fuck it if Adobe hasn't sunk their hooks in so many l

    • by thechemic ( 1329333 ) on Wednesday June 24, 2015 @01:27PM (#49979475)
      We installed Foxit Enterprise Reader and disabled in-browser PDF viewing for all browsers. This forces PDF downloads and everything displays wonderfully. It's lightning fast too!
      • I left Foxit behind when they started pushing crapware installs, and more critically, when it had some problems rendering some fairly basic PDFs correctly. Back to Adobe Reader for me as well.

        It's like that with MS Word docs as well. The damn things are so complicated that only the original code has a prayer of rendering it correctly, and even then not always.

  • "Curses! Foiled again!" says the NSA. Why in the heck aren't they doing this research again? Oh, because security is only for the strong.

    (Sorry for the slightly off-topic post guys, but it really riles me up that people aren't doing their jobs)

    • The NSA is an offensive organization, not a defensive one. That's it's mission. There's a very good argument to make that it should be prioritizing defense over offense, especially given, say, the OPM EPIC hack, but that's not it's mission right now.

      • by Bob the Super Hamste ( 1152367 ) on Wednesday June 24, 2015 @01:18PM (#49979383) Homepage

        The NSA is an offensive organization

        You could have just stopped there.

        • I could have, but it's important to remember that things aren't written in stone, and that we can change its mission through public debate and the political process. Ostensibly, anyway.

      • by vux984 ( 928602 )

        The NSA is an offensive organization, not a defensive one. That's it's mission.

        That's according to you. Now according to the NSA their mission, from their Mission pagel:

        "The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances."

        https://www.nsa.gov/about/miss... [nsa.gov]

        Offense is definitely a big part of there job. But right up there with SIGINT is IA (information assurance); so what is IA?

        Well I could look in a dictionary but lets see what the NSA thinks it is instead... since they are the ones charged with doing it:

        https://www.nsa.gov/ia/ia_bann... [nsa.gov]

        NSA's Information Assurance Directorate delivers mission enhancing information assurance technologies,

    • by ShaunC ( 203807 )

      Why in the heck aren't they doing this research again?

      They are, but when they find something, they add it to their arsenal and use it themselves instead of alerting anyone to the vulnerability. This fact was the subject of some hand-waving from the White House earlier in the year. There's a good chance NSA has known about several of these for a long time, which is a little disconcerting since the Adobe Type Manager exploit may date back to 1998.

  • Hmmm ... (Score:4, Funny)

    by gstoddart ( 321705 ) on Wednesday June 24, 2015 @01:13PM (#49979333) Homepage

    So, if I assume there's been at least one monthly major security issue attributable to Adobe (maybe twice monthly, once for Reader and once for Flash) ... and if we extend that over the last decade or, it becomes pretty obvious that Adobe writes some shitty code.

    I'm not sure a single software vendor on the planet, except Microsoft, has caused so much security holes in all of the history of computers.

    Pity we couldn't bill them for all the wasted time and resources.

    • To give them *some* credit, how many other pieces of software are as ubiquitous as Adobe Reader?
      • To give them *some* credit, how many other pieces of software are as ubiquitous as Adobe Reader?

        Well, there's Adobe Flash Player... which is the more wretched hive of scum and villainy?

    • Everybody writes shitty code. Not all code is as widely distributed as Adobe's.

  • Is there a good program that just *reads* without this constant useless updates and a 'need' for internet connection? Or should i just use an older version? Like 10 or 11?
  • I vote Adobe the worst software provider in terms of quality. We bash Microsoft quite a bit but think about it. Shockwave, Flash now Acrobat Reader must be the crappiest three pieces of software in terms of quality and vulnerabilities. I guess when you couple Adobe + Windows it's truly craptacular!

  • Before too long smart people will start using pencil and paper again.
    • I hope you realize that no smart person could respond to your post with said equipment. I guess this puts me in the dummy crowd.

      • by KGIII ( 973947 )

        I guess they could *then* (after using pencil and paper) do OCR on it and submit it but that really defeats the point.

    • "Before too long smart people will start using pencil and paper again" for anything requiring security.
      for social media... these tools are fine.

    • Wait, when did we (anyone needing to do anything remotely complex) stop using paper and pen (or pencil, or pen tablet; insert preference here)?

      I find that even if it's just on a pen tablet, the act of writing/sketching helps me process ideas and complex situations more effectively than mere rumination or typing.

  • The research has dropped 15 vulnerabilities? What does that mean? They did have the vulnerabilities but have now discarded them?

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...