Security Researcher Drops 15 Vulnerabilities for Windows and Adobe Reader

mask.of.sanity writes: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defenses. He said, "The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far." Jurczyk published a video demonstration of the exploit for 32-bit and 64-bit systems. His slides are here [PDF].

PDF link to PDF exploit

[Carewolf]

Sorry, I am not clicking on a PDF link that demonstrates a PDF attack.

Re:

[saloomy]

The PDF rendered fine on OS X, not sure if that means its cleanly constructed, but it's readable, and not corrupt to the PDF previewer.

Re:

[Anonymous Coward]

Thank God I'm using Firefox. Had I accidentally clicked on that link, I'm sure I would have had a good 2 to 3 minutes to realize my mistake and to close the browser window, since that's just about how long it takes for Firefox's shitty builtin PDF.js PDF viewer to kick in and render even the smallest of PDFs.

Re:

[ichthus]

I know, right? That's how long it takes on my 200 MHz Pentium system too.

Re:

[drinkypoo]

I know, right? That's how long it takes on my 200 MHz Pentium system too.

That's how long it takes on my six-core, eight-gig, SSD system. It is seriously pathetic how long it takes Firefox to view a PDF by itself.

Re: PDF link to PDF exploit

[Zorpheus]

How can you let your browser view pdfs by itself? It will open malicious pdfs automatically, adding a big security hole without much use.

Re:

[adolf]

How can you let your browser view pdfs by itself? It will open malicious pdfs automatically, adding a big security hole without much use.

How can you let your browser view [GIF/JPEG/CSS/HTML] by itself? It will open malicious [user-requested content] automatically, adding a big security hole without much use.

(When you get your head out of the sand, we'll talk about security.)

images aren't a programming language

[raymorris]

Pdf is a subset of PostScript, a turing complete programming language. It's most often used for rendering documents, but is in no way limited to that. You can program an emulator in ps and run Linux inside your pdf. Gif and jpeg are not executable code. They are just (compressed) color VALUES).

There was one security hole in one specific executable LIBRARY which processes jpegs, but jpegs themselves are not executable and therefore essentially safe. Not so for pdf.

It is hoped that pdf is slightly safer than pure PostScript, but it's not FUNDAMENTALLY safer.

Re:

[adolf]

The answer to the question that you did not ask is Pale Moon [palemoon.org].

Re:

[drinkypoo]

The answer to the question that you did not ask is Pale Moon.

Hilariously, I am running Pale Moon (x64 even) rather than actual Firefox. It's exactly as bad in this regard.

Re:

[adolf]

What did you do to Pale Moon to allow it to grok PDFs, and why haven't you undone it yet?

Re:

[drinkypoo]

What did you do to Pale Moon to allow it to grok PDFs, and why haven't you undone it yet?

I don't know, but I have done. Now I use SumatraPDF externally.

Re:

[weilawei]

I'm also running Pale Moon x64 (latest version) and it doesn't try to display PDFs. It just offers a download link (as I would hope, because I like to use an external reader).

Re:

[adolf]

Well, you're on the right path: Pale Moon doesn't have pdf functionality OOTB. Look for and destroy a pdf.js in your profile directory, perhaps? Because whatever you have isn't getting updated, and according to TFS, that can be a problem from time to time.....

And yes, again: Firefox's pdf viewer is disgusting. Gmail's JS-based viewer actually provides presentable documents, and they seem to even print OK, but Firefox's interpretation of pdf (IN THE SAME BROWSER!) reminds me of the early days of Ghostsc

Re:PDF link to PDF exploit

[drinkypoo]

Chrome does a fantastic job rendering pdfs very quickly.
Why do you continue to use that pathetic browser?

I use both browsers. I use Chrome mostly for google sites, and anything that won't load in Firefox. I use Firefox mostly because I want Chrome to have competition, but also because noscript is still better on FF than on Chrome. And also because chrome's built-in cookie control is total shit which breaks sites so you either don't use it or you have a hard time with many websites, but cookiesafe works great all the time.

Re:

[ttucker]

I dropped Firefox because it is built on the carcass of an ancient browser, and its developers are more worried about playing tech specification hardball than implementing features that are/will be needed.

Re:PDF link to PDF exploit

[drinkypoo]

I dropped Firefox because it is built on the carcass of an ancient browser

And Chrome sprang fully-formed from the brow of its creator when they spake the word?

Re:

[turning in circles]

Why are you talking about browsers like it's an either/or? I use Firefox, Chrome, Opera, Iron, and even Internet Explorer depending on what I want to be doing, what cookies I want kept on the browser, etc. Firefox is poor at reading pdfs, though.

Re:

[LordWabbit2]

I agree, I use different browsers to separate accounts/cookies. I don't want one google portal for all my google accounts, fuck that. I use different browsers to keep my shit apart. Browsers are largely all the same - sure there are some that do x better and some that do y better. I prefer debugging javascript code in IE because of the better integration it has with Visual Studio, general browsing in Chrome because of the process isolation, Firefox for certain plugins that either don't exist in other br

Re:

[turning in circles]

More specifically SRWare Iron [srware.net] which also can be loaded and run from a flashdrive. My brother turned me onto this, I confess.

Re:

[WuphonsReach]

I dropped Firefox because they no longer have a usable sync across multiple devices. With two laptops, a desktop, a cell phone and a tablet, some sort of bookmark/password/history sync is absolutely essential to me.

Right now my options are... Chrome.

The killer feature for Firefox or Opera would be to offer some way to sync to any WebDAV backend. Then I could setup something like Owncloud / Seafile on my own hardware..

Re:

[ttucker]

I dropped Firefox because it is built on the carcass of an ancient browser

And Chrome sprang fully-formed from the brow of its creator when they spake the word?

Chrome is based on a rendering engine that was originally created by Apple in 2001. Webkit was a fork of KHTML, which was at the time a very short and cleanly written open source project. When Webkit began to impose crufty legacy problems on Chromium, a new fork was created with the intention of excising problem code. The Mozilla foundation got too comfortable with Firefox, and it is losing relevance quickly.

Re:

[drinkypoo]

Webkit was a fork of KHTML, which was at the time a very short and cleanly written open source project.

It was short because it was a half-assed rendering engine. It didn't become capable of rendering pages of any complexity until Apple got their hands on it.

Re:

[Bing Tsher E]

I use SeaMonkey because it's built on the legacy of an ancient browser. Both in codebase and in architecture.

Re:

[Trogre]

Cool. Show me another browser that does hierarchical side tabs and we'll talk.

Re:

[ttucker]

If you'd ever bothered to actually pay attention to Mozilla's bug tracker or Firefox release notes then you'd understand how full of shit you really are. But who needs reality to get in the way of their fantasies?

My opinion is formed basically entirely on asinine bugtracker comments from core developers. One of my biggest peeves is the reluctance and downright refusal to consider moving forward from NPAPI, even though it is one of the biggest security risks for web browsing.

Re:PDF link to PDF exploit

[preflex]

You still use NoScript?
uMatrix [mozilla.org] is available for Firefox now.
Goodbye NoScript. Goodbye RequestPolicy. Goodbye CookieSafe. uMatrix does it all and does it better.

Your web browser is a dog. uMatrix is its leash.
It's available for Chrome [google.com] as well.

Re:

[drinkypoo]

I might give it a try, but what I have now is working pretty well. I have a couple of special cases I'll throw it at, and see what happens.

Re:

[MyFirstNameIsPaul]

How does it do with handling XSS attacks? NoScript has been out in front on this for a long time.

Re:

[theArtificial]

In the same vein uBlock Origin [google.com] is pretty sweet, too. I recently came across uMatrix and I dig the interface.

Re:

[labnet]

Chrome does a fantastic job rendering pdfs very quickly.
Why do you continue to use that pathetic browser?

I use both browsers. I use Chrome mostly for google sites, and anything that won't load in Firefox. I use Firefox mostly because I want Chrome to have competition, but also because noscript is still better on FF than on Chrome. And also because chrome's built-in cookie control is total shit which breaks sites so you either don't use it or you have a hard time with many websites, but cookiesafe works great all the time.

Plus it has proper side tabs with the Tree Tab control. Something chrome removed a couple of years ago.

Re:

[Trogre]

Heh, yes PDF.js is possibly the worse PDF renderer to see the light of day, with the possible exception of Apple's Preview.

Thankfully just about every Firefox user redirects PDFs to open with okular or SumatraPDF.

Re:

[ttucker]

I can trust my Okular software to view it. Can *you* trust your software? No? Then why are you still using it?

Sounds like hubris.

Drops?

[thechemic]

He dropped them from his to do list?

He was carrying them around and dropped them?

Slang for "He published them" ?

He dropped them from his research list?

He dropped the vulnerabilities from his own systems?

Apparently "Slashdot" means to "Slash" the English language with slang. Can we please "DROP" the amateur reporting styles?

Re:Drops?

[belthize]

He held the exploits palm down before dropping them and then simply walked away exclaiming "Mateusz out".

Re:

[pr0fessor]

Where they on Magic Cards or in Pokeballs?

Re:

[Anonymous Coward]

It's just Dice trying to sound "hip" and "with it". I can't wait for Nerval's Lobster to use that in his next sponsored submission.

Re:

[Fortran IV]

Not Dice's fault (this time); the summary just quotes The Register's opening hook.

Re:

[bluefoxlucid]

Look we have an editor constantly ranting about "fat" and "beets" as if nobody ever feeds him.

Re:Drops?

[drinkypoo]

Apparently "Slashdot" means to "Slash" the English language with slang. Can we please "DROP" the amateur reporting styles?

If you're not a slashdot subscriber, who cares what you think? If you are a slashdot subscriber, that goes double.

Re:

[jabberw0k]

When a publisher drops a title, that means it is no longer in publication. Original headline is complete confusion.

Re:

[Quirkz]

When you have "extremely powerful primitives" the only thing you can do is drop.

Re:

[thechemic]

LOL

Re:

[TechyImmigrant]

>"Dropping a vulnerability" is common security community vernacular

Is it? Maybe I live in a security researcher bubble that doesn't interact with the cool security researcher kids who use 'drop' in place of 'publish'.

Re:

[puddingebola]

Thank you for dropping some science. Word.

Re: Drops?

[dasacc22]

Words.

I wish I could quit you, Adobe Reader.

[Anonymous Coward]

I wish I could do without Adobe Reader. I really wish I could.

Huge piece of bloated software. One of the largest virus vectors out there today. Unwieldy to deploy, manage. Filled to the brim with up selling features and advertisements. (Not as bad as Java, thankfully) You can fix a lot of that with group policies and Adobe's custom package generator but damn it's a pain in the as every time an update rolls out.

There are a lot of PDF alternatives now, but fuck it if Adobe hasn't sunk their hooks in so many l

Re:I wish I could quit you, Adobe Reader.

[thechemic]

We installed Foxit Enterprise Reader and disabled in-browser PDF viewing for all browsers. This forces PDF downloads and everything displays wonderfully. It's lightning fast too!

Re:

[Dutch Gun]

I left Foxit behind when they started pushing crapware installs, and more critically, when it had some problems rendering some fairly basic PDFs correctly. Back to Adobe Reader for me as well.

It's like that with MS Word docs as well. The damn things are so complicated that only the original code has a prayer of rendering it correctly, and even then not always.

Re:

[KGIII]

You convinced me to dig out a second laptop. I uninstalled FoxIt and can find no browser hooks in FF, Opera (beta), Chrome, left over files, files in the profile, or even any registry entries. This is the latest version on Windows 7. Where should I be looking for remnants?

"Curses! Foiled again!" says NSA.

[Torodung]

"Curses! Foiled again!" says the NSA. Why in the heck aren't they doing this research again? Oh, because security is only for the strong.

(Sorry for the slightly off-topic post guys, but it really riles me up that people aren't doing their jobs)

Re:

[StikyPad]

The NSA is an offensive organization, not a defensive one. That's it's mission. There's a very good argument to make that it should be prioritizing defense over offense, especially given, say, the OPM EPIC hack, but that's not it's mission right now.

Re:"Curses! Foiled again!" says NSA.

[Bob the Super Hamste]

The NSA is an offensive organization

You could have just stopped there.

Re:

[StikyPad]

I could have, but it's important to remember that things aren't written in stone, and that we can change its mission through public debate and the political process. Ostensibly, anyway.

Re:

[vux984]

The NSA is an offensive organization, not a defensive one. That's it's mission.

That's according to you. Now according to the NSA their mission, from their Mission pagel:

"The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances."

https://www.nsa.gov/about/miss... [nsa.gov]

Offense is definitely a big part of there job. But right up there with SIGINT is IA (information assurance); so what is IA?

Well I could look in a dictionary but lets see what the NSA thinks it is instead... since they are the ones charged with doing it:

https://www.nsa.gov/ia/ia_bann... [nsa.gov]

NSA's Information Assurance Directorate delivers mission enhancing information assurance technologies,

Re:

[ShaunC]

Why in the heck aren't they doing this research again?

They are, but when they find something, they add it to their arsenal and use it themselves instead of alerting anyone to the vulnerability. This fact was the subject of some hand-waving from the White House earlier in the year. There's a good chance NSA has known about several of these for a long time, which is a little disconcerting since the Adobe Type Manager exploit may date back to 1998.

Re:No surprises there

[Fortran IV]

It would have been nice if The Register's somewhat hysterical FA (much less the Slashdot summary) had made clear up front that Microsoft patched most of the Windows vulnerabilities all the way back in March (MS15-021), and the last one in May (MS15-044). According to j00ru's blog post, Adobe patched their holes in May as well.

j00ru was clear enough in his blog post, but El Reg decided to stick in one line: "Microsoft and Adobe issued patches in three updates."—six paragraphs down, looking more like an image caption than part of the article. Sheesh.

Hmmm ...

[gstoddart]

So, if I assume there's been at least one monthly major security issue attributable to Adobe (maybe twice monthly, once for Reader and once for Flash) ... and if we extend that over the last decade or, it becomes pretty obvious that Adobe writes some shitty code.

I'm not sure a single software vendor on the planet, except Microsoft, has caused so much security holes in all of the history of computers.

Pity we couldn't bill them for all the wasted time and resources.

Re:

[Anubis350]

To give them *some* credit, how many other pieces of software are as ubiquitous as Adobe Reader?

Re:

[drinkypoo]

To give them *some* credit, how many other pieces of software are as ubiquitous as Adobe Reader?

Well, there's Adobe Flash Player... which is the more wretched hive of scum and villainy?

Re:

[StikyPad]

Everybody writes shitty code. Not all code is as widely distributed as Adobe's.

Getting tired...

[NotThisMind]

Is there a good program that just *reads* without this constant useless updates and a 'need' for internet connection? Or should i just use an older version? Like 10 or 11?

Re:

[Virtucon]

foxit reader. http://www.foxitsoftware.com/d... [foxitsoftware.com]

Re:Getting tired...

[drinkypoo]

I use SumatraPDF. AFAIK it's the smallest windows PDF reader which is worth using, I believe it's smaller than Foxit. But it's been a while since I installed Foxit, so a comparison would take effort.

Re:

[Anonymous Coward]

Modern versions of foxit have quite a lot of bloat.

Can we just take a vote

[Virtucon]

I vote Adobe the worst software provider in terms of quality. We bash Microsoft quite a bit but think about it. Shockwave, Flash now Acrobat Reader must be the crappiest three pieces of software in terms of quality and vulnerabilities. I guess when you couple Adobe + Windows it's truly craptacular!

Re:

[Fortran IV]

And 8 of the 10 Windows vulnerabilities were related to the Adobe Type Manager Font Driver (ATMFD.DLL). I don't know how much of ATMFD was written by whom, but according to Wikipedia, "Adobe licensed to Microsoft the core code." That makes Adobe responsible for 13 of the 15 vulnerabilities, including all 9 of the most dangerous.

Smart people

[AndyKron]

Before too long smart people will start using pencil and paper again.

Re:

[Spinlock_1977]

I hope you realize that no smart person could respond to your post with said equipment. I guess this puts me in the dummy crowd.

Re:

[KGIII]

I guess they could *then* (after using pencil and paper) do OCR on it and submit it but that really defeats the point.

Re:Smart peopleFTFY

[zlives]

"Before too long smart people will start using pencil and paper again" for anything requiring security.
for social media... these tools are fine.

Re:

[weilawei]

Wait, when did we (anyone needing to do anything remotely complex) stop using paper and pen (or pencil, or pen tablet; insert preference here)?

I find that even if it's just on a pen tablet, the act of writing/sketching helps me process ideas and complex situations more effectively than mere rumination or typing.

Horrible wording

[Trogre]

The research has dropped 15 vulnerabilities? What does that mean? They did have the vulnerabilities but have now discarded them?

Re:

[ttucker]

Where does OpenSSL fit into your story? No software is perfect, and assuming it is invites peril.

Re:It's Adobe fault

[JcMorin]

Where is Windows fault in that? The version of Adobe PDF Viewer for Windows that has a bug...

Re:

[ArcadeMan]

If you're still using Flash and Adobe Reader in 2015, you're just asking for trouble.

Re:

[zlives]

same can be said for if you are still using windows... or heck anything connected to the internet period.

Re:

[bev_tech_rob]

People still have Adobe Reader installed?

Lots of people...get out of your mom's basement or out from under your rock...

Re:

[Bing Tsher E]

Lots of people haven't upgraded from Adobe Reader.

We have work to do educating people.