Slashdot Mirror


Zero-day Exploit in PDF With Adobe Reader

hankwang writes "Security researcher Petko Petkov, who is known for his recent discovery of a vulnerability with Quicktime in Firefox, claims to have discovered an exploit that allows arbitrary code execution when a maliciously crafted PDF document is opened in any version of Adobe Reader. Petkov did not disclose any technical details other than a video, but claims on his blog that Adobe has acknowledged the vulnerability. If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."

188 comments

  1. xpdf etc by eneville · · Score: 5, Funny

    my xpdf brings all the boys to the yard and they're like, it's better than yours

    1. Re:xpdf etc by CRCulver · · Score: 2, Informative

      You are joking, right? Xpdf lacks all kinds of features useful in the corporate world. Forms that can be filled out is one. PDF is an open format, and Adobe publishes the standard for your convenience, but even after years of work Xpdf and offshoots like libpoppler still can't support much more than they did years ago.

    2. Re:xpdf etc by eneville · · Score: 2, Insightful

      You are joking, right? Xpdf lacks all kinds of features useful in the corporate world. Forms that can be filled out is one. PDF is an open format, and Adobe publishes the standard for your convenience, but even after years of work Xpdf and offshoots like libpoppler still can't support much more than they did years ago.

      what corporation actually makes use of forms? isn't that what html is ok for? if one wants to do a form, why not have a code hook that can validate the form data before printing. in most cases, i bet people send the whole pdf to print rather than just the page with the form, so it's probably better all round to keep forms on the web, where most people can get to it.
    3. Re:xpdf etc by shutdown+-p+now · · Score: 4, Informative

      You are joking, right? Xpdf lacks all kinds of features useful in the corporate world. Forms that can be filled out is one. PDF is an open format, and Adobe publishes the standard for your convenience, but even after years of work Xpdf and offshoots like libpoppler still can't support much more than they did years ago.
      While this is mostly true, I would like to point out that the most recent version of Evince (the one that ships with Gnome 2.20) supports PDF forms. Does this leave any piece of PDF functionality not yet implemented by FOSS readers?
    4. Re:xpdf etc by kebes · · Score: 5, Insightful

      Lacking features can be a good thing.

      I think the sensible strategy, in terms of performance and security, is to use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features. Acrobat is a rather large program (some might say "bloated") and it supports a wide variety of features, plugins, etc. It's a fact of life that supporting all those additional features (which are rarely used in a document) increases the program's resource requirements, and makes security vulnerabilities "more likely" (for every feature you add, there's another chance for a bug, and another attack vector).

      So, again, I think the sensible strategy is to use a fast, minimalist PDF reader (which, hopefully, is simple enough that it is fairly secure: that is, no plugins that can run arbitrary code). Then, when you encounter those PDFs that need those extra features, you load them using Acrobat, assuming you trust them. In my experience, PDFs that use anything beyond the basic features are rare enough that this isn't much of a burden. It's a fallacy to think that every program that supports a given filetype needs to "do it all"--different programs have different uses.

    5. Re:xpdf etc by eggnoglatte · · Score: 5, Informative

      what corporation actually makes use of forms?

      Only every single one I've ever worked for. Some government offices here in Canada also provide PDF forms for situations where you have to submit a printed version of the form in the end. You could achieve something similar with web forms, except the printed version would look different depending on browser. Sometimes a consistent formatting is a real advantage. So it is either PDF forms or Word, and given a choice between the two, I definitely vote for PDF.
    6. Re:xpdf etc by Anonymous Coward · · Score: 1, Insightful

      Maybe someday when acroread stops consuming 100% cpu if left minimized for a few hours, I'll use it. Until then, xpdf is my reader of choice.

    7. Re:xpdf etc by Angostura · · Score: 1

      Exactly my strategy. I have Acrobat reader installed but use it about once every two years. The rest of the time I use OS X Preview.

    8. Re:xpdf etc by thrawn_aj · · Score: 2, Interesting

      I think the sensible strategy, in terms of performance and security, is to use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features. Acrobat is a rather large program (some might say "bloated") and it supports a wide variety of features, plugins, etc.

      People have different definitions of "bloat". Mine is when you have to clutter up your system with more than one application to do the same job. Besides, I'm of the opinion that it's alright to use the incredibly fast and high-RAM computers of today to run these applications without being stingy about resources for every single thing (unless it actually does slow down your system). While I've pitied the users who have 16 things in their system tray that eat up resources (Acrobat does this too btw, with its quick load helper service), it is also true that today's systems are built for multi-tasking in a way that is frequently not taken full advantage of, especially by power users who pride themselves on choosing efficient programs (which is great!) and getting rid of bloat (while at the same time having several different programs that have overlapping functions).

      I also like how given ONE zero-day sploit from acrobat reader and we have the usual gurus predicting doom and calling on corporations to switch to xpdf (if it wasn't so ridiculous as to be funny, I'd be concerned :P) and "why do we need pdf forms anyway when you can have html forms?".

    9. Re:xpdf etc by Anonymous Coward · · Score: 0

      Good security practice means opening suspect, or even untrusted, documents with an application with less glitz. Inspect the document, watch for errors while opening, etc. You should never need glitz features on a suspect, or even untrusted, document. If you want to work with a suspect, or even untrusted, foreign document then you should consider saving it as a different file using the program with less glitz and observe how the document is affected.

      The world wide web was a great idea when web pages had less embedded content. Now it's a security nightmare. You can thank the advertising industry for that.

      Amateurs get hooked on featureware.

    10. Re:xpdf etc by cortana · · Score: 3, Insightful

      DRM, execution of JavaScript code and selective toggling of layers.

    11. Re:xpdf etc by 1u3hr · · Score: 1
      I think the sensible strategy is to use a fast, minimalist PDF reader

      I use Acrobat 4. It can display and print 99% of the PDF files I need. I can warm up a later version of the reader if I have to, a few times a year. It's much smaller and faster than current versions, and I doubt it is vulnerable to any exploits, at worst it would crash or fail to open a document.

      Also Elcomsoft's Advanced eBook Processor to strip away silly print or selection restrictions is useful. Thanks Dmitry.

    12. Re:xpdf etc by eneville · · Score: 2

      what corporation actually makes use of forms?

      Only every single one I've ever worked for. Some government offices here in Canada also provide PDF forms for situations where you have to submit a printed version of the form in the end. You could achieve something similar with web forms, except the printed version would look different depending on browser. Sometimes a consistent formatting is a real advantage. So it is either PDF forms or Word, and given a choice between the two, I definitely vote for PDF.

      perhaps there is a use for pdf forms, however, the world span perfectly ok before their existence, and i'm sure it will spin just fine without it. what i do think, however, is that there is little call for them. if a consistent formatting is required, then i suggest sending out a plain text file and request that it is filled in, it's something that i seriously can't see much of a requirement for. sorry.
    13. Re:xpdf etc by operagost · · Score: 1

      Like the GP poster said, obviously there IS GREAT CALL FOR THEM, as many organizations are using them! Would you rather they send out proprietary Word documents to fill out and print? Because you can't have text entry fields in a plain text file or even an RTF.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    14. Re:xpdf etc by p0tat03 · · Score: 2, Insightful

      Lacking features can be a good thing.

      Not accusing of anything, but this is altogether too often used by FOSS advocates to justify the lack of features or polish.

      use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features

      The security issues still remain - all an attacker has to do is disguise his PDF as a PDF form and shabam, your employees fall hook, line, sinker, and your network is now compromised. A pinhole in a submarine will still let water in, even if 99% of the rest of the surface is perfectly sealed.

    15. Re:xpdf etc by VGPowerlord · · Score: 2, Informative

      Adobe recently threatened to sue a company that wanted to include PDF output into their word processor.

      Yes, that company was Microsoft, but that doesn't change the fact that they threatened to sue them over its inclusion for "antitrust reasons" (read: It would hurt the sales of Acrobat).

      PDF isn't an open standard. If you want to implement it, Adobe apparently retains the right to sue you for it at any time.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    16. Re:xpdf etc by corsec67 · · Score: 1

      Yeah, but he was talking about functionality. Why make something intentionally broken?

      --
      If I have nothing to hide, don't search me
    17. Re:xpdf etc by shutdown+-p+now · · Score: 3, Informative

      DRM, execution of JavaScript code and selective toggling of layers.
      No idea about the rest, but at least xpdf does respect the restriction flags in PDFs. For example, it won't let you print a PDF if the no-print flag is set. Of course, it being open source, it is easily disabled, and some distros disable it in their packages (I recall Gentoo was doing so).
    18. Re:xpdf etc by Mazin07 · · Score: 1

      They can't show 3D models in a PDF document!
      How can I ever switch to a FOSS reader when I can't enjoy interactive 3D demonstrations inside my PDF document?

    19. Re:xpdf etc by ogrizzo · · Score: 2, Insightful

      Comments!!!! Acrobat's ability to add comments to pdf files is one of the few things that make me ever think about using OSX (I cannot think of anything that would make me wish to run Windows, though :)

      It looks like it's a planned feature of evince.

    20. Re:xpdf etc by Anonymous Coward · · Score: 0

      As long as we are asking for things most people don't need - I'd like to point out, that in addition to forms support, Clippy is missing as well.

    21. Re:xpdf etc by Planesdragon · · Score: 2, Insightful

      Yes, that company was Microsoft, but that doesn't change the fact that they threatened to sue them over its inclusion for "antitrust reasons" (read: It would hurt the sales of Acrobat).

      Yes, it does. If you don't have a monopoly, it means nothing. (Ever notice how Adobe doesn't care that OpenOffice has PDF output?)
    22. Re:xpdf etc by Cecil · · Score: 1

      Well at least there's still the option to just print it out as-is and write on it. How quaint. :)

    23. Re:xpdf etc by eneville · · Score: 1

      Like the GP poster said, obviously there IS GREAT CALL FOR THEM, as many organizations are using them! Would you rather they send out proprietary Word documents to fill out and print? Because you can't have text entry fields in a plain text file or even an RTF.

      WTF? how do you think people would do this PRIOR to the GUI word processors? it's not like HTML and PDF invented a text box. back in the day with BBS software we had 300baud lines and plain ascii terminals, but everything worked just fine. someone did try to make headway with gui functionality by the name of RIP but it was not widely implemented.

      fwiw, this is an example of what a plain text application form might look like. it shouldn't require a genius to fill out, and probably is simpler to use than a PDF viewer

      Name: ________________________________
      House number/name: ___________________
      Street: ______________________________
      Town: ________________________________
      Postcode: ___________
    24. Re:xpdf etc by zCyl · · Score: 3, Insightful

      at least xpdf does respect the restriction flags in PDFs. For example, it won't let you print a PDF if the no-print flag is set.

      An intentional defect is not a feature.
    25. Re:xpdf etc by BillyBlaze · · Score: 3, Informative

      Heh, KPDF has a checkbox for whether you want it to respect that DRM. Um, no thanks. (There's also a compile-time option to make it mandatory, for the wussier binary distros.)

    26. Re:xpdf etc by fbjon · · Score: 1

      if a consistent formatting is required, then i suggest sending out a plain text file and request that it is filled in,

      How can you get consistent formatting with plain text, when printed out? What's the font size, paper size, etc. etc.? Plaintext will likely give you 6 pages of unreadable monospaced text, instead of one neatly organised and easy-to-fill page.
      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    27. Re:xpdf etc by VGPowerlord · · Score: 1
      I did notice that. I have a famous quote for you, though:

      In Germany, they came first for the Communists, And I didn't speak up because I wasn't a Communist;
      And then they came for the trade unionists, And I didn't speak up because I wasn't a trade unionist;
      And then they came for the Jews, And I didn't speak up because I wasn't a Jew;
      And then . . . they came for me . . . And by that time there was no one left to speak up.

      -- Martin Niemöller

      Adobe has already acted in bad faith once, there's nothing stopping them from doing so again.
      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    28. Re:xpdf etc by eggnoglatte · · Score: 1

      the world span perfectly ok before their existence, and i'm sure it will spin just fine without it

      Well, duh. Before PDF forms most official forms were provided as hardcopy only, so you had to fill them in with a pen. Do you really want to go back to the day where you have to start over again when you made a mistake in one of the boxes?

      then i suggest sending out a plain text file and request that it is filled in, it's something that i seriously can't see much of a requirement for. sorry.

      Then you obviously have never worked in a professional environment. Just the other day I used PDF to sign two legal documents (forms) with my certified electronic signature. I now have one copy on my file system that I can index for search, and the party I was dealing with has another copy with a legally binding signature that they can save electronically and/or print at their leisure. Until the free PDF readers include these critical workflow features they are not fit for any serious environment.
    29. Re:xpdf etc by Chemicalscum · · Score: 1

      what corporation actually makes use of forms?

      Only every single one I've ever worked for. Some government offices here in Canada also provide PDF forms

      The multinational corporation I work for doesn't. I have yet to receive a government PDF form here in Canada.

      The Evince developers are working on a form filling function for it. So I hope I never have the need to install Acrobat Reader on my home Linux system. At work on XP I use Foxit reader as my Acrobat Reader installation is so fucked up.

    30. Re:xpdf etc by eggnoglatte · · Score: 1

      That is one of the reasons why the government forms are using PDF, I am sure. PDF is an open format, so you can get free software to print it and fill in the form, even if it is cumbersome. Of course you really want to keep electronic copies for your own reference in many cases, so you can later do searches for them, etc.

    31. Re:xpdf etc by Anonymous Coward · · Score: 1, Informative

      what corporation actually makes use of forms?

      Oh, I don't know. This company I work with every year to file taxes uses PDFs which you can download then complete. Perhaps you've heard of them? They're called the IRS.

      http://www.irs.gov/formspubs/lists/0,,id=97817,00.html

      My State & City also have PDF forms online that you can complete.

    32. Re:xpdf etc by OrangeTide · · Score: 1

      Many of us apply the patch to disable the restrictions on printing and cut and paste. It's kind of annoying to build it yourself if you're all into Debian, SuSE, Redhat or one of the other precanned distros. Gentoo and Slackware users though generally do the patch, if only to get cut and paste to work sanely.

      --
      “Common sense is not so common.” — Voltaire
    33. Re:xpdf etc by eggnoglatte · · Score: 1

      I don't know, does it support public key signatures, yet? And comments, as somebody else has pointed out.

      There is also the 3D support, but I doubt that is a big issue for most users.

    34. Re:xpdf etc by Anonymous Coward · · Score: 0

      The security issues still remain - all an attacker has to do is disguise his PDF as a PDF form
      Yes, but he has to know that this is necessary, and then he has to go to extra trouble to produce a form, and he also has to come up with a very convincing story behind it; your employees won't be expecting to receive a form, so they'll open it up in the non-form-capable reader first, so it will have to be sufficiently convincing for them to still want to open it in Adobe Reader without checking with someone else first.

      A pinhole in a submarine will still let water in, even if 99% of the rest of the surface is perfectly sealed.
      Perhaps, but it will let water in much more slowly than a gaping hole -- so it may not endanger anyone at all -- and it is much more easily fixed when discovered.

      The security issues will always remain. Even if your network security is perfect, "all" an attacker has to do is get a job as a network administrator at your company, and shabam, your network is now compromised! The point is that you can reduce the security issues by restricting the use of unnecessarily powerful software, and that's generally worth doing.
    35. Re:xpdf etc by ogrizzo · · Score: 1

      Good luck writing a parser that will work flawlessly for every form returned: most likely it's faster and cheaper to pay a human to enter those data.

    36. Re:xpdf etc by Anonymous Coward · · Score: 0

      Dude, quit reading about the way computing used to be 15 years before you were born. In a few years, when you graduate High School, and get into the real world and maybe even a job, you'll see there are PDF forms everywhere. There is NO stopping or even slowing down their use.

      Companies and government entities use PDF forms because they are an electronic version of their normal paper forms. I've never seen an HTML form, plain text form or any of that like look anything like the official paper form I've ever had to fill out. Well only a few times when it was obvious the form was created in plain text or HTML and then printed out.

    37. Re:xpdf etc by eggnoglatte · · Score: 1

      I have yet to receive a government PDF form here in Canada.

      Go look on the government of Canada and the provincial (I live in BC) web pages. Pretty much any form you'll ever need to fill in is there as a PDF, and many of them (I'd say about half of the ones I've had to deal with) are instrumented for being filled in electronically. Of course, if you just open them in a reader that does not support forms then you'd never know.

      The Evince developers are working on a form filling function for it. So I hope I never have the need to install Acrobat Reader on my home Linux system.

      I agree that is good news, so this may be an evolving possibility.

      At work on XP I use Foxit reader as my Acrobat Reader installation is so fucked up.

      From the original blog: Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit.
    38. Re:xpdf etc by eneville · · Score: 1

      Dude, quit reading about the way computing used to be 15 years before you were born. In a few years, when you graduate High School, and get into the real world and maybe even a job, you'll see there are PDF forms everywhere. There is NO stopping or even slowing down their use.

      i don't normally reply to this sort of comment, but dude, i was there, writing programs for Remote Access 2.02 and was a sysop of my own BBS, back in 91. we didn't have pdf back then, but most people could understand how to reply to a text application just fine.

      Companies and government entities use PDF forms because they are an electronic version of their normal paper forms. I've never seen an HTML form, plain text form or any of that like look anything like the official paper form I've ever had to fill out. Well only a few times when it was obvious the form was created in plain text or HTML and then printed out.

      i guess you were not around in the early days. the reason the organisations use pdf and other gui stuff is because they're too simple minded to look at stuff in plain text format. i'm not sure when this trend of thought started but it's not getting the world anywhere fast.
    39. Re:xpdf etc by eneville · · Score: 1

      if a consistent formatting is required, then i suggest sending out a plain text file and request that it is filled in,

      How can you get consistent formatting with plain text, when printed out? What's the font size, paper size, etc. etc.? Plaintext will likely give you 6 pages of unreadable monospaced text, instead of one neatly organised and easy-to-fill page.

      why do you want to print it? most plain text readers will print just fine. even if it's copied into word or something. but most digital applications are sent via email. and yes, we use plain text for that also. if you want a good idea of large organisations using plaintext applications, why not look at nominet. http://www.nic.uk/registrars/systems/auto/
    40. Re:xpdf etc by Anonymous Coward · · Score: 0

      Godwin hates you. Really. Drawing parallels between Adobe and the Nazis? It really doesn't help your argument in any way.

    41. Re:xpdf etc by Gothmolly · · Score: 0

      That's funny - I work for one of the top 10 US banks, and none of our forms are PDFs. Corporate culture is a strange thing.

      --
      I want to delete my account but Slashdot doesn't allow it.
    42. Re:xpdf etc by Yvan256 · · Score: 3, Insightful

      I was a sysop of my own BBS, back in 91. we didn't have pdf back then, but most people could understand how to reply to a text application just fine.
      And back then, people who used computers knew how computers work.

      This is 2007, where people don't even know the differences between .txt, .rtf, .doc, .pdf or .html

    43. Re:xpdf etc by LostEmail · · Score: 1

      I'm not sure you get why people use pdfs. It's so that there is a consistent PRINT of the document. Plain text doesn't guarantee anything for the print (and if it did it wouldn't be plain text now would it.) In addition, you can't include graphics and logos on your forms and no ASCII art isn't good enough.

    44. Re:xpdf etc by Anonymous Coward · · Score: 0

      PDF isn't an open standard. If you want to implement it, Adobe apparently retains the right to sue you for it at any time.
      Umm..MS DID implement it. Implementation is no problem. Preventing fair competition by bundling could be a problem (see also: jvm, media player, etc.).
    45. Re:xpdf etc by (negative+video) · · Score: 1

      Do you really want to go back to the day where you have to start over again when you made a mistake in one of the boxes?

      You apparently really want to harness yourself to paper pulp and simulacra thereof.

      Just the other day I used PDF to sign two legal documents (forms) with my certified electronic signature.

      Public key cryptography and digital escrow agents are general purpose. There is no call to lock yourself in to a particular vendor's revenue stream.

      Until the free PDF readers include these critical workflow features they are not fit for any serious environment.

      Serious digital contract environments, such as Fedwire, use formats that are simple, heavily reviewed, and verifiable by direct personal inspection of the raw protocol data.

      And that does NOT describe the Adobe cesspool: huge, complicated, hellishly buggy, and with a specification that constantly changes for the sole purpose of keeping their customers paying $$$ on an upgrade treadmill. Adobe products also tend to be infested with Javascript, which makes it trivial to create a document that changes the displayed contents once a chosen date has passed; a cleverer forger can use subtle bugs and version differences to this end even if Javascript is disabled. With such a flawed product, the counterparty (or their hired gun) can cause all sorts of mischief.

      Oh, and of course Adobe intends that their products run on Windows machines that promiscuously use the public Internet, so security is already a lost cause.

      For important contracts, you either have to use paper, or you have to use a simple digital format that you can personally verify. I recommend 80-column ASCII plain text.

    46. Re:xpdf etc by williamgrant · · Score: 1

      Evince in GNOME 2.20 (released a couple of days ago) will be in Ubuntu 7.10 and various other distros in the next few months, and supports PDF forms.

    47. Re:xpdf etc by syedelyas · · Score: 1

      this pdf should be secure, it has been used widely for universities where lecturers put notes and questions in there.. and if it can be exploited, so hard to believe it

    48. Re:xpdf etc by eneville · · Score: 1

      I'm not sure you get why people use pdfs. It's so that there is a consistent PRINT of the document. Plain text doesn't guarantee anything for the print (and if it did it wouldn't be plain text now would it.) In addition, you can't include graphics and logos on your forms and no ASCII art isn't good enough.

      that sir, is utterly useless, and what happens when the paper size changes? the constancy is totally lost.
    49. Re:xpdf etc by jthill · · Score: 1

      Too simple-minded is right, of course. (Insert rant about the salary-justifying pointlessness of most office work here).

      But nobody at all wants to decipher human-mangled data-entry forms. If you gotta do forms, PDF's forms are exactly what the doctor ordered: visually identical to the paper version and electronically enhanceable up the wazoo.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
    50. Re:xpdf etc by cthulhu11 · · Score: 1

      I encounter this all the time. Many people seem to think that MS Werd's .doc files are the only way text can live in a file.

    51. Re:xpdf etc by dido · · Score: 1

      what corporation actually makes use of forms?

      They're not quite corporations, but well, the US Government seems to, as does the Japanese government. I've filled out visa applications for both countries and they come with a PDF form that you can use to fill out all the relevant details and sundry. As for the US visa application, there are two documents, one of which is filled out on a web form on the US State Department's website that generates a PDF that you print (doing exactly what you describe, with all the validation), and another supplemental application that can be filled out as a PDF with forms, although in the past IIRC they used PDF's with forms for both. The Japanese visa application consists of a single PDF with forms that you can fill out and print. In both cases, you could just simply print them out and write your answers by hand if you were so inclined, although that's a lot less convenient. I imagine these and many other governments also make use of PDF's with forms for many other applications in addition to visa applications for foreigners.

      --
      Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
    52. Re:xpdf etc by ookoi · · Score: 1

      And on windows there is FoxIt; it is not open source (i think, i have not checked) but at least it is lightweight in comparison with acrobat. By the way, there is another thing totally insane with acrobat, it's the automatic updates... So now, you have to download updates for win, ff, java, adobe, each time there is an update... It's really crazy.

    53. Re:xpdf etc by VGPowerlord · · Score: 1

      My intent wasn't to draw parallels to Nazis... it just turns out when I looked it up that the original quote was about nazis.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  2. smug by ch0ad · · Score: 4, Funny

    i bet it doesn't work with ubuntu's pdf viewer :p
    /smug

    about time i got modded as a troll neway

    1. Re:smug by doombringerltx · · Score: 4, Funny

      If saying linux is more secure than windows is your idea of trolling slashdot, then you *really* must be new here

    2. Re:smug by astrosmash · · Score: 5, Funny

      A lot of things don't work with Ubuntu's pdf viewer.

      --
      ENDUT! HOCH HECH!
    3. Re:smug by Anonymous Coward · · Score: 0

      i bet it doesn't work with ubuntu's pdf viewer :p


      You mean, just like every other PDF document? // that's a troll for you
    4. Re:smug by Anonymous Coward · · Score: 1, Funny

      Like a pdf itself, for example...

    5. Re:smug by ch0ad · · Score: 1

      lol. indeed.

    6. Re:smug by Timmmm · · Score: 1

      That made me cringe. Now I know why women always specifically want a man with a good sense of humour.

  3. Lacks details by 140Mandak262Jamuna · · Score: 1

    The article is sorely lacking in details. There was a vulnerability report earlier about PDF files that open external links. At that time slashdot discussions were very critical of adding javascript kind of functionality and opening external links and invoking the browser from pdf reader. A plain and simple document reader/renderer has no need for all these hooks that allow for bells and whistles. It was alleged every bell and every whistle could be a potential attack vector. Well, presently I have disabled javascript, external links etc in my pdf reader. Hope it is enough to plug the hole.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Lacks details by RAMMS+EIN · · Score: 3, Informative

      The summary makes me think it is some kind of stack smashing attack; probably an integer overflow. These can occur in the PDF parsing code, before you even have to look at features like scripting. On the other hand, if PDF is anything like PostScript here, and I believe it is, it is a programming language itself, which might lead to exploitable situations.

      Also, an integer overflow was recently found and fixed in xpdf. This could be the same bug.

      --
      Please correct me if I got my facts wrong.
    2. Re:Lacks details by bcrowell · · Score: 4, Informative

      On the other hand, if PDF is anything like PostScript here, and I believe it is, it is a programming language itself, which might lead to exploitable situations.
      No. Postscript is a Turing-complete language. People have, e.g., written calculator programs in postscript, and implemented Conway's game of life in it. PDF is not Turing-complete, and that was an intelligent, intentional design decision. I think it had less to do with concerns about security than with not wanting to run a program on your printer without having any possible way to tell whether the program would ever terminate.

    3. Re:Lacks details by mikael · · Score: 1

      Just a brief skim through the PDF specification document (1310 pages!) will reveal that a PDF document viewer has to support image reading and loading, JPEG, CCITT and LZW compression (page 39). Any vulnerabilities in standard image libraries may very well be present in the document reader.

      The specification even extends into advanced CAD techniques (Coons patches and tensor products in page 232) for background shading, 3D artwork (page 789-841) which is more based on objects, nodes, multiple lightsources and user input (very close to an entire scene-graph API). Given the hierarchical format of PDF, they could very well absorb VRML and other 3D formats into the specification.

      There are also a few stacks that are used for rendering graphics, which could possibly be overloaded.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    4. Re:Lacks details by Anonymous Coward · · Score: 0

      Hell, I think someone has even written TCP/IP stacks and http servers in postscript.

    5. Re:Lacks details by UKDave · · Score: 1

      Yep, it could at least explain how you can hack into the PDFs!

      --
      Managing Director SEOCO
    6. Re:Lacks details by LindaMack · · Score: 0

      For Windows, I'd recommend Foxit reader. Opens instantly, and no pesky update whining every two days...

    7. Re:Lacks details by hyc · · Score: 1

      I remember sending the Life game to an Apple LaserWriter back in college. It was almost as fun as watching it run on a DECwriter back in high school, but used a lot more paper... I don't remember getting to send it to a NEWS or DisplayPostscript server, that might have been amusing.

      --
      -- *My* journal is more interesting than *yours*...
    8. Re:Lacks details by adah · · Score: 1

      PDF is not Turing-complete, and that was an intelligent, intentional design decision. I think it had less to do with concerns about security than with not wanting to run a program on your printer without having any possible way to tell whether the program would ever terminate.

      Interesting. However, there are printers that directly support PostScript, and I have not yet known of a printer that directly supports PDF.

  4. It was going to happen by saskboy · · Score: 1

    And this kind of thing is also why I leave the preview pane off in Outlook whenever I use it.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
    1. Re:It was going to happen by Anonymous Coward · · Score: 0

      And seeing as how Adobe doesn't have a preview pane filter for Outlook this affects you how? I know there are third-party filters you can load that will enable this, but they don't use Adobe code so wouldn't be affected.

  5. The vulnerability is in Reader not the PDF format by NevarMore · · Score: 3, Insightful

    It's still a big effing deal, because Reader is the most accessible and widely used PDF viewer out there.

    So in the interest of the public, what alternative PDF readers can people use?

    In addition to that I hope Adobe clues in and realizes, Reader is there to READ AND DISPLAY PDFs and nothing else. The last time I installed it under XP on my office workstation it wanted to shovel a bunch of crap into the tray and seemed to have a lot more cruft than it needed to. This is different from what I remember it being in High School where it was a simple viewer so the customers who paid for Acrobat had an easy way to tell their readers how to open the PDFs. It has since morphed into a product instead of just a utility.

  6. FYI: Vista not affected by sid0 · · Score: 4, Informative

    From the blog:

    "The vulnerability affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7. Windows Vista users are not affected."

    1. Re:FYI: Vista not affected by Nimey · · Score: 1

      Should one assume that the vuln is also in Acrobat Standard and Acrobat Professional? Got some users using those, and won't this be a joy for the pre-8 ones.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re:FYI: Vista not affected by nwbvt · · Score: 4, Funny

      Well yeah, it can't affect an operating system if no one is running it.

      Sorry, couldn't resist.

      --
      Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
    3. Re:FYI: Vista not affected by CRCulver · · Score: 1

      I travel most of the year, and usually stay with hosts from hospitality associations like Couchsurfing. As I visit home after home, I'm amazed at how much software is left un-updated on computers that are more than capable of running the newer versions. Ancient versions of Firefox, unregistered Windows installations that could be easily cracked so you could get the service packs and security updates, an old version of Acrobat. There's got to be some way of getting people to upgrade, yet in apps that notify "There's an update available", people usually complain that that's annoying and immediately close the notification window.

    4. Re:FYI: Vista not affected by Nimey · · Score: 1

      "But Acrobat 5 does everything I need, and why should I pay a couple hundred to upgrade it?" x at least a couple dozen. Replace 5 with 6 or 7 as needed.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    5. Re:FYI: Vista not affected by CRCulver · · Score: 1

      No one outside of the U.S. and Western Europe actually pays for software, so money's not an issue. But even upgrading to a cracked version requires a) awareness that upgrading is necessary, and b) effort to carry out the upgrade. Sadly, both are lacking among the non-geeky.

    6. Re:FYI: Vista not affected by kesuki · · Score: 1

      well, i guess it's time to downgrade adobe to version 5. before they had all these automatic updating and ridiculous feature bloat features...

      i know version 5 came on tons of various cd roms, including ones from motherboards and even anti virus installers... in fact even though i had a newer version i happened to pick version 5 when i reinstalled my parents computer because i was lazy and it came on their anti virus install cd.

  7. Possible mitigation? Comments by Anonymous Coward · · Score: 0

    Perhaps the following will help.

    Change the *.api to *.ap0 in the plugins subdirectory. I kept "SearchFind.api" (ver. 7.0.3). Ergo, minimize Java/Javascript.
    Also, change the Adobe directory owner and group to something other than root. For example:

    # chown -R nobody:users /usr/local/Adobe

    I assume there is some equivalent for Windows.
    I tested the above changes on Linux (Slackware 12), to a degree. The owner/group change doesn't seem to harm any features that I tested.

    Any Comments?

    1. Re:Possible mitigation? Comments by Simias · · Score: 2, Insightful

      I'm not sure how the plugin works, but if the binary isn't setuid, changing its owner will be useless, since it will run with the privileges of the browser (i.e. probably yours), not those of the owner.

    2. Re:Possible mitigation? Comments by sowth · · Score: 1

      Your other suggestion sounded good, but...

      # chown -R nobody:users /usr/local/Adobe

      Why would you want to do that? That just allows the "nobody" user to mess with the Adobe directory. Considering "nobody" is often used for daemons, you just let anyone who cracks one of the said daemons write files to that directory and potentially screw with the users who run Adobe's programs.

      You want global stuff to be owned by root or an administrative user so that others can't mess with it. Generally speaking, only admins should own files in /usr, /bin, /etc and such. Having root own that directory and files is correct, unless you use a different user to install files, then that user should own them...
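An added example, not part of any comment above: the ownership rule from this sub-thread (install trees owned by root or an administrative user, not writable by anyone else, and set-id bits being what actually ties a file's owner to run-time privileges) written as a read-only audit. The function names, the constructed demo tree and the file name Example.api are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: read-only audit of an application install tree.
# Usage: audit_install_tree DIR [OWNER]      OWNER defaults to root.
# Prints one "REASON<TAB>PATH" line per finding.
# Returns 0 if the tree is clean, 1 if there are findings, 2 on bad input.
# Paths that contain newlines are not handled.

audit_install_tree() {
    ait_dir=$1
    ait_owner=${2:-root}
    [ -d "$ait_dir" ] || { echo "not a directory: $ait_dir" >&2; return 2; }

    # Four passes over the tree:
    #   owner           not owned by the expected administrative account
    #   group-writable  modifiable by the owning group
    #   world-writable  modifiable by any local account
    #   set-id          setuid or setgid file, the only case where the file
    #                   owner decides which privileges the program runs with
    # Symlinks are skipped in the first three passes because their own mode
    # bits carry no meaning.
    ait_findings=$(
        find "$ait_dir" ! -type l ! -user "$ait_owner" -exec printf 'owner\t%s\n' {} \;
        find "$ait_dir" ! -type l -perm -020 -exec printf 'group-writable\t%s\n' {} \;
        find "$ait_dir" ! -type l -perm -002 -exec printf 'world-writable\t%s\n' {} \;
        find "$ait_dir" -type f \( -perm -4000 -o -perm -2000 \) -exec printf 'set-id\t%s\n' {} \;
    )

    if [ -z "$ait_findings" ]; then
        return 0
    fi
    printf '%s\n' "$ait_findings"
    return 1
}

# Constructed demo tree (not a real Adobe install). Example.api is left
# world-writable on purpose so the audit has something to report.
make_constructed_tree() {
    mct_root=$(mktemp -d) || return 1
    mkdir -p "$mct_root/Adobe/plugins"
    : > "$mct_root/Adobe/acroread"
    : > "$mct_root/Adobe/plugins/SearchFind.api"
    : > "$mct_root/Adobe/plugins/Example.api"
    chmod 755 "$mct_root" "$mct_root/Adobe" "$mct_root/Adobe/plugins" "$mct_root/Adobe/acroread"
    chmod 644 "$mct_root/Adobe/plugins/SearchFind.api"
    chmod 666 "$mct_root/Adobe/plugins/Example.api"
    printf '%s\n' "$mct_root"
}

# Demo: audit the constructed tree against the current user, then clean up.
# On a real system the call would be: audit_install_tree /usr/local/Adobe root
demo_root=$(make_constructed_tree)
audit_install_tree "$demo_root" "$(id -u)" || echo "findings listed above"
rm -rf "$demo_root"
```

Run against the tree left behind by `chown -R nobody:users`, every entry would be reported under `owner`.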

  8. hmmm by thatskinnyguy · · Score: 1

    Sure, now that the vulnerability is known, the likelihood of it being exploited just went through the roof.

    --
    The game.
    1. Re:hmmm by Delkster · · Score: 1

      Sure, now that the vulnerability is known, the likelihood of it being exploited just went through the roof.
      From TFA (the one that isn't slashdotted):

      "The security researcher said he would not release code that shows how this attack works until Adobe provided a patch for the problem"
  9. Foxit reader is a good substitute. by Zaphod-AVA · · Score: 3, Informative

    The Foxit PDF reader is pretty great, and I often recommend it to my clients. Not only will it be a good temporary fix for this exploit, but it opens PDF documents very quickly.

    Windows:
    http://www.download.com/Foxit-PDF-Reader/3000-2079_4-10634896.html?tag=lst-0-1

    Linux:
    http://www.foxitsoftware.com/pdf/desklinux/

    1. Re:Foxit reader is a good substitute. by Arkaic · · Score: 5, Insightful

      That may not be much better, according to a follow-up comment by the discoverer of the exploit:

      "Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit."

    2. Re:Foxit reader is a good substitute. by EvilIdler · · Score: 1

      KPDF came with my Kubuntu installation. Never failed me.
      It also pleases the raving hippies who want everything open source ;)

    3. Re:Foxit reader is a good substitute. by Anonymous Coward · · Score: 0

      Foxit crashes a lot though.. just my experience.

    4. Re:Foxit reader is a good substitute. by a.d.trick · · Score: 1

      Foxit is a great improvement from the Adobe Reader. I didn't know they had a linux version; however, I wonder if anyone actually uses it. In my experience, Evince and KPDF both beat Foxit hands down.

    5. Re:Foxit reader is a good substitute. by Mike89 · · Score: 1

      This may be slightly OT, but please don't mod it as such. I use FoxIt and I have a problem. Whenever I open the solutions file for a textbook I use for school, the text is barely readable. Yet in Adobe Reader, it's fine.

      See screenshot

      Any ideas? I like FoxIt, but I can't use it!
      Note: The zoom is set to the same on both, zooming on FoxIt doesn't help the issue. Also sorry the screenshot is so small, I uploaded a larger one but BayImg didn't like it for some reason.

    6. Re:Foxit reader is a good substitute. by JohnnyBigodes · · Score: 1

      Hope they have fixed it recently. About 6 months ago I tried it, and on the first PDF that I opened:

      - Some fonts looked different from the original. "Different" as in "the same font but were slightly thinner/bolder". Not an AA issue, the actual drawing of the polygons seemed slightly off.
      - Redrawing a vector part was slow even though everything else was blindingly fast.
      - Hitting "Print" caused it to crash. Every time.

      Kudos to FoxIt for trying, but with much sadness I immediately uninstalled it. At least Reader actually works, and version 8 is a lot lighter than the other ones.

    7. Re:Foxit reader is a good substitute. by Bearhouse · · Score: 1

      "although the user is required to interact with the document in order to launch the exploit"

      So, I'm better off sticking with Foxit for most uses.

      I only use acrobat reader when forced to, (security, form filling...)

    8. Re:Foxit reader is a good substitute. by Mr_Perl · · Score: 1

      KPDF is very good also and I don't think it interfaces with the adobe libs at all.

      --

      My poetry site welcomes the unusual.
    9. Re:Foxit reader is a good substitute. by jambarama · · Score: 2, Informative

      Even lighter and faster than foxit: Sumatra PDF Reader. It is Windows only but runs fine in Wine. Since TFA has no details, I can't say if Sumatra is also vulnerable, but for me it beats foxit.

    10. Re:Foxit reader is a good substitute. by Anonymous Coward · · Score: 0

      ??

      By 'interact' he meant _any_ interaction with the document! You don't scroll through the pages or zoom in/out or add comments or do any of the other forms of interaction with pdf documents?

    11. Re:Foxit reader is a good substitute. by Bearhouse · · Score: 1

      Thanks for the comment - of course, did not RTFA

    12. Re:Foxit reader is a good substitute. by bizbuzz · · Score: 1

      I recommend http://www.docu-track.com/home/prod_user/pdfx_viewer/ (PDF Xchange Viewer). It's also lean, but you can even edit pdfs with marks, textboxes and comments without any advert tagging for free. I have no connection to this corporation, I just use this product for myself and my clients.

  10. Details Sorely Lacking by SkiifGeek · · Score: 4, Interesting

    Yeah, the article is lacking in details, which is unfortunate. Here is a nice little summary of not only the article, but also the speculation and arguments that have formed around the claims on a number of mailing lists.

  11. Re:The vulnerability is in Reader not the PDF form by Nimey · · Score: 5, Informative

    Foxit Reader is the canonical 3rd-party viewer for Windows: http://www.foxitsoftware.com/pdf/rd_intro.php

    Macs have Preview, Linux has Evince and others.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  12. I second this by ArchieBunker · · Score: 1, Informative

    The entire download is just over 1mb and it loads PDFs quicker than the 40+mb pile of shit known as "reader".

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:I second this by 0xygen · · Score: 2, Informative

      Sadly this is not 100% true.. I *am* a FoxIt user, but recently came across an issue.

      FoxIt does not seem to cache the page you are looking at, it appears to re-render the whole thing every time you move it.

      So, when you have an engineering drawing with only a few thousand vector lines on a page, it slows down to about a tenth of the speed of Reader 8.1.

      Now I have both installed, much to my annoyance - before seeing this, FoxIt was the one!

  13. Isn't this a dupe? by MULTICS_$MAN · · Score: 1

    "[Insert filetype here] can be used to compromise your Windows box!"

    1. Re:Isn't this a dupe? by Nimey · · Score: 1

      $SPYWARE is trying to own your machine. Cancel or allow?

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
  14. NOT a zero day exploit ! by promiscuous-mode · · Score: 4, Informative

    It's not a zero-day exploit until Petko releases code for the script kids to use without having a patch/update from Adobe.

    1. Re:NOT a zero day exploit ! by Mascot · · Score: 1

      Save your energy. It's like the cracker/hacker issue. Nobody seems to remember or care what the terms mean anymore.

      I won't even point out the irony in that a Slashdot editor doesn't even know.

    2. Re:NOT a zero day exploit ! by RAMMS+EIN · · Score: 1

      Ah, so you seem to actually know what zero-day means. Would you explain it here for the public benefit?

      --
      Please correct me if I got my facts wrong.
    3. Re:NOT a zero day exploit ! by Anonymous Coward · · Score: 0

      It's very simple - a 0-day exploit is one for which exploit code is known to be available, and against which there is no patch. The term is typically restricted to exploits that allow remote execution of code rather than those which merely crash or reboot the affected system.

      The term comes from the idea that such an exploit that could hit your system TODAY, ie. you have 0 days in which to prepare.

  15. Terminology Police! by Anonymous Coward · · Score: 0

    The phrases "zero-day exploit" and "if this exploit goes wild" aren't really compatible. "Zero-day" is not just some random phrase you can throw in front of "exploit" to sound cool, it actually means something...

    1. Re:Terminology Police! by Anonymous Coward · · Score: 2, Funny

      Ok you're in charge of policing the expression "zero-day exploit", and I'll take care of "defective by design". Good hunt.

    2. Re:Terminology Police! by Anonymous Coward · · Score: 0

      What's Quicktime?

    3. Re:Terminology Police! by Bacon+Bits · · Score: 4, Informative

      That's what I keep saying. A vulnerability is never zero day. An exploit is only zero-day if an in-the-wild exploit is discovered the same day that the software vendor and security communities become aware of it. Since this was posted as an undisclosed proof of concept three days ago, it is quite impossible for a zero day exploit to exist!

      --
      The road to tyranny has always been paved with claims of necessity.
    4. Re:Terminology Police! by BitZtream · · Score: 1

      Jeez, you guys haven't figured it out yet. Zero-day no longer means what it once did. 0-day now just means new stuff for the media to talk about, it's the 31337 thing to say.

      Get with the program!

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  16. Re:The vulnerability is in Reader not the PDF form by Constantine+XVI · · Score: 1

    And FYI, KPDF is the KDE pdf reader, and XPDF for the luddites :)

    HTH

    --
    "I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
  17. For firefox users... by nwbvt · · Score: 3, Informative

    "If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."

    If you are using firefox, there is a simple way around this. Just install the PDF download add-on, it also helps avoid the problems involving the embedded PDF plugin crashing your browser.

    --
    Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
  18. A job for SELinux? by Anonymous Coward · · Score: 0

    It seems like this was the type of exploit that SELinux was designed to handle automatically. Do any of the Linux distributions provide a default SELinux policy which actually did handle this particular case? I know there has been some success in the past with SELinux preventing zero-day exploits. What about Fedora's default policy?

    1. Re:A job for SELinux? by Anonymous Coward · · Score: 0

      It seems like this was the type of exploit that SELinux was designed to handle automatically.
      Not really... there isn't all that much that SELinux can do about vulnerabilities that only exist on Windows XP.
  19. As an aside: by T-Ranger · · Score: 3, Interesting

    Does anyone here think that embedding Acrobat into a browser is a good idea? Ignoring the plethora of stupid people who use PDF when HTML would work better, even.

  20. Print function buggy though? by SD-Arcadia · · Score: 1

    I loved Foxit until I tried to print a range of pages, it didn't print, and the printer became unreachable from other programs as well until a restart. The printer was a Canon BJC940 connected to a USR router.

    --
    https://dalgamotor.wordpress.com/ - Elektronik beyinlere ozgurluk asisi (Turkish)
    1. Re:Print function buggy though? by thewils · · Score: 1

      You got that far huh?

      We got BSOD on multiple XP boxes when printing, so we had to revert back to the bloated Adobe Reader.

      --
      Once I was a four stone apology. Now I am two separate gorillas.
  21. *WINDOWS* 0-day exploit by Anonymous Coward · · Score: 0

    Let's be clear about it at least. It's not just a generic PDF sploit, it's a Windows issue.

  22. there are many platforms, many implementations by someone1234 · · Score: 1

    Somehow, I don't believe the same vulnerability will affect xpdf on linux and adobe reader on windows.
    So, I still feel safe :)

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  23. Thirded by Anonymous Coward · · Score: 0

    /agree

  24. For information, read this PDF by cpu_fusion · · Score: 0
    1. Re:For information, read this PDF by Anonymous Coward · · Score: 0

      Bah. The link is already slashdotted. Click here for a mirror.

  25. 'Preview' and Mac OS X by xirtam_work · · Score: 1

    Does anyone have any news if this affects 'Preview' on OS X. I hate the Adobe Reader and never use it.

    I understood that PDF is virtually native on the Mac. This is in part due to the design of Quartz and how NeXT used to use display Postscript, which PDF grew out of in a way.

    Some applications now use scaled PDF icons for resolution independence, such as Coda for example. Should we be worrying about this at all?

    1. Re:'Preview' and Mac OS X by Anonymous Coward · · Score: 0

      The article is lacking in details and gnucitizen.org is being slashdotted. However, if I have to guess, Preview should not be affected since Preview turns PDFs into bitmap images. This is rendered by using an NSImage object in Cocoa which doesn't rely on Adobe's Acrobat Reader.

    2. Re:'Preview' and Mac OS X by Anonymous Coward · · Score: 0

      IIRC Apple uses their own implementation of the PDF specification for Quartz, so there shouldn't be any issues on Mac OS X (using Preview, or any other app that uses quartz PDF) unless you're actually using Acrobat.

    3. Re:'Preview' and Mac OS X by p0tat03 · · Score: 4, Informative

      As a side note... Preview does an incredibly good job with PDFs that Adobe themselves can't even do. Back when I was a Windows user exclusively, I always complained that the "official" reader was dog slow even on the fastest machines, and could not ever scroll smoothly through any slightly complex document.

      Now that I've switched to Mac and use Preview, I realize this isn't Windows, it's just Adobe's incompetence. Preview is fast as hell and NEVER lags in any way, while Adobe Reader for the Mac is as slow and bloated as its Windows brethren.

    4. Re:'Preview' and Mac OS X by BitZtream · · Score: 1

      Isn't one of the lower levels of the OS X rendering API built around PDF? Would make sense for it to be fast if it's something already done at a low level in a highly optimized fashion anyway.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  26. Re:The vulnerability is in Reader not the PDF form by AlphaPB · · Score: 1

    Skim on OS X. Does forms, embedded notes, highlighting, the works. It's much more powerful than Preview and only takes a tiny bit longer to start up. It seems to be updated very frequently.

  27. Enough! by Valtor · · Score: 2, Interesting

    I am convinced that we will not escape sandboxing every process in the not too distant future. Enough is enough, I don't think we will ever feel secure about any software any time soon.

    --
    "Sockets are the standard networking API, also useful for stopping your eyes from falling onto your cheeks" zeromq.org
    1. Re:Enough! by krbvroc1 · · Score: 1

      Except I just read there is a security flaw in VMware could allow a process running within the VM machine to exploit the host OS. So even virtualization as a sandbox is not fully effective.

    2. Re:Enough! by Ilgaz · · Score: 1

      Except I just read there is a security flaw in VMware could allow a process running within the VM machine to exploit the host OS. So even virtualization as a sandbox is not fully effective.
      In fact it happened (or theoretically possible) with MS Virtual PC (don't laugh) 7 running on OS X.

      http://www.versiontracker.com/dyn/moreinfo/macosx/1006

      "What's new in this version":
      "This update fixes a vulnerability that an attacker can use to overwrite the contents of your computer's memory with malicious code."

      Yes, the "Virtual PC" running there may overwrite memory from "there". I hate to pick on MS and VPC is some real cool code but... It is sounding damn funny.

      If any Mac people are reading this: Get it updated and also install a free antivirus. Viruses _run_ under emulation, slowly but they run.

    3. Re:Enough! by RAMMS+EIN · · Score: 1

      The question is what sandboxing really solves. Supposedly, we already have processes in isolated address spaces. They interact with the rest of the system through interfaces exposed by the operating system. You can sandbox all you want, but, eventually, you are still going to have some interaction between the sandboxed process and the rest of the system.

      I see much more value in writing software in languages where the now common types of exploits can't occur. If we can stop programs from wrongly referencing memory, i.e. going outside the bounds of allocated data structures, that will be a great step, eliminating many current vulnerabilities. And we can do that...we just have to not use the unsafe constructs from C (and not replace them by other unsafe constructs, obviously).

      --
      Please correct me if I got my facts wrong.
  28. Landmines of the Internet by JewGold · · Score: 2, Informative

    PDFs have long been known as 'landmines of the Internet' for their long load times and the fact so many websites don't mark links as PDF so you never know when you're going to 'trip' over one.

    It looks like Adobe is just kicking their reputation up a notch.

    --
    Is this a news report or a trailer for a motion picture?
    1. Re:Landmines of the Internet by Anonymous Coward · · Score: 0

      Huh, that's interesting. I've never had that problem since I often keep an eye on the status bar, and since I disable the PDF browser plugin.

      Now, Java applets, OTOH, sound exactly like your "landmines of the Internet" :P At least, until I learned to disable Java too.

    2. Re:Landmines of the Internet by pubwvj · · Score: 1

      "PDFs have long been known as 'landmines of the Internet' for their long load times and the fact so many websites don't mark links as PDF so you never know when you're going to 'trip' over one."
      You could just look at the URL before you click. It's easy to see in most (all?) browsers.

  29. So do what most concerned individuals do ... by ScrewMaster · · Score: 1

    and don't use Adobe's reader. Don't use Adobe's Acrobat either, if you don't have to. At least in the Windows world, there are plenty of alternatives out there, that often work better and more efficiently than Adobe's products, and are sometimes (get this) FREE! Are they as secure as Adobe's products? Who knows. For that matter, who knows how secure Adobe software is: big companies don't necessarily turn out more secure software than smaller ones. They can apply more programmers to a project and crank out more lines of code ... but that generally makes the product less secure because there's more room for error.

    I mean if you just want a PDF viewer that works standalone and in Firefox, try Foxit Reader. Fast (very fast), lightweight and free for the download. You can upgrade to the Pro version if you need the extra capability, but for simple viewing the free version is great. I use PDF Creator to convert printer output to PDF files. Also free, and works very well.

    I've long considered Adobe's PDF Reader to be inefficient bloatware and haven't used it in years. The fact that it's got security problems is one less reason to use it.

    --
    The higher the technology, the sharper that two-edged sword.
    1. Re:So do what most concerned individuals do ... by Antony.Muss · · Score: 0

      I mean if you just want a PDF viewer that works standalone and in Firefox, try Foxit Reader. Fast (very fast), lightweight and free for the download.
      In my experience Foxit is slower than Acrobat, because Acrobat can open a PDF that is only partially downloaded whereas Foxit needs to wait till the download finishes.
    2. Re:So do what most concerned individuals do ... by ScrewMaster · · Score: 1

      I guess I've never downloaded a PDF big enough to notice. I'll have to try that though. My biggest complaint about Adobe's reader is the time it takes to load the thing: Foxit comes up instantly, whereas Adobe has to load all kinds of extra modules. I know, I could turn most of that off but then you lose those extra features anyway.

      --
      The higher the technology, the sharper that two-edged sword.
  30. Re:The vulnerability is in Reader not the PDF form by Oswald · · Score: 2, Informative

    I'm not sure in what sense you use "canonical" here, but I also (and for the third time on Slashdot) highly recommend Foxit Reader. It's so good it actually makes you angry at Adobe for their shitware.

  31. Re:The vulnerability is in Reader not the PDF form by konigstein · · Score: 1

    I use foxit pdf reader. I'm not sure if it has all the functionality of adobe with forms and all, but it certainly opens much faster and does everything I need it to do.
    http://www.foxitsoftware.com/pdf/rd_intro.php

    --
    This space intentionally left blank
  32. Useful Features by hdon · · Score: 1

    Don't forget password-protection!

  33. preview? by Joseph_Daniel_Zukige · · Score: 1

    Apple's preview, of course, has a PDF reader. I wonder if it is vulnerable to this one, whatever it is.

  34. Mac OS affected or not? Linux? non-x86 object? by Joseph_Daniel_Zukige · · Score: 1

    Details! Details!

  35. linux readers, and disabling JS on linux by bcrowell · · Score: 1

    So in the interest of the public, what alternative PDF readers can people use?

    On Linux, I prefer to use xpdf as my Firefox plugin, simply because it loads extremely quickly. The UI is pretty primitive, however (think X Windows, 1985). For Gnome, the standard reader now seems to be evince. For KDE, it's kpdf.

    I spent some time websurfing for instructions on how to disable javascript in Adobe Reader 7 on Linux. I found a lot of pages claiming that you could do it via Edit>Preferences>JavaScript, but there was no such item in my preferences menu. What apparently does work on linux is this:

    cd ~/.adobe/Acrobat/7.0/JavaScripts
    rm glob.settings.js
    ln -s /dev/null glob.settings.js

    (I didn't have a pdf file containing js available to test it on -- does anyone know of one?) Even if you're not worried about this particular stack overflow, there's also a privacy issue: javascript support can be used to track who's reading a particular document.
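The comment above asks how to tell whether a PDF carries JavaScript at all. As an added example (not from any commenter), this sketch counts the PDF dictionary keys that declare scripts, automatic actions and external links in a file; the helper names and the constructed sample fragment are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: byte-level triage of a PDF for keys that declare active
# content. Keys checked (all defined in the PDF specification):
#   /JavaScript /JS   script actions
#   /OpenAction /AA   actions run on open or on other events
#   /Launch           launch of an external program or document
#   /URI              external links
# Output: one "KEY=COUNT" line per key that occurs. Empty output means no
# plain-text occurrence was found. This scan does not decode compressed
# streams or escaped name spellings, so an empty result is not proof that
# a file is inert.
# Returns 0 on success, 2 if the file cannot be read.

pdf_active_names() {
    pan_file=$1
    [ -r "$pan_file" ] || { echo "cannot read: $pan_file" >&2; return 2; }

    # Match a key only when the next byte ends the name, so that /JS does
    # not also count the start of /JavaScript.
    pan_hits=$(LC_ALL=C grep -a -o -E \
        '/(JavaScript|JS|OpenAction|AA|Launch|URI)([^A-Za-z0-9]|$)' \
        "$pan_file" || true)
    [ -n "$pan_hits" ] || return 0

    printf '%s\n' "$pan_hits" \
        | LC_ALL=C sed -e 's/[^A-Za-z]$//' -e 's|^/||' \
        | LC_ALL=C sort | uniq -c | awk '{print $2 "=" $1}'
}

# Constructed sample: a few PDF objects, not a complete or valid document.
# The script body is a harmless alert used only as test content.
make_constructed_sample() {
    mcs_file=$(mktemp) || return 1
    cat > "$mcs_file" <<'EOF'
%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
3 0 obj
<< /Type /Action /S /JavaScript /JS (app.alert\('constructed sample'\);) >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/) >> >>
endobj
EOF
    printf '%s\n' "$mcs_file"
}

# Demo: scan the constructed sample, then clean up.
demo_sample=$(make_constructed_sample)
pdf_active_names "$demo_sample"
rm -f "$demo_sample"
```

A file that reports `JavaScript` or `JS` is a candidate for checking whether the reader's JavaScript setting really is off.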

  36. Re:The vulnerability is in Reader not the PDF form by minvaren · · Score: 2, Informative

    One warning: test Foxit before deploying in a corporate environment. Foxit presumes full access to HKLM to work properly with IE/Outlook/etc..

    Other than that, Foxit is a very nice piece of software.

    --
    Big! Strong! Wow! Tada-O!
  37. Extensions? by SanityInAnarchy · · Score: 1

    Just use some sort of Noscript-like Firefox addon. What you're suggesting is like the old trick to disable Flash by renaming the file, and then renaming it back on the few sites you want it -- it's retarded, when there are simple extensions (add-ons) out there which let you control your plug-ins easily.

    --
    Don't thank God, thank a doctor!
  38. It is amazing how much M$ owns the broken meme ... by Zero__Kelvin · · Score: 2, Insightful

    "Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box."
    The keyword, as is so often the case with security vulnerabilities, is Windows. The real summary is that there is a flaw in Adobe Reader that allows a cracker to exploit a security vulnerability in Windows. In other words it is the same story, different day. When an application as simple as a reader can have a flaw in it that leads to a compromise of the OS, the security flaw is in the OS, not in the application.
    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  39. cheer up firefox users: by Anonymous Coward · · Score: 0

    If you're using FireFox, this can be mitigated quite nicely....I've been using the "NoScript" add-on for quite some time.

    A side benefit of using it is that it can be setup not to allow .PDF files to automatically open until the user has either permitted the server/domain, or has clicked on the .PDF placeholder to temporarily allow just that one document to open.

    Really nice tool once you've "trained" it on what sites and settings are required for your use.

  40. 0-day used incorrectly by Anonymous Coward · · Score: 0

    The term "zero day" is used incorrectly in the announcement and in this article. Zero day means "existed in the wild" before it was discovered. It means that there are known victimizations. Thus far, there are no known exploits in the wild, so this is NOT a zero-day exploit.

    Words mean something, and they should be used correctly, if we are to properly convey meaning.

  41. Hint to editors... by operagost · · Score: 4, Funny

    If the story's a day old before you report it, it's no longer a "zero-day" exploit.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
    1. Re:Hint to editors... by Anonymous Coward · · Score: 0

      Slashdot has editors?

  42. Re:The vulnerability is in Reader not the PDF form by AmiMoJo · · Score: 1

    Have you looked at the rendering quality of Foxit? It's very poor compared to both Adobe Reader and open source readers. The Firefox plug-in is broken too.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  43. Re:It is amazing how much M$ owns the broken meme by ScrewMaster · · Score: 1

    True enough. And I appreciate your use of the word cracker, not hacker. Nice to see someone that knows the difference.

    --
    The higher the technology, the sharper that two-edged sword.
  44. Re:The vulnerability is in Reader not the PDF form by Anonymous Coward · · Score: 0

    I agree. Foxit rendering is utter shite. If you don't mind your PDFs looking like something out of the early 90's printed on a dot matrix printer, go for foxit, but otherwise stick with the adobe reader. It's gotten a lot of bad rap in the past, but recently it's started to get decent again.

  45. Re:The vulnerability is in Reader not the PDF form by Anonymous Coward · · Score: 0

    This is different from what I remember it being in High School where it was a simple viewer...

    There are people who went to high school when Acrobat existed?

    Oh fuck, I'm old. It used to be "I remember back in High School when we found this cool RT-11 bug".

    Pass the porn and Geritol, I'll just sit here and drool...

  46. Re:It is amazing how much M$ owns the broken meme by the_humeister · · Score: 1

    As someone who is of European descent, I'm offended by your use of the term "cracker."

  47. This was never a 0Day... by JRHelgeson · · Score: 5, Informative

    This was an announcement of a vulnerability that was discovered in Adobe Acrobat. There is nothing 0day about it, and it will not ever and can not ever be a 0day. Period.

    The defining characteristic of 0day is the day an EXPLOIT is RELEASED, where such exploit also serves as the ONLY vendor notification of a bug being discovered. Every adult on this list understands the definition, but the kids can't seem to grasp the not-so-subtle nuance between a 0day and the discovery of a bug in someone else's code.

    This supposedly serious disclosure referred to in the article is a non-event, there was a "press release" about a supposedly serious flaw in PDF, there were no details, so therefore it doesn't even count as disclosure of a vulnerability as a whole.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  48. Mod parent up! by mrraven · · Score: 1

    Advertisers and corporations indeed turned Sir Berners Lee's original idea of the web as an open publishing medium into a rats nest of advertising and proprietary and security nightmare formats.

    --
    Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
  49. Re:It is amazing how much M$ owns the broken meme by Anonymous Coward · · Score: 0

    As someone who is of African descent, I'm offended by your European descent.

  50. Re:The vulnerability is in Reader not the PDF form by dsinc · · Score: 3, Informative

    Even better (i.e. MUCH faster): Sumatra PDF http://blog.kowalczyk.info/software/sumatrapdf/

  51. Re:It is amazing how much M$ owns the broken meme by ScrewMaster · · Score: 1

    ... and as someone of American descent, I'm just offended.

    Hah.

    --
    The higher the technology, the sharper that two-edged sword.
  52. Sumatra PDF by Raintree · · Score: 1

    "Sumatra PDF is a slim, free, open-source PDF viewer for Windows. It's small and starts up very fast. It's designed for portable use: it's just one file with no external dependencies so you can easily run it from external USB drive." http://blog.kowalczyk.info/software/sumatrapdf/

  53. Re:The vulnerability is in Reader not the PDF form by Anonymous Coward · · Score: 0

    I'm not sure in what sense you use "canonical" here
    He obviously wants to say that Foxit is all the rage with the clergy.
  54. Re:The vulnerability is in Reader not the PDF form by nwbvt · · Score: 4, Informative

    Foxit is also vulnerable to this, if you RTFA (including the comments made down in the blog). It's apparently not as bad there since you have to interact some with the document (it won't automatically just run), but I wouldn't advertise it as an alternative to prevent this vulnerability.

    --
    Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
  55. Re:The vulnerability is in Reader not the PDF form by Anonymous Coward · · Score: 0

    And FYI, KPDF is the KDE pdf reader
    But KDE users might still like to consider Evince. I normally hate Gnome applications, but Evince is miles ahead of any other free PDF viewer. It's the only one that actually antialiases line art, for example. It renders faster, too.
  56. Not a Zero-day by stickystyle · · Score: 2, Insightful

    I agree with the replies on bugtraq when this was announced earlier in the week, it is not a Zero-day. A zero day requires that the exploit be released AT THE SAME TIME AS THE VULNERABILITY. There was no exploit released, thus this is just a vulnerability, a big one, but not a zero-day.

    --
    Pluralitas non est ponenda sine neccesitate
  57. No pressure to fix it by Skapare · · Score: 1

    From TFA:

    The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available.

    So if Adobe never releases a fix, he will never release the details? That's rather open-ended. He should have set a reasonable timeline which includes a reasonable amount of time to fix the bug in all versions for all platforms (variable depending on the severity of the bug, but I cannot imagine this taking more than 60 days), plus time for people and IT departments to deploy the closed source changes (another 30 days at most). So a 90 day deadline, plus a couple more weeks to deal with the deployment during Christmas holidays, sounds about right. The details also need to be sequestered somewhere trustable that is beyond a US or UK court ordering some party to not release it, where it will be automatically released when the time comes.

    If open source PDF viewers are also vulnerable, they, too, need to be given the details immediately so they can implement and deploy a fix. Yeah, that means someone who has the "diff -ur" command on BSD or Linux can figure out what was changed in the source, and gain a nice clue about the exploit.

    --
    now we need to go OSS in diesel cars
  58. Re:The vulnerability is in Reader not the PDF form by Anonymous Coward · · Score: 0

    Ooh, do I detect a bitter Adobe employee? In my own experience (yeah, subjective, I know) Foxit's rendering quality is perfectly adequate...maybe if I squinted *really* closely I might notice that it doesn't have SubPixelPhongShaded Antialiasing or whatever the current state-of-the-art is, but to the casual eye it's certainly not "early 90's dot-matrix" quality. The VAST difference in speed more than makes up for any (theoretical) quality deficits. Face it, Adobe Reader has been a big, bloated resource hog since v.4, and nothing I've seen from Adobe suggests that'll change.

  59. Re:The vulnerability is in Reader not the PDF form by Nimey · · Score: 1

    if you RTFA


    You must be new here.
    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  60. Re:It is amazing how much M$ owns the broken meme by Nimey · · Score: 1

    that allows a cracker


    Fucking racist.
    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  61. Re:The vulnerability is in Reader not the PDF form by Anonymous Coward · · Score: 0

    KPDF has line art antialiasing too, if yours has not, you are using an old version.

  62. Re:Your Sig has a typo by justsomecomputerguy · · Score: 1

    Shouldn't that say "of" instead of "if"?

  63. Re:Your Sig has a typo by JRHelgeson · · Score: 1

    Yup, fixed
    Not sure how that slipped past the editors.

    Thanks
    -joel

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  64. Re:It is amazing how much M$ owns the broken meme by Anonymous Coward · · Score: 0

    Yes, because neither OSX nor Linux have any vulnerabilities.
    Oh, don't pay attention to the dozens and dozens of security updates that OSX and Linux get each month (OSX has gotten way more security updates this year than Windows); as long as you ignore them you can pretend they don't exist and that only Windows has vulnerabilities.

    Why don't you have the intellectual honesty to admit that your precious Linux and/or OSX have many many vulnerabilities, but the userbase is so small on those THAT NOBODY GIVES A DAMN.

    BTW, Vista is unaffected by this issue; yet more evidence that MS is improving security as time goes on, something that slashdotters are too scared or too dishonest to admit.

  65. who cares about turing complete by pQueue · · Score: 1

    If the program doesn't terminate just reset the printer after you get bored. Simple.

    1. Re:who cares about turing complete by bcrowell · · Score: 1
      If the program doesn't terminate just reset the printer after you get bored. Simple.
      A few problems with that:
      • On a shared printer, the user who printed may be out having Chinese food. Other people shouldn't be left guessing whether there's any point in letting his job continue to run.
      • You may be left wondering whether it ever would have printed anything.
      • The insolvability of the halting problem for Turing machines is just one example of a broader fact, which is that programs written in a Turing-complete language typically can't be machine-analyzed by any reliable, surefire algorithm. A program written in a Turing-incomplete language typically can be machine-analyzed. That has significant implications for security, for example. That's one reason that I'm not wild about the idea of embedding a Turing-complete language like JS into a language like PDF that was made Turing-incomplete by design.
  66. Re:The vulnerability is in Reader not the PDF form by Cochonou · · Score: 1

    In addition to that I hope Adobe clues in and realizes, Reader is there to READ AND DISPLAY PDFs and nothing else.

    Although it is true that there could be the need of a light version of the PDF reader, do not underestimate the flexibility and power brought by Acrobat javascript engine. Have a look at this API. For example, you can invert the page ordering with just a one-liner...
    Of course, not everyone needs this functionality. But not everyone needs the functionality of Excel, and it is still the dominant spreadsheet software.

  67. There's vulnerabilities and vulnerabilities. by argent · · Score: 1

    Windows has a number of components with APIs that are impossible, even in theory, to use securely with untrusted content, and for which no alternative can be expected to be available to a Windows application. This is different from "any operating system can have a buffer overflow".

    I've listed a few here and as I said in another message recently I'm absolutely appalled that people are still making up excuses for fundamental design flaws that should have been fixed a decade ago. And all these flaws are still in Vista, all the same components with the same APIs... and putting your easily exploited browser inside a leaky sandbox to "mitigate" the damage is like depending on the rhythm method to guard against AIDS. Not only is it unreliable, but if someone can compromise IE through the HTML control they don't *need* to get out of it to steal your credit card numbers and bank account passwords from a form sniffer.

    Security is like sex, once you're penetrated you're ****ed.

    As for the popularity argument... even in markets where Microsoft is in a minority they have still carried an inordinate percentage of the exploits. It's not because Windows is "popular", it's because Windows security is "badly designed".

    * Security zones should be labelled "insecurity zones".
    * No other OS *requires* a firewall simply to shut off access to essential internal services from the internet. NONE.
    * Having to use the equivalent of 'system' to run applications from a browser? You gotta be kidding.

    And that's just the high profile ones, the ones that have been exploited routinely. And what happens when someone finds a vulnerability? They blame the victim, arguing "yahoo instant messenger" should have "sanitized" third party HTML before passing it to the HTML control (for one recent example). Sanitized? Sanitizing a document you're passing to a turing-complete interpreter is equivalent to solving the halting problem. No, you idiots, they couldn't have "sanitized" it... Microsoft should have provided an API for calling the HTML control that didn't require "sanitization". No other bleeding HTML display engine out there defaults to granting documents full local user rights unless it guesses they're not in the "trusted zone".

    HELLO, PEOPLE, LET'S HAVE SOME BLOODY SANITY HERE.

    Security mechanisms MUST 'fail closed'. Not 'half open' (like Vista's reduced permissions scheme) or 'full open' (like security zones).

    I despair, really I do. What the HELL are people learning in college these days?

  68. Adjective inflation by AI0867 · · Score: 1

    It was a zero-day exploit until the moment he published it. The moment it becomes publicly known, it ceases to be a zero-day and turns into a simple unpatched vulnerability.

    Of course, that wouldn't be sensational enough for current media...

  69. Re:The vulnerability is in Reader not the PDF form by Anonymous Coward · · Score: 0

    Hmm. I've written a post about this possibility/claim before. However, I was running the two programs under wine, which may, but isn't too likely to, have changed the results. Plus, I don't think I've emphasized the fact that SumatraPDF is currently extremely feature-deprived enough.

  70. Re:The vulnerability is in Reader not the PDF form by tehcyder · · Score: 1

    I'm not sure in what sense you use "canonical" here, but I also (and for the third time on Slashdot) highly recommend Foxit Reader. It's so good it actually makes you angry at Adobe for their shitware.
    I don't think you need any external reason to be angry at Adobe, their software includes it as standard.
    --
    To have a right to do a thing is not at all the same as to be right in doing it
  71. Re:DO NOT CLICK LINK!!! by Anonymous Coward · · Score: 0

    Link contains an inline PDF loaded in an IFRAME which attempts to exploit this vulnerability.
    No it doesn't.

    (for the benefit of anyone viewing at -1 and not noticing that this bloke is entirely karma-free)