Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-day Exploit in PDF With Adobe Reader

Posted by CowboyNeal on from the be-on-alert dept.

hankwang writes "Security researcher Petko Petkov, who is known for his recent discovery of a vulnerability with Quicktime in Firefox, claims to have discovered an exploit that allows arbitrary code execution when a maliciously crafted PDF document is opened in any version of Adobe Reader. Petkov did not disclose any technical details other than a video, but claims on his blog that Adobe has acknowledged the vulnerability. If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."

14 of 188 comments (clear)

  1. The vulnerability is in Reader not the PDF format by NevarMore · · Score: 3, Insightful

    It's still a big effing deal, because Reader is the most accessible and widely used PDF viewer out there.

    So in the interest of the public, what alternative PDF readers can people use?

    In addition to that I hope Adobe clues in and realizes, Reader is there to READ AND DISPLAY PDFs and nothing else. The last time I installed it under XP on my office workstation it wanted to shovel a bunch of crap into the tray and seemed to have a lot more cruft than it needed to. This is different from what I remember it being in High School where it was a simple viewer so the customers who paid for Acrobat had an easy way to tell their readers how to open the PDFs. It has since morphed into a product instead of just a utility.

  2. Re:Foxit reader is a good substitute. by Arkaic · · Score: 5, Insightful

    That may not be much better. According to a follow up comment by the discoverer of the exploit.

    "Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit."

  3. Re:Possible mitigation? Comments by Simias · · Score: 2, Insightful

    I'm not sure how the plugin works, but if the binary isn't setuid, changing its owner will be useless, since it will run with the privileges of the browser (i.e. probably yours), not those of the owner.

  4. Re:xpdf etc by eneville · · Score: 2, Insightful

    You are joking, right? Xpdf lacks all kinds of features useful in the corporate world. Forms that can be filled out is one. PDF is an open format, and Adobe publishes the standard for your convenience, but even after years of work Xpdf and offshoots like libpoppler still can't support much more than they did years ago. what corporation actually makes use of forms? isn't that what html is ok for? if one wants to do a form, why not have a code hook that can validate the form data before printing. in most cases, i bet people send the whole pdf to print rather than just the page with the form, so it's probably better all round to keep forms on the web, where most people can get to it.
    --
    Why UNIX?
  5. Re:xpdf etc by kebes · · Score: 5, Insightful

    Lacking features can be a good thing.

    I think the sensible strategy, in terms of performance and security, is to use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features. Acrobat is a rather large program (some might say "bloated") and it supports a wide variety of features, plugins, etc. It's a fact of life that supporting all those additional features (which are rarely used in a document) increases the program's resource requirements, and make security vulnerabilities "more likely" (for every feature you add, there's another chance for a bug, and another attack vector).

    So, again, I think the sensible strategy is to use a fast, minimalist PDF reader (which, hopefully, is simple enough that it fairly secure: that is, no plugins that can run arbitrary code). Then, when you encounter those PDFs that need those extra features, you load them using a Acrobat, assuming you trust them. In my experience, PDFs that use anything beyond the basic features are rare enough that this isn't much of a burden. It's a fallacy to think that every program that supports a given filetype needs to "do it all"--different programs have different uses.

  6. Re:xpdf etc by Anonymous Coward · · Score: 1, Insightful

    Maybe someday when acroread stops consuming 100% cpu if left minimized for a few hours, I'll use it. Until then, xpdf is my reader of choice.

  7. Re:xpdf etc by cortana · · Score: 3, Insightful

    DRM, execution of JavaScript code and selective toggling of layers.

  8. It is amazing how much M$ owns the broken meme ... by Zero__Kelvin · · Score: 2, Insightful

    ""Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box."
    The keyword, as is so often the case with security vulnerabilities, is Windows . The real summary is that there is a flaw in Adobe Reader that allows a cracker to exploit a security vulnerability in Windows . In other words it is same story, different day. When an application as simple as a reader can have a flaw in it that leads to a compromise of the OS, the security flaw is in the OS , not in the application.
    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  9. Re:xpdf etc by p0tat03 · · Score: 2, Insightful

    Lacking features can be a good thing.

    Not accusing of anything, but this is altogether too often used by FOSS advocates to justify the lack of features or polish.

    use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features

    The security issues still remain - all an attacker has to do is disguise his PDF as a PDF form and shabam, your employees fall hook, line, sinker, and your network is now compromised. A pinhole in a submarine will still let water in, even if 99% of the rest of the surface is perfectly sealed.

  10. Re:xpdf etc by ogrizzo · · Score: 2, Insightful

    Comments!!!! Acrobat's ability to add comments to pdf files is one of the few things that make me ever think about using OSX (I cannot think of anything that would make me wish to run Windows, though :)

    It looks like it's a planned feature of evince.

  11. Re:xpdf etc by Planesdragon · · Score: 2, Insightful

    Yes, that company was Microsoft, but that doesn't change the fact that they threatened to sue them over its inclusion for "antitrust reasons" (read: It would hurt the sales of Acrobat). Yes, it does. If you don't have a monopoly, it means nothing. (Ever notice how Adobe doesn't care that OpenOffice has PDF output?)
  12. Re:xpdf etc by zCyl · · Score: 3, Insightful

    at least xpdf does respect the restriction flags in PDFs. For example, it won't let you print a PDF if the no-print flag is set.

    An intentional defect is not a feature.
  13. Not a Zero-day by stickystyle · · Score: 2, Insightful

    I agree with the replies on bugtraq when this was announced earlier in the week, it is not a Zero-day. A zero day requires that the exploit be released AT THE SAME TIME AS THE VENERABILITY. There was no exploit released, thus this is just a venerability, a big one, but not a zero-day.

    --
    Pluralitas non est ponenda sine neccesitate
  14. Re:xpdf etc by Yvan256 · · Score: 3, Insightful

    I was a sysop of my own BBS, back in 91. we didnt have pdf back then, but most people could understand how to reply to a text application just fine.
    And back then, people who used computers knew how computers work.

    This is 2007, where people don't even know the differences between .txt, .rtf, .doc, .pdf or .html