Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-day Exploit in PDF With Adobe Reader

Posted by CowboyNeal on from the be-on-alert dept.

hankwang writes "Security researcher Petko Petkov, who is known for his recent discovery of a vulnerability with Quicktime in Firefox, claims to have discovered an exploit that allows arbitrary code execution when a maliciously crafted PDF document is opened in any version of Adobe Reader. Petkov did not disclose any technical details other than a video, but claims on his blog that Adobe has acknowledged the vulnerability. If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."

48 of 188 comments (clear)

  1. xpdf etc by eneville · · Score: 5, Funny

    my xpdf brings all the boys to the yard and they're like, its better than yours

    --
    Why UNIX?
    1. Re:xpdf etc by CRCulver · · Score: 2, Informative

      You are joking, right? Xpdf lacks all kinds of features useful in the corporate world. Forms that can be filled out is one. PDF is an open format, and Adobe publishes the standard for your convenience, but even after years of work Xpdf and offshoots like libpoppler still can't support much more than they did years ago.

    2. Re:xpdf etc by eneville · · Score: 2, Insightful

      You are joking, right? Xpdf lacks all kinds of features useful in the corporate world. Forms that can be filled out is one. PDF is an open format, and Adobe publishes the standard for your convenience, but even after years of work Xpdf and offshoots like libpoppler still can't support much more than they did years ago. what corporation actually makes use of forms? isn't that what html is ok for? if one wants to do a form, why not have a code hook that can validate the form data before printing. in most cases, i bet people send the whole pdf to print rather than just the page with the form, so it's probably better all round to keep forms on the web, where most people can get to it.
      --
      Why UNIX?
    3. Re:xpdf etc by shutdown+-p+now · · Score: 4, Informative

      You are joking, right? Xpdf lacks all kinds of features useful in the corporate world. Forms that can be filled out is one. PDF is an open format, and Adobe publishes the standard for your convenience, but even after years of work Xpdf and offshoots like libpoppler still can't support much more than they did years ago.
      While this is mostly true, I would like to point out that the most recent version of Evince (the one that ships with Gnome 2.20) supports PDF forms. Does this leave any piece of PDF functionality not yet implemented by FOSS readers?
    4. Re:xpdf etc by kebes · · Score: 5, Insightful

      Lacking features can be a good thing.

      I think the sensible strategy, in terms of performance and security, is to use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features. Acrobat is a rather large program (some might say "bloated") and it supports a wide variety of features, plugins, etc. It's a fact of life that supporting all those additional features (which are rarely used in a document) increases the program's resource requirements, and make security vulnerabilities "more likely" (for every feature you add, there's another chance for a bug, and another attack vector).

      So, again, I think the sensible strategy is to use a fast, minimalist PDF reader (which, hopefully, is simple enough that it fairly secure: that is, no plugins that can run arbitrary code). Then, when you encounter those PDFs that need those extra features, you load them using a Acrobat, assuming you trust them. In my experience, PDFs that use anything beyond the basic features are rare enough that this isn't much of a burden. It's a fallacy to think that every program that supports a given filetype needs to "do it all"--different programs have different uses.

    5. Re:xpdf etc by eggnoglatte · · Score: 5, Informative

      what corporation actually makes use of forms? Only every single one I've ever worked for. Some government offices here in Canada also provide PDF forms for situations where you have to submit a printed version of the form in the end. You could achieve something similar with web forms, except the printed version would look different depending on browser. Sometimes a consistent formatting is a real advantage. So it is either PDF forms or Word, and given a choice between the two, I definitely vote for PDF.
    6. Re:xpdf etc by thrawn_aj · · Score: 2, Interesting

      I think the sensible strategy, in terms of performance and security, is to use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features. Acrobat is a rather large program (some might say "bloated") and it supports a wide variety of features, plugins, etc.

      People have different definitions of "bloat". Mine is when you have to clutter up your system with more than one application to d the same job. Besides, I'm of the opinion that it's alright to use the incredibly fast and high-RAM computers of today to run these application without being stingy about resources for every single thing (unless it actually does slow down your system). While I've pitied the users who have 16 things in their system tray that eat up resources (Acrobat does this too btw, with its quick load helper service), it is also true that today's systems are built for multi-tasking in a way that is frequently not taken full advantage of, especially by power users who pride themselves on choosing efficient programs (which is great!) and getting rid of bloat (while at the same time having several different programs that have overlapping functions).

      I also like how given ONE zero-day sploit from acrobat reader and we have the usual gurus predicting doom and calling on corporations to switch to xpdf (if it wasn't so ridiculous as to be funny, I'd be concerned :P) and "why do we need pdf forms anyway when you can have html forms?".

    7. Re:xpdf etc by cortana · · Score: 3, Insightful

      DRM, execution of JavaScript code and selective toggling of layers.

    8. Re:xpdf etc by eneville · · Score: 2

      what corporation actually makes use of forms? Only every single one I've ever worked for. Some government offices here in Canada also provide PDF forms for situations where you have to submit a printed version of the form in the end. You could achieve something similar with web forms, except the printed version would look different depending on browser. Sometimes a consistent formatting is a real advantage. So it is either PDF forms or Word, and given a choice between the two, I definitely vote for PDF. perhaps there is a use for pdf forms, however, the world span perfectly ok before their existence, and i'm sure it will spin just fine without it. what i do think, however, is that there is little calll for them. if a consistent formatting is required, then i suggest sending out a plain text file and request that it is filled in, it's something that i seriously can't see much of a requirement for. sorry.
      --
      Why UNIX?
    9. Re:xpdf etc by p0tat03 · · Score: 2, Insightful

      Lacking features can be a good thing.

      Not accusing of anything, but this is altogether too often used by FOSS advocates to justify the lack of features or polish.

      use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features

      The security issues still remain - all an attacker has to do is disguise his PDF as a PDF form and shabam, your employees fall hook, line, sinker, and your network is now compromised. A pinhole in a submarine will still let water in, even if 99% of the rest of the surface is perfectly sealed.

    10. Re:xpdf etc by VGPowerlord · · Score: 2, Informative

      Adobe recently threatened to sue a company that wanted to include PDF output into their word processor.

      Yes, that company was Microsoft, but that doesn't change the fact that they threatened to sue them over its inclusion for "antitrust reasons" (read: It would hurt the sales of Acrobat).

      PDF isn't an open standard. If you want to implement it, Adobe apparently retains the right to sue you for it at any time.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    11. Re:xpdf etc by shutdown+-p+now · · Score: 3, Informative

      DRM, execution of JavaScript code and selective toggling of layers.
      No idea about the rest, but at least xpdf does respect the restriction flags in PDFs. For example, it won't let you print a PDF if the no-print flag is set. Of course, it being open source, it is easily disabled, and some distros disable it in their packages (I recall Gentoo was doing so).
    12. Re:xpdf etc by ogrizzo · · Score: 2, Insightful

      Comments!!!! Acrobat's ability to add comments to pdf files is one of the few things that make me ever think about using OSX (I cannot think of anything that would make me wish to run Windows, though :)

      It looks like it's a planned feature of evince.

    13. Re:xpdf etc by Planesdragon · · Score: 2, Insightful

      Yes, that company was Microsoft, but that doesn't change the fact that they threatened to sue them over its inclusion for "antitrust reasons" (read: It would hurt the sales of Acrobat). Yes, it does. If you don't have a monopoly, it means nothing. (Ever notice how Adobe doesn't care that OpenOffice has PDF output?)
    14. Re:xpdf etc by zCyl · · Score: 3, Insightful

      at least xpdf does respect the restriction flags in PDFs. For example, it won't let you print a PDF if the no-print flag is set.

      An intentional defect is not a feature.
    15. Re:xpdf etc by BillyBlaze · · Score: 3, Informative

      Heh, KPDF has a checkbox for whether you want it to respect that DRM. Um, no thanks. (There's also a compile-time option to make it mandatory, for the wussier binary distros.)

    16. Re:xpdf etc by Yvan256 · · Score: 3, Insightful

      I was a sysop of my own BBS, back in 91. we didnt have pdf back then, but most people could understand how to reply to a text application just fine.
      And back then, people who used computers knew how computers work.

      This is 2007, where people don't even know the differences between .txt, .rtf, .doc, .pdf or .html

  2. smug by ch0ad · · Score: 4, Funny

    i bet it doesnt work with ubuntu's pdf viewer :p
    /smug

    about time i got modded as a troll neway

    1. Re:smug by doombringerltx · · Score: 4, Funny

      If saying linux is more secure than windows is your idea of trolling slashdot, then you *really* must be new here

    2. Re:smug by astrosmash · · Score: 5, Funny

      A lot of things don't work with Ubuntu's pdf viewer.

      --
      ENDUT! HOCH HECH!
  3. The vulnerability is in Reader not the PDF format by NevarMore · · Score: 3, Insightful

    It's still a big effing deal, because Reader is the most accessible and widely used PDF viewer out there.

    So in the interest of the public, what alternative PDF readers can people use?

    In addition to that I hope Adobe clues in and realizes, Reader is there to READ AND DISPLAY PDFs and nothing else. The last time I installed it under XP on my office workstation it wanted to shovel a bunch of crap into the tray and seemed to have a lot more cruft than it needed to. This is different from what I remember it being in High School where it was a simple viewer so the customers who paid for Acrobat had an easy way to tell their readers how to open the PDFs. It has since morphed into a product instead of just a utility.

  4. FYI: Vista not affected by sid0 · · Score: 4, Informative

    From the blog:

    "The vulnerability affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7. Windows Vista users are not affected."

    1. Re:FYI: Vista not affected by nwbvt · · Score: 4, Funny

      Well yeah, it can't affect an operating system if no one is running it.

      Sorry, couldn't resist.

      --
      Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
  5. Foxit reader is a good substitute. by Zaphod-AVA · · Score: 3, Informative

    The Foxit PDF reader is pretty great, and I often recommend it to my clients. Not only will it be a good temporary fix for this exploit, but it opens PDF documents very quickly.

    Windows:
    http://www.download.com/Foxit-PDF-Reader/3000-2079_4-10634896.html?tag=lst-0-1

    Linux:
    http://www.foxitsoftware.com/pdf/desklinux/

    1. Re:Foxit reader is a good substitute. by Arkaic · · Score: 5, Insightful

      That may not be much better. According to a follow up comment by the discoverer of the exploit.

      "Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit."

    2. Re:Foxit reader is a good substitute. by jambarama · · Score: 2, Informative

      Even lighter and faster than foxit: Sumatra PDF Reader . It is Windows only but runs fine in Wine. Since TFA has no details, I can't say if Sumatra is also vulnerable, but for me it beats foxit.

  6. Details Sorely Lacking by SkiifGeek · · Score: 4, Interesting

    Yeah, the article is lacking in details, which is unfortunate. Here is a nice little summary of not only the article, but also the speculation and arguments that have formed around the claims on a number of mailing lists.

    --
    InfoSec that matters, when it counts.
  7. Re:The vulnerability is in Reader not the PDF form by Nimey · · Score: 5, Informative

    Foxit Reader is the canonical 3rd-party viewer for Windows: http://www.foxitsoftware.com/pdf/rd_intro.php

    Macs have Preview, Linux has Evince and others.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  8. NOT a zero day exploit ! by promiscuous-mode · · Score: 4, Informative

    It's not a zero-day exploit until Petko releases code for the script kids to use without having a patch/update from Adobe.

  9. For firefox users... by nwbvt · · Score: 3, Informative

    "If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."

    If you are using firefox, there is a simple way around this. Just install the PDF download add-on, its also helps avoid the problems involving the embedded PDF plugin crashing your browser.

    --
    Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
  10. As an asside: by T-Ranger · · Score: 3, Interesting

    Does anyone here think that embedding Acrobat into a browser is a good idea? Ignoring the plethora of stupid people who use PDF when HTML would work better, even.

  11. Re:Possible mitigation? Comments by Simias · · Score: 2, Insightful

    I'm not sure how the plugin works, but if the binary isn't setuid, changing its owner will be useless, since it will run with the privileges of the browser (i.e. probably yours), not those of the owner.

  12. Re:Terminology Police! by Anonymous Coward · · Score: 2, Funny

    Ok you're in charge of policing the expression "zero-day exploit", and I'll take care of "defective by design". Good hunt.

  13. Re:Lacks details by RAMMS+EIN · · Score: 3, Informative

    The summary makes me think it is some kind of stack smashing attack; probably an integer overflow. These can occur in the PDF parsing code, before you even have to look at features like scripting. On the other hand, if PDF is anything like PostScript here, and I believe it is, it is a programming language itself, which might lead to exploitable situations.

    Also, an integer overflow was recently found and fixed in xpdf. This could be the same bug.

    --
    Please correct me if I got my facts wrong.
  14. Enough! by Valtor · · Score: 2, Interesting

    I am convinced that we will not escape sandboxing every process in the not too distant future. Enough is enough, I don't think we will ever feel secure about any software any time soon.

    --
    "Sockets are the standard networking API, also useful for stopping your eyes from falling onto your cheeks" zeromq.org
  15. Re:Lacks details by bcrowell · · Score: 4, Informative

    On the other hand, if PDF is anything like PostScript here, and I believe it is, it is a programming language itself, which might lead to exploitable situations.
    No. Postscript is a Turing-complete language. People have, e.g., written calculator programs in postscript, and implemented Conway's game of life in it. PDF is not Turing-complete, and that was an intelligent, intentional design decision. I think it had less to do with concerns about security than with not wanting to run a program on your printer without having any possible way to tell whether the program would ever terminate.

    --
    Find free books.
  16. Landmines of the Internet by JewGold · · Score: 2, Informative

    PDFs have long been known as 'landmines of the Internet' for their long load times and the fact so many websites don't mark links as PDF so you never know when you're going to 'trip' over one.

    It looks like Adobe is just kicking their reputation up a notch.

    --
    Is this a news report or a trailer for a motion picture?
  17. Re:I second this by 0xygen · · Score: 2, Informative

    Sadly this not 100% true.. I *am* a FoxIt user, but recently came across an issue.

    FoxIt does not seem to cache the page you are looking at, it appears to re-render the whole thing every time you move it.

    So, when you have an engineering drawing with only a few thousand vector lines on a page, it slows down to about a tenth of the speed of Reader 8.1.

    Now I have both installed, much to my annoyance - before seeing this, FoxIt was the one!

  18. Re:The vulnerability is in Reader not the PDF form by Oswald · · Score: 2, Informative

    I'm not sure in what sense you use "canonical" here, but I also (and for the third time on Slashdot) highly recommend Foxit Reader. It's so good it actually makes you angry at Adobe for their shitware.

  19. Re:Terminology Police! by Bacon+Bits · · Score: 4, Informative

    That's what I keep saying. A vulnerability is never zero day. An exploit is only zero-day if an in-the-wild exploit is discovered the same day that the software vendor and security communities become aware of it. Since this was posted as an undisclosed proof of concept three days ago, it is quite impossible for a zero day exploit to exist!

    --
    The road to tyranny has always been paved with claims of necessity.
  20. Re:The vulnerability is in Reader not the PDF form by minvaren · · Score: 2, Informative

    One warning : test Foxit before deploying in a corporate environment. Foxit presumes full access to HKLM to work properly with IE/Outlook/etc..

    Other than that, Foxit is a very nice piece of software.

    --
    Big! Strong! Wow! Tada-O!
  21. It is amazing how much M$ owns the broken meme ... by Zero__Kelvin · · Score: 2, Insightful

    ""Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box."
    The keyword, as is so often the case with security vulnerabilities, is Windows . The real summary is that there is a flaw in Adobe Reader that allows a cracker to exploit a security vulnerability in Windows . In other words it is same story, different day. When an application as simple as a reader can have a flaw in it that leads to a compromise of the OS, the security flaw is in the OS , not in the application.
    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  22. Hint to editors... by operagost · · Score: 4, Funny

    If the story's a day old before you report it, it's no longer a "zero-day" exploit.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  23. Re:'Preview' and Mac OS X by p0tat03 · · Score: 4, Informative

    As a side note... Preview does an incredibly good job with PDFs that Adobe themselves can't even do. Back when I was a Windows user exclusively, I always complained that the "official" reader was dog slow even on the fastest machines, and could not ever scroll smoothly through any slightly complex document.

    Now that I've switched to Mac and use Preview, I realize this isn't Windows, it's just Adobe's incompetence. Preview is fast as hell and NEVER lags in any way, while Adobe Reader for the Mac is as slow and bloated as its Windows brethren.

  24. This was never a 0Day... by JRHelgeson · · Score: 5, Informative

    This was an announcement of a vulnerability that was discovered in Adobe Acrobat. There is nothing 0day about it, and it will not ever and can not ever be a 0day. Period.

    The defining characteristic of 0day is the day an EXPLOIT is RELEASED, where such exploit also serves as the ONLY vendor notification of a bug being discovered. Every adult on this list understands the definition, but the kids can't seem to grasp the not-so-subtle nuance between a 0day and the discovery of a bug in someone else's code.

    This supposedly serious disclosure referred to in the article is a non-event, there was a "press release" about a supposedly serious flaw in PDF, there were no details, so therefore it doesn't even count as disclosure of a vulnerability as a whole.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  25. Re:The vulnerability is in Reader not the PDF form by dsinc · · Score: 3, Informative

    Even better (i.e. MUCH faster): Sumatra PDF http://blog.kowalczyk.info/software/sumatrapdf/

  26. Re:The vulnerability is in Reader not the PDF form by nwbvt · · Score: 4, Informative

    Foxit is also vulnerable to this, if you RTFA (including the comments made down in the blog). Its apparently not as bad there since you have to interact some with the document (it won't automatically just run), but I wouldn't advertise it as an alternative to prevent this vulnerability.

    --
    Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
  27. Not a Zero-day by stickystyle · · Score: 2, Insightful

    I agree with the replies on bugtraq when this was announced earlier in the week, it is not a Zero-day. A zero day requires that the exploit be released AT THE SAME TIME AS THE VENERABILITY. There was no exploit released, thus this is just a venerability, a big one, but not a zero-day.

    --
    Pluralitas non est ponenda sine neccesitate