Zero-day Exploit in PDF With Adobe Reader

hankwang writes "Security researcher Petko Petkov, who is known for his recent discovery of a vulnerability with Quicktime in Firefox, claims to have discovered an exploit that allows arbitrary code execution when a maliciously crafted PDF document is opened in any version of Adobe Reader. Petkov did not disclose any technical details other than a video, but claims on his blog that Adobe has acknowledged the vulnerability. If this exploit goes wild, it could cause some serious problems, as PDFs are usually automatically opened from web browsers and widely used and trusted by corporate users."

xpdf etc

[eneville]

my xpdf brings all the boys to the yard and they're like, its better than yours

Re:xpdf etc

[shutdown+-p+now]

You are joking, right? Xpdf lacks all kinds of features useful in the corporate world. Forms that can be filled out is one. PDF is an open format, and Adobe publishes the standard for your convenience, but even after years of work Xpdf and offshoots like libpoppler still can't support much more than they did years ago.

While this is mostly true, I would like to point out that the most recent version of Evince (the one that ships with Gnome 2.20) supports PDF forms. Does this leave any piece of PDF functionality not yet implemented by FOSS readers?

Re:xpdf etc

[kebes]

Lacking features can be a good thing.

I think the sensible strategy, in terms of performance and security, is to use a lightweight minimalist PDF reader for 99% of your PDF needs, and then to only open up Adobe Acrobat when you absolutely need its extra features. Acrobat is a rather large program (some might say "bloated") and it supports a wide variety of features, plugins, etc. It's a fact of life that supporting all those additional features (which are rarely used in a document) increases the program's resource requirements, and make security vulnerabilities "more likely" (for every feature you add, there's another chance for a bug, and another attack vector).

So, again, I think the sensible strategy is to use a fast, minimalist PDF reader (which, hopefully, is simple enough that it fairly secure: that is, no plugins that can run arbitrary code). Then, when you encounter those PDFs that need those extra features, you load them using a Acrobat, assuming you trust them. In my experience, PDFs that use anything beyond the basic features are rare enough that this isn't much of a burden. It's a fallacy to think that every program that supports a given filetype needs to "do it all"--different programs have different uses.

Re:xpdf etc

[eggnoglatte]

what corporation actually makes use of forms? Only every single one I've ever worked for. Some government offices here in Canada also provide PDF forms for situations where you have to submit a printed version of the form in the end. You could achieve something similar with web forms, except the printed version would look different depending on browser. Sometimes a consistent formatting is a real advantage. So it is either PDF forms or Word, and given a choice between the two, I definitely vote for PDF.

smug

[ch0ad]

i bet it doesnt work with ubuntu's pdf viewer :p
/smug

about time i got modded as a troll neway

Re:smug

[doombringerltx]

If saying linux is more secure than windows is your idea of trolling slashdot, then you *really* must be new here

Re:smug

[astrosmash]

A lot of things don't work with Ubuntu's pdf viewer.

FYI: Vista not affected

[sid0]

From the blog:

"The vulnerability affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7. Windows Vista users are not affected."

Re:FYI: Vista not affected

[nwbvt]

Well yeah, it can't affect an operating system if no one is running it.

Sorry, couldn't resist.

Details Sorely Lacking

[SkiifGeek]

Yeah, the article is lacking in details, which is unfortunate. Here is a nice little summary of not only the article, but also the speculation and arguments that have formed around the claims on a number of mailing lists.

Re:The vulnerability is in Reader not the PDF form

[Nimey]

Foxit Reader is the canonical 3rd-party viewer for Windows: http://www.foxitsoftware.com/pdf/rd_intro.php

Macs have Preview, Linux has Evince and others.

Re:Foxit reader is a good substitute.

[Arkaic]

That may not be much better. According to a follow up comment by the discoverer of the exploit.

"Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit."

NOT a zero day exploit !

[promiscuous-mode]

It's not a zero-day exploit until Petko releases code for the script kids to use without having a patch/update from Adobe.

Re:Lacks details

[bcrowell]

On the other hand, if PDF is anything like PostScript here, and I believe it is, it is a programming language itself, which might lead to exploitable situations.
No. Postscript is a Turing-complete language. People have, e.g., written calculator programs in postscript, and implemented Conway's game of life in it. PDF is not Turing-complete, and that was an intelligent, intentional design decision. I think it had less to do with concerns about security than with not wanting to run a program on your printer without having any possible way to tell whether the program would ever terminate.

Re:Terminology Police!

[Bacon+Bits]

That's what I keep saying. A vulnerability is never zero day. An exploit is only zero-day if an in-the-wild exploit is discovered the same day that the software vendor and security communities become aware of it. Since this was posted as an undisclosed proof of concept three days ago, it is quite impossible for a zero day exploit to exist!

Hint to editors...

[operagost]

If the story's a day old before you report it, it's no longer a "zero-day" exploit.

Re:'Preview' and Mac OS X

[p0tat03]

As a side note... Preview does an incredibly good job with PDFs that Adobe themselves can't even do. Back when I was a Windows user exclusively, I always complained that the "official" reader was dog slow even on the fastest machines, and could not ever scroll smoothly through any slightly complex document.

Now that I've switched to Mac and use Preview, I realize this isn't Windows, it's just Adobe's incompetence. Preview is fast as hell and NEVER lags in any way, while Adobe Reader for the Mac is as slow and bloated as its Windows brethren.

This was never a 0Day...

[JRHelgeson]

This was an announcement of a vulnerability that was discovered in Adobe Acrobat. There is nothing 0day about it, and it will not ever and can not ever be a 0day. Period.

The defining characteristic of 0day is the day an EXPLOIT is RELEASED, where such exploit also serves as the ONLY vendor notification of a bug being discovered. Every adult on this list understands the definition, but the kids can't seem to grasp the not-so-subtle nuance between a 0day and the discovery of a bug in someone else's code.

This supposedly serious disclosure referred to in the article is a non-event, there was a "press release" about a supposedly serious flaw in PDF, there were no details, so therefore it doesn't even count as disclosure of a vulnerability as a whole.

Re:The vulnerability is in Reader not the PDF form

[nwbvt]

Foxit is also vulnerable to this, if you RTFA (including the comments made down in the blog). Its apparently not as bad there since you have to interact some with the document (it won't automatically just run), but I wouldn't advertise it as an alternative to prevent this vulnerability.