Adobe Confirms Unpatched PDF Backdoor

50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Window XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."

Re:browser or plugin issue

[JcMorin]

The browser should be secure by itself but when a plug-in is installed by the user (like Adobe Acrobat Reader) that plug-in can execute code and do pretty much what it what... so I would not blame IE7 for that. But I'm still happy to never have upgrade to IE7... yet.

plus about running into this on Vista

[dioscaido]

If it's also vulnerable on IE7 + Vista, luckily IE7 runs with such limited privileges that the code execution won't be able to do anything other than writing to the internet temp folder. That is, if you haven't turned off UAC.

Not a backdoor

From the information available, this is just yet another security vulnerability.

A backdoor is an intentional feature that one puts so that they can take over you computer.

Re:solution

[nine-times]

Cheaper? Foxit Reader for Windows is listed as $39.00.

Adobe Acrobat Reader is free. How is that cheaper? Am I missing something?

Re:solution

[Victor+Antolini]

Oh, I missed to point out what you missed. From http://www.foxitsoftware.com/pdf/rd_intro.php

Foxit Reader itself is free. As to add-ons, the critical add-ons are free while advanced add-ons are non-free. For example, you can use the following functions for free:

* View or print PDF document
* Basic PDF form operations i.e. filling out PDF forms and printing them out
* Advanced PDF form operations, such as saving filled-out forms and import/export forms, free for personal usage only
* View PDF as text
* Critical add-ons, such as UI language package, JPEG2000/JBIG decoder, CJK package, GDI+ for early Windows version, etc

The followings are several examples of non-free, advanced add-ons:

* Foxit Reader Pro Pack is not free. It includes the following functions:
o Annotation
o Text viewer and text converter
o Form filler
o Spell checker
o Advanced editing tools, including loupe tool, measure tools, image tool, file attachment tool, link tools, annotation selection tool, and more

Actually without Pro Pack, you are still able to annotate a PDF document and print it out. However when you save the annotated document, it will be stamped with an evaluation mark on the top-right corner of the annotated pages. If you purchase a Pro Pack add-on, then there will be no evaluation mark.

Re:Please recommend a good non-adobe reader

[Lisandro]

The only one i've heard of (for Windows) is Foxit PDF reader, which is about 2mb - never tried it myself though. On linux, Evince works great, and had no issues with everything i've thrown at it.

Re:Foxit

[nurb432]

That also isnt 100% compliant.

While i use it all the time since it is smaller and ligher ( acrobat reader is free too btw, so that isnt a good selling point ), i have noticed that somethings do NOT render properly.

Have they fixed the weblink bug yet?

Re:What About Foxit?

[darkmeridian]

Foxit has a related vulnerability that requires user interaction to run the arbitrary code. The Adobe version, of course, runs the arbitrary code without the vulnerability. You could say that Foxit doesn't have the same vulnerability but it comes from the same flaw.

Re:If it's only a problem on XP

[ozmanjusri]

Well, I wonder why it's not a Vista issue. Is it because you get a UAC prompt before opening the stuff, or something else?

Other security sites do call it a Vista issue. It looks like Vista is only OK if IE7 is running in protected mode.

Re:solution

[X0563511]

There are GPL versions of ghostscript. They are not as up-to-date though.

The non-commercial licenced one gets new code first it seems.

See here.

Re:What About Foxit?

[JackRazz]

Acrobat isn't bloated if you remove the plug-ins you don't use from 'C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins.' I just put a ~ in front of each plug-in filename to turn them off. I only use the eBook, EWH32, ImageViewer, Multimedia, PDDom, reflow Search, Search5 and weblink plug-ins. Acrobat loads up plenty fast on my older Athlon64 2Mhz PC.

Pretty wide defintion of 'interaction'

[Bearhouse]

As someone kindly pointed out to me in an earlier, related post, "interaction" includes just opening the pdf in Foxit, (which I use, and works very well for simple pdf viewing & printing). Don't even have to fill in a form field. So, just as bad as an executable, then. BTW, use CutePDF Writer to make 'em, although many options exist, including Open Office..

Alternatives?

http://en.wikipedia.org/wiki/DjVu

A great open source, (except under Windows, see Lizardtech), format for scanned files.

Not for Mac users, tho', see:
http://slashdot.org/article.pl?sid=06/02/20/1449226
For a discussion of this and other pdf 'alternatives'. Still, 'security by obscurity'?

Finally, no /. post complete without oblig. Wiki karma-whore:
http://en.wikipedia.org/wiki/List_of_PDF_software

Re:What About Foxit?

It almost certainly is the printer driver, and yeah you can't really blame MS for this. The NT kernel architecture is basically monolithic and kernel-space driver code is largely trusted, because that gives you good performance; Linux takes the same approach. (Microkernels with well-isolated subsystems e.g. Minix cope rather better in this sort of situation, but the performance cost is significant.)

Actually this might also be an exploitable bug ...