Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Confirms Unpatched PDF Backdoor

Posted by CmdrTaco on from the machines-wide-open dept.

50Mat writes "Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines. The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Window XP computers with Internet Explorer 7 installed. It affects Adobe Reader, Adobe Acrobat Standard, Professional and Elements and Adobe Acrobat 3D."

28 of 170 comments (clear)

  1. Unsupported workaround? by techpawn · · Score: 2, Interesting

    In a pre-patch advisory, Adobe offered a complicated (and unsupported) workaround for its customers
    So they want me to do what with my what? Isn't that like your mechanic telling you to do something but "if they ask, [they] didn't tell you"
    --
    Ask not what you can do for your country. Ask what your country did to you
  2. Re:browser or plugin issue by JcMorin · · Score: 3, Informative

    The browser should be secure by itself but when a plug-in is installed by the user (like Adobe Acrobat Reader) that plug-in can execute code and do pretty much what it what... so I would not blame IE7 for that. But I'm still happy to never have upgrade to IE7... yet.

  3. What About Foxit? by Lagged2Death · · Score: 4, Interesting

    I found Adobe Reader so slow, bloated, and annoying that I switched to Foxit Reader, which is much smaller and faster. Can anyone say if the vulnerability applies to Foxit as well?

    1. Re:What About Foxit? by Hatta · · Score: 2, Interesting

      I did too. But I found a pdf that when printed from foxit to my hp deskjet 1300 crashes XP hard. No blue screen, just a reboot without warning. Change the pdf reader, no crash. Change the printer, no crash. Odd. I'm wondering who I should report it to? HP or foxit?

      --
      Give me Classic Slashdot or give me death!
    2. Re:What About Foxit? by darkmeridian · · Score: 4, Informative

      Foxit has a related vulnerability that requires user interaction to run the arbitrary code. The Adobe version, of course, runs the arbitrary code without the vulnerability. You could say that Foxit doesn't have the same vulnerability but it comes from the same flaw.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    3. Re:What About Foxit? by msuarezalvarez · · Score: 4, Insightful

      I'm wondering who I should report it to? HP or foxit?

      To Microsoft. If a PDF reader can crash the OS, it's their bug.

    4. Re:What About Foxit? by JackRazz · · Score: 2, Informative

      Acrobat isn't bloated if you remove the plug-ins you don't use from 'C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins.' I just put a ~ in front of each plug-in filename to turn them off. I only use the eBook, EWH32, ImageViewer, Multimedia, PDDom, reflow Search, Search5 and weblink plug-ins. Acrobat loads up plenty fast on my older Athlon64 2Mhz PC.

  4. plus about running into this on Vista by dioscaido · · Score: 4, Informative

    If it's also vulnerable on IE7 + Vista, luckily IE7 runs with such limited privileges that the code execution won't be able to do anything other than writing to the internet temp folder. That is, if you haven't turned off UAC.

    1. Re:plus about running into this on Vista by wizardforce · · Score: 2, Funny

      If it's also vulnerable on IE7 + Vista, luckily IE7 runs with such limited privileges that the code execution won't be able to do anything other than writing to the internet temp folder. That is, if you haven't turned off UAC.
      get your free ringtones/[other garbage appealing to the less technically inclined] here!!!! and if you see a UAC window, just click ok to download!
      --
      Sigs are too short to say anything truly profound so read the above post instead.
    2. Re:plus about running into this on Vista by AeroIllini · · Score: 2, Insightful

      First Rule of Internet Security:

      People will install anything if it promises naked pictures.

      --
      For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
  5. Not a backdoor by Anonymous Coward · · Score: 5, Informative

    From the information available, this is just yet another security vulnerability.

    A backdoor is an intentional feature that one puts so that they can take over you computer.

  6. Microsoft shares the blame, Apple blindly copies. by argent · · Score: 3, Insightful

    URI and MIME type handling in both Windows and OSX is profoundly broken. It's second only to ActiveX in the opportunity for exploits... the basic problem is that when apps register handlers for local use (eg, 'help:' or '.chm') they are available to untrusted content by default. The fix is to have separate registries or separate flags that allow applications to explicitly register as handlers for internal use, or for use on untrusted documents.

  7. High RAM usage = human progress by CRCulver · · Score: 2, Funny

    Why do you hate civilization, you luddite?

  8. Sklyarov? by Speare · · Score: 4, Funny

    The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Window XP computers with Internet Explorer 7 installed.

    Did Adobe ask the feds to lock up the person who publicly disclose this flaw? Or do they just save that treatment for the publication of flaws in eBook products that blind people can't use in Russia?

    --
    [ .sig file not found ]
  9. Re:If it's only a problem on XP by JoelKatz · · Score: 5, Insightful

    From what I understand, and there isn't much in the way of technical details available, this is not an IE flaw. IE, correctly, doesn't assume that a URI is invalid just because it looks odd. This is correct, because there is no way IE can know if an URI for another protocol is valid or invalid. It is the responsibility of the target program to sanitize its input, knowing full well that it comes from an untrusted source.

  10. Re:solution by Victor+Antolini · · Score: 5, Informative

    Oh, I missed to point out what you missed. From http://www.foxitsoftware.com/pdf/rd_intro.php

    Foxit Reader itself is free. As to add-ons, the critical add-ons are free while advanced add-ons are non-free. For example, you can use the following functions for free:

    * View or print PDF document
    * Basic PDF form operations i.e. filling out PDF forms and printing them out
    * Advanced PDF form operations, such as saving filled-out forms and import/export forms, free for personal usage only
    * View PDF as text
    * Critical add-ons, such as UI language package, JPEG2000/JBIG decoder, CJK package, GDI+ for early Windows version, etc

    The followings are several examples of non-free, advanced add-ons:

    * Foxit Reader Pro Pack is not free. It includes the following functions:
    o Annotation
    o Text viewer and text converter
    o Form filler
    o Spell checker
    o Advanced editing tools, including loupe tool, measure tools, image tool, file attachment tool, link tools, annotation selection tool, and more

    Actually without Pro Pack, you are still able to annotate a PDF document and print it out. However when you save the annotated document, it will be stamped with an evaluation mark on the top-right corner of the annotated pages. If you purchase a Pro Pack add-on, then there will be no evaluation mark.

  11. Welcome... by sakdoctor · · Score: 5, Funny

    ...to hyphen hell! The rules - of style that apply to dashes - and hyphens - have evolved to support ease of reading in complex constructions; editors - often accept deviations - from them that will support, rather than --- hinder, ease of reading.

  12. Re:Please recommend a good non-adobe reader by Lisandro · · Score: 3, Informative

    The only one i've heard of (for Windows) is Foxit PDF reader, which is about 2mb - never tried it myself though. On linux, Evince works great, and had no issues with everything i've thrown at it.

  13. Re:Microsoft shares the blame, Apple blindly copie by jonwil · · Score: 3, Interesting

    Something else that IE (as of last time I looked anyway) and possibly other browsers get wrong is that they try to "guess" the content of the file instead of trusting that what the web server says the file is, the file actually is. If the web server says it is text/plain, it should be rendered as plain text even if it may happen to look like HTML. If the web server says it is image/gif, it should be fed to the gif image decoder.
    RFC 2161 (HTTP 1.1) section 7.2.1 clearly says that it is ok for a client to use the filename or content of a file to identify what file type it is (and therefore what to do with it) if and ONLY IF the server does not provide a Content-Type header.
    There have actually been security flaws in the past (and may still be even now) caused because different parts of IE have a different idea of what type the file is (in particular whether the file is executable or not)

    Then again, considering how many other standards Intercrap Exploder doesn't correctly follow (RFCs and otherwise), its hardly surprising that IE doesn't get this right.

    I do wonder if Gecko gets it right (and treats the Content-Type header as gospel) or if violates the RFC too.

  14. Re:Foxit by nurb432 · · Score: 2, Informative

    That also isnt 100% compliant.

    While i use it all the time since it is smaller and ligher ( acrobat reader is free too btw, so that isnt a good selling point ), i have noticed that somethings do NOT render properly.

    Have they fixed the weblink bug yet?

    --
    ---- Booth was a patriot ----
  15. Aaaaand... by dfdashh · · Score: 2, Funny

    the site is slashdotted. Here is the PDF'ed version of the article.

    --
    df -h /my/head
  16. Re:Interesting by Anonymous Coward · · Score: 2, Funny

    That's because no ones figured out how to install Acrobat on Vista yet.

  17. Re:If it's only a problem on XP by ozmanjusri · · Score: 2, Informative
    Well, I wonder why it's not a Vista issue. Is it because you get a UAC prompt before opening the stuff, or something else?

    Other security sites do call it a Vista issue. It looks like Vista is only OK if IE7 is running in protected mode.

    --
    "I've got more toys than Teruhisa Kitahara."
  18. Re:Microsoft shares the blame, Apple blindly copie by Fweeky · · Score: 2, Interesting

    Grr, that link should be opera:config#Trust%20Server%20Types -- Slashdot ate my #

  19. Re:solution by X0563511 · · Score: 2, Informative

    There are GPL versions of ghostscript. They are not as up-to-date though.

    The non-commercial licenced one gets new code first it seems.

    See here.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  20. Control me by suv4x4 · · Score: 3, Funny

    The irony of this page (click for 100% scale) is astounding.

    I had to snap a shot before Adobe pulls their ad.

  21. Re:Welcome... by Anonymous Coward · · Score: 4, Funny

    Shatner? Is that you?

  22. Pretty wide defintion of 'interaction' by Bearhouse · · Score: 3, Informative

    As someone kindly pointed out to me in an earlier, related post, "interaction" includes just opening the pdf in Foxit, (which I use, and works very well for simple pdf viewing & printing). Don't even have to fill in a form field. So, just as bad as an executable, then. BTW, use CutePDF Writer to make 'em, although many options exist, including Open Office..

    Alternatives?

    http://en.wikipedia.org/wiki/DjVu

    A great open source, (except under Windows, see Lizardtech), format for scanned files.

    Not for Mac users, tho', see:
    http://slashdot.org/article.pl?sid=06/02/20/1449226
    For a discussion of this and other pdf 'alternatives'. Still, 'security by obscurity'?

    Finally, no /. post complete without oblig. Wiki karma-whore:
    http://en.wikipedia.org/wiki/List_of_PDF_software