Adobe PDF Exploits In the Wild
mambosauce writes "Brian Krebs, via the Security Fix blog, is reporting that the recent PDF vulnerabilities which were patched only for Adobe Reader 8 and not 7 are being exploited via banner ads. As if there haven't been enough banner ad attacks this year, now we have another one targeting one of the most popular applications in the world this weekend. At this rate there won't be many safe applications left to use."
That's what foxit and kpdf are for.
Don't use Adobe Reader.
And IE isn't already in this category?
[Windows User] WUZZAT?
You have a multitude of applications, varying versions of operating systems, and scores of browser versions out there.
Is it REALLY any surprise that there are security holes like this? The miracle is that there aren't MORE.
Note: I'm NOT saying that these holes aren't a bad thing and shouldn't be patched. But this idiotic notion of a "safe" app just irks the shit outta me.
The only "safe" app is one that has absolutely no interaction with other programs or the user whatsoever. (IOW it don't exist.)
Chas - The one, the only.
THANK GOD!!!
I recently received an email spam with a PDF (not the file.xxx.exe I normally see in such emails), I figured that was one of the exploit files.
Some vague "Your Account" message from "Bank Trust" from some 3rd party email with the Manual_Invoice.pdf attachment. 134k
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
This is just another addition to the mounting list of reasons I block most banner ads. Why should I download something that could be dangerous, and adds no value to my browsing experience? I manually un-block certain sites I know to have decent levels of quality assurance in their ads (Penny Arcade, Slashdot, for example). I'd much rather directly micropay for content than be served completely worthless ads anyhow.
Whack a Catgirl: You know you want to!
-- http://thegirlorthecar.com funny dating game for guys
that I got from Acrobat 8 today and it downloaded really slow. Still it is good to know that it is being patched fairly quickly.
...there were web browsers that allowed you to block certain types of code, or had extensions that would perform a similar function...
This is NOT "Adobe PDF Exploits In the Wild" but rather "Adobe Acrobat Reader Exploits In the Wild". The problem is in Reader, not in PDF. That's like calling Outlook scripting worms "email viruses". Oh, wait, blame the technology, not the software. Sorry, I forgot.
It is dangerous to be right when the government is wrong.
Whatever some companies might want to imply, the solution will not be anything called Silverlight. It would be like replacing Photoshop, because of some vulnerability, with Excel...
There are plenty of free software programs to use. The issue here has to do with proprietary software restrictions on user's freedoms to inspect, share, and modify programs. Just because Adobe is unwilling to modify older versions of their PDF reader doesn't mean their users should be restricted from doing so.
Digital Citizen
I bought and paid for a license for Adobe Acrobat v6. Where's my update? I have no plans whatsoever to pay for an upgrade that consists of bloatware just to get a security fix. The manufacturer, Adobe in this case, should be liable for this flaw since it has now been pointed out to them. For all vulnerable versions.
Seriously, Adobe Reader has gotten huge in terms of file size, when compared to xpdf/kpdf/foxit/etc. I'm wondering if someone can explain to me what all this extra code is for? Obviously it must be doing something, but personally I've never seen the difference.
Nemilar http://www.techthrob.com - Visit Me!
It would be a much better world if software engineering would grow up and would be kept to the same standards as "proper" engineering though.
Foxit is so much faster and less of a resource hog than Adobe Reader.
It also doesn't work. For example, two-page documents generally start with page 1 on the right, yet in two-page mode Foxit insists on displaying pages 1 and 2 together, 3 and 4 together, etc. I discovered this when I tried it after seeing comments like the parent and GP posts, and also discovered that there have been bugs logged on this for eons but no-one seems to care about fixing it. The software was uninstalled from my PC within two minutes of installing it and filed under "beyond hope".
One of these days, people on Slashdot will realise that something that is free/or more secure is still worthless if it doesn't actually do the job it's supposed to do.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I don't know what the extra code is doing, but given the fact that only one of those alternatives you offered works in Windows, (ordinary) people's options are severely limited.
The article doesn't say explicitly, but I'm assuming this is related to the fact that the default configuration of AR will execute javascript that's embedded in pdf files. This is both a privacy issue (people can track readers) and a security issue (more than one stack overflow bug has been discovered that's related to js). To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".
There have been a lot of posts along the lines of "why the hell even use AR?" Well on Linux, I actually have Firefox set to open pdf files in xpdf, because it's faster, and I also habitually use xpdf to view pdf files when I'm not in a browser. (Evince is a little slower, but a little more full-featured and modern.) But I also have a copy of AR 8 installed on my Linux box, because it has some features that I find really useful once in a while, and also I want to be able to test my pdf files sometimes and make sure they'll look right for AR users. It's one of only two proprietary apps I have on my machine, the other being Flash. It would be great if the OSS community could produce a pdf viewer that was just a little more full-featured than Evince. (Flash is a whole different issue -- many of the things Gnash can't do, it can't do because of patents.)
Find free books.
Rather, both kpdf and acroread.
The main reason I have acroread is because I can -- it's one less program people can whine about not having on Linux, and you never know when I'll run into something kpdf can't handle.
But I also have it because it has one feature I dearly wish kpdf did: the ability to rotate the rendered PDF. Take a widescreen, clamshell laptop/notebook, turn it on its side, and let a page of a book fill the screen, and you have a pretty nice eBook reader.
Don't thank God, thank a doctor!
Your options will always be extremely limited if you restrict yourself to only one OS.
Maybe I misunderstood... but who the hell uses .pdf for banner ads anyway?
I, for one, would also recommend other readers. The most recent incarnation of Adobe Reader is even slower than before, and they took a perfectly usable interface and messed it up.
Whatever happened to, "If it ain't broke, don't fix it!"??
So the banner serves a pdf which runs some javascript that uses a hole to install a trojan? Surely the user will be prompted by the browser to ask whether they want to open the pdf to begin with? Unless it was a pdf that the user was actually after that was tampered with, why would anyone open an unknown pdf accidentally? I suppose there are always the click-happy who will open anything...
Visit ssjx.co.uk
Adobe appears to be moving away from PDF as "electronic paper" to "all singing all dancing Internet Document". You can now embed movies, audio, and javascript in PDF to make some sort of "active document". Personally, I think PDF has jumped the shark.
True. I usually run at least 6 boxes at a time, just to cover all the major operating systems. I'd never want to be without the software clones I need!
People have been doing this with Flash (another now-Adobe product) for ages. One flash ad redirects you to a second flash widget on a malicious website to get around Adobe's lame attempts at cross-site protection, and that second flash ad gives you the business.
Malware, that is. Intarweb gold. Russian tea.
"At this rate there won't be many safe applications left to use."
One can only hope this comes to pass. Perhaps if mostly everything on the planet is compromised people will actually care enough to do something about it.
---- Booth was a patriot ----
> Take a Project Gutenberg text file (or any text file), throw it into your favorite word
> processor/page layout program, choose a nice body font, give it some reasonable margins,
> stick page # footers in, then export it all out to a PDF. Fire up Acrobat Reader, set the
> background color to a nice cream color, rotate the page 90 degrees, hit fullscreen...
Seems like a lot of wasted effort. Why not just use xrandr to rotate the display?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
DRM, most likely.
Funny that I should read this headline RIGHT NEXT to an Adobe Acrobat ad being run on /.
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
the page layout (right vs left) is hardly a major issue when it concerns Foxit, a PDF -reader-. I can fully understand if you want it to work correctly for a PDF authoring app, so that it comes out the printer the way you see it on screen, but geeze.
It's like calling ThunderBird "beyond hope" because the thunderbird team appear to be unwilling to fix the folder rename issue on the Windows platform (renaming "Test" to "test" will tell you that it already exists. durrr. https://bugzilla.mozilla.org/show_bug.cgi?id=92165 - July 2001. )
That said, next version (there's always a next version) of Foxit should have this implemented a la Adobe's Reader. If it is, then that's implemented a whole lot quicker than the aforementioned asinine TB bug ( http://www.foxitsoftware.com/bbs/archive/index.php/t-192.html - September 2005 ), although I agree that it should have been implemented in an afternoon's work (even done dirtily so by inserting a blank invisible page in the page array).
Their various forms of DRM come to mind
Damn kids.
I had to upgrade from Acrobat Reader 6 to 7 at work, more than a year ago. My memory is hazy and repressed but this is what I seem to remember.
First you downloaded the upgrade installer for 7.0. It rebooted the computer. Then 7.0 started up, and downloaded the upgrade installer for 7.0.1. Then it rebooted the computer. Then 7.0.1 started up, and downloaded the upgrade installer for 7.0.2. Then it rebooted the computer. Then 7.0.2 started up, and downloaded the upgrade installer for 7.0.3. Then it rebooted the computer. Then 7.0.3 started up, and downloaded the upgrade installer for 7.0.4. Then it rebooted the computer.
My current laptop has 7.0.4. Before I attempt to upgrade to 8.1.2, maybe one of you can let me know if my prediction is right:
First you download the upgrade installer for 8.0. Then it reboots the computer. Then 8.0 starts up, and downloads the upgrade installer for 8.1. Then it reboots the computer. Then 8.1 starts up, and downloads the upgrade installer for 8.1.1. Then it reboots the computer. Then 8.1.1 starts up, and downloads the upgrade installer for 8.1.2. Then it reboots the computer and congratulations, you can safely surf the web without someone turning off your antivirus using a hole in Adobe Acrobat Reader!
I can barely wait to get started.
Interesting that people still use it that much. It is so much bloat now that it's kind of a bust.
While Touretzky prefaces his page on the subject with "Computer professionals who have examined these mechanisms have found them easy to defeat", I miss something able to decrypt or print the latest crop -- where APDFPR says
Yet I see some nicely decrypted ones floating around. E.g. (one of many, for purely instructional purposes): ISBN 0387954775 here. Having the eBook and the etx.etd file I guess that should in principle be possible, but how's that done in practice?
A long time ago, I learned that Acrobat Reader is so damn slow to launch because of all the crap plugins that are loaded with it. I couldn't remember exactly which of the various modules I removed, but a quick Google gave me this: http://dwtips.com/2006/06/17/how-to-speed-up-pdf-loading-with-adobe-acrobat/ It looks like the same type of instructions that I followed way back when.
John
Or, do like a lot of people, and have a dual boot setup. I run Linux the vast majority of the time (over 98%), but for that 2% of the time I need something that I can't run in Wine, I have a small XP install to use.
For Joe and Jane Sixpack, PDF=Acrobat, www=IE. Saying that other readers/browsers are safe is irrelevant for the majority of people.
Engineering is the art of compromise.
Anyway, if you remove any of those files from your Reader/plug_ins folder, Acrobat Reader won't load them at launch time. It speeds up loading time of ordinary PDFs tremendously.
What I really really don't understand is why Acrobat Reader doesn't dynamically load those plug-ins only upon demand? Seriously, why does it need to bring in any of that extra code just to display a catalog page from a web site? Digital signatures? If the PDF doesn't have one, I don't need to load the code to verify it. Accessibility? I'm not handicapped, I don't need or use a screen reader, ever. eBooks? I've never bought one, and probably won't for many years to come. And I never, ever, ever want to let a PDF send an email. That's just WRONG.
It's a tremendous load of crap, made worse by their "always load, just in case" philosophy.
John
SumatraPDF is a free, open source PDF reader for Windows.
It is light-weight, ~1 megabyte.
http://blog.kowalczyk.info/software/sumatrapdf/
Hmm, I also had Acrobat 7.09 on my system, but since I killed all the upgrade/patch stuff it never upgraded to 8. I downloaded version 8 from Adobe and it replaced version 7 for me. But now it tells me I have to reboot my system. Having to close my Firefox is bad enough, and now I've got to reboot... they've got to be kidding.
Flash isn't an Adobe *developed* product. It was originally created by Macromedia.
Were that I say, pancakes?
Cue all the mac fan boys;
- Dan
I use it because the model manuals I use have embedded 3d graphics:
http://www.youtube.com/watch?v=F2dKBYRQj68
It's nice when you can grab a part and spin it virtually to see exactly how the assembly should look.
I'd rather you do it wrong, than for me to have to do it at all.
It just doesn't have some features you would like.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Where did I say that Flash was an Adobe developed product?
Reader seems to be able to overwrite the current version, but if you have a damaged version of an older Reader installed (5, 6, 7) you have serious issues trying to get rid of those things.
Does anyone have good resources for removing old versions of Adobe Reader manually?
Adobe's website comes up pretty much empty when looking for cleanup tools.
There are no atheists when recovering from tape backup.
Acrobat/Reader actually has a huge amount of customer requirements. For example it can display and render forms, interact with web services/databases, display 2d/3d annots, display flash/wmv/quicktime movies, play sounds etc, and sign/create digital signatures. It also has a javascript engine.
Funny thing is - if you remove all those extra plugins so that it has as much functionality as kpdf and foxit reader it has a smaller memory footprint and loads faster than either.
Unfortunately, popular e-Book software requires Reader 7 instead of a newer version (or other PDF readers), preventing many people from upgrading, which is part of why this horribly outdated and vulnerable software is still in use.
It does have a two-page side-by-side display, which is what I need.
However, that feature does not work like the corresponding features of other software products, or indeed the accepted standard for centuries in real world publishing. You can call that a missing feature all you like, but it's still a bug to anyone who wants to use the feature that's already there, and as the Foxit forums demonstrate, there are a lot of such people.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.