Slashdot Mirror


Critical Vulnerability In Adobe Reader

An anonymous reader writes "Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions using Adobe's Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader."

  1. For the uninformed: by Joe+Snipe · · Score: 5, Informative

    Foxit FTW

    --
    Sometimes, life itself is sarcasm...
    1. Re:For the uninformed: by Ethanol-fueled · · Score: 4, Informative
      Hey, that's my line. By the way,

      While investigating the feasibility of exploiting a vulnerability previously disclosed in Foxit Reader (CVE-2008-1104), a CoreLabs researcher found that Adobe Reader was affected by the same bug.

      Foxit users: don't panic. Though Foxit Reader v2.3 build 2825 is vulnerable, 2.3 builds 2912 and later are patched. Build 3309 is the current version available for download.

      ...with the privileges of a user running the Adobe Reader application.

      Which strongly implies that those affected will be Windows users with Administrator access.

    2. Re:For the uninformed: by JustinOpinion · · Score: 5, Informative

      Another option for PDF reading on Windows is Sumatra PDF (if you prefer open-source).

    3. Re:For the uninformed: by nine-times · · Score: 4, Insightful

      ...with the privileges of a user running the Adobe Reader application.

      Which strongly implies that those affected will be Windows users with Administrator access.

      It seems fair to worry even if you aren't running as admin. If a trojan PDF can run arbitrary code with privileges of the user running Adobe Reader, that's still enough to screw with that user's documents even if the user isn't an admin.

    4. Re:For the uninformed: by Zonk+(troll) · · Score: 5, Informative

      That might work on some or most files, but there still is no replacement for Acrobat.

      True, but we're getting closer. OpenOffice 3 now has a PDF Import extension, and of course for Windows there's PDFCreator (Gnome/KDE and OS X natively support printing to PDF).

      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
    5. Re:For the uninformed: by JustinOpinion · · Score: 5, Insightful

      Perhaps, but you can have multiple PDF readers installed. And in terms of security, it's usually best to use the simplest application that will work.

      So basically you could use FoxIt or Sumatra PDF to open most PDFs. And then for the rare one that uses some advanced stuff, you can fire up Acrobat. The fact is that most of the stuff that Acrobat supports that other PDF readers don't involves some kind of scripting. And really you shouldn't be running any scripts (even those that are, in principle, sandboxed) unless you have reason to trust them.

      So a sensible strategy would seem to be that you open 99% of PDFs with a simpler reader, and only use Acrobat on the few that really need it, and only if the source of the PDF is trustworthy in your estimation.

      (Yeah, I know... it's a bit of a pain to have multiple programs that do the same thing. In principle you "shouldn't have to" in the sense that your PDF reader should be secure. But in reality it seems like a reasonable precaution.)

    6. Re:For the uninformed: by IngeniousCognomen · · Score: 2, Informative

      Sure, Foxit is fine as far as it goes, but it runs slower than Adobe Reader on my PC. Plus Adobe lets me save as text, where Foxit expects me to pay for that functionality.

    7. Re:For the uninformed: by Anonymous Coward · · Score: 3, Informative

      I knew some guy would chime in recommending Foxit, but I'm surprised and glad to see a recommendation for Sumatra.

      Foxit is suffering from its own feature-creep and bloat-up issues (on a much smaller scale than Adobe's software, but still), so Sumatra is really what I _think_ everyone who chimes in with "Foxit" really means to recommend. It accurately renders PDFs. THAT'S IT.

    8. Re:For the uninformed: by internerdj · · Score: 5, Funny

      Slower than Adobe Reader? What does it do, steal all the cycles from neighboring computers as well?

    9. Re:For the uninformed: by bcrowell · · Score: 3, Informative

      That might work on some or most files, but there still is no replacement for Acrobat.

      Huh? I create PDFs all the time, and don't own a copy of Acrobat. I use pdftex and inkscape, but there's scads of other software that can do it, e.g., Scribus if you want GUI desktop publishing. This is all on linux, but there's tons of PDF-creating software on Windows as well.

    10. Re:For the uninformed: by Anonymous Coward · · Score: 5, Funny

      I know you're trying to look smart but export and import aren't the same thing.

    11. Re:For the uninformed: by spud603 · · Score: 3, Insightful

      This is exactly what I do in Mac OS X. Virtually always, I just open the PDF with Preview.app (part of the basic OS distribution). On the rare occasion that it won't open or is a form or something, I'll right-click>open with>Acrobat.app. Not much of a pain.
      I think it makes good sense to have a different app depending on what you need done. For instance, reading articles in PDF in Preview or Acrobat is a pain, and I'll use Skim.app for those.

    12. Re:For the uninformed: by Beardo+the+Bearded · · Score: 4, Informative

      there's tons of PDF-creating software on Windows as well.

      PDFCreator from sourceforge:
      http://sourceforge.net/projects/pdfcreator/

      It's a Windows printer that prints out your documents as PDFs.

      It's that easy.

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    13. Re:For the uninformed: by initdeep · · Score: 3, Informative

      if you rtfa, you would note that the current build of adobe reader isn't vulnerable either.

    14. Re:For the uninformed: by SleepingWaterBear · · Score: 3, Insightful

      The real solution is to open 100% of PDFs in a simpler reader, and refuse to tolerate PDFs that require scripting.

      Really, there's no good reason for a document viewer to have the bloat of Acrobat, and we shouldn't encourage Adobe by doing what they want.

    15. Re:For the uninformed: by c0p0n · · Score: 2, Informative

      Actually, well before that. But the parent said import.

      --

      Your head a splode
    16. Re:For the uninformed: by access.name · · Score: 2, Interesting

      Paradoxically, this vulnerability was found in Foxit first :) http://secunia.com/advisories/29941/

  2. Structural Issues by Anonymous Coward · · Score: 2, Funny

    Critical Vulnerability In Adobe

    You see, if you mix too much water into the mixture before it hardens, it is brittle and your dwelling will collapse on you ...

  3. Symptoms you've been attacked by Anonymous Coward · · Score: 3, Insightful

    Adobe Reader is very slow to load and freezes your browser. Yes, it's very difficult to tell.

  4. Single-purpose tools are good by davidwr · · Score: 5, Insightful

    Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

    If not, it should.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Single-purpose tools are good by Roland+Piquepaille · · Score: 5, Insightful

      Your remark leads to the general question: what business does a document viewer have trying to execute embedded Javascript scripts? A PDF file is essentially a PostScript file, so its content is supposed to be interpreted as a page description and nothing more.

      This is reminiscent of Microsoft's "executable" .DOC files that were used to spread viruses around years ago. This is what you get when you try to make a tool too clever for its own good.

    2. Re:Single-purpose tools are good by zalas · · Score: 2, Interesting

      They've already developed a lite version of their PDF renderer for their Digital Editions product, so they really should just distribute the renderer in that as a standalone product or something.

    3. Re:Single-purpose tools are good by bcrowell · · Score: 5, Informative

      Does Adobe Reader come with a "safe mode" with just plain old PDF enabled?

      To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

      Even if the js-related security bugs are fixed, it's still a privacy issue, because js in a pdf file can be used to track who's reading a particular document.

      Personally, when I see that a piece of software has a long history of security problems, I take that as my cue to remove it from my system. I don't really care that they keep fixing the bugs. The fact that it has this history demonstrates that the software wasn't written with the correct attention to security, and it's likely to have more such problems in the future.

      If you're running Linux, xpdf starts up extremely fast, and that's why I use it as my pdf plugin in Firefox. If you want something a little more modern, try evince.

      People have posted saying that on Windows, you should switch to Foxit, but the article says that the security flaw was found first in Foxit, and only later in Adobe Reader. I actually tried to get the science division at the community college where I teach to switch to putting Foxit on machines in the student labs as the default pdf plugin. However, when the faculty were testing it, they found that it was not correctly displaying some of the pdfs they were using.
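
The triage several comments in this thread describe (open PDFs in a simple reader, keep a scripting-capable one for the few files that need it), as an added example that is not part of any comment: a Python check that flags PDFs carrying JavaScript actions before they are opened. The sample byte strings are constructed, the check is purely lexical, and encrypted files are reported as `unknown` rather than cleared.

```python
import re
import zlib

SCRIPT_NAMES = {"JS", "JavaScript"}   # names used by a JavaScript action
AUTORUN_NAMES = {"OpenAction", "AA"}  # actions fired on open or on page events

# A PDF name is "/" followed by anything except whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as /JavaScript."""
    decoded = HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def names_in(data: bytes) -> set:
    return {decode_name(m.group(1)) for m in NAME_RE.finditer(data)}


def triage_pdf(data: bytes) -> dict:
    """Report whether a PDF carries JavaScript and whether it can auto-run."""
    found = names_in(data)
    unreadable = 0
    for match in STREAM_RE.finditer(data):
        try:
            # Flate-compressed object streams can hold the action dictionary.
            inflated = zlib.decompressobj().decompress(match.group(1))
            found |= names_in(inflated)
        except zlib.error:
            unreadable += 1  # image data or another filter; not inspected
    if found & SCRIPT_NAMES:
        verdict = "script"
    elif "Encrypt" in found:
        verdict = "unknown"  # strings and streams are unreadable without the key
    else:
        verdict = "no-script"
    return {
        "verdict": verdict,
        "autorun": bool(found & AUTORUN_NAMES),
        "unreadable_streams": unreadable,
    }


# Constructed sample fragments (not real documents).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_ESCAPED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
)
SAMPLE_PACKED = (
    b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /JavaScript /JS (placeholder) >>")
    + b"\nendstream\nendobj\n"
)
SAMPLE_ENCRYPTED = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R /Encrypt 9 0 R >>\n"

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                        ("packed", SAMPLE_PACKED), ("encrypted", SAMPLE_ENCRYPTED)]:
        print(label, triage_pdf(blob))
```
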

    4. Re:Single-purpose tools are good by Randle_Revar · · Score: 2, Informative

      JS in PDFs is silly IMO, but I have to point out that PS (but not PDF) is a Turing-complete language.

      http://www.tinaja.com/post01.asp

    5. Re:Single-purpose tools are good by Thundersnatch · · Score: 4, Interesting

      Sure, JavaScript is pointless in a PDF viewer and should be disabled, but it is worth noting that PostScript itself is a programming language. It has conditionals, functions, loops, etc. I myself once hand-coded a PostScript program to draw a high-res graph of a particular function for a class back in college. This 1K file basically owned the imagesetter in the print lab for about 45 minutes while it rendered at 1200 dpi.

      If I recall correctly, there were even a couple of postscript exploits back in the 1990s that could "brick" Apple LaserWriters.

    6. Re:Single-purpose tools are good by erikdalen · · Score: 2, Informative

      Postscript is a stack based programming language. PDF was afaik originally designed to be a simpler format for just describing page layout. But then they've extended it to be able to include javascript for programming and embedding videos, flash and all sorts of stuff (sounds like HTML...).

      http://en.wikipedia.org/wiki/PostScript

      --
      Erik Dalén
  5. Which again... by slapout · · Score: 4, Insightful

    ...begs the question "Why Does Adobe Reader Need Javascript"??

    --
    Coder's Stone: The programming language quick ref for iPad
    1. Re:Which again... by andrewd18 · · Score: 4, Informative

      I create PDF order forms for my company that our salesmen e-mail to customers; these javascript-enabled PDF order forms dynamically enable or disable options as the user customizes an order. For example, if the user picks option A, sub-options A1 -> A5 are automatically enabled, while B1 -> B5 are disabled. And that's why you might want javascript in a PDF.

    2. Re:Which again... by TimeTraveler1884 · · Score: 2, Interesting

      "Why Does Adobe Reader Need Javascript"??

      I've written scripts for Adobe Acrobat Professional to interleave PDFs of scans from my single-duplex, automatic document feeder scanner. Can you believe that there are companies out there that charge $100 or so to do the same task with a plugin? Took me 15 min to write it in JavaScript myself.

      As far as Reader though, I've seen some web-fill state tax forms that use Javascript for field validation.

    3. Re:Which again... by Anonymous Coward · · Score: 5, Insightful

      You are part of the problem.

    4. Re:Which again... by Nimey · · Score: 5, Informative

      It raises the question, godsdamnit. Here's what "begging the question" actually means:

      http://en.wikipedia.org/wiki/Begging_the_question

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    5. Re:Which again... by ZERO1ZERO · · Score: 2, Interesting
      Yeah. I noticed that. I understand when not to use 'begging/begs the question' when meaning 'raises the question' . But I have read that wiki page before, and I just read it again, but it still makes no sense to me. Can someone please explain in plain english when one *would* use the phrase begging the question?

      "That begs the question" is an appropriate reply when a circular argument is used within one syllogism. That is, when the deduction contains a proposition that assumes the very thing the argument aims to prove; in essence, the proposition is used to prove itself, a tactic which in its simplest form is not very persuasive.

      I mean, what the fuck?

    6. Re:Which again... by syousef · · Score: 2, Insightful

      It raises the question, godsdamnit. Here's what "begging the question" actually means:

      Originally you're correct. The common idiom has changed to reflect a more intuitive meaning. Language changes over time. YOU are the one failing to deal with it.

      --
      These posts express my own personal views, not those of my employer
    7. Re:Which again... by MyLongNickName · · Score: 2, Insightful

      From your link:

      "More recently, to beg the question has been used by some to mean "to raise the question", or "the question really ought to be addressed". [7] An example of such a use would be, "This year's budget deficit is half a trillion dollars. This begs the question: how are we ever going to balance the budget?" Although proponents of the traditional meaning will criticize this formally incorrect usage, it has nonetheless come into widespread use and in informal contexts may actually be the more common use of the term. The phrases circular reasoning, circular logic, and circular arguments have come to be used in places where logicians would tend to use "beg the question"."

      So, it would appear that language changes over time.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  6. You can have it, hackers by Sneftel · · Score: 4, Funny

    Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader.

    The main privileges being the privilege of waiting thirty seconds to view text, followed closely by the privilege of a crashed web browser.

    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  7. How soon we forget best practices by richrumble · · Score: 3, Informative

    98% of virii/malware etc need ADMIN to succeed... and very few applications on windows, save a very small percentage, actually need admin. The User Group is good enough for the wife/kids and my sales staff, lowers TCO even for M$. We don't use installed AV clients, we scan remotely nightly, run proxy+av along with snort, no issues. Users can use runas http://xinn.org/RunasVBS.html if need be, but they probably won't need to. Anti-Admin VS Anti-Virus, and AA wins! http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html -rich

  8. HATE Adobe by Forty+Two+Tenfold · · Score: 2, Interesting

    What I hate about them most is their labeling the file types in windows: "Adobe PDF, Adobe SVG, Adobe PNG". WHAT THE FUCK! This should be prosecuted.

    --
    Upward mobility is a slippery slope - the higher you climb the more you show your ass.
  9. Is this hole cross platform compatible? by Biff+Stu · · Score: 2, Insightful

    Adobe is one of the best when it comes to cross-platform compatibility and the hole is based on Javascript...

    And yes, I did RTFA.

  10. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  11. Re:Out of curiosity... by Randle_Revar · · Score: 2

    I guess after they took Turing-completeness out of PS to make PDF, they wished they hadn't, and somehow thought JS was better than PS.

  12. Re:An alternative? by cparker15 · · Score: 3, Informative

    Web page?

    --
    Have you driven a fnord... lately?

  13. Scripting is useful, but.... by Anonymous Coward · · Score: 2, Informative

    Scripting is great, as it allows you to generate dynamic content, perform validation, etc. It enables better PDF presentations and forms and cute little tools. In short, javascript benefits PDF in the same ways it benefits (X)HTML.

    However, like macro languages in word processors & like javascript in webbrowsers, scripting in PDF viewers needs to be hardened against unintended consequences.

    "No javascript in PDF" is a very poor solution. Few people disable javascript in their browsers. Even the fairly paranoid will just run "noscript" & will then decide (for themselves and on a case-by-case basis) when scripting is desired and trustworthy.

    1. Re:Scripting is useful, but.... by Obfuscant · · Score: 3, Insightful
      "No javascript in PDF" is a very poor solution.

      No javascript in pdf is an excellent solution. It's a DOCUMENT, not a video game or word processor or anything else. You don't get javascript on a paper printout; you don't need javascript in the electronic version of a paper printout.

      Few people disable javascript in their browsers.

      I do. Most javascript in web pages is useless and needless and a waste of computer cycles. If you want to calculate something, do it on YOUR SERVER and send me the result.

      It's a crutch used by poor web designers to add glitz to content-less pages.

      I caught a major cell-phone company using javascript to provide log-in security for their account access web pages. Since I had javascript turned off, I had access to anyone's account I wanted. I told them what I was doing and they didn't believe it, until I started telling the account manager I was talking to what his minute balance and last payment was. THEN he got interested.

      ... scripting in PDF viewers needs to be hardened against unintended consequences.

      Much better that pdf authors spend the time properly identifying their documents with title and author information. I have US Government produced pdfs where the "title" of the document is "Microsoft preview -- C:\some\file\name\that\is\meaningless.doc" and the author is even stupider. Leave out the fancy crap until you can properly identify your documents, ok?

      You need evidence that javascript on web pages is useless? Try Yahoo. I go to my Yahoo mail page and a big, time-wasting page tells me that I have javascript turned off, click here for the OLD version of mail -- which is exactly where I was trying to get to in the first place, damn it!

      And get off my lawn...

  14. Miserable Retards by ewhac · · Score: 4, Insightful
    Frankly, this should be actionable. There is no excuse for this stupidity any longer.

    When I install a new piece of software, the first place I go is to the preferences panel to see if there are any stupid/broken settings that need to be fixed (or, too often, fixed again after an upgrade). I can't remember which version it originally showed up in, but when I saw the checkbox for JavaScript in Acrobat Reader, my jaw hit the floor.

    "Are you people fscking morons? Did you learn nothing from the exploits and problems caused by JavaScript in Web browsers? Hell, forget Web browsers; Microsoft Word became a virus/trojan platform because the Special-Needs Children who apparently design all their software thought it would be tEh k00l to embed macros in what is fundamentally a static document."

    Every time some would-be clever person adds a macro language or other executable logic to a document format, the result is "unexpected" worms, viruses, and security breaches. Every God-damned time.

    This is not an honest mistake. This is negligent engineering, and someone needs to lose a lot of money over it before the lesson sinks in.

    Schwab

  15. Re:For the uninformed: there is an "off" switch by lpq · · Score: 2, Interesting

    Why complicate your life with multiple readers....sure, if you really want to -- especially if you _like_ their interface better, but for the supposed sake of security? On a feature that should be off most of the time anyway? With more readers on your system, you have more 'active code' that your computer is regularly exposed to -- isn't there a risk with an increased code base? Sure, Adobe Reader would be more likely to be attacked than other pdf readers, but it's probably 'tested' by a few more users every day.

    But um,..."portable documents"...they are like books -- why would you turn "on" scripting in the 1st place in adobe reader? I've never found a need for it. Ever. Then again maybe I'm not downloading gyrating pdf's either....? *shrug*...dunno.