Slashdot Mirror


Adobe Flaw Heightens Risk of Malicious PDFs

snydeq writes "Security companies warn of a new flaw in version 9 of Adobe Reader and Acrobat that could compromise PCs merely by the opening of a malicious PDF. Although attacks are not yet widespread, hackers are exploiting the flaw in the wild, gaining control of computers via buffer overflow conditions triggered by the opening of specially crafted PDFs." Adobe is calling the flaw "critical" and says a patch for Reader 9 and Acrobat 9 will be released by March 11.

  1. What about Foxit? by PotatoFarmer · · Score: 2, Insightful

    TFA doesn't mention whether or not Foxit is affected. If not, it's just one more reason to avoid the bloatware that is Reader.

    1. Re:What about Foxit? by jetsci · · Score: 4, Informative

      This is Slashdot. Right so far. We are mostly alternative OS users, i.e., Linux, *BSD, OSX, etc. (sorry OS2 users). Right again. These articles are annoying in that they are so very broad. It's like the typical American-slashdotter who assumes the "Government" refers to the U.S. only in any context. This article presumes the user base is that of Windows users. Why not specify this is a ****OS NAME HERE***** issue? The article says this is a Windows XP SP3 issue. Great, that's nice to know, but I shouldn't be presented with an article that makes me think I need to go and update/remove Adobe from my Debian machine. Pure FUD. FUD' beyond belief! /rant

      --
      Bored at work? Play Game!
    2. Re:What about Foxit? by InsertWittyNameHere · · Score: 5, Funny

      Foxit has compatibility problems because it doesn't have all of the features of Adobe Reader 9.

      For example it doesn't open the specially crafted PDFs our clients send us at work, which are thoughtfully secured with AntivirusXP2009

    3. Re:What about Foxit? by pipatron · · Score: 4, Funny

      I use AmigaOS, you insensitive clod.

      --
      c++; /* this makes c bigger but returns the old value */
    4. Re:What about Foxit? by Anonymous Coward · · Score: 5, Informative

      The problem is a buffer overflow + using javascript to fill the overflow with shell code (which is OS/CPU specific). I just did a test on x86 linux and acrobat reader for linux is affected as well.

    5. Re:What about Foxit? by jetsci · · Score: 3, Funny

      I left you guys out on purpose...

      --
      Bored at work? Play Game!
    6. Re:What about Foxit? by A.+B3ttik · · Score: 4, Informative

      Sumatra PDF Reader is Open Source, less than half the size of Foxit (1/15th the size of Acrobat) and has search, text-read, copy-paste, and plenty of keyboard shortcuts. It's very quick and streamlined and makes Foxit look bloated in comparison.

      Right now it's windows only, unfortunately.

      http://blog.kowalczyk.info/software/sumatrapdf/index.html

    7. Re:What about Foxit? by horza · · Score: 3, Informative

      Where in the article does it say this is a WindowsXP SP3 issue? The Adobe official site clearly states "Platform: All platforms". The shadowserver site says they tested it works with WindowsXP SP3, not that it's restricted to this.

      Phillip.

    8. Re:What about Foxit? by staryc · · Score: 2, Funny

      Since we're obviously over-generalizing a typical slashdot reader's reading/interpreting habits, isn't it safe to assume that most of us skip ahead and read the article ourselves anyway?

      --
      The most perfidious way of harming a cause consists of defending it deliberately with faulty arguments. - Nietzsche
    9. Re:What about Foxit? by PotatoFarmer · · Score: 4, Informative

      On the other hand, the actual advisory from Adobe states that the issue affects all platforms. You'd think they'd be the ones to know best, right?

    10. Re:What about Foxit? by stonewallred · · Score: 5, Informative

      the "nice" feature on this is that you can copy and paste protected documents.

    11. Re:What about Foxit? by Anonymous Coward · · Score: 2, Funny

      Strange, I saw a pretty good review of this AV software on PCMag...

    12. Re:What about Foxit? by terrahertz · · Score: 2, Interesting

      Except that breaks the ability to use chapter-like bookmark links from one PDF to another, which are frequently used in business contexts. So another reminder: Lock your corporate user accounts down as far as you can, because they are going to need every stupid little feature in the world, even if it kills them (and you).

      --
      Slashdot? Oh, I just read it for the articles.
  2. Well.. by phrackwulf · · Score: 3, Insightful

    Guess I'm going back to Adobe 5.1 again. And yes, I still have the install.

    --
    What would Richard Feynman do, if he were here right now? He'd do some math and he'd follow through!
    1. Re:Well.. by andymadigan · · Score: 2, Informative

      It comes up faster because it's always running.

      --
      The right to protest the State is more sacred than the State.
  3. Sigh... still no basic sandboxing by Ed+Avis · · Score: 5, Interesting

    And why exactly does Adobe Reader run with full permissions to all the user's files? Surely by now Adobe would have learned to run it in a sandbox. For example, the code that reads and renders the PDF could run in a separate process (a la IE8 or Google Chrome) and just send image data back to the main window.

    More generally, the OS needs to make it completely easy to sandbox applications, so even the stupidest application developer can do it with little effort. Indeed, the default should be that it has no access to write files anywhere except those chosen by the user with the Save As box. I'm not holding my breath though...

    --
    -- Ed Avis ed@membled.com
    1. Re:Sigh... still no basic sandboxing by billcopc · · Score: 4, Insightful

      You seem to blindly believe that Adobe is even remotely competent at writing code. If you've ever used Acrobat, you would realize it is a barely-usable resource-thrashing mess.

      Does Ghostview need 150mb of libraries to render a PDF ? No.

      Just because a company is a market leader, does not necessarily mean they know what they're doing. They just know how to sell.

      --
      -Billco, Fnarg.com
    2. Re:Sigh... still no basic sandboxing by bcrowell · · Score: 5, Informative

      And why exactly does Adobe Reader run with full permissions to all the user's files? Surely by now Adobe would have learned to run it in a sandbox. For example, the code that reads and renders the PDF could run in a separate process (a la IE8 or Google Chrome) and just send image data back to the main window.

      You're proposing to attack the problem in the least efficient possible way. This is yet another in a long series of exploits in AR that use the fact that in its default configuration it executes JavaScript embedded in PDFs. The right way to approach this, as a matter of design, would be not to embed a Turing-complete language in a file format that doesn't need it. Once you embed a Turing-complete language in the format, you're giving the bad guy the ability to run any code he wants on the user's machine. The moral of Turing's theorem is that it's essentially impossible to have any automated check that determines what a piece of code will actually do when you execute it. So yeah, you can try to sandbox it, but that's a last resort.

      You're comparing with a web browser. A web browser is qualitatively different. In a web browser, the user (a) wants to be able to run javascript code, and (b) expects that such a thing will happen. In a PDF reader, there is typically no reason for the reader to want it to run JS, and the reader has no sane reason to expect it to run JS. Actually, the reason Adobe made AR execute JS by default was that it wanted to be able to do things that are inherently inimical to the user's interest. JS allows the creator of the PDF to determine who's reading the document, and also provides a mechanism for DRM. Lots of people who create PDFs want to believe in the DRM fable that they can give a document to other people, but then control the use of the document after that. As with all DRM, it's inherently impossible to make it work right as long as the user has hardware that they're really allowed to use as a general-purpose PC. E.g., to remove the DRM from a PDF on a linux box, you can do this: gs -q -dCompatibilityLevel=1.4 -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=b.pdf a.pdf -c '.setpdfwrite'

      As a user, there are basically two sane things you can do. (1) Don't install AR on your machine. Use something else, such as evince on linux, or foxit on windows. They're faster anyway. (2) If there really is extra functionality in AR that you need, turn off JS. To disable js, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".
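Added example (not part of the comment above, and not Adobe's or any reader's code): a triage scan for the thing this thread keeps returning to, a PDF that carries JavaScript and an automatic trigger. The function names and the sample documents are constructed for illustration; names inside compressed object streams are not seen by a raw scan like this, so a clean result is not proof of absence.

```python
import re

# PDF name tokens that indicate embedded script or actions that fire on open.
RISKY_NAMES = ("JS", "JavaScript", "OpenAction", "AA")

# A PDF name is "/" followed by regular characters; "#xx" is a hex escape.
NAME_RE = re.compile(
    rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes, matching whole names only."""
    counts = {name: 0 for name in RISKY_NAMES}
    obfuscated = 0
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in counts:          # exact match: /JSON does not count as /JS
            counts[name] += 1
            if b"#" in raw:         # escaped spelling of a risky name
                obfuscated += 1
    return {
        "counts": counts,
        "obfuscated": obfuscated,
        "has_script": counts["JS"] + counts["JavaScript"] > 0,
        "auto_run": counts["OpenAction"] + counts["AA"] > 0,
    }


# Constructed sample: a catalog with an open action pointing at a JavaScript
# action whose type name is hex-escaped. The script body is an inert string.
SAMPLE_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (constructed placeholder) >>\nendobj\n"
    b"%%EOF\n"
)

# Constructed sample: a catalog with no script and no automatic action.
SAMPLE_CLEAN = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Kind /JSON >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("with-js", SAMPLE_WITH_JS), ("clean", SAMPLE_CLEAN)):
        print(label, scan_pdf(blob))
```

A mail or web gateway can use a hit on both `has_script` and `auto_run` as a reason to quarantine or to route the file to a reader with JavaScript disabled.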

    3. Re:Sigh... still no basic sandboxing by ratboy666 · · Score: 2, Informative

      In fact, Adobe Reader is really not the issue -- the issue is that the OS doesn't impose MAC (mandatory access controls). MACs should control exactly which resources an application can use, and this can be as restrictive as desired.

      Of course, it is difficult to come up with the necessary rules, and to "retrain" the user base, which is why (for example) SELinux MAC was phased in gradually on Fedora.

      It took Fedora quite a few releases to fully implement MAC - Fedora Core 2 introduced SELinux (with strict policy as default), Fedora Core 5 was the first version to use modular policies, but was not running in strict mode, Fedora Core 6 introduced the Policy Editor, Fedora 7 a GUI admin tool, Fedora 8 a GUI Policy Creation tool and user lock-down (and, some Adobe plugins would no longer run), and Fedora 9 and 10 offer fine-tuning.

      "When SELinux was initially introduced in Fedora Core, it enforced the NSA strict policy. For testing purposes, this effectively exposed hundreds of problems in the strict policy. In addition, it demonstrated that applying a single strict policy to the many environments of Fedora users was not feasible. To manage a single strict policy for anything other than default installation would require local expertise.

      At this point, the SELinux developers reviewed their choices, and decided to try a different strategy. They decided to create a targeted policy that locks down specific daemons, especially those vulnerable to attack or which could devastate a system if broken or compromised. The rest of the system runs exactly as it would under standard Linux DAC security."

      So, it took version 2 through 8 (or 9, arguably) for Fedora to introduce MAC to a largely technical community. This was done over 4 years.

      It will take much longer than 4 years to get equivalent security provisions in Windows, given the user base. Given the convenience of "plug-in" architectures, it is very difficult to tell if a program is actually misbehaving! MAC is really the only way that I am aware that behavior can be monitored. For example, code can be introduced as a plug-in (or, via exploit), but that code isn't dangerous until it tries doing something bad. The definition of "bad" is what is in question -- it could mean sending email, or sending LOTS of email, or modifying files it didn't create. If none of THAT is happening, it may simply have been an automatic installation of some "fun cursors" desired by the user.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
  4. JavaScript... by Anonymous Coward · · Score: 3, Insightful

    Remind me why my digital document format needs JavaScript again?

    1. Re:JavaScript... by vtcodger · · Score: 3, Funny

      Because Javascript is the greatest thing since sliced bread and ... and ... and ... well you just need it damn it. Never mind that running stupid little programs that you download from unknowable sources is possibly the dumbest idea ever from a security and reliability point of view ... YOU NEED JAVASCRIPT!!! Got it?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    2. Re:JavaScript... by FrostDust · · Score: 2, Insightful

      While that may be useful for some situations (I came across an RPG character sheet that did that, you plug in stats and it populated the appropriate fields that derived from those stats), it is really outside the scope of what a PDF is supposed to be.

      A PDF is what you use when you want to disseminate information, and it's important that you can guarantee the recipient is seeing the exact same document you are. A .doc, for instance, can look different from computer to computer, based on what program (or even version of the program) they're using, what formatting rules they have applied (margin spacing, preferred fonts etc.), and the user might accidentally hit "delete" and erase a good part of the document without realizing something went missing.

    3. Re:JavaScript... by PeeAitchPee · · Score: 2, Interesting

      Because you need some way to describe the logic used in PDF-encapsulated forms. We are not talking about multi-tiered apps which adhere to MVC, mind you -- we're talking about forms which are completely self-contained in a PDF file, such as those created with Adobe's LiveCycle Designer. In LiveCycle Designer's case, you can either use Adobe's proprietary scripting language (which relatively few people already know), or you can use JavaScript (which lots of people already know). I've written a PDF order form, for example, which automatically recalculates the order's total on-the-fly for the customer filling it out in the browser, right on the form and without requiring an Internet connection. Among other things, this cuts down significantly on the volume of sales support calls and increases order accuracy. So, yes, there's really a use case for having a way to express logic in a PDF.

  5. I've experienced this by tygerstripes · · Score: 4, Funny

    I just tried to open a .pdf in Reader 9, and it's completely locked up - I've been stuck on the splash screen for 20 minu--

    Oh wait, it's opened now. False alarm, sorry.

    --
    Meta will eat itself
  6. uninstall.exe by jbeaupre · · Score: 2, Funny

    Does that count as a patch?

    --
    The world is made by those who show up for the job.
  7. Patch by March something? by rjune · · Score: 5, Interesting

    Today is February 20. This is listed as a critical flaw and they are taking 18 days to release a patch. I'm glad they're getting right on this.

    1. Re:Patch by March something? by oldspewey · · Score: 3, Funny

      Well, first they have to form a Selection Committee ...

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    2. Re:Patch by March something? by BarryJacobsen · · Score: 2, Interesting

      Today is February 20. This is listed as a critical flaw and they are taking 18 days to release a patch. I'm glad they're getting right on this.

      Much work remains to be done before we can announce our total failure to make any progress!

  8. Adobe should separate pdf and acrobat more by goombah99 · · Score: 4, Interesting

    PDF has become what it set out to be, the de facto truly portable document format.

    The problem is acrobat keeps larding in new features all the time to the point where in a corporate environment you get more and more pdfs that require acrobat to even see.

    it's an embrace and extend approach.

    the problem here is the problem microsoft occasionally runs into-- if you monocrop then there is huge exposure to the possibility that viruses can spread like wild fire.

    But with microsoft we were always in that boat from the first day they introduced it. microsoft docs always went hand in hand with the application software environment creating a stable ecosystem for any potential virus. (I use the term virus liberally)

    with pdf this was not the case. Pdf is a format. there are many readers.

    but adobe's constant ratcheting of add ons is threatening this.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Adobe should separate pdf and acrobat more by fuzzyfuzzyfungus · · Score: 4, Insightful

      There are, already, standardized subsets of PDF( PDF/A, PDF/X, PDF/E) which fulfill your request.

      Trouble is, while Adobe does have an incentive to support those, they have no incentive to encourage them as defaults. There are two basic problems: Adobe has an incentive to spread PDF as widely as possible(which creates a strong pressure to tack on additional functions to address expanded use cases) and Adobe only makes money on PDF if you use their software. If, in practice, you can only be confident of being able to manipulate a given PDF with Acrobat, Adobe cashes in. Otherwise, not so much.

    2. Re:Adobe should separate pdf and acrobat more by Permutation+Citizen · · Score: 5, Informative

      - If you want a format ISO standardized.
      - If you need long term archiving, being sure that after several years your document will be the same even if your computer and your printer have changed.
      - If you don't need fancy new stuff, video, sounds.
      - But you still want wide support PDF has for reading and printing everywhere.

      Then use PDF/A.

      This is a subset of PDF. It can be produced by Acrobat, but also a wide range of other vendors applications and scanners, including OpenOffice.

  9. Who uses Adobe Reader anyway? by mcvos · · Score: 2, Interesting

    Nowadays I read my PDFs with Preview.

    1. Re:Who uses Adobe Reader anyway? by Rokewaju · · Score: 2, Informative

      FoxIt does have a Firefox plugin. I don't use it myself as I prefer to read PDFs in a external application and not bloat my Firefox install.

      No Opera, Safari, or Chrome plugin however.

      --
      No, I don't have anything planned for you, I promise...
  10. March 11? by Culture20 · · Score: 4, Insightful

    That's three weeks away! One week from now, pdfs are going to be on every questionable web page and email attachment. Step up the cycle, Adobe.

  11. try a non-Adobe PDF reader by macraig · · Score: 4, Informative

    I'm using a non-Adobe PDF reader: Foxit Reader. It's commercial and not open source, but the non-Pro version is free to use; it's functionally far superior to the open source ones that were mentioned at Slashdot recently. I really hope the OSS projects can reach the level of sophistication of Foxit, because it's really my baseline of minimum PDF-reader functionality. The first OSS reader that can duplicate Foxit's sophistication will get a new convert.

  12. Patched by March 11th... unless you're using v8 by myxiplx · · Score: 4, Informative

    Great, I've got to wait 2-3 weeks for this to be patched.

    Oh wait, Adobe have a 4 MONTH OLD bug that means we can't even run Acrobat 9 within our company:
    http://www.adobe.com/go/kb404597

    *seethes*

    What's worse is that Autodesk hit this exact same bug with their beta of Design Review, and fixed it within a couple of weeks, so I know there's a fix for this.

  13. Do not allow pdf to follow links by 140Mandak262Jamuna · · Score: 3, Insightful

    There are settings available to prevent pdf readers from executing javascript or following hypertext links. But when you do that the acrobat reader bitches and moans and gives you a headache.

    Acrobat reader is precisely in the same position as IE4. Widely used and insecure. Users who are security conscious, vendor lock conscious, portability issues aware are the minority. Precisely the conditions that allowed Firefox to come, put the users in control once again, and take a healthy bite out of the market share of the dominant browser. Impact of Firefox is more than its marketshare. It forced web site developers to be aware of portability issues and become standards compliant. I am very sure other readers like FoxIt or something would take a big bite out of Adobe.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  14. Does Data Execution Prevention stop the attack? by Myria · · Score: 4, Informative

    Does hardware Data Execution Prevention stop it from happening, in that this exploit would crash Reader instead of cause an exploit if DEP is enabled? I wish companies would suggest that as a possible mitigation, even if not all computers support it.

    I did dumpbin /headers and saw that the EXE header for AcroRd32.exe has the "NX compatible" bit set. This means that DEP will be automatically enabled for Reader on Vista.

    However, that doesn't cover XP. XP 32 SP3 has an API call named SetProcessDEPPolicy to request enabling DEP for your process. Adobe should modify Reader to call this function if it exists. (It exists on Vista SP1 as well, but Vista SP1 will already enable it due to /NXCOMPAT.)

    XP 32 SP2 and XP 64 SP2, even though they have DEP, don't have a way to enable it if the system-wide DEP setting is "opt in" - the default. And there's no way to opt in that these support. (Google Chrome has code to use an undocumented system call to enable it, but it actually has no effect.)

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
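Added example (not part of the comment above): the "NX compatible" bit that `dumpbin /headers` reports is bit 0x0100 of the `DllCharacteristics` field in the PE optional header, so the same check can be scripted across a software inventory. The function names and the header-only sample images are constructed for illustration.

```python
import struct
import sys

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100   # set by the linker's /NXCOMPAT
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
DLLCHAR_OFFSET = 70   # same offset in the PE32 and PE32+ optional headers


class NotPE(ValueError):
    """Raised when the bytes do not carry a usable PE header."""


def dll_characteristics(data: bytes):
    """Return (format, DllCharacteristics) from the start of a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    # COFF header follows the 4-byte signature; SizeOfOptionalHeader is at +16.
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    opt = e_lfanew + 24
    if opt_size < DLLCHAR_OFFSET + 2 or opt + DLLCHAR_OFFSET + 2 > len(data):
        raise NotPE("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in OPTIONAL_MAGIC:
        raise NotPE("unknown optional header magic 0x%04x" % magic)
    (flags,) = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)
    return OPTIONAL_MAGIC[magic], flags


def is_nx_compat(data: bytes) -> bool:
    """True when the image opts in to DEP through its header."""
    return bool(dll_characteristics(data)[1] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def build_headers(flags: int, magic: int = 0x10B) -> bytes:
    """Constructed test input: headers only, no sections, not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, DLLCHAR_OFFSET, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    # Usage: python nxcheck.py file1.exe file2.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            head = handle.read(4096)
        try:
            kind, flags = dll_characteristics(head)
            state = "NX compatible" if flags & 0x0100 else "NOT NX compatible"
            print("%s: %s, %s" % (path, kind, state))
        except NotPE as err:
            print("%s: not a PE image (%s)" % (path, err))
```

The header bit only records that the image opts in; whether DEP is actually enforced for the process still depends on the OS version and system-wide policy discussed in the comment.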
  15. Re:Can we fucking dump "C"??? by contra_mundi · · Score: 2, Funny

    It's not a bug, it's a feature!

  16. Re:Can we fucking dump "C"??? by Anonymous Coward · · Score: 3, Insightful

    There's a saying about C: "We don't prevent you from doing stupid things because that would also prevent you from doing clever things."

    There's also a saying about you: "A poor workman blames his tools."

  17. Actually Vista does come with sandboxing support by benjymouse · · Score: 3, Informative

    Google Chrome leverages this Vista feature. http://dev.chromium.org/developers/design-documents/sandbox/Sandbox-FAQ The sandboxing feature in Vista is implemented with process integrity levels. A process with "low integrity" is severely restricted in what it can do on the system. Adobe could use this feature for Acrobat. They actually do use it (they have to) for Flash, as the Flash plugin in IE runs inside the sandbox. The crux is that a sandbox is often so severely restricted that you need a helper (called "broker") process to do the privileged stuff such as downloading/uploading files etc. Flash actually made their own broker process for Flash and left a stupid bug in there. That was the flaw which allowed Vista to be compromised in last year's pwn2own contest.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  18. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  19. Re:Static file reader - Pwnage - WTF?!? by blueg3 · · Score: 2, Informative

    It's all quite possible under Linux. Realistically, a number of protection mechanisms (many of which started being routinely used in Vista) should prevent buffer overflow attacks. Certainly they should prevent arbitrary code from making OS-level hacks -- which is probably why it only works on XP. While Linux also can use these mechanisms, the only sandboxing it does by default is user/administrator separation (like Vista does, and like XP doesn't generally do). To get OS-level access, you'd need a privilege-escalation attack, which are reasonably hard to come by for both Vista and Linux (and can be very hard to make reliable under Linux). Alternately, the attacker could just steal your data from the one running Acrobat Reader process he gets, which Linux won't do anything about.

    Proper application sandboxing is certainly possible, but not easy. (Your PDF viewer, for example, should have read-only access to its own code, read-only access to a single PDF file, write-only access to screen space for drawing, and read-write access to scratch memory space. That's it.)

  20. Irony and opportunity... by TheNetAvenger · · Score: 3, Interesting

    Disclaimer, this is an observation, but may seem a bit of a troll...

    Once again we see market dominance and poor attention to security collide.

    What makes this story interesting is the 'features' Adobe leaves enabled in PDF document features that even Microsoft knows better than to allow.

    This creates the interesting aspect of Adobe losing touch and Microsoft actually getting it for once.

    If you look at the MS XAML (XPS) document/display formats that compete directly with PDF, Microsoft got it right.

    1) Less vulnerabilities - the lack of internal to external scripting of XAML and the sandbox nature of the XAML display and print formats dual sandbox the content inside a managed code environment.

    2) XPS is void of scripting which more closely compares to PDF documents.

    3) For print industry and press people, XPS/XAML is still turning heads even as new as it is compared to Postscript/PDF. This is not only in consistent print abilities, but speed as well.

    4) Add all these together and then realize XAML/XPS can inherently draw and reproduce graphics that are outside the abilities of PDF and Adobe begins to have a reputation problem with companies like agfa, xerox, vari, etc.

    (Yes PDF can display anything, but most advanced drawn graphics have to be rasterized because the language cannot inherently draw them. - This also increases the storage sizes and the processing times of high speed printers and presses.)

    *A side note, because of OS X's dependence on Display PDF, it also has the same inherent drawing limitations when dealing with advanced graphics. Forcing applications to hack through the native drawing abilities of OS X, and in contrast developers on the Vista Windows side of the market are finding they no longer have to deal with limitations of GDI+ which is comparative to Display PDF on OS X.

  21. Critical? by PontifexMaximus · · Score: 2, Insightful

    And a patch will be available on March 11? Boy, they sure are devoting all their resources toward getting a patch out.

    Idiots.

    --
    Pax Vobiscum
  22. Skim for Mac OS X by MisterSquid · · Score: 2, Informative

    Here's a plug (from a satisfied user) for the open source but Mac-only Skim.

    Skim is lightweight, fast, and scriptable. It allows for easy markup of PDFs either to the original file or separately. With Skim, one can convert annotations between its open format (written into the extended attributes) and Adobe's PDF standard. Combined with Apple's Preview.app, Skim can provide much of the functionality of Adobe Acrobat.

    --
    blog
  23. Simple solution: by Doug52392 · · Score: 2, Insightful

    Uninstall Acrobat, the most bloated software product I've ever used.