Slashdot Mirror

← Back to Stories (view on slashdot.org)

Homemade PDF Patch Beats Adobe By Two Weeks

Posted by kdawson on from the p-d-q dept.

CWmike writes "Sourcefire security researcher Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks. Grenier posted the patch on Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees. Also, PhishLabs has created a batch file that resets a Windows registry key to de-fang the hack by disabling JavaScript in Adobe Reader 9.0, giving administrators a way to automate the process."

21 of 238 comments (clear)

  1. Feature Request by ewhac · · Score: 5, Insightful
    Since Adobe seems to (incorrectly) think JavaScript inside PDFs is a great idea, how about adding this feature:

    When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"

    This is the cheesy but mostly effective stopgap solution Microsoft adopted when Word became an infection vector for macro viruses. Unless Microsoft got a patent on it, I don't see any reason why Adobe couldn't also use the same approach.

    Schwab

    --
    Editor, A1-AAA AmeriCaptions
    1. Re:Feature Request by tkdrg · · Score: 5, Insightful

      When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"

      Do you think that the average user will read anything before clicking "Yes"?

    2. Re:Feature Request by Mr.+Roadkill · · Score: 4, Insightful

      Do you think that the average user will read anything before clicking "Yes"?

      ...of course they won't, which is why you turn it around to "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to block execution of this code? [Yes][No, I like to live dangerously]".

    3. Re:Feature Request by barzok · · Score: 2, Insightful

      Unless you opt not to play.

  2. JavaScript?! by Anonymous Coward · · Score: 5, Insightful

    Seriously, JavaScript? In a PDF file? Why would you do that?

    1. Re:JavaScript?! by TheRealMindChild · · Score: 5, Insightful

      PDF seems to be the poster child for "How to abuse a format in a way that is contrary to its nature". Clients send us PDF's FORMS now... that they want us TO EDIT! Not print out, hand write on, and perhaps fax back... but EDIT IT, like it is a Word Processor document. Explaining to these people why this is an abomination is like telling a hooker not to sleep with the guy with sores all over his body... it falls on deaf ears, and makes baby Jesus cry.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  3. JavaScript in PDF a Bad Idea by Anonymous Coward · · Score: 2, Insightful

    JavaScript in PDFs is, and always has been, a bad idea. I started disabling it years ago when it first showed up, and am continually frustrated that it is present, let alone enabled by default. How many PDF exploits have relied on JavaScript? I haven't been counting, but it sure seems like most of the vulnerabilities are either through JavaScript or made much easier to exploit by its presence.

    Someone is doubtless going to say that JavaScript is critical to PDFs as a helper for filling in forms. OK, whatever, but perhaps that particular job isn't one that a PDF should be doing.

    PDFs started out as a portable means to deliver any arbitrary document to someone else with fair assurance that it would look pretty much identical to both parties. Now Adobe seems to be trying to turn it in to some kind of interactive content delivery platform (substitute your own buzzwords) or something. That's not a path I'd like to trod.

  4. Here's how you turn out a patch *real* fast. by fm6 · · Score: 5, Insightful

    You skip all testing. Just the sort of thing I want to install in my system.

    1. Re:Here's how you turn out a patch *real* fast. by AngryNick · · Score: 5, Insightful

      Here's another way to do it... dump Adobe's bloated reader (if you can get it uninstalled) and pick up Foxit. I find it much more useful and a lot faster to load.

    2. Re:Here's how you turn out a patch *real* fast. by Kaboom13 · · Score: 3, Insightful

      Just make sure you don't let it install that obnoxious ask.com browser bar (in IE and Firefox). I made the mistake of including it in a slipstreamed xp disk and the silent installer took all defaults (browser bar and all).

  5. Re:Offensive by TriezGamer · · Score: 2, Insightful

    Your grandchildren are not likely to be browsing Slashdot. Furthermore, taking offense to something that is very clearly tongue-in-cheek is not befitting of someone of your age.

  6. There's a simple reason for that. by thePowerOfGrayskull · · Score: 5, Insightful

    As anyone who has developed complex software with a large installed userbase can attest to, you /cannot/ simply slap together a fix and push it out to millions of people.

    Even the simplest one line code change change requires extensive (if targeted) testing when you operate on that scale - the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.

  7. A better patch... by Kazoo+the+Clown · · Score: 3, Insightful

    My patch for Adobe is to uninstall reader and use Foxit instead. I thank those on Slashdot who alerted me of its existence as I have longed for a viable alternative from Adobe crapware for ages. It constantly was popping up windows where I would click "don't show me this again" about issues that were relevant to Adobe but not to me, and it never seemed to remember the setting once I checked on it. Worst designed junk I've ever seen. I've since found that Foxit is considerably faster as well.

    Good riddance.

  8. Re:Offensive by Anonymous Coward · · Score: 0, Insightful

    Look, I've been a programmer for a lot of years and I'm sick and tired of this sexist crap. I could probably program most slashdot readers under the table, and yet at work I get treated like an idiot. IT articles treat women, especially older ones, like idiots. Enough already. People should be willing to step back and recognize the contributions that women in computer science have made.

    F.M.

  9. Re:Why doesn't anyone think javascript is useful? by Tikkun · · Score: 3, Insightful

    I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files.

    Please read the 10 immutable laws of security. The one you're looking for is the first one on the list:

    "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

  10. Re:There's a simple reason for that. by AngryNick · · Score: 3, Insightful

    - the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.

    Do you really believe that? I appreciate the need for caution and measured risk taking before releasing new code, but taking _weeks_ to test a reg hack/kill switch just tells me that a company isn't taking their defects very seriously. I'd be much more forgiving of a company that screwed up a patch than one that sat on it until it was too late.

  11. Re:paper is calm by Anonymous Coward · · Score: 1, Insightful

    In terms of, as this essay calls it, calmness, I think the most important thing isn't whether there is interactive and moving qualities but whether they exist in such a way that someone who doesn't want to use them doesn't have to and isn't effected. For example, it isn't problematic if a diagram moves to illustrate a point when clicked on, just that it wasn't distracting (or illustrated as best it could with out moving) beforehand. Similarly, it wouldn't be a problem if a quiz in a textbook could check/show answer as long as it didn't do anything obnoxious that bothers a reader who doesn't want to use that feature.

    IMHO, of course.

  12. what's wrong with forms? by Main+Gauche · · Score: 4, Insightful

    Pardon my ignorance, but exactly what other format should one use if one wants to use forms?

    In my place of work, a large group of individuals each needs to fill out an annual form. It contains some short-answer questions, and a few that requires a few paragraphs to answer. In the past, they have used... wait for it... Word. Yes, I was forced to boot up Word once a year, to fill out this form. You should see the completely disastrous document that results.

    For that reason, I always wished our administrators would have figured out pdf forms. You don't "edit" them, as you say; you fill them in. While there are many complaints to make about Adobe, I don't see the problem with pdf forms. Am I missing something?

    1. Re:what's wrong with forms? by Korin43 · · Score: 3, Insightful

      HTML? Just point them to a page on the corporate intranet, they put in their login, profit?

  13. Re:Offensive by Anonymous Coward · · Score: 2, Insightful

    Ada Lovelace, the first programmer.
    http://en.wikipedia.org/wiki/Ada_Lovelace

  14. Re:Why doesn't anyone think javascript is useful? by xiox · · Score: 2, Insightful

    "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

    Is that referring to Bill Gates?