Slashdot Mirror
Homemade PDF Patch Beats Adobe By Two Weeks
CWmike writes "Sourcefire security researcher Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks. Grenier posted the patch on Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees. Also, PhishLabs has created a batch file that resets a Windows registry key to de-fang the hack by disabling JavaScript in Adobe Reader 9.0, giving administrators a way to automate the process."
We figured that one out in about five minutes. Wrote a quick group policy file and moved on to the next problem.
Thank you for letting the Slashdot community know what you find offensive... is this because you think it's interesting, or because you have no friends to talk with?
When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"
This is the cheesy but mostly effective stopgap solution Microsoft adopted when Word became an infection vector for macro viruses. Unless Microsoft got a patent on it, I don't see any reason why Adobe couldn't also use the same approach.
Schwab
Editor, A1-AAA AmeriCaptions
Lurene Grenier to Adobe: Pay up! We solved your issue.
nobody remains virgin, life fscks everyone...
Seriously, JavaScript? In a PDF file? Why would you do that?
Adobe to Lurene Grenier: You decompiled Acrobat in some way to create this fix, in violation of click-through license and DMCA (not to mention making us look incompetent.) We're suing you and we're going to make sure your government put you away in a pound-you-in-the-ass prison for a long long time.
ELOI, ELOI, LAMA SABACHTHANI!?
JavaScript in PDFs is, and always has been, a bad idea. I started disabling it years ago when it first showed up, and am continually frustrated that it is present, let alone enabled by default. How many PDF exploits have relied on JavaScript? I haven't been counting, but it sure seems like most of the vulnerabilities are either through JavaScript or made much easier to exploit by its presence.
Someone is doubtless going to say that JavaScript is critical to PDFs as a helper for filling in forms. OK, whatever, but perhaps that particular job isn't one that a PDF should be doing.
PDFs started out as a portable means to deliver any arbitrary document to someone else with fair assurance that it would look pretty much identical to both parties. Now Adobe seems to be trying to turn it in to some kind of interactive content delivery platform (substitute your own buzzwords) or something. That's not a path I'd like to trod.
You skip all testing. Just the sort of thing I want to install in my system.
You mean an individual who doesn't have a business to protect or any customers is able to come up with an un-QA'd version faster than the company that produced the product. Amazing!
I'll go for the secret third option, "because she's a feminist". Letting the world know what they find offensive is practically the feminists' national sport. Rather, it would be if they had their own country. And by God, I wish they did.
Your grandchildren are not likely to be browsing Slashdot. Furthermore, taking offense to something that is very clearly tongue-in-cheek is not befitting of someone of your age.
So this patch basically does the equivalent of a user going into the program's settings and disabling the JavaScript execution checkbox? Hmmm, I don't want to post this anonymously, so I'll apply one of my homebrew patches to uncheck the "Post Anonymously" checkbox. Wow, I'm l33t!
What i find more interesting is how slashdot is now able to tell the future!
The article boldly claims that something released yesterday has arrived two weeks before the official patch. Now, i know it's possible that the two weeks was taken from Adobe's projected patch fix date, but projections and fact are still different, and journalistic integrity requires a writer in this situation to indicate directly that this two weeks is not actually fact, as we couldn't know that yet. The headline is an outright lie, as far as i can tell, as it relies on future events being a certain way.
Can we not have articles started with lies on slashdot from now on? Maybe keep the lies towards the end?
-Taylor
Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
As anyone who has developed complex software with a large installed userbase can attest to, you /cannot/ simply slap together a fix and push it out to millions of people.
Even the simplest one line code change change requires extensive (if targeted) testing when you operate on that scale - the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.
Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability ... beating Adobe Systems Inc. to the punch by more than two weeks.
What the fuck Adobe? What did you do for those extra two weeks?
it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees.
Oh ... I guess you were trying to make it work on all systems, and checking to make sure that it didn't royally fuck up the user's computer, or introduce another, potentially more serious vulnerability.
So, you're saying your grandmother couldn't install the patch? Or are you trying to imply that your 13 year old or younger grandchildren are nerdy enough to read slashdot?
"caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees."
My boss will be pleased. I can push all my releases up at LEAST two weeks earlier now by adding this caveat on to all of my code. Thanks, Geritol.
Yeah, you're right. It's terrible when people use an apostrophe when they mean "your".
In large companies there is a tendency to ignore the departure of the real experts in a product and have no one left who knows it well enough to respond quickly & correctly to bugs. In this case it seems more like a different bad corporate decison though(letting a pdf embed another language). Wait. Maybe I really do want to embed my C code in a pdf? Adobe! Feature! Profit!
Q: How many feminists does it take to change a lightbulb?
A: That is NOT funny.
I used to make slides for talks using LaTeX. There are great ways to include animations directly in the pdf that use javascript. I always had far less trouble getting my animations to play than other people at conferences I went to because acrobat reader was all I needed and it is nearly always there. And for the record, the animations were things I really needed since they showed output from simulations.
I've also seen lots of forms that do some math or validation. How do people think that happens?
Again, I think we need to be very careful about executable code but that doesn't mean there are no possible good uses for it.
And to prove the point, you have a mistake in your two line comment!
Yes, because we should all get our security patches from unknown 3rd-Party sources. Sounds like a plan for success to me.
BTW, I've got this great IE patch, it makes the Internet 10x faster!
infested with jello like fishes no melotron wishes
My patch for Adobe is to uninstall reader and use Foxit instead. I thank those on Slashdot who alerted me of its existence as I have longed for a viable alternative from Adobe crapware for ages. It constantly was popping up windows where I would click "don't show me this again" about issues that were relevant to Adobe but not to me, and it never seemed to remember the setting once I checked on it. Worst designed junk I've ever seen. I've since found that Foxit is considerably faster as well.
Good riddance.
According to this Symantec blog turning on DEP for Acrobat Reader prevents this type of attack.
If you run Windows, I would recommend you run with "DEP for all programs and services" with no exceptions.
Why not use 3rd party viewers like CutePDF or Preview? Again these patches only fix part of the issue so you are still vulnerable to more dangerous part of the bug.
Q: How many male chauvinists does it take to change the lightbulb in the kitchen?
A: None, let the bitch wash the dishes in the dark.
- the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.
Do you really believe that? I appreciate the need for caution and measured risk taking before releasing new code, but taking _weeks_ to test a reg hack/kill switch just tells me that a company isn't taking their defects very seriously. I'd be much more forgiving of a company that screwed up a patch than one that sat on it until it was too late.
In terms of, as this essay calls it, calmness, I think the most important thing isn't whether there is interactive and moving qualities but whether they exist in such a way that someone who doesn't want to use them doesn't have to and isn't effected. For example, it isn't problematic if a diagram moves to illustrate a point when clicked on, just that it wasn't distracting (or illustrated as best it could with out moving) beforehand. Similarly, it wouldn't be a problem if a quiz in a textbook could check/show answer as long as it didn't do anything obnoxious that bothers a reader who doesn't want to use that feature.
IMHO, of course.
Pardon my ignorance, but exactly what other format should one use if one wants to use forms?
In my place of work, a large group of individuals each needs to fill out an annual form. It contains some short-answer questions, and a few that requires a few paragraphs to answer. In the past, they have used... wait for it... Word. Yes, I was forced to boot up Word once a year, to fill out this form. You should see the completely disastrous document that results.
For that reason, I always wished our administrators would have figured out pdf forms. You don't "edit" them, as you say; you fill them in. While there are many complaints to make about Adobe, I don't see the problem with pdf forms. Am I missing something?
Q: How many feminists does it take to change a lightbulb?
A: Trick question, feminists can't change anything.
Dude, you should really be careful. I don't think you realize who you're talking to.
Posting AC is only going to keep you safe for so long.
That also goes for everyone who modded her down.
Q: How many feminists does it take to change a lightbulb?
A: Four. One to change the lightbulb, three to form a support group.
But really, it's a trick question because feminists can't change anything.
Figures...whenever there's something I want to mod up, I never have the points for it.
Unrelated to the feminist jokes, but related to lightbulbs:
Q: How many psychiatrists does it take to change a lightbulb?
A: Only one, but the lightbulb has to want to change.
"to de-fang the hack by disabling JavaScript"
I began to wonder if it will become the new defangto or new-fangled way of disable features and bugs of software...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Does anyone have a clue if the reg fix will work on Foxit? Or is Foxit vulnerable? Because myself and most of my customers have been avoiding the bloat that is Adobe PDF reader for awhile now and while Foxit is great usually anything that can infect Adobe works on Foxit too. So anybody know?
ACs don't waste your time replying, your posts are never seen by me.
So is this "user supplied" PDF fix an example of how Open Source is More Secure than Closed Source?
OSS users supplied a fix in less than a day, whereas a closed source programmer in some cubicle somewhere will take weeks to do the same. Maybe this would be a fine example to present to the UK Parliament and U.S. Congress, in order to convince them that open source is the best path to follow.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
So to paraphrase....That is NOT funny!
Letting the world know what they find offensive is practically the feminists' national sport. Rather, it would be if they had their own country.
I'm a feminist, and am offended by this claim
(I am a feminist, but am going for funny with this...)
I think the feeling of entitlement that often leads to the bitching comes from something besides the ism/ist in question... at least I attribute it to a sense of entitlement. and by that I don't mean that anyone is not particularly entitled t... ah what's the use
"It's the Law of the Universe, and I'm the sheriff." Slash-cott 2/10-2/17
I'd be much more forgiving of a company that screwed up a patch than one that sat on it until it was too late.
Oh? Well, when Adobe/Microsoft/whoever next put out a patch that breaks something critical to your companies usage of the product, causing hundrds/thousands of complaints to you, pissed off superiors, and potentially a loss of revenue, however, small, I'll be sure to point you to your former comment.
Or not, it's pretty obvious you aren't actually responsible for a network of any size that people actually have to use and have reliability expectations of.
Q: How many Vietnam vets does it take to change a lightbulb?
A: You don't know because you weren't there man!
To do something right, you often have to roll up your sleeves and get busy.
[snip]Maybe this would be a fine example to present to the UK Parliament and U.S. Congress, in order to convince them that open source is the best path to follow.
And then the lobbying starts
$ make available
Yes, but you certainly do not represent the majority of that demographic, so the analogy still stands.
http://www.zombieapocalypse.tv/
[snip] Is it only windows that has the "Average User?"
no. What's eating the mod (singular)?
$ make available
why would anyone want to use Acrobat Reader when there is a free alternative that is way smaller, faster and better. http://www.foxitsoftware.com/
sometimes you got to be lucky to fix some kind of bugs. sigh.
Ada Lovelace, the first programmer.
http://en.wikipedia.org/wiki/Ada_Lovelace
As for how forgiving you'd be: we'll see if that's still true when tens of thousands of your users suddenly can't open a critical document without crashing or other instability.
It's ultimately a judgment call: they need to decide if getting an urgent patch out is worth the risk that an urgent patch introduces. In the case of a product with this large an installed userbase, and given the fact that this hole has been out there for quite a while already, I think that they took the only responsible course of action available. Though I'm not going to get into the stupidity of allowing embedded script in the first place...
The advantage is security through obscurity. Assuming the patch fixes this problem, even if it creates others so few people will have applied it, it is hardy worth developing malware for. This is a very nice stopgap until Adobe gets the real thing out the door.
Yes but how many people will actually install this "fix"? Is that worth creating malware for between now and the official patch? I would venture it is a no. Security through obscurity at its best.
Whilst Foxit is an improvement over Adobe's bloatware on Windows, if you want to really go light and lean try an open source alternative.
Sumatra
Oh, I believe it. My patch was clean on a large project, but some numbskull didn't have his changes in the source control system and compiled the new version for installation from what was on his desktop, without any of the other previously source control submitted updates. The results.... well, the results weren't pretty because my patch didn't get the full QA procedure as a "minor patch", and because they trusted _my_ code. I continued to get the blame for the situation at meetings with staff for other departments, including the department with the fool who ignored source control, and who was directly ignoring orders from his boss and mine to build only from clean source control software trees.
That was difficult to live down, and it led to a serious and harsh meeting with the QA and software developers about their development and testing environments.
Don't cha just love the way the idiots rally round to say nothing can be done.
Just because the Yes then No questions only protects lazy idiots doesn't mean it's worthless. You know I think the marketing department must write all the Microsoft 'Confirmation dialogs' because they read like marketing copy ... always positive, never mention anything in a negative way, never let the mark even think of the 'N' word.
Then again here's a nice way of saying it ...
Do you really want to delete everything (y/N)?
Do you want to keep it just in case (Y/n)?
Or not, it's pretty obvious you aren't actually responsible for a network of any size that people actually have to use and have reliability expectations of.
I agree with your response to PP.
Microsoft once put out a patch that accidentally disabled the dial-up terminal window, IIRC. Because of this, the PC could not connect properly, the company could not register car parts with the transport authority, and we were potentially facing losses due to non-delivery of cars.
The symptons were misleading because it seemed as though the remote modem was dropping carrier.
This little accident is such a tiny thing, isn't it?
Wow is there anyone on this thread who is claiming to be a feminist actually female???
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Exactly. And yet all the little kneejerk-anti-software-company idiots on this site tag the story "humiliation". Yeah, real humiliating to make a patch cross-platform and tested. Imagine if Adobe had rushed out a windows patch but nothing for OSX and Linux, we'd have a whole different set of basement dwelling crybaby shit. Slashdot gets continually more pathetic.
Except that it might not be paper. One can display LaTeX output as .dvi or .pdf (and Flying Spaghetti Monster knows what else).
I'll still rather do the active content in forms using MathML.
Just point them to a page on the corporate intranet, they put in their login, profit?
You're doing it wrong! It's:
You can if you're Apple.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
so why doesn't he stand up his own giant graphic design software company and pay thousands of employees across the world if he's so much beter than Adobe? Oh, that's right, because any single person can act much more quickly (and cheaply) than any large organization. Next story please.
Its slow and bulky - use a freeware alternative.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Or not, it's pretty obvious you aren't actually responsible for a network of any size that people actually have to use and have reliability expectations of.
You're right. I'm not responsible for a network, and my portfolio of applications run on just 8,000 machines. But the data on those machines cannot -- under any circumstances -- be compromised. I'm not talking about the inconvenience of a system-wide outage or a day or two of lost revenue, I'm talking about the inconvenience of the $20B company those 8,000 people work for appearing on the front page of the Wall Street Journal due to a breach. The former might get me fired, but the latter will get them all fired too.
Here is my point: Make a workaround, "pre-patch", or apology available as quickly as possible so that _I_ can make the decision about the risk. We will test your patch in our environment, determine the best course of action for our company, and keep paying you for your product. If I don't test it in my environment and it hobbles my 8,000 machines, then it's my own damn fault for deploying it.
Sorry if I wasn't clear in my previous comment.
Q: How many Freudians does it take to change a lightbulb?
A: Two. One to change the bulb, the other to hold the penis. Cock. Ladder. LADDER! I mean ladder.
Why would someone go out and help these proprietary-peddling companies?!? Don't people understand, they NEED to let users crash and burn for using software that is proprietary and created by vendors with a mysteriously slow ability to patch their own products. Adobe has proven itself to be evil on more than one occasion, and now people are bailing them out! I just don't get the logic...
Personally, I prefer Evince/ghostscript anyway...it's always way faster than the garbage Adobe Reader, and not susceptible to such vulnerabilities.
How many Marxists does it take to change a lightbulb?
None. The lightbulb contains the seeds of its own revolution.
Nostalgia's not what it used to be.
One to change the light bulb and to post that the light bulb has been changed.
Fourteen to share similar experiences of changing light bulbs and how the light bulb could have been changed differently.
Seven to caution about the dangers of changing light bulbs.
Seven more to point out spelling/grammatical errors in posts about changing light bulbs.
Five to flame the spell checkers.
Three to correct spelling/grammar flames.
Six to argue over whether it's "lightbulb" or "light bulb" ... another six to condemn those six as stupid.
Fifteen to claim experience in the lighting industry and give the correct spelling.
Nineteen to post that this group is not about light bulbs and to please take this discussion to a lightbulb (or light bulb) forum.
Eleven to defend the posting to the group saying that we all use light bulbs and therefore the posts are relevant to this group.
Thirty six to debate which method of changing light bulbs is superior, where to buy the best light bulbs, what brand of light bulbs work best for this technique and what brands are faulty
Seven to post URLs where one can see examples of different light bulbs.
Four to post that the URLs were posted incorrectly and then post the corrected URL.
Three to post about links they found from the URLs that are relevant to this group which makes light bulbs relevant to this group.
Thirteen to link all posts to date, quote them in their entirety including all headers and signatures, and add "Me too"
Five to post to the group that they will no longer post because they cannot handle the light bulb controversy.
Four to say "didn't we go through this already a short time ago?"
Thirteen to say "do a Google search on light bulbs before posting questions about light bulbs"
Three to tell a funny story about their show dog and a light bulb.
One to reply almost immediately saying "First Post !!!!!!"
One to post an ASCII image of the lightbulb.
Three to ask "Wtf is that" because their clients didn't display it as fixed-width.
Seventeen to reply saying that their e-mail client is inadequate and suggest they get Mutt.
One to reply with a perfectly labelled scale diagram of how to change a light bulb correctly.
Thirty-three to reply telling them not to send HTML e-mails or attachments, and why don't they just use Mutt and ASCII art anyway.
Two to ask "but does it run Linux ?".
One to make a comment about the upcoming Microsoft Digital Lightbulb Management 2007 SP2 RGE.
Two to suggest that Apple lightbulbs are superior.
Seventy-five to start a massive off-topic Apple vs Microsoft flamewar.
Forty-two to continue it into a Python vs Perl flamewar.
One lonely poster to unsuccessfully try to start a HP-UX vs IRIX flamewar
One hundred and seventy-eight to respond at various times saying
"Troll!!"
"OMG WTF TROLL !!!!!!one
LOL" "Don't Feed Da Troll!!1", etc...
AND
One group lurker to respond to the original post 6 months from now and start it all over again
Don't fight for your country, if your country does not fight for you.
Q: How many Vietnam vets does it take to change a lightbulb?
A: You don't know because you weren't there man!
There was a huge stink on the php list a few years back because of some guy using this in his sig. I think that a few vets actually left the list.
It is dangerous to be right when the government is wrong.
You never played Age Of Conan, did you?
Cress, cress, lovely lovely cress
Because Adobe's patch wont be to just disable JS, so in other words, it won't be simply a registry hack to fix.
They'll have to figure out how to close the security hole WITHOUT disabling javascript functionality. That tends to take a bit more work.
I'm out of my mind right now, but feel free to leave a message.....
Here is the version I had given to me back in the 80's (still have it on my shelf, too!): http://wiretap.area.com/Gopher/Library/Humor/Jokes/litebulb.jok
Not really, because these people are still fixing a closed source software.
It's more an example of "Big Software Companies don't care (as much as they should) about security." Adobe could have a fix out just as quickly, but they won't accept a fix that works by disabling the (mis)feature entirely. If they really cared about security, they wouldn't have added a scripting language in the first place - you'd think maybe they would have paid attention and learned their lesson from the whole Word Macro Virus mess. Apparently the only thing they learned was that poorly thought out features sell better then security.
I think the best argument that you could use this to justify is that "Companies care more about money than about their customers," which is still a useful in favor of Open Source when talking about public institutions, but not necessarily for the same reasons.
If I don't put anything here, will anyone recognize me anymore?
Unlike the consequences of executing code provided in a format that's supposed to be non-executable...
Even "smart" users don't read. Don't even attempt to put text in a dialog in front of them. Just put a pair of graphics illustrating the choice. I'm sure my fellow Slashdot readers can come up with ideas for suitable graphics. Some might even be safe for work!
I need to fill out a form from a local government office to get some information from them. They email me a PDF of the official form.
The form is a pure document, so I have to print it out, scribble answers on it (or feed it into a typewriter; remember those?), then either scan and email it back to them or jam it in a paper envelope, stick a stamp on it, and drop it in the snail mail.
How much nicer it would be if I could fill in what I needed using my computer keyboard and email it back.
I don't want to do this with Word, as that's a proprietary format, and the resulting document may not image in a way that makes it legally valid. (This is where we start pushing the Open Office formats.)
No, the patch fixes the overrun in JBIG2 decompression. The workaround if you don't apply the patch is to disable JavaScript, either with a registry hack or through the Reader Preferences dialog.
In case you failed to read the article, here's the blog entry with the patch , not the workaround.
I think it's funny that Adobe is taking so long to build this patch, since it seems like every freaking time I load up Adobe Reader, it wants to update itself.
Do I want to update Reader? Well, the current version reads PDFs, right? Why do I need a new version every week?
That's the funniest and most accurate characterization of the /. community I've seen. Too bad I don't have mod points.
In the land of the blind, the one-eyed man is usually crucified.
And why was that modded down? I was hoping people would see I meant it seriously; nobody using linux uses Acrobat.
Here is my point: Make a workaround, "pre-patch", or apology available as quickly as possible so that _I_ can make the decision about the risk. We will test your patch in our environment, determine the best course of action for our company, and keep paying you for your product. If I don't test it in my environment and it hobbles my 8,000 machines, then it's my own damn fault for deploying it.
Where are the moderator points when you need them. Great post and you should be modded up!
Too many system administrators just accept as gospel that this patch today and that patch yesterday and the patch tomorrow will not cause problems and blindly accept them. No wonder the company will never give them time to test the patches, updates, etc... for potential problems in their specific IT environment and infrastructure. Especially when a company throws out crap to make money and continually patches it; instead of getting it right to begin with.
A good Systems Administrator checks the patch for problems on a system prior to rolling it out to the rest of the company. Of course watching for rootkits, viruses, injection schemes, etc...
A great Systems Administrator subnets the test environment, isolates it from the corporate intranet and monitors the packets to/from this test environment looking for more than just Trojan horses.
Guess which one of those has the experience, authority and respect of their supervisor to push back and state No we will not just randomly roll out updates as they come to us from company X and assume that they work without problems. Yes we will take time to test the update or patch before rolling it out.
Guess which one makes over 6 figures per year and which one is paid less than $50,000 per year.
Most of the others are somewhere in between $50K and 100K working for companies that know that they need System Admins, but not really giving them the time and/or the authority to do things right.
Just take a look at the typical duties of a System Administrator. Most Systems Administrator do NOT have enough time to do all those tasks as carefully as they need to be performed in order to secure the companies network and servers.
Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
Some mod got hit on a sore spot, huh?
I know tobacco is bad for you, so I smoke weed with crack.