Slashdot Mirror

← Back to Stories (view on slashdot.org)

Homemade PDF Patch Beats Adobe By Two Weeks

Posted by kdawson on from the p-d-q dept.

CWmike writes "Sourcefire security researcher Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks. Grenier posted the patch on Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees. Also, PhishLabs has created a batch file that resets a Windows registry key to de-fang the hack by disabling JavaScript in Adobe Reader 9.0, giving administrators a way to automate the process."

50 of 238 comments (clear)

  1. Registry hack by coulbc · · Score: 5, Interesting

    We figured that one out in about five minutes. Wrote a quick group policy file and moved on to the next problem.

    1. Re:Registry hack by initialE · · Score: 4, Informative

      For myself I just used the REG.exe located inside the %system32% folder. in your logon script (assuming you have one), just add in the lines

      REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bConsoleOpen /t REG_DWORD /d 0 /f

      REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableGlobalSecurity /t REG_DWORD /d 1 /f

      REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableJS /t REG_DWORD /d 0 /f

      REG add "HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /v bEnableMenuItems /t REG_DWORD /d 0 /f

      YMMV. REG.exe is not included on Windows 2000. Because this applies to the current user registry there should be no permissions issue. And make sure your path does include the system32 directory as by default.

      --
      Starbucks, Harbuckle of Breath.
  2. Re:Offensive by Anonymous Coward · · Score: 2, Funny

    Thank you for letting the Slashdot community know what you find offensive... is this because you think it's interesting, or because you have no friends to talk with?

  3. Feature Request by ewhac · · Score: 5, Insightful
    Since Adobe seems to (incorrectly) think JavaScript inside PDFs is a great idea, how about adding this feature:

    When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"

    This is the cheesy but mostly effective stopgap solution Microsoft adopted when Word became an infection vector for macro viruses. Unless Microsoft got a patent on it, I don't see any reason why Adobe couldn't also use the same approach.

    Schwab

    --
    Editor, A1-AAA AmeriCaptions
    1. Re:Feature Request by tkdrg · · Score: 5, Insightful

      When loading a PDF, if Reader sees there's JavaScript that wants to run, Reader pops up a dialog along the lines of, "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to allow the code to run? [Yes] [[Hell, No]]"

      Do you think that the average user will read anything before clicking "Yes"?

    2. Re:Feature Request by klossner · · Score: 2, Informative

      PDF is not PostScript. It shares some concepts (such as the imaging model and a good many keywords), but it is not a programming language. It has no control constructs, for example.

    3. Re:Feature Request by Anonymous Coward · · Score: 3, Interesting

      I'm going to have to disagree...

      Allowing some scripting in a document is great. For example, I'm writing a math textbook. If PDF-javascript had a FOSS implementation, I'd use it to make interactive quizzes and questions in it. Sadly, while LaTeX has a package to do this, there is no support.

      Before someone goes and says that I shouldn't be using a PDF in this case, please think. I'm writing a large textbook with lots of graphics. I want it to be in a single file so that its easily available to the technically illiterate. For that matter, my working draft (not the one on the website) uses PDF attach to include the TeX source and the GFDL.

      In conclusion, it's my opinion that that having a PDF scripting language as long as it can't, you know, do anything but modify that one file. The problem is that Adobe seems to be trying to include the kitchen sink...

    4. Re:Feature Request by klossner · · Score: 4, Informative

      Adobe did add this dialog -- but it only appears if you have disabled Javascript! (Which you can do with Edit / Preferences, no need for the registry hack.)

      Here's the exact dialog:

      ? This document contains JavaScripts. Do you want to enable JavaScripts from now on? The document may not behave correctly if they're disabled.

      [ ] Don't show this message again until this document is reopened

      [[Yes]] [[No]]

    5. Re:Feature Request by MMC+Monster · · Score: 3, Funny

      How about: "Do you want to prevent the execution of possibly malicious code in this .PDF file?" [Yes][No].

      If they select No, the next dialog is: "Fine. I've just opened all the ports on the computer, deleted the last 10 documents you opened up, and loaded up a couple trojans. Are you sure you want to run the executable code in this PDF file now?" [Yes][No].

      This way, the user won't be taught to always select the same confirmation box all the time.

      --
      Help! I'm a slashdot refugee.
    6. Re:Feature Request by Mr.+Roadkill · · Score: 4, Insightful

      Do you think that the average user will read anything before clicking "Yes"?

      ...of course they won't, which is why you turn it around to "Hey, this file contains executable code which is, y'know, kind of contrary to the whole concept of a 'document'. Do you want to block execution of this code? [Yes][No, I like to live dangerously]".

    7. Re:Feature Request by barzok · · Score: 2, Insightful

      Unless you opt not to play.

    8. Re:Feature Request by Ihmhi · · Score: 2, Interesting

      Feature request: a NoScript equivalent for Acrobat Reader.

      --
      Random Thoughts From A Diseased Mind (Not For Dummies)
    9. Re:Feature Request by Aragorn+DeLunar · · Score: 3, Interesting

      And this is why we need to get away from labeling dialog box buttons "Yes", "No", "Cancel", etc. We can label them anything we want, so why not be descriptive? Try "Safe", "Unsafe", "Really Stupid", "Don't click this -- ever!"

      The same applies to the save dialogs. I like how OO.org 3.0 handles the "Do you want to save?" dialog when closing the program: The buttons are labeled "Save", "Discard", and "Cancel". Of course, "Cancel" could be better described as "Return to Program."

      --
      Cynicism, like dogmatism, can be an excuse for intellectual laziness. - Susan Shirk
    10. Re:Feature Request by Idiomatick · · Score: 2, Interesting

      http://www.foxitsoftware.com/pdf/reader_2/reader-interstitial.html

      Or just make google open all your pdfs so that you aren't forced too even if its ugly its fast and secure.

    11. Re:Feature Request by Ravon+Rodriguez · · Score: 4, Funny

      An old saying goes "Programming is a race between programmers building better idiot-proof software, and the Universe building better idiots. So far, the Universe is winning."

      --
      Jesus loves me, he loves me a bunch, because he always puts Jiffy in my lunch.
  4. JavaScript?! by Anonymous Coward · · Score: 5, Insightful

    Seriously, JavaScript? In a PDF file? Why would you do that?

    1. Re:JavaScript?! by IceCreamGuy · · Score: 4, Funny

      Uh, duh, to get on the front page of /.

    2. Re:JavaScript?! by TheRealMindChild · · Score: 5, Insightful

      PDF seems to be the poster child for "How to abuse a format in a way that is contrary to its nature". Clients send us PDF's FORMS now... that they want us TO EDIT! Not print out, hand write on, and perhaps fax back... but EDIT IT, like it is a Word Processor document. Explaining to these people why this is an abomination is like telling a hooker not to sleep with the guy with sores all over his body... it falls on deaf ears, and makes baby Jesus cry.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    3. Re:JavaScript?! by Penguinshit · · Score: 4, Funny

      I actually used JavaScript in PDF to create interactive forms for the corporate intranet. It was pretty because I could use Photoshop to create the underlying image.

      Then I quit drinking and realized Excel with tweaked permissions was far better suited to the task. It wasn't as smooth looking but it was easier for my staff to update.

      --

      I have something in common with Stephen Hawking...

  5. Reply: Adobe to Lurene Grenier by Lead+Butthead · · Score: 4, Funny

    Lurene Grenier to Adobe: Pay up! We solved your issue.

    Adobe to Lurene Grenier: You decompiled Acrobat in some way to create this fix, in violation of click-through license and DMCA (not to mention making us look incompetent.) We're suing you and we're going to make sure your government put you away in a pound-you-in-the-ass prison for a long long time.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  6. JavaScript in PDF a Bad Idea by Anonymous Coward · · Score: 2, Insightful

    JavaScript in PDFs is, and always has been, a bad idea. I started disabling it years ago when it first showed up, and am continually frustrated that it is present, let alone enabled by default. How many PDF exploits have relied on JavaScript? I haven't been counting, but it sure seems like most of the vulnerabilities are either through JavaScript or made much easier to exploit by its presence.

    Someone is doubtless going to say that JavaScript is critical to PDFs as a helper for filling in forms. OK, whatever, but perhaps that particular job isn't one that a PDF should be doing.

    PDFs started out as a portable means to deliver any arbitrary document to someone else with fair assurance that it would look pretty much identical to both parties. Now Adobe seems to be trying to turn it in to some kind of interactive content delivery platform (substitute your own buzzwords) or something. That's not a path I'd like to trod.

  7. Here's how you turn out a patch *real* fast. by fm6 · · Score: 5, Insightful

    You skip all testing. Just the sort of thing I want to install in my system.

    1. Re:Here's how you turn out a patch *real* fast. by AngryNick · · Score: 5, Insightful

      Here's another way to do it... dump Adobe's bloated reader (if you can get it uninstalled) and pick up Foxit. I find it much more useful and a lot faster to load.

    2. Re:Here's how you turn out a patch *real* fast. by Kaboom13 · · Score: 3, Insightful

      Just make sure you don't let it install that obnoxious ask.com browser bar (in IE and Firefox). I made the mistake of including it in a slipstreamed xp disk and the silent installer took all defaults (browser bar and all).

  8. Wow by ClosedSource · · Score: 5, Funny

    You mean an individual who doesn't have a business to protect or any customers is able to come up with an un-QA'd version faster than the company that produced the product. Amazing!

  9. Re:Offensive by Anonymous Coward · · Score: 5, Funny

    I'll go for the secret third option, "because she's a feminist". Letting the world know what they find offensive is practically the feminists' national sport. Rather, it would be if they had their own country. And by God, I wish they did.

  10. Re:Offensive by TriezGamer · · Score: 2, Insightful

    Your grandchildren are not likely to be browsing Slashdot. Furthermore, taking offense to something that is very clearly tongue-in-cheek is not befitting of someone of your age.

  11. Patch? by noidentity · · Score: 2, Interesting

    So this patch basically does the equivalent of a user going into the program's settings and disabling the JavaScript execution checkbox? Hmmm, I don't want to post this anonymously, so I'll apply one of my homebrew patches to uncheck the "Post Anonymously" checkbox. Wow, I'm l33t!

  12. Articles reading the future? by Facegarden · · Score: 4, Funny

    What i find more interesting is how slashdot is now able to tell the future!
    The article boldly claims that something released yesterday has arrived two weeks before the official patch. Now, i know it's possible that the two weeks was taken from Adobe's projected patch fix date, but projections and fact are still different, and journalistic integrity requires a writer in this situation to indicate directly that this two weeks is not actually fact, as we couldn't know that yet. The headline is an outright lie, as far as i can tell, as it relies on future events being a certain way.

    Can we not have articles started with lies on slashdot from now on? Maybe keep the lies towards the end?
    -Taylor

    --
    Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
  13. There's a simple reason for that. by thePowerOfGrayskull · · Score: 5, Insightful

    As anyone who has developed complex software with a large installed userbase can attest to, you /cannot/ simply slap together a fix and push it out to millions of people.

    Even the simplest one line code change change requires extensive (if targeted) testing when you operate on that scale - the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.

  14. It's been Two Weeks since you made the patch ... by Anonymous Coward · · Score: 5, Funny

    Lurene Grenier has published a home-brewed patch for the critical Adobe Reader vulnerability ... beating Adobe Systems Inc. to the punch by more than two weeks.

    What the fuck Adobe? What did you do for those extra two weeks?

    it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees.

    Oh ... I guess you were trying to make it work on all systems, and checking to make sure that it didn't royally fuck up the user's computer, or introduce another, potentially more serious vulnerability.

  15. Re:Offensive by bane2571 · · Score: 2, Funny

    So, you're saying your grandmother couldn't install the patch? Or are you trying to imply that your 13 year old or younger grandchildren are nerdy enough to read slashdot?

  16. Really? by tool462 · · Score: 4, Funny

    "caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees."

    My boss will be pleased. I can push all my releases up at LEAST two weeks earlier now by adding this caveat on to all of my code. Thanks, Geritol.

  17. Re:Offensive by Anonymous Coward · · Score: 5, Funny

    Yeah, you're right. It's terrible when people use an apostrophe when they mean "your".

  18. Re:Offensive by Anonymous Coward · · Score: 5, Funny

    Q: How many feminists does it take to change a lightbulb?
    A: That is NOT funny.

  19. Why doesn't anyone think javascript is useful? by UtucXul · · Score: 4, Interesting
    I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files. I realize that there is a danger in allowing executable content in files (and it is arguable whether or not the danger is worth it) but I do not understand why so many people don't seem to understand that there are at least possible benefits to it.

    I used to make slides for talks using LaTeX. There are great ways to include animations directly in the pdf that use javascript. I always had far less trouble getting my animations to play than other people at conferences I went to because acrobat reader was all I needed and it is nearly always there. And for the record, the animations were things I really needed since they showed output from simulations.

    I've also seen lots of forms that do some math or validation. How do people think that happens?

    Again, I think we need to be very careful about executable code but that doesn't mean there are no possible good uses for it.

    1. Re:Why doesn't anyone think javascript is useful? by Tikkun · · Score: 3, Insightful

      I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files.

      Please read the 10 immutable laws of security. The one you're looking for is the first one on the list:

      "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

    2. Re:Why doesn't anyone think javascript is useful? by XnavxeMiyyep · · Score: 4, Funny

      I'm not sure I understand the overwhelmingly negative reaction to javascript in pdf files.
      ...
      There are great ways to include animations directly in the pdf that use javascript.

      Hmm.... I think I see a connection here.

      --
      I put the 't' in electrical engineering.
    3. Re:Why doesn't anyone think javascript is useful? by guruevi · · Score: 2, Informative

      I like the way Apple approaches that problem in their Quartz Composer tool. Basically you have JavaScript for all types of funky validations, requests and calculations you would like to do but the 'vulnerable' classes that would allow reading/writing local files, networking or creating annoying popups have been removed.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    4. Re:Why doesn't anyone think javascript is useful? by xiox · · Score: 2, Insightful

      "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

      Is that referring to Bill Gates?

  20. A better patch... by Kazoo+the+Clown · · Score: 3, Insightful

    My patch for Adobe is to uninstall reader and use Foxit instead. I thank those on Slashdot who alerted me of its existence as I have longed for a viable alternative from Adobe crapware for ages. It constantly was popping up windows where I would click "don't show me this again" about issues that were relevant to Adobe but not to me, and it never seemed to remember the setting once I checked on it. Worst designed junk I've ever seen. I've since found that Foxit is considerably faster as well.

    Good riddance.

  21. Re:There's a simple reason for that. by AngryNick · · Score: 3, Insightful

    - the consequences of an "oops" that could result from a hasty fix could easily get far worse than the original issue.

    Do you really believe that? I appreciate the need for caution and measured risk taking before releasing new code, but taking _weeks_ to test a reg hack/kill switch just tells me that a company isn't taking their defects very seriously. I'd be much more forgiving of a company that screwed up a patch than one that sat on it until it was too late.

  22. what's wrong with forms? by Main+Gauche · · Score: 4, Insightful

    Pardon my ignorance, but exactly what other format should one use if one wants to use forms?

    In my place of work, a large group of individuals each needs to fill out an annual form. It contains some short-answer questions, and a few that requires a few paragraphs to answer. In the past, they have used... wait for it... Word. Yes, I was forced to boot up Word once a year, to fill out this form. You should see the completely disastrous document that results.

    For that reason, I always wished our administrators would have figured out pdf forms. You don't "edit" them, as you say; you fill them in. While there are many complaints to make about Adobe, I don't see the problem with pdf forms. Am I missing something?

    1. Re:what's wrong with forms? by Korin43 · · Score: 3, Insightful

      HTML? Just point them to a page on the corporate intranet, they put in their login, profit?

  23. Re:Offensive by FlyingBishop · · Score: 3, Funny

    Dude, you should really be careful. I don't think you realize who you're talking to.

    Posting AC is only going to keep you safe for so long.

    That also goes for everyone who modded her down.

  24. Re:Offensive by JorDan+Clock · · Score: 5, Funny

    Q: How many feminists does it take to change a lightbulb?

    A: Four. One to change the lightbulb, three to form a support group.

    But really, it's a trick question because feminists can't change anything.

  25. Re:Offensive by electrosoccertux · · Score: 2, Funny

    Unrelated to the feminist jokes, but related to lightbulbs:

    Q: How many psychiatrists does it take to change a lightbulb?
    A: Only one, but the lightbulb has to want to change.

  26. Open source "more secure" than closed source? by commodore64_love · · Score: 2

    So is this "user supplied" PDF fix an example of how Open Source is More Secure than Closed Source?

    OSS users supplied a fix in less than a day, whereas a closed source programmer in some cubicle somewhere will take weeks to do the same. Maybe this would be a fine example to present to the UK Parliament and U.S. Congress, in order to convince them that open source is the best path to follow.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  27. Re:Offensive by Anonymous Coward · · Score: 2, Insightful

    Ada Lovelace, the first programmer.
    http://en.wikipedia.org/wiki/Ada_Lovelace

  28. Re:Offensive by houghi · · Score: 2, Funny

    One to change the light bulb and to post that the light bulb has been changed.

    Fourteen to share similar experiences of changing light bulbs and how the light bulb could have been changed differently.

    Seven to caution about the dangers of changing light bulbs.

    Seven more to point out spelling/grammatical errors in posts about changing light bulbs.

    Five to flame the spell checkers.

    Three to correct spelling/grammar flames.

    Six to argue over whether it's "lightbulb" or "light bulb" ... another six to condemn those six as stupid.

    Fifteen to claim experience in the lighting industry and give the correct spelling.

    Nineteen to post that this group is not about light bulbs and to please take this discussion to a lightbulb (or light bulb) forum.

    Eleven to defend the posting to the group saying that we all use light bulbs and therefore the posts are relevant to this group.

    Thirty six to debate which method of changing light bulbs is superior, where to buy the best light bulbs, what brand of light bulbs work best for this technique and what brands are faulty

    Seven to post URLs where one can see examples of different light bulbs.

    Four to post that the URLs were posted incorrectly and then post the corrected URL.

    Three to post about links they found from the URLs that are relevant to this group which makes light bulbs relevant to this group.

    Thirteen to link all posts to date, quote them in their entirety including all headers and signatures, and add "Me too"

    Five to post to the group that they will no longer post because they cannot handle the light bulb controversy.

    Four to say "didn't we go through this already a short time ago?"

    Thirteen to say "do a Google search on light bulbs before posting questions about light bulbs"

    Three to tell a funny story about their show dog and a light bulb.
    One to reply almost immediately saying "First Post !!!!!!"

    One to post an ASCII image of the lightbulb.

    Three to ask "Wtf is that" because their clients didn't display it as fixed-width.

    Seventeen to reply saying that their e-mail client is inadequate and suggest they get Mutt.

    One to reply with a perfectly labelled scale diagram of how to change a light bulb correctly.

    Thirty-three to reply telling them not to send HTML e-mails or attachments, and why don't they just use Mutt and ASCII art anyway.

    Two to ask "but does it run Linux ?".

    One to make a comment about the upcoming Microsoft Digital Lightbulb Management 2007 SP2 RGE.

    Two to suggest that Apple lightbulbs are superior.

    Seventy-five to start a massive off-topic Apple vs Microsoft flamewar.

    Forty-two to continue it into a Python vs Perl flamewar.

    One lonely poster to unsuccessfully try to start a HP-UX vs IRIX flamewar

    One hundred and seventy-eight to respond at various times saying
    "Troll!!"
    "OMG WTF TROLL !!!!!!one
    LOL" "Don't Feed Da Troll!!1", etc...

    AND

    One group lurker to respond to the original post 6 months from now and start it all over again

    --
    Don't fight for your country, if your country does not fight for you.