Adobe Fixes Recent PDF Flaw, But Not Before Auto Exploit

← Back to Stories (view on slashdot.org)

Adobe Fixes Recent PDF Flaw, But Not Before Auto Exploit

Posted by timothy on Wednesday March 11, 2009 @06:48AM from the big-boat-turns-slowly dept.

SkiifGeek writes "With Adobe's patch for the JBIG2Decode vulnerability due in a few days time, new methods to target the vulnerability have been discovered that make it far riskier than previously thought. Didier Stevens recently showed the world how it is possible to exploit the vulnerability without the user actually opening an affected file, and now he has discovered a way that allows for completely automated exploitation that results in anything up to a Local System account without any user interaction at all and only relies upon basic Windows components and Acrobat Reader elements. There are some mitigating factors that limit the overall risk of this new discovery, but it does also highlight that merely uninstalling the Reader will not protect you from exploitation and does raise the possibility that other tools will access the vulnerable components and thus be vectors for attack." However, the fix is now in: nk497 writes "Adobe had finally released a fix for a PDF vulnerability discovered — and already exploited — last month. The update only applies to the most recent versions of Reader and Acrobat, with early versions and Unix editions not fixed until later this month. Adobe has taken its time with the patch, despite an independent security researcher releasing her own fix just days after the flaw was announced."

87 comments

Min score:

Reason:

Sort:

Do people even still use Acrobat Reader? by koro666 · 2009-03-11 06:50 · Score: 3, Insightful

I've been using Foxit Reader for almost 2 years now.
1. Re:Do people even still use Acrobat Reader? by Ninnle+Labs,+LLC · 2009-03-11 06:52 · Score: 4, Informative
  
  Do people even still use Acrobat Reader?
  Yes.
2. Re:Do people even still use Acrobat Reader? by sakdoctor · 2009-03-11 07:02 · Score: 1
  
  Why isn't there a decent open source PDF reader? Not Sumatra, it's just a little too basic.
  I'm not volunteering though, I just don't care enough about PDF as a format, but it seems odd that nobody does. In theory the PDF format isn't that bad, but people mostly experience it though Adobe's reader which causes most of the problems.
  Also, stop fucking advertising for foxit.
3. Re:Do people even still use Acrobat Reader? by icebike · 2009-03-11 07:10 · Score: 1
  
  There are several.
  Unless your definition of "decent" means bit-for-bit identical to Acrobat, in which case there are none.
  See any competent linux distro.
  
  --
  Sig Battery depleted. Reverting to safe mode.
4. Re:Do people even still use Acrobat Reader? by Anonymous Coward · 2009-03-11 07:22 · Score: 1, Informative
  
  Why isn't there a decent open source PDF reader? Not Sumatra, it's just a little too basic.
  I'm not volunteering though, I just don't care enough about PDF as a format, but it seems odd that nobody does. In theory the PDF format isn't that bad, but people mostly experience it though Adobe's reader which causes most of the problems.
  http://en.wikipedia.org/wiki/List_of_PDF_software
  Has the most common viewers.
5. Re:Do people even still use Acrobat Reader? by blhack · 2009-03-11 07:25 · Score: 1
  
  The worst are software vendors that require it, then force you "upgrade" to the latest version.
  Yes, this happened to me. Yes, the "upgrade" that they are forcing me to use crashes when you run it on a roaming profile.
  AWESOME!
  
  --
  NewslilySocial News. No lolcats allowed.
6. Re:Do people even still use Acrobat Reader? by koro666 · 2009-03-11 07:42 · Score: 1
  
  Also, stop fucking advertising for foxit.
  What's so bad about getting the world to know about a good alternative?
7. Re:Do people even still use Acrobat Reader? by larry+bagina · 2009-03-11 08:16 · Score: 3, Insightful
  
  by definition, bit-for-bit identical to Acrobat is not decent.
  
  --
  Do you even lift?
  These aren't the 'roids you're looking for.
8. Re:Do people even still use Acrobat Reader? by GregNorc · 2009-03-11 10:23 · Score: 0, Troll
  
  That's quaint.
  I use a mac.
9. Re:Do people even still use Acrobat Reader? by innocent_white_lamb · 2009-03-11 18:11 · Score: 1
  
  Acrobat Reader is the only PDF reader that works with all PDF files. I don't like that fact either.
  Here is an example that renders properly only with acroread:
  https://bugzilla.redhat.com/show_bug.cgi?id=220983
  
  --
  If you're a zombie and you know it, bite your friend!
10. Re:Do people even still use Acrobat Reader? by Fred_A · 2009-03-11 23:49 · Score: 1
  
  Do people even still use Acrobat Reader?
  Yes.
  Indeed, because there are a still few reasons to use Arcoread, mostly when you use colour proofed PDF formats (X-3) for professional printing. Apparently only Adobe's reader fully supports those parts.
  Apart from that I typically stick with Okular (Version 0.8.1 Using KDE 4.2.1) which is now quite complete enough for my needs. Although I haven't had to use documents with forms for a while so I'm not sure what the level of support is on that front. If it doesn't work it might be a problem for some (on top of the fact that it's a KDE app and therefore less simple to use outside of Unix land).
  
  --
  
  May contain traces of nut.
  Made from the freshest electrons.
11. Re:Do people even still use Acrobat Reader? by jbn-o · 2009-03-12 03:06 · Score: 1
  
  Foxit recently had a stack based buffer overflow that could lead to account exploitation. But the worst problem is that Foxit is proprietary software; uninspectable, unfixable by even the most technical user, and Foxit is unsharable to users "on mobile devices or embedded devices including cellular phones, PDA's, and all other handheld devices". Just like with Adobe's proprietary PDF reader, the secrecy means that there's no telling how many other security problems are waiting to be exploited with Foxit. As more problems are found you must wait for the proprietor to decide to fix the problem and distribute that fix. If the program spies on you (or allows others to do so) you can only turn that off if the proprietor decides to allow you to turn that off. Foxit is not a secure program because of the restrictions it imposes on the user regardless of its current or future implementation. Sumatra PDF overcomes all of these limitations and if you don't think something in it is secure, you are allowed to fix it yourself, hire someone to fix it for you, or ask someone for a fix and then share the improved version with anyone even commercially. Sumatra PDF is licensed under the GNU General Public License version 2.
  
  --
  Digital Citizen
12. Re:Do people even still use Acrobat Reader? by Anonymous Coward · 2009-03-12 04:47 · Score: 0
  
  Excuse me, im not usually posting here (gussing 6 years or longer since last time)
  But Im so sick of adobe... So many security flaws reported, i thought that they would atleast fix the major flaws in flashplayer by version 9 and im still with version 10 able to use the same exploits i used in flash 7. I consider IE8 to be fairly safe, but i can stil use the old code i wrote for flash7 to exploit the system. Is that progress??
  I think they need a better CSO or maybe an entire security team over at adobe.
  Just my c. //Dan
13. Re:Do people even still use Acrobat Reader? by John+Dowdell · 2009-03-12 07:10 · Score: 1
  
  "... i thought that they would atleast fix the major flaws in flashplayer by version 9 and im still with version 10 able to use the same exploits i used in flash 7."
  Hi, if you think you know of an old flaw that no one has noticed, could you drop a note to the security team, please?
  http://www.adobe.com/support/security/alertus.html
  tx, jd/adobe
And? by jgtg32a · 2009-03-11 06:52 · Score: 4, Informative

It was vulnerable also, they got the patch out quicker.

http://www.networkworld.com/news/2009/030909-foxit-pdf-viewer-also-open.html
1. Re:And? by Rary · 2009-03-11 07:05 · Score: 5, Informative
  
  It was vulnerable also, they got the patch out quicker.
  Well, technically it was a different problem that just happened to be found in similar code. So, yes, it was also vulerable, just not vulnerable to the same problem.
  "The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images, said Thomas Kristensen, chief technology officer at Secunia AsP, the Danish company that reported the flaw to Foxit. "It is a completely different vulnerability related to JBIG2," Kristensen said in an e-mail Monday."
  
  --
  "You cannot simultaneously prevent and prepare for war." -- Albert Einstein
2. Re:And? by v1 · 2009-03-11 07:11 · Score: 2, Informative
  
  That just indicates that foxit decided to audit that bit of code closely to see if the problem was present in their implementation, and stumbled upon that other problem which they then fixed.
  
  --
  I work for the Department of Redundancy Department.
3. Re:And? by CannonballHead · 2009-03-11 07:14 · Score: 3, Informative
  
  The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images
  I fail to see how that is "unrelated." Yeah, it wasn't the "same code" but it was the same code section - the code that parses the images. I'm guessing Foxit uses different code, so obviously it's not going to be the same code and thus not the exact same vulnerability...
  "unrelated" and "completely different" seem rather strong words to use. Oh well. :)
4. Re:And? by Ninnle+Labs,+LLC · 2009-03-11 07:19 · Score: 4, Informative
  
  No, Secunia reported the bug to Foxit after they discovered it.
  
  The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images, said Thomas Kristensen, chief technology officer at Secunia AsP, the Danish company that reported the flaw to Foxit.
  
  So, no, Foxit didn't do anything like you claimed and in fact may not have even noticed the bug until a later point had Secunia not pointed it out.
5. Re:And? by koro666 · 2009-03-11 07:45 · Score: 3, Informative
  
  It was vulnerable also, they got the patch out quicker.
  Thanks for mentioning it, I just updated it as well.
  At least though, Foxit does not install itself as a stupid browser plugin, so PDF files aren't automatically opened with it... (although they now have an optional plugin to do that, let's just hope it stays optional)
Uninstalling doesn't help?? by erroneus · 2009-03-11 07:01 · Score: 5, Insightful

There is a big problem I have with a number of software vendors. Their uninstalls don't do a complete uninstall! According to the article, uninstalling the reader leaves exploitable DLLs behind and remain hooked into Windows Explorer. That is just bad behavior by this software vendor. Uninstall should mean "get rid of it and all parts completely" and that should include registry entries, obscured or otherwise.
Software vendors at large have a pretty disrespectful view of end-user computers. They feel it is right and correct for them to effectively take control of the machines their software inhabits. They are very bad house guests indeed. It might be pushing a point, but all of this sort of behavior would seem to constitute some sort of criminal trespass into computer systems. I know that was certainly the case with Sony rootkits being installed.
It seems to me the only effective way to be sure of what is on your Windows computer is to do a fresh reinstallation of the OS and all applications any time a software change is made... that would be an add/remove or delete of an application. Don't want Adobe leaving crap behind? Reformat your system and install from scratch. I know that seems extreme, but it is likely the only way a user can have any reasonable hope of maintaining control over his computer systems.
1. Re:Uninstalling doesn't help?? by Bearhouse · 2009-03-11 07:17 · Score: 2, Informative
  
  Indeed. Just lazy design & programming.
  As most good Windows admin know, it's helpful to keep a 'clean' PC or image around, with a 'base' install of the OS and required apps on it. When a nuked PC comes in, just backup user data and reimage from your base. I do a complete reinstall every year on my own machines. Amazing how much faster they are afterwards.
2. Re:Uninstalling doesn't help?? by nate_in_ME · 2009-03-11 07:36 · Score: 3, Informative
  
  Unfortunately, the practice of leaving DLLs behind is not an easy one to solve. The problem lies in the fact that there are many installers that don't play nicely, either installing a DLL without properly registering its use with Windows, or making use of an existing DLL without doing the same. A "proper" Windows installer is supposed to update the registry(at least the last time I checked, haven't really taken the time to read the most recent guidelines) with a list of shared DLLs that it uses, so that Windows essentially has a count of the number of programs that use each DLL. The uninstaller is only supposed to remove a DLL if that count is at zero after removing the program being uninstalled from the count. But because of the many simple install/uninstall programs that don't properly handle this, you get either an uninstaller that leaves anything that is not in the app directory itself(i.e. anything in %windir%\system32), or one that asks you for what to do about each DLL that may be shared.
3. Re:Uninstalling doesn't help?? by mea37 · 2009-03-11 07:39 · Score: 1
  
  Well, if everyone were playing nice, wouldn't the Windows Indexing Service (and other services that can be used in this attack) count as ( / have registered themselves as) "users" of the DLL? So then leaving behind the DLL would be the "correct" behavior anyway?
4. Re:Uninstalling doesn't help?? by Culture20 · 2009-03-11 07:39 · Score: 3, Insightful
  
  I'd rather have an installer that breaks another app, so that I reinstall the first program just to get the shared DLLs. That way, no unnecessary cruft is left behind.
5. Re:Uninstalling doesn't help?? by cerberusss · 2009-03-11 07:42 · Score: 1
  
  Problem is, I can't find the procedure for completely uninstalling Adobe Acrobat or Acrobat Reader. Anyone found this?
  
  --
  8 of 13 people found this answer helpful. Did you?
6. Re:Uninstalling doesn't help?? by nate_in_ME · 2009-03-11 07:43 · Score: 2, Informative
  
  I believe it depends on the order of the install...since the modifications are made by the installer of the "new" program, it's my understanding that Acrobat Reader would have registered itself with Windows Indexing Service, not the other way around. So, the uninstall of Acrobat should have fixed the issue.
7. Re:Uninstalling doesn't help?? by mcgrew · 2009-03-11 07:45 · Score: 1
  
  Software vendors at large have a pretty disrespectful view of end-user computers.
  The question is, why do we put up with it? I blame (partly) the Windows regsitry. Before that ill-concieved monstrosity it was easy to uninstall a program -- just open the two plain English files (I've forgotten what they were called), find references to the software, and delete those references and deltree the app's subdirectory.
  With DOS it was even easier, just deltree the directory (later versions of DOS, before that you'd DEL *.* while in that directory, then go up a directory and RD.
  It's been said that "computers make hard things easy, and easy things hard". I think Microsoft has made this their motto.
  
  --
  Free Martian Whores!
8. Re:Uninstalling doesn't help?? by erroneus · 2009-03-11 07:46 · Score: 1
  
  The Apple approach to applications installation is by far the best for users. Everything is in a *.app folder so if you want to remove the app, just move it to trash and empty trash.
  Of course not every application/utility that is made for Mac OS X behaves itself properly. The "log me in" client is nearly uninstallable, for example. And would it surprise anyone to learn that uninstalling Microsoft Office from a Mac is also rather painful and non-trivial?
  There are lots of negative things I have to say about Apple and Mac OS X, but in this area, they are definitely using a very good approach. And rule-breakers are unwelcome in Apple-world... but they exist and Microsoft is a pretty nasty rule-breaker. And yes, of course it is in the name of protecting their software. So it isn't hard to see how the operating system's culture doesn't fall far from the operating system itself.
9. Re:Uninstalling doesn't help?? by D+Ninja · 2009-03-11 07:50 · Score: 1
  
  I second that - haven't been able to find anything on completely removing the Reader. Anybody have this information?
10. Re:Uninstalling doesn't help?? by erroneus · 2009-03-11 07:51 · Score: 1
  
  DLLs shouldn't be shared at all. There is no technical reason for it. In the past, hard drive space was an issue, but these days, space is measured in gigabytes rather than kilobytes. I have fixed many programs stuck in "DLL Hell" by acquiring an old version of a DLL and placing it in the same folder as the application's EXE. If software publishers did what Apple already does, which is putting everything associated with a program into the same folder, then those problems would certainly go away.
11. Re:Uninstalling doesn't help?? by erroneus · 2009-03-11 07:54 · Score: 1
  
  win.ini and system.ini aren't they?
  Yes, I remember those days fondly. Those files still exist today but I doubt they are still being used. You could try it out by adding some "run =" lines or whatever it was we used to do when we didn't want to see LNK files in the startup group..?
12. Re:Uninstalling doesn't help?? by nate_in_ME · 2009-03-11 08:07 · Score: 2, Interesting
  
  I don't believe that DLL sharing was ever really a space issue, but rather a situation where developers did not want to reinvent the wheel. For example, look at Firefox's "IE Tab" extension. This is possible because the MSHTML rendering engine that IE uses is also available for other programs to connect into as well. Without DLL sharing, there would be no real way to create something like this...
13. Re:Uninstalling doesn't help?? by khellendros1984 · 2009-03-11 08:12 · Score: 1
  
  How about when a patch for an exploit comes out? Copy that patched file into each of the 50 programs you have installed that use it? I actually hate it when I do a search for a dll and find 20 copies of the same thing, strewn around the drive.
  
  --
  It is pitch black. You are likely to be eaten by a grue.
14. Re:Uninstalling doesn't help?? by erroneus · 2009-03-11 08:20 · Score: 3, Interesting
  
  Unfortunately it would still be for the best. Very often software is written to link to misbehaving functions and system calls quite often. Updating a single DLL can break as much or more than it fixes. Truly there are arguments for either side of that position. But ultimately when it comes to a "software product" it should be as self-contained as possible. One vendor should not be capable of rendering another program useless by updating a single DLL. Applications should be compartmentalized and self contained and especially not linked into the operating system.
15. Re:Uninstalling doesn't help?? by byner · 2009-03-11 08:22 · Score: 1
  
  You may have plenty of hard drive space, but I doubt you actually want the performance and memory hit of loading reusable components several times over.
  I'd rather have the Windows UI components and libraries shared and loaded in memory once than bloat memory space by requiring programs to have their own copy many times over.
  Shared libraries are important. A problem maybe, related to your concern, is that some software shouldn't be making everything shared and in the core system especially when they don't clean up after themselves. Basic UI and runtime libraries? Definitely want them shared. PDF reader routines? How often are those required by anything other than the reader itself? I don't see why browser plugins can't just use libraries installed in the program's directory instead of the system directory. They have to put their hooks into the browser either way.
16. Re:Uninstalling doesn't help?? by mcgrew · 2009-03-11 08:26 · Score: 1
  
  Yep, those were the files. I never thought I'd miss them, but then I never thought I'd run across a dumb monstrosity like the Windows registry either.
  
  --
  Free Martian Whores!
17. Re:Uninstalling doesn't help?? by denis-The-menace · 2009-03-11 08:31 · Score: 1
  
  FYI: They are only used by Windows 3.1 apps running on XP/Vista/Windows7
  and by virus/Trojan writers.
  
  --
  Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
18. Re:Uninstalling doesn't help?? by cerberusss · 2009-03-11 08:45 · Score: 1
  
  After reading the articles, a fix seems to be to uninstall Adobe Acrobat Reader, and disable the Windows Search service (because Adobe's IFilter DLL is not removed when uninstalling).
  Next step is to install another PDF reader like Foxit. I did download Adobe Acrobat Reader again, but didn't install it. In case of emergency, I can always temporarily install it.
  
  --
  8 of 13 people found this answer helpful. Did you?
19. Re:Uninstalling doesn't help?? by Jamie's+Nightmare · 2009-03-11 09:09 · Score: 1, Funny
  
  DLLs shouldn't be shared at all. There is no technical reason for it.
  Congrats. I think that one will win the coveted "Asinine Statement of the Week" award. You've got my vote.
  
  --
  "When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
20. Re:Uninstalling doesn't help?? by Mozk · 2009-03-11 09:43 · Score: 1
  
  What about the user preferences? Those aren't stored in the .app folder.
  
  --
  No existe.
21. Re:Uninstalling doesn't help?? by Anonymous Coward · 2009-03-11 10:49 · Score: 0
  
  If you don't want to wait an hour for Windows to reinstall, use PC Armor (http://www.datadrivethru.com/pcarmor_product.asp). It will show you exactly what gets left behind and remove it.
22. Re:Uninstalling doesn't help?? by lgw · 2009-03-11 14:05 · Score: 1
  
  I have many gigabytes of memory as well, and any DLL that takes more than a few milliseconds to load is crap to begin with.
  Shared DLLs are nothing but a problem. The very idea of a DLL is a solution to a problem of the 1980s thats just out of place in the third millenium. When you ship an EXE, you should be statically linked with whatever libraries you need, simple as that. One EXE and you're done.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
23. Re:Uninstalling doesn't help?? by daveime · 2009-03-11 18:51 · Score: 1
  
  So why are we still teaching CS students that code modularization and re-use are good things ?
  Surely the whole point of DLLs (and shared onjects on nix) was that different programs could re-use useful code ? Now every programmer has to re-invent the wheel (or at least anything above the HAL), to avoid using any third-party DLL, just in case it's vulnerable to some exploit ?
  Shouldn't we just be teaching the students, "fuckit, throw more hard disk space at everything, and duplicate code as much as possible" ?
  Not that there is any logic in that whatsoever, as it just means instead of having to patch ONE copy of the identical code, you have to patch MANY copies of the same code.
24. Re:Uninstalling doesn't help?? by gzipped_tar · 2009-03-11 20:42 · Score: 1
  
  Shared libraries are not only used to save storage space, but also facilitates code sharing in memory. If everything links the libraries statically it would be a waste of memory space at run-time.
  I agree that the role of "archives" of libraries today is diminishing in the face of cheaper storage. But sharing code among processes is still a major function of shared libraries.
  
  --
  Colorless green Cthulhu waits dreaming furiously.
25. Re:Uninstalling doesn't help?? by hesaigo999ca · 2009-03-12 01:22 · Score: 1
  
  I couldn't agree more!
26. Re:Uninstalling doesn't help?? by lgw · 2009-03-12 08:48 · Score: 1
  
  I have more memory than even my bloatware needs, for non-gaming purposes. There's no longer any point in saving memory either. Everything linking statically would "waste" a few MB out of many GB of memory - worth it if it saves me even 5 minutes of "DLL Hell".
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
27. Re:Uninstalling doesn't help?? by WNight · 2009-03-12 16:00 · Score: 1
  
  Static linking is a problem as you say, but the idea of having private copies of the DLL is still valid. The system could hash the DLL at load and merge identical ones for the same space savings.
Abject Morons by ewhac · 2009-03-11 07:06 · Score: 1

And people wonder why I'm still using Acrobat Reader 6. With JavaScript turned off.
And, seriously, how does an uninstaller that leaves DLLs behind ever pass a non-corrupt QA process?
Schwab

--
Editor, A1-AAA AmeriCaptions
1. Re:Abject Morons by v1 · 2009-03-11 07:13 · Score: 2, Insightful
  
  how does an uninstaller that leaves DLLs behind ever pass a non-corrupt QA process?
  it's always either payoffs or deadlines. (usually deadlines)
  
  --
  I work for the Department of Redundancy Department.
2. Re:Abject Morons by icebike · 2009-03-11 07:26 · Score: 1
  
  Adding JavaScript to a product who's design goals was to preserve formatting
  equivalent to a printed page was probably one of the worst software decisions
  I've seen.
  
  --
  Sig Battery depleted. Reverting to safe mode.
3. Re:Abject Morons by Cro+Magnon · 2009-03-11 07:39 · Score: 1
  
  QA process? What's a QA process?
  
  --
  Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
4. Re:Abject Morons by digitalunity · 2009-03-11 07:53 · Score: 3, Insightful
  
  I believe that decision was made to make interactive PDF's possible. There was a serious case of feature creep in the PDF specification. This stems from Adobe really being out of touch with what users expected PDF to be(just a universal page layout format) and what they wanted to make it.
  PDF now supports buttons, Javascript and a whole slew of other features that for the most part are not typically used. In fact, anyone who wants to use those features probably shouldn't be using PDF at all since only the Adobe reader supports them! There isn't even a good open source PDF program that supports forms. Some readers display them properly, but none that I can find allow you to complete them and save the completed form.
  
  --
  You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
5. Re:Abject Morons by Anonymous Coward · 2009-03-11 07:54 · Score: 0
  
  then you're probably vulnerable since the exploit is in the jpeg2k decoding routines.
6. Re:Abject Morons by icebike · 2009-03-11 08:04 · Score: 1
  
  PDF now supports buttons, Javascript and a whole slew of other features that for the most part are not typically used. In fact, anyone who wants to use those features probably shouldn't be using PDF at all since only the Adobe reader supports them!
  Quite true.
  Most use of Acrobat is in pursuit of a document that could reliably be expected to display and print the same on my machine as on yours. Adding these features detracts from its primary purpose.
  I understand the desire for One Reader to Rule them ALL, but various call-home features and interactive content manipulation still was a wrong approach for a package with the original goal of faithful unalterable reproduction.
  Fill in forms are supported by many reader compatible clones. Even this feature is suspect. How can one be sure when filling in an IRS fill-in form that acrobat is not transmitting tax data to some third party.
  
  --
  Sig Battery depleted. Reverting to safe mode.
7. Re:Abject Morons by Anonymous Coward · 2009-03-11 08:20 · Score: 0
  
  Speaking of morons. The fix has bee applied to reader since 2/27 (according to the dates on the extracted msi file).
  Why did it take an additional 2 weeks to release the final package to end users? "Testing"? If it takes 2 weeks to get a simple fix through the process in your company either a) your company is to big and monolithic caring more about marketing than the product(s) or b) you need to drastically change your processes or c) a & b
My Bad by jgtg32a · 2009-03-11 07:11 · Score: 2, Informative

Yeah I didn't actually read that article, I had just heard that Fox-it had the vulnerability also and I just grabbed an article for Google as proof.

Shame on me, but in this case it is irrelevant.
How about a link to the MSI? by Anonymous Coward · 2009-03-11 07:12 · Score: 0

How about a link to the MSI for people who need to push out Reader ASAP?
Adobe has taken its time with the patch by sobachatina · 2009-03-11 07:24 · Score: 4, Informative

"Adobe has taken its time with the patch"
Of course an independent research company was able to get a patch out quicker- they didn't have test their "fix" and they won't be held responsible if it breaks something else.
It is very naive to say this every time a patch for something is released by a company that "Slashdot" doesn't approve of. If I didn't know better I'd think the editors were just trying to get a rise out of the more childish component of their audience. (I know, I know, I must be new here.)
1. Re:Adobe has taken its time with the patch by Fulcrum+of+Evil · 2009-03-11 08:09 · Score: 1
  
  It's very naive to assume that Adobe took so long because of the burden of testing. Frequently, companies simply don't consider exploits a priority unless shamed by the press.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
2. Re:Adobe has taken its time with the patch by slashdot.org · 2009-03-11 08:37 · Score: 1
  
  Of course an independent research company was able to get a patch out quicker- they didn't have test their "fix" and they won't be held responsible if it breaks something else.
  Uhm, what worse thing can they be held responsible for than having their software cause all these computers to get trojaned?
  Especially since apparently due to their negligence, even after uninstalling, the risk persists.
  The reality is that software mfgs aren't held responsible for anything ever. Which IMNSHO is ridiculous.
  As one of the people that got affected by this (first time in my 20yrs+ using computers btw), I'm seriously considering if a lawsuit here is in place. I'm sick of this, it cost me a ton of time, and I'm fucking furious with Adobe.
3. Re:Adobe has taken its time with the patch by VeNoM0619 · 2009-03-12 09:28 · Score: 1
  
  Uhm, what worse thing can they be held responsible for than having their software cause all these computers to get trojaned?
  Uhm, all these computers could have their OS partition trashed because of some Win X "feature" due to faulty testing.
  
  Then the article would've been: "Adobe releases patch from outside source, breaking millions, instead of testing!"
  
  I'm on Adobe's side, if you wanted your fix so badly/early, then take it from the "untrusted" source (oh but you wouldn't, now WOULD YOU?). Otherwise wait for the official release that has been tested more.
  
  --
  Disclaimer: I am not god.
  We may not be created equal
  But we can be treated equal.
I avoid Adobe Anything(TM) if I can by mandark1967 · 2009-03-11 07:29 · Score: 1

I'm using Summatra PDF Reader because I like the small footprint and the fact it provides me with the basic options I need without hogging resources.
Is it affected by these vulnerabilites too?

--
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
1. Re:I avoid Adobe Anything(TM) if I can by ratboy666 · 2009-03-11 07:55 · Score: 4, Informative
  
  And how do you know that there isn't a vulnerability?
  I'll let you in on a "secret". JBIG2 is a standard bi-level compression technique, that has been standardized. It uses statistical prediction, which makes for some interesting math. A standard reference implementation is available that works, and offers "reasonable" performance.
  Almost every developer that is charged with JBIG2 implementation is going to use the reference implementation.
  It is, of course, possible to generate other implementations. I wrote an alternate encoder that performed an order of magnitude more quickly for a client. But, it requires a great deal of analysis and skill to do so (no, I never touched decoding -- that was a hardware function. JBIG2 was used to transmit maps to a printer, which used a hardware decoder).
  Anyone using an implementation based on the reference is probably at risk of an exploit (if that was the original source). So, you cannot state that using a non-Adobe product makes you safe (unless a source review is possible, and I suspect that the skill needed for defect detection in the JBIG2 decoder is probably beyond most C programmers as well).
  But, the critical (and, unfortunately, "normal") problem of having service DLLs linked into core OS constructs certainly broadens the attack surface. Normal behavior (that is, incomplete de-installation) of system level components (because there is no reasonable way to determine the consequence of complete removal) simply exaggerates the issue.
  I assume that your "alternative" also links into the shell constructs of Windows, exposing a similar attack surface.
  You are probably not safe, either.
  
  --
  Just another "Cubible(sic) Joe" 2 17 3061
2. Re:I avoid Adobe Anything(TM) if I can by anss123 · 2009-03-11 09:25 · Score: 1
  
  Almost every developer that is charged with JBIG2 implementation is going to use the reference implementation.
  Sumatra use jbig2dec. Don't know if that's vulnerable or not.
  
  I assume that your "alternative" also links into the shell constructs of Windows, exposing a similar attack surface.
  No. Abode software dig much deeper into the shell. Sumatra only has an icon for pdf files and opens when they're clicked (no filters, browser plugins, etc).
What about 6,7 and 8? by fluor2 · 2009-03-11 07:32 · Score: 2, Interesting

We have dozens of Acrobat Pro 6, 7 and 8 installs. How do we fix them? Are they vulnerable? Will Adobe use this to take advantage of the market?
1. Re:What about 6,7 and 8? by mottie · 2009-03-11 08:05 · Score: 1
  
  You might be screwed on 6 but 7 and 8 are going to be fixed.
  
  FTA: Adobe is planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18.
  http://www.adobe.com/support/security/bulletins/apsb09-03.html
2. Re:What about 6,7 and 8? by jagilbertvt · 2009-03-11 08:15 · Score: 1
  
  The question then would be, is 6 vulnerable to this? Or any of the vulnerabilities since it's last patch (early 07 I think). I don't have 6 to test with, but I have to wonder when they say previous versions may be vulnerable.. Sounds like they just want you to upgrade a product that may be working fine (and at a cost of $99 for a standard upgrade copy, multiplied by the number of employees in your corp that may have it.. that's not cheap).
3. Re:What about 6,7 and 8? by Colonel+Korn · 2009-03-11 08:35 · Score: 1
  
  Go to the options menu and turn off javascript. Problem solved.
  
  --
  "I zero-index my hamsters" - Willtor (147206)
4. Re:What about 6,7 and 8? by slashdot.org · 2009-03-11 08:42 · Score: 1
  
  We have dozens of Acrobat Pro 6, 7 and 8 installs. How do we fix them? Are they vulnerable? Will Adobe use this to take advantage of the market?
  Probably someone will come out with a proper removal of the search hook DLLs that apparently stay behind if you uninstall.
  Other than that, I strongly suggest to find a non-Adobe product.
  Yes, they may have a product that seems like it's the only choice. But do you seriously want to use software from a company that has blatant disrespect for it's customers? And because of this puts their customers information at serious risk?
  I mean, how bad does software (and the writer of) need to behave before you step away from it?
5. Re:What about 6,7 and 8? by oasisbob · 2009-03-11 14:45 · Score: 2, Informative
  
  Go to the options menu and turn off javascript. Problem solved.
  *Sigh* This isn't true. Some versions of the exploit used Javascript for the heap spray, but Javascript isn't required at all to exploit this issue.
6. Re:What about 6,7 and 8? by Colonel+Korn · 2009-03-12 02:46 · Score: 1
  
  Go to the options menu and turn off javascript. Problem solved.
  *Sigh* This isn't true. Some versions of the exploit used Javascript for the heap spray, but Javascript isn't required at all to exploit this issue.
  Wow, in that case I guess I'll just remove the association between pdf and any reader in my browser. Most web pdfs can be viewed as a pdf through search engines, anyway.
  
  --
  "I zero-index my hamsters" - Willtor (147206)
7. Re:What about 6,7 and 8? by Colonel+Korn · 2009-03-12 02:51 · Score: 1
  
  Go to the options menu and turn off javascript. Problem solved.
  *Sigh* This isn't true. Some versions of the exploit used Javascript for the heap spray, but Javascript isn't required at all to exploit this issue.
  Wow, in that case I guess I'll just remove the association between pdf and any reader in my browser. Most web pdfs can be viewed as a pdf through search engines, anyway.
  I meant as an html, but now that I think of it that may be insufficient as well. I guess I'll relegate pdf readers to inside of a VM from now on.
  
  --
  "I zero-index my hamsters" - Willtor (147206)
Patching instructions by Anonymous Coward · 2009-03-11 07:45 · Score: 1, Funny

I found online a PDF with these patching instructiAFDSFHRYI/%IGM;%&TQWEFÃ'WF NO CARRIER
QA Process by Lead+Butthead · 2009-03-11 07:49 · Score: 1

What's more likely is that internally there's a bug logged for the poor uninstall behavior somewhere inside the organization that started out its life as "critical" but over time gets downgraded by PHB as being "unimportant" and eventually ended up in the "low" bin where nobody ever looks at.

--
ELOI, ELOI, LAMA SABACHTHANI!?
The patch is bigger than the install? by ThreeGigs · 2009-03-11 08:36 · Score: 4, Interesting

Patch for Reader: 103 MB
Fresh download of Reader: 41 MB
Am I the only one who thinks that a bit odd?
1. Re:The patch is bigger than the install? by Anonymous Coward · 2009-03-11 09:52 · Score: 1, Insightful
  
  I'm sure the change log explains exactly what each of those 103 million bytes do, including the reasons for it being even bigger than the whole OpenOffice package, while still not being able to convert anything to a PDF.
2. Re:The patch is bigger than the install? by westlake · 2009-03-11 10:03 · Score: 1
  
  Patch for Reader: 103 MB Fresh download of Reader: 41 MB Am I the only one who thinks that a bit odd?
  I'd say that depends on how many versions of the Reader are being patched.
3. Re:The patch is bigger than the install? by Anonymous Coward · 2009-03-11 11:41 · Score: 0
  
  Except you could read the summary, where it clearly states "The update only applies to the most recent versions of Reader and Acrobat"
  Just hand in all your cards and hang yourself with the phone cord.
Doesn't help if you're stuck on 8 by myxiplx · 2009-03-11 09:19 · Score: 1

Well, I was just about to whinge that this still doesn't help those of us stuck on version 8, but I see that today Adobe have finally fixed the 9 month old bug that stopped us upgrading: http://kb.adobe.com/selfservice/viewContent.do?externalId=kb404597&sliceId=1
Unfortunately for them, today was the day we migrated every single computer over to PDF-XChange. Barring any major problem, I can't see us using Adobe products for a long while. I'm not interested in sticking with any vendor that takes 9 months to fix a show stopping bug like that.
Pwnie award nominee by coolamber · 2009-03-11 09:36 · Score: 1

This vulnerability has pwnie award written all over it.
I would like to nominate it for the most epic fail category.
http://pwnie-awards.org/2008/
The Final Straw by Erik+Fish · 2009-03-11 14:55 · Score: 1

This is what made me install AdBlock. I was good with just FlashBlock for years but with all the PDF exploits showing up in banner ads the past few months, last week I decided I'd had enough.
"Just" using a non-Adobe PDF reader is good until you grow up and realize that something not being displayed in a PDF could very easily mean serious consequences. Ever fill out an employment app in a PDF? Yeah.
acrobat alternative on Windows by mzs · 2009-03-12 03:50 · Score: 1

I had been Windows free since 1996 (Mac, Linux, FreeBSD, and Solaris only), but recently I got a used XP machine because my kids were having trouble keeping-up in school with the computer stuff because they did not have the same programs at home. Well the XP machine was just too slow, so I bought a new Vista machine (I also have FreeBSD on it for me).
Wow that sounded like an alcoholic rationalizing falling off the wagon...
What is a good alternative to Acrobat for Windows? Preview.app is fine on the Mac and xpdf works great on everything else I have ever used. I don't want to try all the Windows options, maybe someone already has and can offer the suggestion of a good one for Windows?
Re: "Abject Morons"? by John+Dowdell · 2009-03-12 07:21 · Score: 1

To read a page you wouldn't need JavaScript, true. But PDF is also a predictable way to work with editable forms, and these include input validation and business logic.
jd/adobe