Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Fixes Recent PDF Flaw, But Not Before Auto Exploit

Posted by timothy on from the big-boat-turns-slowly dept.

SkiifGeek writes "With Adobe's patch for the JBIG2Decode vulnerability due in a few days time, new methods to target the vulnerability have been discovered that make it far riskier than previously thought. Didier Stevens recently showed the world how it is possible to exploit the vulnerability without the user actually opening an affected file, and now he has discovered a way that allows for completely automated exploitation that results in anything up to a Local System account without any user interaction at all and only relies upon basic Windows components and Acrobat Reader elements. There are some mitigating factors that limit the overall risk of this new discovery, but it does also highlight that merely uninstalling the Reader will not protect you from exploitation and does raise the possibility that other tools will access the vulnerable components and thus be vectors for attack." However, the fix is now in: nk497 writes "Adobe had finally released a fix for a PDF vulnerability discovered — and already exploited — last month. The update only applies to the most recent versions of Reader and Acrobat, with early versions and Unix editions not fixed until later this month. Adobe has taken its time with the patch, despite an independent security researcher releasing her own fix just days after the flaw was announced."

15 of 87 comments (clear)

  1. Re:Do people even still use Acrobat Reader? by Ninnle+Labs,+LLC · · Score: 4, Informative

    Do people even still use Acrobat Reader?

    Yes.

  2. And? by jgtg32a · · Score: 4, Informative

    It was vulnerable also, they got the patch out quicker.

    http://www.networkworld.com/news/2009/030909-foxit-pdf-viewer-also-open.html

    1. Re:And? by Rary · · Score: 5, Informative

      It was vulnerable also, they got the patch out quicker.

      Well, technically it was a different problem that just happened to be found in similar code. So, yes, it was also vulerable, just not vulnerable to the same problem.

      "The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images, said Thomas Kristensen, chief technology officer at Secunia AsP, the Danish company that reported the flaw to Foxit. "It is a completely different vulnerability related to JBIG2," Kristensen said in an e-mail Monday."

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    2. Re:And? by v1 · · Score: 2, Informative

      That just indicates that foxit decided to audit that bit of code closely to see if the problem was present in their implementation, and stumbled upon that other problem which they then fixed.

      --
      I work for the Department of Redundancy Department.
    3. Re:And? by CannonballHead · · Score: 3, Informative

      The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images

      I fail to see how that is "unrelated." Yeah, it wasn't the "same code" but it was the same code section - the code that parses the images. I'm guessing Foxit uses different code, so obviously it's not going to be the same code and thus not the exact same vulnerability...

      "unrelated" and "completely different" seem rather strong words to use. Oh well. :)

    4. Re:And? by Ninnle+Labs,+LLC · · Score: 4, Informative
      No, Secunia reported the bug to Foxit after they discovered it.

      The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images, said Thomas Kristensen, chief technology officer at Secunia AsP, the Danish company that reported the flaw to Foxit.

      So, no, Foxit didn't do anything like you claimed and in fact may not have even noticed the bug until a later point had Secunia not pointed it out.

    5. Re:And? by koro666 · · Score: 3, Informative

      It was vulnerable also, they got the patch out quicker.

      Thanks for mentioning it, I just updated it as well.

      At least though, Foxit does not install itself as a stupid browser plugin, so PDF files aren't automatically opened with it... (although they now have an optional plugin to do that, let's just hope it stays optional)

  3. My Bad by jgtg32a · · Score: 2, Informative

    Yeah I didn't actually read that article, I had just heard that Fox-it had the vulnerability also and I just grabbed an article for Google as proof.

    Shame on me, but in this case it is irrelevant.

  4. Re:Uninstalling doesn't help?? by Bearhouse · · Score: 2, Informative

    Indeed. Just lazy design & programming.

    As most good Windows admin know, it's helpful to keep a 'clean' PC or image around, with a 'base' install of the OS and required apps on it. When a nuked PC comes in, just backup user data and reimage from your base. I do a complete reinstall every year on my own machines. Amazing how much faster they are afterwards.

  5. Re:Do people even still use Acrobat Reader? by Anonymous Coward · · Score: 1, Informative

    Why isn't there a decent open source PDF reader? Not Sumatra, it's just a little too basic.

    I'm not volunteering though, I just don't care enough about PDF as a format, but it seems odd that nobody does. In theory the PDF format isn't that bad, but people mostly experience it though Adobe's reader which causes most of the problems.

    http://en.wikipedia.org/wiki/List_of_PDF_software

    Has the most common viewers.

  6. Adobe has taken its time with the patch by sobachatina · · Score: 4, Informative

    "Adobe has taken its time with the patch"

    Of course an independent research company was able to get a patch out quicker- they didn't have test their "fix" and they won't be held responsible if it breaks something else.

    It is very naive to say this every time a patch for something is released by a company that "Slashdot" doesn't approve of. If I didn't know better I'd think the editors were just trying to get a rise out of the more childish component of their audience. (I know, I know, I must be new here.)

  7. Re:Uninstalling doesn't help?? by nate_in_ME · · Score: 3, Informative

    Unfortunately, the practice of leaving DLLs behind is not an easy one to solve. The problem lies in the fact that there are many installers that don't play nicely, either installing a DLL without properly registering its use with Windows, or making use of an existing DLL without doing the same. A "proper" Windows installer is supposed to update the registry(at least the last time I checked, haven't really taken the time to read the most recent guidelines) with a list of shared DLLs that it uses, so that Windows essentially has a count of the number of programs that use each DLL. The uninstaller is only supposed to remove a DLL if that count is at zero after removing the program being uninstalled from the count. But because of the many simple install/uninstall programs that don't properly handle this, you get either an uninstaller that leaves anything that is not in the app directory itself(i.e. anything in %windir%\system32), or one that asks you for what to do about each DLL that may be shared.

  8. Re:Uninstalling doesn't help?? by nate_in_ME · · Score: 2, Informative

    I believe it depends on the order of the install...since the modifications are made by the installer of the "new" program, it's my understanding that Acrobat Reader would have registered itself with Windows Indexing Service, not the other way around. So, the uninstall of Acrobat should have fixed the issue.

  9. Re:I avoid Adobe Anything(TM) if I can by ratboy666 · · Score: 4, Informative

    And how do you know that there isn't a vulnerability?

    I'll let you in on a "secret". JBIG2 is a standard bi-level compression technique, that has been standardized. It uses statistical prediction, which makes for some interesting math. A standard reference implementation is available that works, and offers "reasonable" performance.

    Almost every developer that is charged with JBIG2 implementation is going to use the reference implementation.

    It is, of course, possible to generate other implementations. I wrote an alternate encoder that performed an order of magnitude more quickly for a client. But, it requires a great deal of analysis and skill to do so (no, I never touched decoding -- that was a hardware function. JBIG2 was used to transmit maps to a printer, which used a hardware decoder).

    Anyone using an implementation based on the reference is probably at risk of an exploit (if that was the original source). So, you cannot state that using a non-Adobe product makes you safe (unless a source review is possible, and I suspect that the skill needed for defect detection in the JBIG2 decoder is probably beyond most C programmers as well).

    But, the critical (and, unfortunately, "normal") problem of having service DLLs linked into core OS constructs certainly broadens the attack surface. Normal behavior (that is, incomplete de-installation) of system level components (because there is no reasonable way to determine the consequence of complete removal) simply exaggerates the issue.

    I assume that your "alternative" also links into the shell constructs of Windows, exposing a similar attack surface.

    You are probably not safe, either.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  10. Re:What about 6,7 and 8? by oasisbob · · Score: 2, Informative

    Go to the options menu and turn off javascript. Problem solved.

    *Sigh* This isn't true. Some versions of the exploit used Javascript for the heap spray, but Javascript isn't required at all to exploit this issue.