Slashdot Mirror


Adobe Fixes Recent PDF Flaw, But Not Before Auto Exploit

SkiifGeek writes "With Adobe's patch for the JBIG2Decode vulnerability due in a few days' time, new methods to target the vulnerability have been discovered that make it far riskier than previously thought. Didier Stevens recently showed the world how it is possible to exploit the vulnerability without the user actually opening an affected file, and now he has discovered a way that allows for completely automated exploitation that results in anything up to a Local System account without any user interaction at all and only relies upon basic Windows components and Acrobat Reader elements. There are some mitigating factors that limit the overall risk of this new discovery, but it does also highlight that merely uninstalling the Reader will not protect you from exploitation, and it does raise the possibility that other tools will access the vulnerable components and thus be vectors for attack." However, the fix is now in: nk497 writes "Adobe has finally released a fix for a PDF vulnerability discovered — and already exploited — last month. The update only applies to the most recent versions of Reader and Acrobat, with earlier versions and Unix editions not fixed until later this month. Adobe has taken its time with the patch, despite an independent security researcher releasing her own fix just days after the flaw was announced."

24 of 87 comments

  1. Do people even still use Acrobat Reader? by koro666 · Score: 3, Insightful

    I've been using Foxit Reader for almost 2 years now.

    1. Re:Do people even still use Acrobat Reader? by Ninnle Labs, LLC · Score: 4, Informative

      Do people even still use Acrobat Reader?

      Yes.

    2. Re:Do people even still use Acrobat Reader? by larry bagina · Score: 3, Insightful

      by definition, bit-for-bit identical to Acrobat is not decent.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

  2. And? by jgtg32a · Score: 4, Informative

    It was vulnerable also, they got the patch out quicker.

    http://www.networkworld.com/news/2009/030909-foxit-pdf-viewer-also-open.html

    1. Re:And? by Rary · Score: 5, Informative

      It was vulnerable also, they got the patch out quicker.

      Well, technically it was a different problem that just happened to be found in similar code. So, yes, it was also vulnerable, just not vulnerable to the same problem.

      "The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images, said Thomas Kristensen, chief technology officer at Secunia AsP, the Danish company that reported the flaw to Foxit. "It is a completely different vulnerability related to JBIG2," Kristensen said in an e-mail Monday."

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    2. Re:And? by v1 · Score: 2, Informative

      That just indicates that foxit decided to audit that bit of code closely to see if the problem was present in their implementation, and stumbled upon that other problem which they then fixed.

      --
      I work for the Department of Redundancy Department.

    3. Re:And? by CannonballHead · Score: 3, Informative

      The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images

      I fail to see how that is "unrelated." Yeah, it wasn't the "same code" but it was the same code section - the code that parses the images. I'm guessing Foxit uses different code, so obviously it's not going to be the same code and thus not the exact same vulnerability...

      "unrelated" and "completely different" seem rather strong words to use. Oh well. :)

    4. Re:And? by Ninnle Labs, LLC · Score: 4, Informative
      No, Secunia reported the bug to Foxit after they discovered it.

      The Foxit and Adobe bugs are unrelated, however, except for the fact that they are both in the code that parses JBIG2 images, said Thomas Kristensen, chief technology officer at Secunia AsP, the Danish company that reported the flaw to Foxit.

      So, no, Foxit didn't do anything like you claimed and in fact may not have even noticed the bug until a later point had Secunia not pointed it out.

    5. Re:And? by koro666 · Score: 3, Informative

      It was vulnerable also, they got the patch out quicker.

      Thanks for mentioning it, I just updated it as well.

      At least though, Foxit does not install itself as a stupid browser plugin, so PDF files aren't automatically opened with it... (although they now have an optional plugin to do that, let's just hope it stays optional)

  3. Uninstalling doesn't help?? by erroneus · Score: 5, Insightful

    There is a big problem I have with a number of software vendors. Their uninstalls don't do a complete uninstall! According to the article, uninstalling the reader leaves exploitable DLLs behind and remain hooked into Windows Explorer. That is just bad behavior by this software vendor. Uninstall should mean "get rid of it and all parts completely" and that should include registry entries, obscured or otherwise.

    Software vendors at large have a pretty disrespectful view of end-user computers. They feel it is right and correct for them to effectively take control of the machines their software inhabits. They are very bad house guests indeed. It might be pushing a point, but all of this sort of behavior would seem to constitute some sort of criminal trespass into computer systems. I know that was certainly the case with Sony rootkits being installed.

    It seems to me the only effective way to be sure of what is on your Windows computer is to do a fresh reinstallation of the OS and all applications any time a software change is made... that would be an add/remove or delete of an application. Don't want Adobe leaving crap behind? Reformat your system and install from scratch. I know that seems extreme, but it is likely the only way a user can have any reasonable hope of maintaining control over his computer systems.

    1. Re:Uninstalling doesn't help?? by Bearhouse · Score: 2, Informative

      Indeed. Just lazy design & programming.

      As most good Windows admin know, it's helpful to keep a 'clean' PC or image around, with a 'base' install of the OS and required apps on it. When a nuked PC comes in, just backup user data and reimage from your base. I do a complete reinstall every year on my own machines. Amazing how much faster they are afterwards.

    2. Re:Uninstalling doesn't help?? by nate_in_ME · Score: 3, Informative

      Unfortunately, the practice of leaving DLLs behind is not an easy one to solve. The problem lies in the fact that there are many installers that don't play nicely, either installing a DLL without properly registering its use with Windows, or making use of an existing DLL without doing the same. A "proper" Windows installer is supposed to update the registry (at least the last time I checked, haven't really taken the time to read the most recent guidelines) with a list of shared DLLs that it uses, so that Windows essentially has a count of the number of programs that use each DLL. The uninstaller is only supposed to remove a DLL if that count is at zero after removing the program being uninstalled from the count. But because of the many simple install/uninstall programs that don't properly handle this, you get either an uninstaller that leaves anything that is not in the app directory itself (i.e. anything in %windir%\system32), or one that asks you what to do about each DLL that may be shared.

    3. Re:Uninstalling doesn't help?? by Culture20 · Score: 3, Insightful

      I'd rather have an installer that breaks another app, so that I reinstall the first program just to get the shared DLLs. That way, no unnecessary cruft is left behind.

    4. Re:Uninstalling doesn't help?? by nate_in_ME · Score: 2, Informative

      I believe it depends on the order of the install...since the modifications are made by the installer of the "new" program, it's my understanding that Acrobat Reader would have registered itself with Windows Indexing Service, not the other way around. So, the uninstall of Acrobat should have fixed the issue.

    5. Re:Uninstalling doesn't help?? by nate_in_ME · Score: 2, Interesting

      I don't believe that DLL sharing was ever really a space issue, but rather a situation where developers did not want to reinvent the wheel. For example, look at Firefox's "IE Tab" extension. This is possible because the MSHTML rendering engine that IE uses is also available for other programs to connect into as well. Without DLL sharing, there would be no real way to create something like this...

    6. Re:Uninstalling doesn't help?? by erroneus · Score: 3, Interesting

      Unfortunately it would still be for the best. Very often software is written to link to misbehaving functions and system calls quite often. Updating a single DLL can break as much or more than it fixes. Truly there are arguments for either side of that position. But ultimately when it comes to a "software product" it should be as self-contained as possible. One vendor should not be capable of rendering another program useless by updating a single DLL. Applications should be compartmentalized and self contained and especially not linked into the operating system.

  4. My Bad by jgtg32a · Score: 2, Informative

    Yeah, I didn't actually read that article; I had just heard that Foxit had the vulnerability also and I just grabbed an article from Google as proof.

    Shame on me, but in this case it is irrelevant.

  5. Re:Abject Morons by v1 · Score: 2, Insightful

    how does an uninstaller that leaves DLLs behind ever pass a non-corrupt QA process?

    it's always either payoffs or deadlines. (usually deadlines)

    --
    I work for the Department of Redundancy Department.

  6. Adobe has taken its time with the patch by sobachatina · Score: 4, Informative

    "Adobe has taken its time with the patch"

    Of course an independent research company was able to get a patch out quicker: they didn't have to test their "fix" and they won't be held responsible if it breaks something else.

    It is very naive to say this every time a patch for something is released by a company that "Slashdot" doesn't approve of. If I didn't know better I'd think the editors were just trying to get a rise out of the more childish component of their audience. (I know, I know, I must be new here.)

  7. What about 6, 7 and 8? by fluor2 · Score: 2, Interesting

    We have dozens of Acrobat Pro 6, 7 and 8 installs. How do we fix them? Are they vulnerable? Will Adobe use this to take advantage of the market?

    1. Re:What about 6, 7 and 8? by oasisbob · Score: 2, Informative

      Go to the options menu and turn off javascript. Problem solved.

      *Sigh* This isn't true. Some versions of the exploit used Javascript for the heap spray, but Javascript isn't required at all to exploit this issue.

  8. Re:Abject Morons by digitalunity · Score: 3, Insightful

    I believe that decision was made to make interactive PDFs possible. There was a serious case of feature creep in the PDF specification. This stems from Adobe really being out of touch with what users expected PDF to be (just a universal page layout format) and what they wanted to make it.

    PDF now supports buttons, Javascript and a whole slew of other features that for the most part are not typically used. In fact, anyone who wants to use those features probably shouldn't be using PDF at all since only the Adobe reader supports them! There isn't even a good open source PDF program that supports forms. Some readers display them properly, but none that I can find allow you to complete them and save the completed form.

    --
    You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.

  9. Re:I avoid Adobe Anything(TM) if I can by ratboy666 · Score: 4, Informative

    And how do you know that there isn't a vulnerability?

    I'll let you in on a "secret". JBIG2 is a standard bi-level compression technique, that has been standardized. It uses statistical prediction, which makes for some interesting math. A standard reference implementation is available that works, and offers "reasonable" performance.

    Almost every developer that is charged with JBIG2 implementation is going to use the reference implementation.

    It is, of course, possible to generate other implementations. I wrote an alternate encoder that performed an order of magnitude more quickly for a client. But, it requires a great deal of analysis and skill to do so (no, I never touched decoding -- that was a hardware function. JBIG2 was used to transmit maps to a printer, which used a hardware decoder).

    Anyone using an implementation based on the reference is probably at risk of an exploit (if that was the original source). So, you cannot state that using a non-Adobe product makes you safe (unless a source review is possible, and I suspect that the skill needed for defect detection in the JBIG2 decoder is probably beyond most C programmers as well).

    But, the critical (and, unfortunately, "normal") problem of having service DLLs linked into core OS constructs certainly broadens the attack surface. Normal behavior (that is, incomplete de-installation) of system level components (because there is no reasonable way to determine the consequence of complete removal) simply exaggerates the issue.

    I assume that your "alternative" also links into the shell constructs of Windows, exposing a similar attack surface.

    You are probably not safe, either.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
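
The scanner below is an added example, not code from this thread, from Adobe, Foxit or Didier Stevens. It ties together two points made above: oasisbob's reply that turning off JavaScript does not help, because the trigger is the /JBIG2Decode filter rather than script, and ratboy666's point that any JBIG2 decoder reachable from the file, not only Adobe's, is in scope. It therefore flags PDFs that carry JBIG2-encoded streams regardless of which reader or shell extension would end up decoding them, and separately reports script and auto-run names so you can see that a file needs none of them to reach the decoder. The indicator list, helper names and the three sample documents are constructed for the example; the scan is a byte-level triage, not a PDF parser, and it cannot see names inside compressed object streams, which it reports as a caveat rather than a clean result.

```python
import re
from collections import Counter

# Names worth counting. /JBIG2Decode is the trigger discussed in the thread; the
# script and auto-run names only say whether the file *also* carries a heap spray
# or an open-time hook, neither of which the JBIG2 path needs. (Constructed list.)
INDICATORS = {"JBIG2Decode", "JBIG2Globals", "JS", "JavaScript", "OpenAction", "AA", "ObjStm"}

# A PDF name token: '/' followed by regular characters. '#xx' hex escapes are legal
# inside it, so /JBIG#32Decode and /JBIG2Decode are the same name to a reader.
NAME_RE = re.compile(rb"/([^\s/\[\]()<>{}%]*)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# "N G obj << ... >> stream": the dictionary of an object that owns a stream.
# The tempered dot keeps a lazy match from running across an 'endobj' boundary
# into the next object, which would attribute the stream to the wrong object.
STREAM_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Undo '#xx' escaping so obfuscated names compare equal to plain ones."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Count indicator names and list the objects whose stream uses JBIG2Decode."""
    counts = Counter()
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in INDICATORS:
            counts[name] += 1
    jbig2_objects = []
    for m in STREAM_OBJ_RE.finditer(data):
        dict_names = {decode_name(n) for n in NAME_RE.findall(m.group(3))}
        if "JBIG2Decode" in dict_names:
            jbig2_objects.append(int(m.group(1)))
    caveats = []
    if counts["ObjStm"]:
        caveats.append("object streams present: names inside them are compressed and "
                       "invisible to this scan; inflate them before trusting a clean result")
    if not data.startswith(b"%PDF"):
        caveats.append("no %PDF header at offset 0; readers tolerate leading bytes, "
                       "so this is still a candidate PDF")
    return {"counts": dict(counts), "jbig2_objects": jbig2_objects, "caveats": caveats}


def has_jbig2(data: bytes) -> bool:
    """Gateway-style yes/no: does the file carry a JBIG2-encoded stream?"""
    return bool(scan_pdf_bytes(data)["jbig2_objects"])


# Constructed sample documents for the example (not real exploit files): a one-image
# PDF whose image is JBIG2-encoded, the same file with the filter name hex-escaped
# to defeat a naive substring grep, and a script-only PDF with no JBIG2 at all.
PLAIN_JBIG2 = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8 /BitsPerComponent 1\n"
    b"   /ColorSpace /DeviceGray /Filter /JBIG2Decode\n"
    b"   /DecodeParms << /JBIG2Globals 5 0 R >> /Length 4 >>\n"
    b"stream\n\x00\x00\x00\x00\nendstream endobj\n"
    b"5 0 obj << /Length 0 >>\nstream\n\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
ESCAPED_JBIG2 = PLAIN_JBIG2.replace(b"/JBIG2Decode", b"/JBIG#32Decode")
SCRIPT_ONLY = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN_JBIG2), ("escaped", ESCAPED_JBIG2), ("script-only", SCRIPT_ONLY)):
        report = scan_pdf_bytes(doc)
        print(f"{label:12s} substring grep: {b'JBIG2Decode' in doc!s:5s} "
              f"scanner: {has_jbig2(doc)!s:5s} {report}")
```

Run stand-alone it prints one line per sample: the plain and escaped files both report object 4 as JBIG2-encoded (the naive substring grep misses the escaped one), while the script-only file shows /OpenAction and /JS but no JBIG2 stream. Treat a clean result as meaningful only when the caveats list is empty; a file with /ObjStm needs its object streams inflated before the same name check is repeated on the decompressed bytes.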

  10. The patch is bigger than the install? by ThreeGigs · Score: 4, Interesting

    Patch for Reader: 103 MB
    Fresh download of Reader: 41 MB

    Am I the only one who thinks that a bit odd?