Slashdot Mirror
Adobe Fixes Recent PDF Flaw, But Not Before Auto Exploit
SkiifGeek writes "With Adobe's patch for the JBIG2Decode vulnerability due in a few days time, new methods to target the vulnerability have been discovered that make it far riskier than previously thought. Didier Stevens recently showed the world how it is possible to exploit the vulnerability without the user actually opening an affected file, and now he has discovered a way that allows for completely automated exploitation that results in anything up to a Local System account without any user interaction at all and only relies upon basic Windows components and Acrobat Reader elements. There are some mitigating factors that limit the overall risk of this new discovery, but it does also highlight that merely uninstalling the Reader will not protect you from exploitation and does raise the possibility that other tools will access the vulnerable components and thus be vectors for attack." However, the fix is now in: nk497 writes "Adobe had finally released a fix for a PDF vulnerability discovered — and already exploited — last month. The update only applies to the most recent versions of Reader and Acrobat, with early versions and Unix editions not fixed until later this month. Adobe has taken its time with the patch, despite an independent security researcher releasing her own fix just days after the flaw was announced."
Do people even still use Acrobat Reader?
Yes.
It was vulnerable also, they got the patch out quicker.
http://www.networkworld.com/news/2009/030909-foxit-pdf-viewer-also-open.html
There is a big problem I have with a number of software vendors. Their uninstalls don't do a complete uninstall! According to the article, uninstalling the reader leaves exploitable DLLs behind and remain hooked into Windows Explorer. That is just bad behavior by this software vendor. Uninstall should mean "get rid of it and all parts completely" and that should include registry entries, obscured or otherwise.
Software vendors at large have a pretty disrespectful view of end-user computers. They feel it is right and correct for them to effectively take control of the machines their software inhabits. They are very bad house guests indeed. It might be pushing a point, but all of this sort of behavior would seem to constitute some sort of criminal trespass into computer systems. I know that was certainly the case with Sony rootkits being installed.
It seems to me the only effective way to be sure of what is on your Windows computer is to do a fresh reinstallation of the OS and all applications any time a software change is made... that would be an add/remove or delete of an application. Don't want Adobe leaving crap behind? Reformat your system and install from scratch. I know that seems extreme, but it is likely the only way a user can have any reasonable hope of maintaining control over his computer systems.
"Adobe has taken its time with the patch"
Of course an independent research company was able to get a patch out quicker- they didn't have test their "fix" and they won't be held responsible if it breaks something else.
It is very naive to say this every time a patch for something is released by a company that "Slashdot" doesn't approve of. If I didn't know better I'd think the editors were just trying to get a rise out of the more childish component of their audience. (I know, I know, I must be new here.)
And how do you know that there isn't a vulnerability?
I'll let you in on a "secret". JBIG2 is a standard bi-level compression technique, that has been standardized. It uses statistical prediction, which makes for some interesting math. A standard reference implementation is available that works, and offers "reasonable" performance.
Almost every developer that is charged with JBIG2 implementation is going to use the reference implementation.
It is, of course, possible to generate other implementations. I wrote an alternate encoder that performed an order of magnitude more quickly for a client. But, it requires a great deal of analysis and skill to do so (no, I never touched decoding -- that was a hardware function. JBIG2 was used to transmit maps to a printer, which used a hardware decoder).
Anyone using an implementation based on the reference is probably at risk of an exploit (if that was the original source). So, you cannot state that using a non-Adobe product makes you safe (unless a source review is possible, and I suspect that the skill needed for defect detection in the JBIG2 decoder is probably beyond most C programmers as well).
But, the critical (and, unfortunately, "normal") problem of having service DLLs linked into core OS constructs certainly broadens the attack surface. Normal behavior (that is, incomplete de-installation) of system level components (because there is no reasonable way to determine the consequence of complete removal) simply exaggerates the issue.
I assume that your "alternative" also links into the shell constructs of Windows, exposing a similar attack surface.
You are probably not safe, either.
Just another "Cubible(sic) Joe" 2 17 3061
Patch for Reader: 103 MB
Fresh download of Reader: 41 MB
Am I the only one who thinks that a bit odd?