Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Confirms PDF Zero-Day, Says Kill JavaScript

Posted by timothy on from the kpdf-has-better-panning-anyhow dept.

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"

23 of 211 comments (clear)

  1. Ditch Acrobat... by nweaver · · Score: 4, Informative

    Adobe is really slow about security patches on Acrobat. This is just the latest.

    Its the reason why Miko Hypponen of F-Secure says you should ditch acrobat and use something else.

    --
    Test your net with Netalyzr
    1. Re:Ditch Acrobat... by Fatalis · · Score: 4, Informative

      It's about disabling JS in Acrobat itself, not in general. For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.

      --
      Deus est fatalis
    2. Re:Ditch Acrobat... by Anonymous Coward · · Score: 2, Informative

      According to Secunia disabling Javascript does not mitigate the risk. Old news?

      http://secunia.com/blog/44/

    3. Re:Ditch Acrobat... by maxume · · Score: 3, Informative

      On my install, which is 9.0 updated to 9.1, there are 60 megabytes of setup files. 20 of it is the installer for 9.0, and 40 of it is the installer for 9.1. Of the remaining 120 megabytes (that's right, the total is 180 megabytes), about 45 megabytes are devoted to dlls and executables, and about 30 are devoted to 'linguistics' resources, which must be language support files.

      Clearly they don't care about using my disk (obviously, neither do I).

      --
      Nerd rage is the funniest rage.
    4. Re:Ditch Acrobat... by Kneo24 · · Score: 2, Informative

      You won't run into them too often outside giant bureaucratic systems where some boss thought using PDFs for forms was a great idea.

      I ran into something similar at work once. I had the guys in QA load up my thumb drive with all of the procedures that go for the product line I had inherited from one of the other leads there that... well, no need to digress... The documentation was just so fucking sloppy that most of it had to be completely rewritten from scratch. I couldn't make heads or tails of anything when I went to do any testing.

      I sat down with the technician that I was now in charge of for this stuff. As I was trying to have him teach me everything, he just placed the documentation to the side and stated that it would be easier to teach me without it. It took me about an hour, but I finally started understanding everything he was teaching me. The documentation started to make sense, but it was still so horribly inaccurate that the fact that any person actually spent time writing anything down was a waste of resources.

      With understanding in tow, I take my thumb drive home and open it up. .pdf's everywhere, sizes as large as 2MB.

      As far as I had known, the only person who had a writer to edit these had left the company years ago. Making updates to these specifically was not going to happen. No matter, I was rewriting them all anyway. I load up word knowing that was the standard program in use at work and start pounding at my keyboard.

      Document sizes were smaller (not that that was too important), documents could be edited by them if they needed to (very important), and any moron could actually follow the documentation step by step with full understanding what was going on.

      When I had asked the QA team why there even .pdf's anyway, they pretty much summed it up to bureaucratic nonsense. Apparently the president thought it was a great way to keep everything under "lock and key".

  2. Re:No problem for Macs, really by 1729 · · Score: 4, Informative

    What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.

    I had to install it to e-file my state taxes. The fill-in tax forms had a lot of behind-the-scenes scripting (javascript, I assume) and only worked with the Adobe browser plugin.

  3. Re:Inevitable post recommending Foxit Reader by Fatalis · · Score: 3, Informative

    I read a lot of PDF files, mostly books and the like, and I recently switched back to Adobe Reader from Foxit, after using it for years. I don't see any difference speed-wise on my machine, it behaves slightly better, looks much better, and it's still proprietary, closed software anyway. With Foxit, its browser plugin used to be unstable with Firefox for whatever reason too. Adobe's plugin seems to work better. As far as I'm concerned about security, I've turned off JS support in Adobe Reader. This seems to prevent many exploits, and takes away no useful functionality, as far as I'm aware. Even it someone managed to perform an exploit that didn't depend on JS, I'd still be protected by Firefox not running with administrative priviledges. All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.

    --
    Deus est fatalis
  4. Okular instead by CajunArson · · Score: 2, Informative

    Okular rocks, and it apparently can run on Windows as well.
    My only feature upgrade request would be to have the underlying PDF engine allow for saving of annotations back to the PDF files... I want a digital highlighter pen.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  5. Re:Disabling Javascript is standard by RobBebop · · Score: 4, Informative

    Quite so... I didn't even realize that PDF's could run Java scripts...

    But now I've got a new hoop to jump through when I update a new computer:

    1. Launch Acrobat or Adobe Reader.
    2. Select Edit>Preferences
    3. Select the JavaScript Category
    4. Uncheck the âEnable Acrobat JavaScriptâ(TM) option
    5. Click OK

    Simple as that!

    --
    Support the 30 Hour Work Week!!!
  6. Re:Inevitable post recommending Foxit Reader by Rude+Turnip · · Score: 5, Informative

    The printing industry is heavily dependent upon PDF files in their workflow. PDF attachment via email has basically replaced the fax machine in any professional industry. The format offers everyone a standard format that will look exactly the same everywhere. And, I can create a single PDF from multiple source documents (spreadsheets & word processor docs).

    --
    Bill Clinton: Pimp we can believe in. - The Shirt!!!
  7. Re:Disabling Javascript is standard by Etherized · · Score: 2, Informative

    This issue is in Acrobat's own javascript implementation. Acrobat itself runs javascript code that's embedded in PDFs, so the browser doesn't have anything to do with it.

    Noscript will do nothing to help you here, and your post brings to mind the old adage - a false sense of security can be worse than no security at all.

  8. Re:Kill Adobe reader, not java script by keeegan · · Score: 1, Informative

    Not much better than pdfcreator, but we use this at my work: http://www.primopdf.com/

  9. Re:This is a Zero-Day? by Red+Flayer · · Score: 4, Informative

    Perhaps you are confused as to what a zero-day exploit is. It means there were exploits in the wild prior to Adobe being aware of the vulnerability.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  10. Re:PDF Forms under Linux by Anonymous Coward · · Score: 1, Informative

    Try again. Recent versions of evince allow you to enter data in fill out forms. I have been told ocular does this as well, but haven't personally tried it.

  11. disabling js will not save you by Deanalator · · Score: 5, Informative

    Check out the stuff Immunity is selling.
    http://www.immunityinc.com/ceu-index.shtml

    They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.

    Also notice that immunity also has exploits for things like foxit reader, so switching your favorite pdf reader every week isn't going to save you either.

    The main problem here is that parsing pdf is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web based solution to view pdfs until adobe creates a lighter, more secure version of reader that contains nothing but the necessary plug-ins.

  12. Sumatra by Tubal-Cain · · Score: 5, Informative

    To provide a break from all the Foxit endorsements: Sumatra is open source, works well and is smaller than Foxit. Also, it is a stand-alone executable, not an installer. Now I just need to figure out how to set Continuous scrolling as default...

  13. Already ran into this... by Anonymous Coward · · Score: 1, Informative

    Fortunately Avira caught the trojan (first time this piece of shit reported something that wasn't a false positive). But I was on a site and, I think it came in through one of the advertisement banners, but suddenly I notice my web browser stopped temporarily and the system slowed down a bit. I noticed AcroRd32.exe had spawned in the processes list. About 30 seconds later it finds TR/Crypt.XPACK.Gen [trojan] in C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\DCF18OEB\xrun[1].tmp and C:\WINDOWS\system32\rn.tmp. At least I fucking hope the trojan was blocked, if it already wrote a .tmp file to system32 I'd hate to think something got installed that slipped past the AV's notice.

    But yeah, this definitely came through a .PDF file that somehow piggybacked on a web banner because there was some randomly-named pdf file in Acrobat Reader's file history list when I checked. I promptly disabled JavaScript and disabled the Acrobat Reader plugin. But, you know, why did Firefox allow a web banner to run a .pdf file? Isn't this browser supposed to be secure? I'm using FireFox because I got sick of Internet Explorer pulling this exact same shit on me -- letting rogue sites run whatever code they wish on my computer. So I'm going to be looking for a new browser but I have a feeling all of them, even Opera and Chrome and whatever, they all are probably badly written like this.

    The virus information sites don't really say much what this specific trojan does. Is it a key logger?

  14. Re:Y'know... by Anonymous Coward · · Score: 1, Informative

    Sounds like some of your standard template files (eg. normal.dot) have macros in them.

    If you don't know what the macros are for and believe they should not exist, you should be clicking "no" and then getting back to work.

  15. Precisely why I use Preview on OSX by rinoid · · Score: 2, Informative

    I never launch Acrobat Reader, and only rarely Acrobat Professional thanks to the simplicity and speed of Preview.app.

    I remove the acrobat plug-in (manually from /Library/Internet Plug-Ins/ since Adobe BORKED their installers to a complete nightmare level) -- I'd just as soon download the PDF or view it in window if I'm in a webkit browser.

    Finally, all PDFs are associated with Preview and not Acrobat.

  16. Re:Inevitable post recommending Foxit Reader by Jaysyn · · Score: 2, Informative

    I routinely create, view & print really big PDFs. When comparing FoxIt & Adobe the time difference between opening & printing a E-sized PDF on my machine is huge. FoxIt blows Adobe completely out of the water in every manner I can think of.

    Most of the time Adobe will never actually print anything out, or if it does, it will be missing elements.

    --
    There is a war going on for your mind.
  17. Re:Kill Adobe reader, not java script by VeNoM0619 · · Score: 5, Informative

    Hate to tell you, but FoxIT has Javascript on by default.

    Edit, Preferences, "Enable JavaScript Actions" is checked by Default.

    And yes, this is default, because I just installed the software today to verify the many claims about "just install FoxIT" with no other information.

    --
    Disclaimer: I am not god.
    We may not be created equal
    But we can be treated equal.
  18. Re:PDF Forms under Linux by zippthorne · · Score: 2, Informative

    You can fill them in, but you'll have to print them. You can't use it to submit forms.

    --
    Can you be Even More Awesome?!
  19. Re:Adobe Reader has more holes that swiss cheese by Spit · · Score: 2, Informative

    The default on Ubuntu is evince, which does all that.

    --
    POKE 36879,8