Adobe Confirms PDF Zero-Day, Says Kill JavaScript
CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A 'Bugtraq ID,' or BID number, has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"
Adobe is really slow about security patches on Acrobat. This is just the latest.
It's the reason why Mikko Hyppönen of F-Secure says you should ditch Acrobat and use something else.
Test your net with Netalyzr
What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.
I had to install it to e-file my state taxes. The fill-in tax forms had a lot of behind-the-scenes scripting (javascript, I assume) and only worked with the Adobe browser plugin.
I read a lot of PDF files, mostly books and the like, and I recently switched back to Adobe Reader from Foxit, after using it for years. I don't see any difference speed-wise on my machine, it behaves slightly better, looks much better, and it's still proprietary, closed software anyway. With Foxit, its browser plugin used to be unstable with Firefox for whatever reason too. Adobe's plugin seems to work better. As far as I'm concerned about security, I've turned off JS support in Adobe Reader. This seems to prevent many exploits, and takes away no useful functionality, as far as I'm aware. Even if someone managed to perform an exploit that didn't depend on JS, I'd still be protected by Firefox not running with administrative privileges. All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.
Deus est fatalis
Quite so... I didn't even realize that PDFs could run Java scripts...
But now I've got a new hoop to jump through when I update a new computer:
Simple as that!
Support the 30 Hour Work Week!!!
The printing industry is heavily dependent upon PDF files in their workflow. PDF attachment via email has basically replaced the fax machine in any professional industry. The format offers everyone a standard format that will look exactly the same everywhere. And, I can create a single PDF from multiple source documents (spreadsheets & word processor docs).
Bill Clinton: Pimp we can believe in. - The Shirt!!!
Perhaps you are confused as to what a zero-day exploit is. It means there were exploits in the wild prior to Adobe being aware of the vulnerability.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Check out the stuff Immunity is selling.
http://www.immunityinc.com/ceu-index.shtml
They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.
Also notice that Immunity has exploits for things like Foxit Reader, so switching your favorite PDF reader every week isn't going to save you either.
The main problem here is that parsing PDF is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web-based solution to view PDFs until Adobe creates a lighter, more secure version of Reader that contains nothing but the necessary plug-ins.
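As an added illustration (not code from this thread, Adobe or Immunity), here is a small Python triage that flags the PDF constructs the comments above keep coming back to: JavaScript actions (including names hidden behind `#xx` escapes, e.g. `/Java#53cript`), auto-run actions, and the JBIG2 filter. The sample PDFs are constructed inline; the script inspects raw bytes only, so names inside compressed object streams are not seen.

```python
import re

# PDF name objects may encode any character as #xx, so /Java#53cript is the
# same name as /JavaScript. Decode escapes before matching keywords.
NAME_ESCAPE = re.compile(rb'#([0-9A-Fa-f]{2})')

def normalize_names(data: bytes) -> bytes:
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

# Constructs worth a second look: active content, auto-triggered actions,
# and the JBIG2 decoder mentioned in the thread.
INDICATORS = {
    b'/JavaScript': 'JavaScript action dictionary',
    b'/JS': 'inline JavaScript code or code stream',
    b'/OpenAction': 'action run automatically when the document opens',
    b'/AA': 'additional (event-triggered) actions',
    b'/JBIG2Decode': 'JBIG2 image filter',
}

def triage_pdf(data: bytes) -> dict:
    """Return {indicator: count} for every indicator present in the raw bytes.
    Limitation: objects inside FlateDecode'd object streams are not inflated."""
    normalized = normalize_names(data)
    hits = {}
    for key in INDICATORS:
        # Require a delimiter after the name so /JS does not also match /JSx.
        pattern = re.escape(key) + rb'(?![A-Za-z0-9])'
        count = len(re.findall(pattern, normalized))
        if count:
            hits[key.decode()] = count
    return hits

def has_javascript(data: bytes) -> bool:
    hits = triage_pdf(data)
    return '/JavaScript' in hits or '/JS' in hits

# Constructed samples: one document with an escaped JavaScript open action,
# one plain document with no active content.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (app.alert('hi')) >> endobj\n"
    b"%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        hits = triage_pdf(doc)
        print(name, "javascript" if has_javascript(doc) else "no javascript",
              {k: (v, INDICATORS[k.encode()]) for k, v in hits.items()})
```

A reader with JavaScript disabled, as recommended in the story, still parses the rest of the file, so a hit on `/JBIG2Decode` alone is a reason to treat the document with the same caution as one carrying script.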
To provide a break from all the Foxit endorsements: Sumatra is open source, works well and is smaller than Foxit. Also, it is a stand-alone executable, not an installer. Now I just need to figure out how to set Continuous scrolling as default...
Hate to tell you, but Foxit has JavaScript on by default.
Edit, Preferences, "Enable JavaScript Actions" is checked by default.
And yes, this is default, because I just installed the software today to verify the many claims about "just install Foxit" with no other information.
Disclaimer: I am not god.
We may not be created equal
But we can be treated equal.