Adobe Confirms PDF Zero-Day, Says Kill JavaScript
CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"
...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.
It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.
--- Mr. DOS
Sorry, I know I'm beating a dead horse and risking karma-whore status, but do we really need a scripting language in PDFs at all? I mean, yes, sorry, I know that there are probably people out there who need that, but I'd wager the gross majority don't.
What most of us need (or at least what I need) PDF for is to have a portable format that's open, widely supported, and can give me pixel-perfect output regardless of the platform or what fonts you have installed. I don't need scripting, flash, embedded movies, or anything else of the sort. Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app? Because I want to view PDFs, but I have no interest in the associated security risks or bloat from throwing the kitchen sink into PDF functionality.
Why the hell do we need javascript in a document reader in the first place? Acrobat is not a web browser, and I fail to see any situation that justifies a scripting language that has nothing to do with static documents. I suppose it could be useful for some fill-in forms, but that's about it.
Seems like a solution in search of a problem to me.
Ok, color me surprised then... Thank you for the clarification.
I think I'll step out and talk a walk to muse about why companies writing mission-specific utilities throw in the kitchen sink-type bloat and wonder why they couldn't see their ship coming in over the Sea of Vulnerabilites...
This comment does not necessarily represent the views and opinions of the author.
Start using Foxit or some such pdf reader. Everybody and his brother wants to be a browser. Why the hell did Adobe add javascript and the ability to open internet connections and hypertext links inside a PDF reader?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
And yet another person misses the point. It's not talking about JavaScript in your browser, it's talking about JavaScript in the Reader software. I guess it's a given that somebody with the uid of 317 didn't RTFA ;)
Your hair look like poop, Bob! - Wanker.
There's an Adobe PDF reader for the Mac? Seriously? Who on Earth would install that monster on a platform with native PDF-support?
Pretty good is actually pretty bad.
Adobe seriously needs to get its act together. Adobe Reader is in the top 5 most exploited applications and we have a new "highly serious" bug getting released every month or so.
It is slow, it is huge, and it is full of bugs... And it is entirely unjustified for an application designed to read a single file format!
All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.
And without additional cost to you, that delivery includes a 60MB runtime footprint and two or three always-running updater applications!
I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.
Set up formatting and layout for your document in a way that should display the same way when you move transfer the file to another computer, and have it also look the same when you print it out. I mean, that's really what PDF is for, and it's very good for that purpose. Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.
PDF is given a bad name by the slow, bloated application that most people view them on (Adobe Reader). It's not really ideal to treat them like web pages, but most of the dread you feel when you have to click on a link to a PDF is really more the fault of the reader than the format. If you have a good PDF viewer, they aren't slow to load and won't crash your browser.
According to Secunia disabling Javascript does not mitigate the risk. Old news? http://secunia.com/blog/44/
Because like ActiveX Adobe wanted to make Acrobat a "rich web app" or whatever buzzword bingo they have for net apps this week, and forgot that adding that equals really big malware hole you can drive a truck through? Everybody wants to position their app to take a piece of the net, just look at how Netscape killed their lead by piling all this apps together and making Communicator instead of sticking with the already well known Navigator and concentrating on making it better.
These companies don't see that we often simply want a simple app to do a simple job fast, cleanly, and with minimum bloat. Instead they try piling in the kitchen sink hoping that one of the bazillion functions they pile in there might make it the "must have" for "the next generation" or again whatever buzzword bingo you choose. Just look at all the crap Nero has piled into what was once a clean and easy burning app. That is why for myself, my customers, and my family I routinely install Foxit Reader which simply renders PDFs quickly, with minimum fuss, updates itself by default, and is very light on resources and doesn't try to run 24/7 like Adobe. Unlike Adobe Foxit hasn't tried to add the kitchen sink. It just renders PDFs fast. Give me that over app bloat any day.
ACs don't waste your time replying, your posts are never seen by me.
Images can be embedded in cdata tags. Its not easy or really recommended, but possible.
Yeah, I don't know if this helps, but my original sentence was intended to be read, "Neither HTML nor RTF can really* even (do complex layouts with embedded images) in a single file. [* Disclaimer: by 'really' I mean in any way that is sensible and well-supported.]"
Ok, so I don't know if that's exceptionally clear anyway, but I gave it a shot. The point is, yes, you can do very complex layouts in HTML, but lots of things require extensive HTML/CSS knowledge to do properly and in a cross-platform manner, and maybe even weird and complex hacks. You can't simply take your Word document with a complex layout and do "save as HTML" and get a good HTML file that maintains that layout.
Beyond that, except for dropping the image into the HTML in base64 (which... well... I wouldn't advocate doing that under most circumstances) including images will require separate files which will then have to be passed along with the HTML and kept in the same relative path, or else you'll lose the images. And then there's the issue of fonts, which newer browsers are only beginning to address with web fonts.
So really, if you want to pass along a single file while maintaining complex layout very accurately, and you don't particularly want the file to be easy to edit, then PDF is a good choice for that purpose. I can't think of another format that's anywhere nearly as good for that purpose.
"Negative-One-Day Exploit"
Used to refer to exploits that have existed in the wild for a long time, known to be a easy access point for exploits by consumers, but have only just been announced as a critical threat by the application owners.
As in, "Javascript in a PDF file? That's a negative-one-day exploit just waiting for a press release."