Slashdot Mirror


Adobe Confirms PDF Zero-Day, Says Kill JavaScript

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number, has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"
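A worked example of what the "disable JavaScript" advice is defending against: a small static triage script, added here and not taken from the story, from Adobe or from any commenter, that flags a PDF carrying JavaScript or auto-run actions before anyone opens it in Reader. It assumes only the standard PDF action keys (/JavaScript, /JS, /OpenAction, /AA, /Launch) and the standard #xx hex escape for name characters; the two sample documents it builds inline are constructed for illustration, contain no exploit, and are not spec-complete PDFs (no xref table), so treat them as test fixtures only.

```python
"""Static triage of a PDF for embedded JavaScript and auto-run actions.

Added example, not from the Slashdot story or from Adobe. It looks for the
standard PDF action keys, undoes the #xx name escapes that are commonly used
to hide them, and also inspects FlateDecode streams, where scripts are often
stored compressed so the keyword never appears in the raw bytes.
"""
import re
import zlib

# PDF dictionary keys that mean "script" or "run something on open/event".
SUSPECT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def unescape_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names, e.g. /Java#53cript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the inflated content of every stream that is zlib/Flate data.

    Streams that are not Flate-compressed (or are damaged) are skipped.
    The lookbehind keeps 'endstream' from being mistaken for a stream start."""
    out = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(out)


def count_suspect_keys(data: bytes) -> dict:
    """Count each suspect key in the raw bytes plus the inflated streams."""
    normalized = unescape_names(data) + b"\n" + unescape_names(inflate_streams(data))
    counts = {}
    for key in SUSPECT_KEYS:
        # A key must end at a delimiter: /JS must not match a longer name.
        pattern = re.escape(key) + rb"(?![A-Za-z0-9_])"
        counts[key.decode()] = len(re.findall(pattern, normalized))
    return counts


def has_javascript(data: bytes) -> bool:
    """True if the document references a JavaScript action anywhere."""
    c = count_suspect_keys(data)
    return c["/JavaScript"] > 0 or c["/JS"] > 0


# Constructed sample: a one-page document with no actions at all.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_scripted_pdf() -> bytes:
    """Constructed sample: an /OpenAction pointing at a JavaScript action whose
    key names are hex-escaped and whose script body is Flate-compressed.
    The script is a harmless alert, not an exploit."""
    payload = zlib.compress(b'app.alert("constructed sample, not an exploit");')
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        b"4 0 obj << /S /Java#53cript /J#53 5 0 R >> endobj\n"
        b"5 0 obj << /Length " + str(len(payload)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + payload + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("scripted", build_scripted_pdf())):
        print(label, count_suspect_keys(doc), "javascript:", has_javascript(doc))
```

This is a triage heuristic, not a parser: it will miss scripts hidden behind other filters (ASCIIHex, LZW, object streams) and can be fooled by deliberately split tokens, so use it to decide which files deserve a closer look, not to clear them. Disabling JavaScript in Reader, as Adobe advises above, is the control that actually removes the attack surface; this only tells you which documents would have exercised it.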

15 of 211 comments

  1. Re:Inevitable post recommending Foxit Reader by MozeeToby · · Score: 1, Interesting

    How about just get rid of PDFs in general? I mean, how many times have you opened up a page and said to yourself "Sweet, it's a PDF, now I can...". I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.

    I suppose there must be a place for them, but it seems to me they're mostly used by people too lazy to create a page with the information they want to display, and instead just put a link to the PDF they sent to their printer, often from a years out of date brochure or flier.

  2. Re:Can we always kill javascript? by characterZer0 · · Score: 4, Interesting

    Programmatically clone a page to the end of the document.

    Calculate and fill fields based on the value entered into other fields.

    Update reference data from the web.

    There are good uses.

    --
    Go green: turn off your refrigerator.
  3. Re:Can we always kill javascript? by colfer · · Score: 3, Interesting

    The US Postal Service click-n-ship requires you turn on that JS crap in Acrobat. Once you click "yes", Acrobat leaves it on unless you go disable it again, each time. Vendors like the USPS need to get a clue.

  4. PDF Forms under Linux by mysteryvortex · · Score: 2, Interesting

    I needed to fill out a PDF form, (was not allowed to do it by hand) but couldn't find anything under Linux besides acrobat which would do this. I tried xpdf, evince, and GhostView. Google was of no help. I had to resort to actual Acrobat (not on my computer) which at the time had *unpatched* vulnerabilities! Any alternatives would be welcome.

  5. Re:Ditch Acrobat... by wiredlogic · · Score: 5, Interesting

    For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I disabled it ages ago, but I still run it elsewhere on the web.

    Which is ironic since PDF was originally designed to be a reduced, non-Turing complete version of Postscript partly for the safety of a restricted interpreter.

    --
    I am becoming gerund, destroyer of verbs.
  6. Incessant Acrobat JavaScript nagging by Allen+Varney · · Score: 4, Interesting

    It's fine that Adobe recommends disabling JavaScript in Acrobat, but it would be nice if, once you disable JavaScript, Acrobat didn't thereupon constantly nag you to re-enable it "from now on for all documents" every time you open a .PDF. "It looks like you've disabled JavaScript! Can we please turn it back on forever, you poor ignorant dimwitted user you?"

  7. Re:Can we always kill javascript? by PhxBlue · · Score: 2, Interesting

    Programmatically clone a page to the end of the document.

    I'm not familiar with what you're talking about, here -- can you point me to an example? Also, when would you need to do this?

    Calculate and fill fields based on the value entered into other fields.

    PDF doesn't need to be a spreadsheet.

    Update reference data from the web.

    Seems like HTML/XML/Javascript would be a better solution to that, don't you think?

    --
    !#@%*)anks for hanging up the phone, dear.
  8. Re:Inevitable post recommending Foxit Reader by Your.Master · · Score: 3, Interesting

    PDF came out in 1993. XML became a W3C standard in 1998 (working draft in 1996).

    So, frankly, they hadn't heard of it, and they have an excellent excuse for not having. Besides which, you have to consider the hardware and software limitations of 1993 and compare the problems that human-readable formatting solves to the problems PDF is intended to solve. PostScript, font, and raster graphics embedding are not especially served by this compared to costs that were significant at the time.

  9. Re:Inevitable post recommending Foxit Reader by Fatalis · · Score: 2, Interesting

    That's what memory is for, though. I have 4 GiB of it, and I don't see the gain from having it go unused over having it occupied by a sloppily made app. In return, I get something I enjoy using more.

    --
    Deus est fatalis
  10. Re:Inevitable post recommending Foxit Reader by thePowerOfGrayskull · · Score: 2, Interesting

    These are things that have frustrated me for years, especially as more and more applications are presuming to do it. It's like people have never heard of the concept of Windows scheduler/cron, or even spawning off an update thread in the background on startup. Processors and hard drives are so fast these days that even bloated and beefy software (I'm looking at YOU, openoffice.org and netbeans) provides acceptable startup times without a "launcher" application.

    As far as Adobe - the only thing I ever do with my PDF files is read them. Every year I watch Reader's footprint get bigger and bigger, and yet there is /no/ difference in my experience with it (except that it's slower) than there was several years ago.

    Why Microsoft don't provide an updater program for Windows, requiring companies to provide their own repos, I don't get

    That would also be quite nice. A simple Updater API would go a long way and might clean up some of this crap.

  11. Re:Ditch Acrobat... by Skuld-Chan · · Score: 4, Interesting

    For most people there is no difference, but if you are working with LiveCycle forms online (which some public sites use) nothing but Adobe Reader will work with those.

    If you use PostScript passthrough - I don't know of any apps outside of Adobe that support this.

    If you use annotations (3d objects, comments/notes, multimedia, videos etc) - most other readers don't support this - or if they do they only support notes/comments.

    If you need to deploy a pdf viewer to a couple thousand machines - I'm not aware of any that have an installer for automating this - Adobe Reader does however.

    So it's not for everyone, but speaking from experience it is for a lot of people and a lot of big enterprises.

    That said - Foxit is probably the most feature-complete PDF viewer outside of stuff from Adobe; however, it would be generous of me to say that it supports 1/10th of the PDF features Adobe Reader supports.

  12. Re:Ditch Acrobat... by Skuld-Chan · · Score: 2, Interesting

    These companies don't see that we often simply want a simple app to do a simple job fast, cleanly, and with minimum bloat. Instead they try piling in the kitchen sink hoping that one of the bazillion functions they pile in there might make it the "must have" for "the next generation" or again whatever buzzword bingo you choose. Just look at all the crap Nero has piled into what was once a clean and easy burning app. That is why for myself, my customers, and my family I routinely install Foxit Reader [wikipedia.org] which simply renders PDFs quickly, with minimum fuss, updates itself by default, and is very light on resources and doesn't try to run 24/7 like Adobe. Unlike Adobe Foxit hasn't tried to add the kitchen sink. It just renders PDFs fast. Give me that over app bloat any day.

    You think using Foxit will help you avoid security flaws? Check this out:

    http://www.foxitsoftware.com/pdf/reader/security.htm

    Those are just the ones they found - Foxit isn't even a big target for black hat hackers. Once it is - the Foxit religion will lose faith and switch to something else I'm sure. It would actually be possible to write an exploit that exploits Foxit and Adobe Reader.

    Having worked on Acrobat - I know that it is audited all the time by the security team there. You can do a ton of code reviews, and fix a lot of vulnerabilities quickly (which they did all the time actually - stuff you've never seen exploited because of this), but being that we are human, stuff comes up. Like anyone who is a security target: it is a cat and mouse game at this point, and until that happens to your product you'll probably never appreciate the problem.

  13. Re:Executable... by smash · · Score: 2, Interesting

    ^^ this. I had no idea recent versions (or even old ones) of Adobe Reader even had JavaScript. Why?

    It's considered by most people to be a static document format; leave interactivity to HTML or other formats.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  14. Re:Ditch Acrobat... by hairyfeet · · Score: 2, Interesting

    Both of those apps are Linux only, and most of us aren't going to toss our entire OS or load up a VM every time we simply want to view a PDF.

    And as for the other poster who "worked for Adobe" and touted Acrobat vs. Foxit security? Your link has a GRAND TOTAL of three vulnerabilities for the ENTIRE 3 series of Foxit. You have seen more vulnerabilities in Adobe than that in the past 4 months.

    If the choice is go to an OS where NONE of my hardware actually works (sorry, but Linux supports less than 15% of my current gear) or stick with the huge amount of super bloated, malware-attracting, kitchen-sink-adding software that is Adobe Reader, I frankly just wouldn't allow PDFs, just like I don't allow ActiveX. But thankfully there is Foxit, so I don't have to make that choice. And I'm really really glad that Linux works for you, dude, but being a PC repairman I can tell you there is a LOT of us where it just don't. For us the solution needs to actually run on Windows, and not through the mess that is Cygwin.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  15. Re:Ditch Acrobat... by koiransuklaa · · Score: 2, Interesting

    I'm not a Windows user so I've never used Foxit. That said, your complaints sound somehow wrong to me.

    First, you say "Foxit isn't even a big target for black hat hackers" like it's a bad thing. Here's some news for you: Some of us utterly dislike the software monoculture companies like Adobe and Microsoft are selling, partly because it creates big targets for black hats...

    Second, you didn't comment on the bloat accusations. It's great Adobe does audits, but wouldn't it be great if they didn't have to audit source code that builds into a 180MB monster?

    I'm sure they have a client demanding each one of those 'features', but why does everyone on the planet need to have all those features installed and enabled as well? It's a balance between (perceived) ease-of-use and security, and I think I know which side Adobe is leaning on.