Slashdot Mirror
Adobe Confirms PDF Zero-Day, Says Kill JavaScript
CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"
Adobe is really slow about security patches on Acrobat. This is just the latest.
Its the reason why Miko Hypponen of F-Secure says you should ditch acrobat and use something else.
Test your net with Netalyzr
kill Javascript.
And while you're at it, deep-six the rest of that Web 2.0 crap.
Just not on my lawn, you crazy kids!
Welcome to the Panopticon. Used to be a prison, now it's your home.
...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.
It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.
--- Mr. DOS
What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.
I had to install it to e-file my state taxes. The fill-in tax forms had a lot of behind-the-scenes scripting (javascript, I assume) and only worked with the Adobe browser plugin.
The problems also affect Acrobat proper.
"I use a Mac because I'm just better than you are."
Sorry, I know I'm beating a dead horse and risking karma-whore status, but do we really need a scripting language in PDFs at all? I mean, yes, sorry, I know that there are probably people out there who need that, but I'd wager the gross majority don't.
What most of us need (or at least what I need) PDF for is to have a portable format that's open, widely supported, and can give me pixel-perfect output regardless of the platform or what fonts you have installed. I don't need scripting, flash, embedded movies, or anything else of the sort. Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app? Because I want to view PDFs, but I have no interest in the associated security risks or bloat from throwing the kitchen sink into PDF functionality.
Why the hell do we need javascript in a document reader in the first place? Acrobat is not a web browser, and I fail to see any situation that justifies a scripting language that has nothing to do with static documents. I suppose it could be useful for some fill-in forms, but that's about it.
Seems like a solution in search of a problem to me.
How about just get rid of PDFs in general? I mean, how many times have you opened up a page and said to yourself "Sweet, it's a PDF, now I can...". I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.
I suppose there must be a place for them, but it seems to me they're mostly used by people too lazy to create a page with the information they want to display, and instead just put a link to the PDF they sent to their printer, often from a years out of date brochure or flier.
Having never handled PDF documents except to read them, I wasn't even aware they could contain Javascript. I don't understand why they need to. Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?
Start using Foxit or some such pdf reader. Everybody and his brother wants to be a browser. Why the hell did Adobe add javascript and the ability to open internet connections and hypertext links inside a PDF reader?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
And yet another person misses the point. It's not talking about JavaScript in your browser, it's talking about JavaScript in the Reader software. I guess it's a given that somebody with the uid of 317 didn't RTFA ;)
Your hair look like poop, Bob! - Wanker.
I read a lot of PDF files, mostly books and the like, and I recently switched back to Adobe Reader from Foxit, after using it for years. I don't see any difference speed-wise on my machine, it behaves slightly better, looks much better, and it's still proprietary, closed software anyway. With Foxit, its browser plugin used to be unstable with Firefox for whatever reason too. Adobe's plugin seems to work better. As far as I'm concerned about security, I've turned off JS support in Adobe Reader. This seems to prevent many exploits, and takes away no useful functionality, as far as I'm aware. Even it someone managed to perform an exploit that didn't depend on JS, I'd still be protected by Firefox not running with administrative priviledges. All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.
Deus est fatalis
We don't need JavaScript in a PDF viewer, at least not for normal purposes. The problem is that Adobe keeps putting additional functionality in the reader. Functionality that I don't need 99% of the time. It's hard enough to create a secure document viewer thats able to do font rendering and vector graphics and such. Lets focus on that and use another viewer for forms and such. Heck, create a PDF viewer first where I can normally select and copy text.
BTW, this is how I currently use PDF documents. I use a small PDF viewer that does almost nothing but show/zoom and select for documents from the internet. I turn to Adobe if and only if I receive complicated PDF's from a known source. Oh, and OpenOffice writer if I want to make my own simple PDF's or when I make comments on a document/webpage or PDF.
I'd have thought most people who post here would be savvy enough to have NoScript installed.
They are talking about disabling JavaScript in Adobe Reader, not in your web browser.
Okular rocks, and it apparently can run on Windows as well.
My only feature upgrade request would be to have the underlying PDF engine allow for saving of annotations back to the PDF files... I want a digital highlighter pen.
AntiFA: An abbreviation for Anti First Amendment.
There's an Adobe PDF reader for the Mac? Seriously? Who on Earth would install that monster on a platform with native PDF-support?
Pretty good is actually pretty bad.
Adobe seriously needs to get its act together. Adobe Reader is in the top 5 most exploited applications and we have a new "highly serious" bug getting released every month or so.
It is slow, it is huge, and it is full of bugs... And it is entirely unjustified for an application designed to read a single file format!
Quite so... I didn't even realize that PDF's could run Java scripts...
But now I've got a new hoop to jump through when I update a new computer:
Simple as that!
Support the 30 Hour Work Week!!!
The printing industry is heavily dependent upon PDF files in their workflow. PDF attachment via email has basically replaced the fax machine in any professional industry. The format offers everyone a standard format that will look exactly the same everywhere. And, I can create a single PDF from multiple source documents (spreadsheets & word processor docs).
Bill Clinton: Pimp we can believe in. - The Shirt!!!
This issue is in Acrobat's own javascript implementation. Acrobat itself runs javascript code that's embedded in PDFs, so the browser doesn't have anything to do with it.
Noscript will do nothing to help you here, and your post brings to mind the old adage - a false sense of security can be worse than no security at all.
All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.
And without additional cost to you, that delivery includes a 60MB runtime footprint and two or three always-running updater applications!
I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.
Set up formatting and layout for your document in a way that should display the same way when you move transfer the file to another computer, and have it also look the same when you print it out. I mean, that's really what PDF is for, and it's very good for that purpose. Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.
PDF is given a bad name by the slow, bloated application that most people view them on (Adobe Reader). It's not really ideal to treat them like web pages, but most of the dread you feel when you have to click on a link to a PDF is really more the fault of the reader than the format. If you have a good PDF viewer, they aren't slow to load and won't crash your browser.
Perhaps you are confused as to what a zero-day exploit is. It means there were exploits in the wild prior to Adobe being aware of the vulnerability.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
I needed to fill out a PDF form, (was not allowed to do it by hand) but couldn't find anything under Linux besides acrobat which would do this. I tried xpdf, evince, and GhostView. Google was of no help. I had to resort to actual Acrobat (not on my computer) which at the time had *unpatched* vulnerabilities! Any alternatives would be welcome.
According to Secunia disabling Javascript does not mitigate the risk. Old news? http://secunia.com/blog/44/
Any document that wants JS will prompt you, and if you breeze by with a "yes", then JS is now on for all documents, until you go disable it again. If you say "no", then your document may not even open. PDF's are great for so many things, scale wonderfully, etc. This feature bloat just ruins it.
Acrobat has had buffer-overflow vulnerabilities in even with JS turned off, due to some nonsense about Windows prefetching the meta info or something.
I suppose there must be a place for them
If you had job you could download and print tax forms.
"When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
I run along them all the time just in general information gathering.
I'd love for them to be in a freer format, but at the same time, I love that they are in a format I can read on my computer.
It's fine that Adobe recommends disabling JavaScript in Acrobat, but it would be nice if, once you disable JavaScript, Acrobat didn't thereupon constantly nag you to re-enable it "from now on for all documents" every time you open a .PDF. "It looks like you've disabled JavaScript! Can we please turn it back on forever, you poor ignorant dimwitted user you?"
> and if you breeze by with a "yes"
Not to disagree with you, but ... did you ever see any "standard user" answering "NO" when a popup appears implying that a "YES" is just needed to do the intended work? "What the hell could be that f**k javascript thing? I just want to read the damn document"....
Check out the stuff Immunity is selling.
http://www.immunityinc.com/ceu-index.shtml
They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.
Also notice that immunity also has exploits for things like foxit reader, so switching your favorite pdf reader every week isn't going to save you either.
The main problem here is that parsing pdf is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web based solution to view pdfs until adobe creates a lighter, more secure version of reader that contains nothing but the necessary plug-ins.
To provide a break from all the Foxit endorsements: Sumatra is open source, works well and is smaller than Foxit. Also, it is a stand-alone executable, not an installer. Now I just need to figure out how to set Continuous scrolling as default...
Here is a link to an article discussing the registry keys needed to turn off javascript in Reader. Scripting this should help automate your new machine build without any added human intervention.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
RTF, No. HTML, yes. Or would you not consider Google App's spreadsheet to be complex? Images can be embedded in cdata tags. Its not easy or really recommended, but possible.
Well.. maybe. Or Maybe not. But Definitely not sort of.
If you have a good PDF viewer, they aren't slow to load and won't crash your browser.
If you don't use a reader with a browser plugin, a PDF is just as likely to crash your browser as a zip file.
Indeed I am (or was).
-mkb
pdf came out in 1993. XML became a W3C standard in 1998 (working draft in 1996).
So, frankly, they hadn't and have an excellent excuse for not having heard of it. Besides which, you have to consider the hardware and software limitations of 1993 and compare the problems that human-readable formatting solves compared to the problems PDF is intended to solve. PostScript, font, and raster graphics embedding are not especially served by this compared to costs that were significant at the time.
Fortunately Avira caught the trojan (first time this piece of shit reported something that wasn't a false positive). But I was on a site and, I think it came in through one of the advertisement banners, but suddenly I notice my web browser stopped temporarily and the system slowed down a bit. I noticed AcroRd32.exe had spawned in the processes list. About 30 seconds later it finds TR/Crypt.XPACK.Gen [trojan] in C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\DCF18OEB\xrun[1].tmp and C:\WINDOWS\system32\rn.tmp. At least I fucking hope the trojan was blocked, if it already wrote a .tmp file to system32 I'd hate to think something got installed that slipped past the AV's notice.
.PDF file that somehow piggybacked on a web banner because there was some randomly-named pdf file in Acrobat Reader's file history list when I checked. I promptly disabled JavaScript and disabled the Acrobat Reader plugin. But, you know, why did Firefox allow a web banner to run a .pdf file? Isn't this browser supposed to be secure? I'm using FireFox because I got sick of Internet Explorer pulling this exact same shit on me -- letting rogue sites run whatever code they wish on my computer. So I'm going to be looking for a new browser but I have a feeling all of them, even Opera and Chrome and whatever, they all are probably badly written like this.
But yeah, this definitely came through a
The virus information sites don't really say much what this specific trojan does. Is it a key logger?
I can second this: I've encountered fill-in forms that just didn't play nicely with Preview.app.
Another issue is that the full-screen presentation mode in Acrobat works much more nicely for, e.g., giving PDF presentations compiled in LaTeX. It works with clickers for advancing slides.
That is all.
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
OOps, the cone fell off my heart... I loooooove OO.o + Foxit
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
I never launch Acrobat Reader, and only rarely Acrobat Professional thanks to the simplicity and speed of Preview.app.
I remove the acrobat plug-in (manually from /Library/Internet Plug-Ins/ since Adobe BORKED their installers to a complete nightmare level) -- I'd just as soon download the PDF or view it in window if I'm in a webkit browser.
Finally, all PDFs are associated with Preview and not Acrobat.
Images can be embedded in cdata tags. Its not easy or really recommended, but possible.
Yeah, I don't know if this helps, but my original sentence was intended to be read, "Neither HTML nor RTF can really* even (do complex layouts with embedded images) in a single file. [* Disclaimer: by 'really' I mean in any way that is sensible and well-supported.]"
Ok, so I don't know if that's exceptionally clear anyway, but I gave it a shot. The point is, yes, you can do very complex layouts in HTML, but lots of things require extensive HTML/CSS knowledge to do properly and in a cross-platform manner, and maybe even weird and complex hacks. You can't simply take your Word document with a complex layout and do "save as HTML" and get a good HTML file that maintains that layout.
Beyond that, except for dropping the image into the HTML in base64 (which... well... I wouldn't advocate doing that under most circumstances) including images will require separate files which will then have to be passed along with the HTML and kept in the same relative path, or else you'll lose the images. And then there's the issue of fonts, which newer browsers are only beginning to address with web fonts.
So really, if you want to pass along a single file while maintaining complex layout very accurately, and you don't particularly want the file to be easy to edit, then PDF is a good choice for that purpose. I can't think of another format that's anywhere nearly as good for that purpose.
So, uh, why are documents executable in the first place?
In all seriousness, does anyone know if these zero-day exploits affect Preview? 1729's post implies that they wouldn't, but I'm curious.
All intents and purposes. Not intensive purposes.
I routinely create, view & print really big PDFs. When comparing FoxIt & Adobe the time difference between opening & printing a E-sized PDF on my machine is huge. FoxIt blows Adobe completely out of the water in every manner I can think of.
Most of the time Adobe will never actually print anything out, or if it does, it will be missing elements.
There is a war going on for your mind.
Ok, how does Acrobat/PDF thing impact the finding, downloading, and viewing of porn? Not all? Then why use it?
I drank what? -- Socrates
That's what memory is for, though. I have 4 GiB of it, and I don't see the gain from having it go unused over having it occupied by a sloppily made app. In return, I get something I enjoy using more.
Deus est fatalis
I had to install it to e-file my state taxes
I had to install it just to print out a DHL address sticker.
This is not the sig you're looking for.
"Negative-One-Day Exploit"
Used to refer to exploits that have existed in the wild for a long time, known to be a easy access point for exploits by consumers, but have only just been announced as a critical threat by the application owners.
As in, "Javascript in a PDF file? That's a negative-one-day exploit just waiting for a press release."
Here's a question: when is someone going to fix Javascript?
Why is it that we all have mods to block it on our browser. We have to disable it in our PDF readers. Why is no one complaining to the developers of javascript about this? Have we just given up the problem as intractable?
"I Don't Have Enough Faith to be an Atheist"
And not only is turning off Javascript a broken record....it breaks part of their own product! Those that pay large amounts for their LiveCycle product to do forms will kill their own application as a result. Turning off javascript ONLY works for those that use PDF to view documents only. And Adobe's the 800 rude gorilla of the market. While Foxit is interesting it's not an Enterprise class product.
Im on ur drive... eatin ur sectorz! om nom nom.
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
I dont really mind the startup time, but the idea that a program adds itself to my bootup menus and runs all the time, really puts me off. The tiny overhead of the updater application doesn't bother me so much, its the fact that it exists at all that indicates a serious design flaw!
That is why on windows always choose xmplay^H^H^H foxit over itunes^H^H^H adobe pdf!
Unfortunately people still flock to this software because of its 'features', and the atrocities of its design are hard to get across to non-geeks.
Surely windows has a cron you can use update program regularly without running it all the time!?
Why micosoft don't provide an updater program for windows, requiring companies to provide their own repos, i don't get though. Additionally a preload system that allows programs to boot faster would let most of these 3rd party programs die (I mean one that software can add itself to, in addition to the standard preload).
IranAir Flight 655 never forget!
That's what memory is for, though. I have 4 GiB of it, and I don't see the gain from having it go unused over having it occupied by a sloppily made app. In return, I get something I enjoy using more.
I'm not usually a subscriber to the "evil big company" theory, but I'm not too fond of trusting Adobe to install and run whatever they want, regardless of whether or not I have asked for it. Actually, I guess I am a subscriber to that theory - since I don't tend to let anyone run their crap on my PC unless I know exactly what it does or can at least be reasonably sure that it's not doing something stupid*. That's a large part of how I've stayed virus free for a couple of decades, in spite of not running anti-virus.
Aside from that - I'm not sure that I agree that's what memory is for. When I'm working in game development and my development tools are consuming 3GB of memory, you're damn right I"m picky about someone taking up an unnecessary 60MB plus. I view my computer's memory as /my/ resource, to be used by my computer as I want it to.
* like allowing anybody at all to run flawed javascript when I open a PDF file -- which should be a read only format for viewing and printing documents
These are things that have frustrated me for years, especialyl as more and more applications are presuming to do it. It's like people have never heard of the concept of windows scheduler/cron, or even spawning off an update thread in the background on startup. Processors and hard drives are so fast these days that even bloated and beefy software (I'm looking at YOU openoffice.org and netbeans) provides acceptable startup times without a "launcher" application.
As far as Adobe - the only thing I ever do with my PDF files is read them. Every year I watch Reader's footprint get bigger and bigger, and yet there is /no/ difference in my experience with it (except that it's slower) than there was several years ago.
Why micosoft don't provide an updater program for windows, requiring companies to provide their own repos, i don't get
That would also be quite nice. A simple Updater API would go a long way and might clean up some of this crap.
This is for the previous Reader vulnerability. The new one is very much in the Javascript functions:
http://www.securityfocus.com/bid/34736
I just opened up Adobe Reader on my Desktop Mac and disabled Javascript in the preferences...
And then I just opened up Adobe Reader on my laptop Mac and disabled Javascript in the preferences...
And then I just opened up Adobe Reader on my stand-alone PC and disabled Javascript in the preferences...
And then I just opened up Adobe Reader on my XP Pro Parallels VM on my desktop Mac and disabled Javascript in the preferences...
And then I just opened up Adobe Reader on my VIsta Home Pro 64-bit Parallels VM on my desktop Mac and disabled Javascript in the preferences...
And then I remembered all my VM snapshots and my Mac TIme machine backups that would need to be changed if I ever used them..
OMFG! Why didn't they just disable such bloat as the default? Stupid is as stupid does.
221 Megabytes! For a document reader!?
Hey! It's not just a document reader!
It also has M-x tetris.
just as likely to crash your browser as a zip file.
I use IE6, you insensitive clod!
The website for the Foxit program, mentioned by several posters as an alternative to Reader, has, right on the home page, Flash! the best thing ever!
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
DVI?
I'm curious. What about the Adobe Acrobat browser plugin that is installed with the reader? Doesn't it also support the same embedded JavaScript? I haven't yet found any clarification on this, but I am inclined to assume that it does.
If it does, it'd be trivial to use "hidden" embedded PDFs in a web page as an attack vector. And if the plugin doesn't share preferences with the stand-alone reader, turning it off in the reader won't do much good.
Does anyone know?
It's not a js bug, it's a bug in Adobe code that can be exploited because they've included a scripting language.
In my opinion javascript is a nice, flexible Java-like language that has gotten a really bad reputation to very little fault of its own. If you really think there is something we need to fix in javascript especially, maybe you should be more specific?
Users should be ditching acrobat reader anyway. The program is horribly slow, laiden with bugs and vulnerabilities, and has the worse method of updating. Off the internet, I think Adobe Reader and Acrobat are great but for viewing PDF's online, bad idea. Find yourselves another reader to use and if you need Acrobat only to author PDF files, get something free. Plenty of free PDF writers out there.
This nag message is gone since Acrobat Reader 9 (IIRC)
...or just get a PDF reader that's free software.
Please help publicise swpat.org - the software patents wiki
How about just get rid of PDFs in general? I mean, how many times have you opened up a page and said to yourself "Sweet, it's a PDF, now I can...".
All the time.
I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.
Embed graphics that scale with the text. Embed fonts. Make book quality printings. You know, things people want to do with documents, portably, without changing how the document looks.
After all, I am strangely colored.
http://www.foxitsoftware.com/pdf/reader/ much leaner and snappier than Acrobat
Indeed, I honestly had no idea that PDFs ran JS! Why is JS needed for PDFs anyway? I remember when PDF was just a glorified (already executed and semi-rendered) PostScript replacement...
Nick
I mean, how many times have you opened up a page and said to yourself "Sweet, it's a PDF, now I can...".
All the time at work. And replace the "..." with "print it out".
I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.
You have a small mind. Government forms and payroll stubs are two important uses.
(For usage as an "official" document, exact format is *everything*).
Now, has anyone ever used PDF to print counterfeit money? There are some limitations ...
The way I always describe why PDF is preferred over any other format for layouts is, "It's not a 'save as' format, it's a 'print as' format," and if they don't gloss over at that I continue with the difference between rendering a page on the screen to see it's size that isn't a paper size, or print to this printer which has different margins than that printer so what margins does the "file" have, and how PDF ignores all that because it's already been printed correctly and to it's own format for a page.