Slashdot Mirror
Adobe Confirms PDF Zero-Day, Says Kill JavaScript
CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"
Adobe is really slow about security patches on Acrobat. This is just the latest.
Its the reason why Miko Hypponen of F-Secure says you should ditch acrobat and use something else.
Test your net with Netalyzr
...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.
It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.
--- Mr. DOS
What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.
I had to install it to e-file my state taxes. The fill-in tax forms had a lot of behind-the-scenes scripting (javascript, I assume) and only worked with the Adobe browser plugin.
Sorry, I know I'm beating a dead horse and risking karma-whore status, but do we really need a scripting language in PDFs at all? I mean, yes, sorry, I know that there are probably people out there who need that, but I'd wager the gross majority don't.
What most of us need (or at least what I need) PDF for is to have a portable format that's open, widely supported, and can give me pixel-perfect output regardless of the platform or what fonts you have installed. I don't need scripting, flash, embedded movies, or anything else of the sort. Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app? Because I want to view PDFs, but I have no interest in the associated security risks or bloat from throwing the kitchen sink into PDF functionality.
Why the hell do we need javascript in a document reader in the first place? Acrobat is not a web browser, and I fail to see any situation that justifies a scripting language that has nothing to do with static documents. I suppose it could be useful for some fill-in forms, but that's about it.
Seems like a solution in search of a problem to me.
Having never handled PDF documents except to read them, I wasn't even aware they could contain Javascript. I don't understand why they need to. Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?
Start using Foxit or some such pdf reader. Everybody and his brother wants to be a browser. Why the hell did Adobe add javascript and the ability to open internet connections and hypertext links inside a PDF reader?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
And yet another person misses the point. It's not talking about JavaScript in your browser, it's talking about JavaScript in the Reader software. I guess it's a given that somebody with the uid of 317 didn't RTFA ;)
Your hair look like poop, Bob! - Wanker.
I read a lot of PDF files, mostly books and the like, and I recently switched back to Adobe Reader from Foxit, after using it for years. I don't see any difference speed-wise on my machine, it behaves slightly better, looks much better, and it's still proprietary, closed software anyway. With Foxit, its browser plugin used to be unstable with Firefox for whatever reason too. Adobe's plugin seems to work better. As far as I'm concerned about security, I've turned off JS support in Adobe Reader. This seems to prevent many exploits, and takes away no useful functionality, as far as I'm aware. Even it someone managed to perform an exploit that didn't depend on JS, I'd still be protected by Firefox not running with administrative priviledges. All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.
Deus est fatalis
Okular rocks, and it apparently can run on Windows as well.
My only feature upgrade request would be to have the underlying PDF engine allow for saving of annotations back to the PDF files... I want a digital highlighter pen.
AntiFA: An abbreviation for Anti First Amendment.
There's an Adobe PDF reader for the Mac? Seriously? Who on Earth would install that monster on a platform with native PDF-support?
Pretty good is actually pretty bad.
Adobe seriously needs to get its act together. Adobe Reader is in the top 5 most exploited applications and we have a new "highly serious" bug getting released every month or so.
It is slow, it is huge, and it is full of bugs... And it is entirely unjustified for an application designed to read a single file format!
Quite so... I didn't even realize that PDF's could run Java scripts...
But now I've got a new hoop to jump through when I update a new computer:
Simple as that!
Support the 30 Hour Work Week!!!
The printing industry is heavily dependent upon PDF files in their workflow. PDF attachment via email has basically replaced the fax machine in any professional industry. The format offers everyone a standard format that will look exactly the same everywhere. And, I can create a single PDF from multiple source documents (spreadsheets & word processor docs).
Bill Clinton: Pimp we can believe in. - The Shirt!!!
This issue is in Acrobat's own javascript implementation. Acrobat itself runs javascript code that's embedded in PDFs, so the browser doesn't have anything to do with it.
Noscript will do nothing to help you here, and your post brings to mind the old adage - a false sense of security can be worse than no security at all.
All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.
And without additional cost to you, that delivery includes a 60MB runtime footprint and two or three always-running updater applications!
I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.
Set up formatting and layout for your document in a way that should display the same way when you move transfer the file to another computer, and have it also look the same when you print it out. I mean, that's really what PDF is for, and it's very good for that purpose. Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.
PDF is given a bad name by the slow, bloated application that most people view them on (Adobe Reader). It's not really ideal to treat them like web pages, but most of the dread you feel when you have to click on a link to a PDF is really more the fault of the reader than the format. If you have a good PDF viewer, they aren't slow to load and won't crash your browser.
Perhaps you are confused as to what a zero-day exploit is. It means there were exploits in the wild prior to Adobe being aware of the vulnerability.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
I needed to fill out a PDF form, (was not allowed to do it by hand) but couldn't find anything under Linux besides acrobat which would do this. I tried xpdf, evince, and GhostView. Google was of no help. I had to resort to actual Acrobat (not on my computer) which at the time had *unpatched* vulnerabilities! Any alternatives would be welcome.
According to Secunia disabling Javascript does not mitigate the risk. Old news? http://secunia.com/blog/44/
It's fine that Adobe recommends disabling JavaScript in Acrobat, but it would be nice if, once you disable JavaScript, Acrobat didn't thereupon constantly nag you to re-enable it "from now on for all documents" every time you open a .PDF. "It looks like you've disabled JavaScript! Can we please turn it back on forever, you poor ignorant dimwitted user you?"
Check out the stuff Immunity is selling.
http://www.immunityinc.com/ceu-index.shtml
They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.
Also notice that immunity also has exploits for things like foxit reader, so switching your favorite pdf reader every week isn't going to save you either.
The main problem here is that parsing pdf is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web based solution to view pdfs until adobe creates a lighter, more secure version of reader that contains nothing but the necessary plug-ins.
To provide a break from all the Foxit endorsements: Sumatra is open source, works well and is smaller than Foxit. Also, it is a stand-alone executable, not an installer. Now I just need to figure out how to set Continuous scrolling as default...
If you have a good PDF viewer, they aren't slow to load and won't crash your browser.
If you don't use a reader with a browser plugin, a PDF is just as likely to crash your browser as a zip file.
pdf came out in 1993. XML became a W3C standard in 1998 (working draft in 1996).
So, frankly, they hadn't and have an excellent excuse for not having heard of it. Besides which, you have to consider the hardware and software limitations of 1993 and compare the problems that human-readable formatting solves compared to the problems PDF is intended to solve. PostScript, font, and raster graphics embedding are not especially served by this compared to costs that were significant at the time.
I never launch Acrobat Reader, and only rarely Acrobat Professional thanks to the simplicity and speed of Preview.app.
I remove the acrobat plug-in (manually from /Library/Internet Plug-Ins/ since Adobe BORKED their installers to a complete nightmare level) -- I'd just as soon download the PDF or view it in window if I'm in a webkit browser.
Finally, all PDFs are associated with Preview and not Acrobat.
Images can be embedded in cdata tags. Its not easy or really recommended, but possible.
Yeah, I don't know if this helps, but my original sentence was intended to be read, "Neither HTML nor RTF can really* even (do complex layouts with embedded images) in a single file. [* Disclaimer: by 'really' I mean in any way that is sensible and well-supported.]"
Ok, so I don't know if that's exceptionally clear anyway, but I gave it a shot. The point is, yes, you can do very complex layouts in HTML, but lots of things require extensive HTML/CSS knowledge to do properly and in a cross-platform manner, and maybe even weird and complex hacks. You can't simply take your Word document with a complex layout and do "save as HTML" and get a good HTML file that maintains that layout.
Beyond that, except for dropping the image into the HTML in base64 (which... well... I wouldn't advocate doing that under most circumstances) including images will require separate files which will then have to be passed along with the HTML and kept in the same relative path, or else you'll lose the images. And then there's the issue of fonts, which newer browsers are only beginning to address with web fonts.
So really, if you want to pass along a single file while maintaining complex layout very accurately, and you don't particularly want the file to be easy to edit, then PDF is a good choice for that purpose. I can't think of another format that's anywhere nearly as good for that purpose.
I routinely create, view & print really big PDFs. When comparing FoxIt & Adobe the time difference between opening & printing a E-sized PDF on my machine is huge. FoxIt blows Adobe completely out of the water in every manner I can think of.
Most of the time Adobe will never actually print anything out, or if it does, it will be missing elements.
There is a war going on for your mind.
That's what memory is for, though. I have 4 GiB of it, and I don't see the gain from having it go unused over having it occupied by a sloppily made app. In return, I get something I enjoy using more.
Deus est fatalis
"Negative-One-Day Exploit"
Used to refer to exploits that have existed in the wild for a long time, known to be a easy access point for exploits by consumers, but have only just been announced as a critical threat by the application owners.
As in, "Javascript in a PDF file? That's a negative-one-day exploit just waiting for a press release."
Im on ur drive... eatin ur sectorz! om nom nom.
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
I dont really mind the startup time, but the idea that a program adds itself to my bootup menus and runs all the time, really puts me off. The tiny overhead of the updater application doesn't bother me so much, its the fact that it exists at all that indicates a serious design flaw!
That is why on windows always choose xmplay^H^H^H foxit over itunes^H^H^H adobe pdf!
Unfortunately people still flock to this software because of its 'features', and the atrocities of its design are hard to get across to non-geeks.
Surely windows has a cron you can use update program regularly without running it all the time!?
Why micosoft don't provide an updater program for windows, requiring companies to provide their own repos, i don't get though. Additionally a preload system that allows programs to boot faster would let most of these 3rd party programs die (I mean one that software can add itself to, in addition to the standard preload).
IranAir Flight 655 never forget!
That's what memory is for, though. I have 4 GiB of it, and I don't see the gain from having it go unused over having it occupied by a sloppily made app. In return, I get something I enjoy using more.
I'm not usually a subscriber to the "evil big company" theory, but I'm not too fond of trusting Adobe to install and run whatever they want, regardless of whether or not I have asked for it. Actually, I guess I am a subscriber to that theory - since I don't tend to let anyone run their crap on my PC unless I know exactly what it does or can at least be reasonably sure that it's not doing something stupid*. That's a large part of how I've stayed virus free for a couple of decades, in spite of not running anti-virus.
Aside from that - I'm not sure that I agree that's what memory is for. When I'm working in game development and my development tools are consuming 3GB of memory, you're damn right I"m picky about someone taking up an unnecessary 60MB plus. I view my computer's memory as /my/ resource, to be used by my computer as I want it to.
* like allowing anybody at all to run flawed javascript when I open a PDF file -- which should be a read only format for viewing and printing documents
These are things that have frustrated me for years, especialyl as more and more applications are presuming to do it. It's like people have never heard of the concept of windows scheduler/cron, or even spawning off an update thread in the background on startup. Processors and hard drives are so fast these days that even bloated and beefy software (I'm looking at YOU openoffice.org and netbeans) provides acceptable startup times without a "launcher" application.
As far as Adobe - the only thing I ever do with my PDF files is read them. Every year I watch Reader's footprint get bigger and bigger, and yet there is /no/ difference in my experience with it (except that it's slower) than there was several years ago.
Why micosoft don't provide an updater program for windows, requiring companies to provide their own repos, i don't get
That would also be quite nice. A simple Updater API would go a long way and might clean up some of this crap.
^^ this. I had no idea recent versions (or even old ones) of adobe reader even had javascript. Why?
Its considered by most people to be a static document format, leave interactivity to HTML or other formats.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.