Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Confirms PDF Zero-Day, Says Kill JavaScript

Posted by timothy on from the kpdf-has-better-panning-anyhow dept.

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"

39 of 211 comments (clear)

  1. Ditch Acrobat... by nweaver · · Score: 4, Informative

    Adobe is really slow about security patches on Acrobat. This is just the latest.

    Its the reason why Miko Hypponen of F-Secure says you should ditch acrobat and use something else.

    --
    Test your net with Netalyzr
    1. Re:Ditch Acrobat... by Fatalis · · Score: 4, Informative

      It's about disabling JS in Acrobat itself, not in general. For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.

      --
      Deus est fatalis
    2. Re:Ditch Acrobat... by TommydCat · · Score: 4, Insightful

      Ok, color me surprised then... Thank you for the clarification.

      I think I'll step out and talk a walk to muse about why companies writing mission-specific utilities throw in the kitchen sink-type bloat and wonder why they couldn't see their ship coming in over the Sea of Vulnerabilites...

      --
      This comment does not necessarily represent the views and opinions of the author.
    3. Re:Ditch Acrobat... by wiredlogic · · Score: 5, Interesting

      For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.

      Which is ironic since PDF was originally designed to be a reduced, non-Turing complete version of Postscript partly for the safety of a restricted interpreter.

      --
      I am becoming gerund, destroyer of verbs.
    4. Re:Ditch Acrobat... by Gordo_1 · · Score: 3, Funny

      Bloated? I don't think one should describe what Adobe has done to Acrobat Reader simply as "Bloat". I suggest redefining the term as a verb with a tip of the hat to the new masters, as in "you silly hack, you've adobed your software!"

      After getting fed up with Reader in the wake of the Feb. 19th PDF remote exploit notice (http://www.adobe.com/support/security/advisories/apsa09-01.html/) I decided to install FoxIt (I know, proprietary, not open source goodness)... But anyway, when I went to uninstall Adobe Reader, Windows claimed it to be taking up 221MB on my hard drive. 221 Megabytes! For a document reader!?

      After installing FoxIt, Windows claims that it takes up only 7.15MB, which I corroborated by checking the size of the install directory. For the life of me, I can't figure out what exactly it is that Adobe Reader does that FoxIt doesn't. They're functionality identical so far as I can tell. So what in god's name is Adobe doing with that extra 200 megabytes of disk space?

    5. Re:Ditch Acrobat... by OakDragon · · Score: 4, Funny

      Adobe is really slow about security patches on Acrobat.

      Have you updated the Adobe Updater? Perhaps what we need is an updater to update the Adobe Updater.

      --
      Dark Reflection
    6. Re:Ditch Acrobat... by hairyfeet · · Score: 4, Insightful

      Because like ActiveX Adobe wanted to make Acrobat a "rich web app" or whatever buzzword bingo they have for net apps this week, and forgot that adding that equals really big malware hole you can drive a truck through? Everybody wants to position their app to take a piece of the net, just look at how Netscape killed their lead by piling all this apps together and making Communicator instead of sticking with the already well known Navigator and concentrating on making it better.

      These companies don't see that we often simply want a simple app to do a simple job fast, cleanly, and with minimum bloat. Instead they try piling in the kitchen sink hoping that one of the bazillion functions they pile in there might make it the "must have" for "the next generation" or again whatever buzzword bingo you choose. Just look at all the crap Nero has piled into what was once a clean and easy burning app. That is why for myself, my customers, and my family I routinely install Foxit Reader which simply renders PDFs quickly, with minimum fuss, updates itself by default, and is very light on resources and doesn't try to run 24/7 like Adobe. Unlike Adobe Foxit hasn't tried to add the kitchen sink. It just renders PDFs fast. Give me that over app bloat any day.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:Ditch Acrobat... by Anenome · · Score: 3, Funny

      "So what in god's name is Adobe doing with that extra 200 megabytes of disk space?"

      I shouldn't really be telling you this, but there's an easter-egg video involving Carrot Top hidden somewhere in Adobe Reader. Call it a result of the 'more megabytes = more powerful' school of software management :P

      --
      "I Don't Have Enough Faith to be an Atheist"
    8. Re:Ditch Acrobat... by maxume · · Score: 3, Informative

      On my install, which is 9.0 updated to 9.1, there are 60 megabytes of setup files. 20 of it is the installer for 9.0, and 40 of it is the installer for 9.1. Of the remaining 120 megabytes (that's right, the total is 180 megabytes), about 45 megabytes are devoted to dlls and executables, and about 30 are devoted to 'linguistics' resources, which must be language support files.

      Clearly they don't care about using my disk (obviously, neither do I).

      --
      Nerd rage is the funniest rage.
    9. Re:Ditch Acrobat... by Skuld-Chan · · Score: 4, Interesting

      For most people there is no difference, but if you are working with livecycle forms online (which some public sites use) nothing but Adobe Reader will work with those.

      If you use postscript passthrough - I don't know if any apps outside of Adobe that support this.

      If you use annotations (3d objects, comments/notes, multimedia, videos etc) - most other readers don't support this - or if they do they only support notes/comments.

      If you need to deploy a pdf viewer to a couple thousand machines - I'm not aware of any that have an installer for automating this - Adobe Reader does however.

      So its not for everyone, but speaking from experience it is for a lot of people and a lot of big enterprises.

      That said - Foxit is probably the most feature complete pdf viewer outside of stuff from Adobe, however It would be generous of me to say that it supports 1/10th of the pdf features Adobe Reader supports.

  2. Y'know... by Mr.+DOS · · Score: 5, Insightful

    ...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.

    It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.

          --- Mr. DOS

  3. Re:No problem for Macs, really by 1729 · · Score: 4, Informative

    What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.

    I had to install it to e-file my state taxes. The fill-in tax forms had a lot of behind-the-scenes scripting (javascript, I assume) and only worked with the Adobe browser plugin.

  4. Can we always kill javascript? by nine-times · · Score: 4, Insightful

    Sorry, I know I'm beating a dead horse and risking karma-whore status, but do we really need a scripting language in PDFs at all? I mean, yes, sorry, I know that there are probably people out there who need that, but I'd wager the gross majority don't.

    What most of us need (or at least what I need) PDF for is to have a portable format that's open, widely supported, and can give me pixel-perfect output regardless of the platform or what fonts you have installed. I don't need scripting, flash, embedded movies, or anything else of the sort. Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app? Because I want to view PDFs, but I have no interest in the associated security risks or bloat from throwing the kitchen sink into PDF functionality.

    1. Re:Can we always kill javascript? by characterZer0 · · Score: 4, Interesting

      Programatically clone a page to the end of the document.

      Calculate and fill fields based on the value entered into other fields.

      Update reference data from the web.

      There are good uses.

      --
      Go green: turn off your refrigerator.
    2. Re:Can we always kill javascript? by colfer · · Score: 3, Interesting

      The US Postal Service click-n-ship requires you turn on that JS crap in Acrobat. Once you click "yes", Acrobat leaves it on unless you go disable it again, each time. Vendors like the USPS need to get a clue.

    3. Re:Can we always kill javascript? by iamhigh · · Score: 5, Insightful

      And there are far better solutions than a PDF *display* application to accommodate all of those. Have an application that does that and spits out the PDF. That was the point of the OP; we don't need Adobe to be a be-all-end-all for computer programming. We simply need it to display data.

      --
      No comprende? Let me type that a little slower for you...
    4. Re:Can we always kill javascript? by bcrowell · · Score: 4, Insightful

      Because it's an open format, if Adobe doesn't "innovate" on it and stay king-of-the-hill, they will lose market share to other products that will embed movies and such. Adobe has to continue to innovate or they risk losing their status as the big cheese, and they make lots of money with Acrobat professional.

      Yep. They want flash, pdf, and AIR to be ubiquitous. This article shows their point of view: "What's wonderful for Adobe is, we are pretty much everywhere you look. [...] Just about every Web site uses Flash. Every tax form you download off the IRS is done in PDF. So it's OK if the average consumer does not know who Adobe is. We're almost like air." They want their suite of tools to be a ubiquitous consumer-level software tool like Windows, and they understand that if they're going to make money that way, they have to convince people that their tool is better than the free alternatives, just as MS has to convince people to desire Windows rather than Linux.

      Adobe is very clever about making their formats and implementations open enough to get them widely adopted, while maintaining their market position via a combination of (a) the first-move advantage when they release new features, and (b) keeping certain aspects of their formats and implementations just proprietary enough to maintain the perception that the competition isn't as good. You see it with flash, where they've opened up a lot recently, but for most developers there is really no viable alternative to using Adobe's tools. You see it with pdf, where they sell people snake oil, e.g., convincing them that the DRM features are useful, even though they're trivial to circumvent.

      One of the big things working in their favor is patents. E.g., flash supports mp3 but not ogg, which makes it difficult to make a legal, OSS toolchain for flash development, because the license for mp3 forbids distribution of encoders in large numbers without paying a royalty. Ditto for patented color management and patented video codecs. Any patented special sauce they can add to their apps makes it easier for them to differentiate themselves from the free competition.

      --
      Find free books.
  5. creeping featuritis by wiggles · · Score: 3, Insightful

    Why the hell do we need javascript in a document reader in the first place? Acrobat is not a web browser, and I fail to see any situation that justifies a scripting language that has nothing to do with static documents. I suppose it could be useful for some fill-in forms, but that's about it.

    Seems like a solution in search of a problem to me.

  6. Why do PDF readers need Javascript? by serutan · · Score: 5, Funny

    Having never handled PDF documents except to read them, I wasn't even aware they could contain Javascript. I don't understand why they need to. Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

    1. Re:Why do PDF readers need Javascript? by Red+Flayer · · Score: 5, Funny

      Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

      That didn't sound so bad. Until I thought about stack overflow vulnerabilities.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    2. Re:Why do PDF readers need Javascript? by RobBebop · · Score: 3, Funny

      Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

      Woah now! Don't let the cat out of the bag too early. Considering how far toilets have come over the century, you'll be happy with a little Javascript injection turning your toilet into a Spam Zombie.

      Let's review:

      1. Toilet 0.0: A bush. Possible attack vectors include bee stings and bear claws.
      2. Toilet 1.0: A hole in the ground. Insects and burrowing creatures stung and bit you when you dug your hole to close to them.
      3. Toilet 2.0: The community toilet. Walls give you privacy, but god awful smells make it painful to use.
      4. Toilet 3.0: The Flush Toilet. Don't put too much in or it overflows.
      5. Toilet 4.0: The Autoflush Toilet. Same as previous, but multiple flushes each time you try to wipe yourself.
      6. Toilet 5.0: (coming soon) Internet Integrated Diagnostics Toilet. Javascript vulnerabilities and toxic Chinese workmanship.
      --
      Support the 30 Hour Work Week!!!
  7. Kill Adobe reader, not java script by 140Mandak262Jamuna · · Score: 3, Insightful

    Start using Foxit or some such pdf reader. Everybody and his brother wants to be a browser. Why the hell did Adobe add javascript and the ability to open internet connections and hypertext links inside a PDF reader?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Kill Adobe reader, not java script by VeNoM0619 · · Score: 5, Informative

      Hate to tell you, but FoxIT has Javascript on by default.

      Edit, Preferences, "Enable JavaScript Actions" is checked by Default.

      And yes, this is default, because I just installed the software today to verify the many claims about "just install FoxIT" with no other information.

      --
      Disclaimer: I am not god.
      We may not be created equal
      But we can be treated equal.
  8. Re:Disabling Javascript is standard by OverlordQ · · Score: 4, Insightful

    And yet another person misses the point. It's not talking about JavaScript in your browser, it's talking about JavaScript in the Reader software. I guess it's a given that somebody with the uid of 317 didn't RTFA ;)

    --
    Your hair look like poop, Bob! - Wanker.
  9. Re:Inevitable post recommending Foxit Reader by Fatalis · · Score: 3, Informative

    I read a lot of PDF files, mostly books and the like, and I recently switched back to Adobe Reader from Foxit, after using it for years. I don't see any difference speed-wise on my machine, it behaves slightly better, looks much better, and it's still proprietary, closed software anyway. With Foxit, its browser plugin used to be unstable with Firefox for whatever reason too. Adobe's plugin seems to work better. As far as I'm concerned about security, I've turned off JS support in Adobe Reader. This seems to prevent many exploits, and takes away no useful functionality, as far as I'm aware. Even it someone managed to perform an exploit that didn't depend on JS, I'd still be protected by Firefox not running with administrative priviledges. All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.

    --
    Deus est fatalis
  10. Mac? by dingen · · Score: 3, Insightful

    There's an Adobe PDF reader for the Mac? Seriously? Who on Earth would install that monster on a platform with native PDF-support?

    --
    Pretty good is actually pretty bad.
  11. Adobe Reader has more holes that swiss cheese by Manip · · Score: 4, Insightful

    Adobe seriously needs to get its act together. Adobe Reader is in the top 5 most exploited applications and we have a new "highly serious" bug getting released every month or so.

    It is slow, it is huge, and it is full of bugs... And it is entirely unjustified for an application designed to read a single file format!

  12. Re:Disabling Javascript is standard by RobBebop · · Score: 4, Informative

    Quite so... I didn't even realize that PDF's could run Java scripts...

    But now I've got a new hoop to jump through when I update a new computer:

    1. Launch Acrobat or Adobe Reader.
    2. Select Edit>Preferences
    3. Select the JavaScript Category
    4. Uncheck the âEnable Acrobat JavaScriptâ(TM) option
    5. Click OK

    Simple as that!

    --
    Support the 30 Hour Work Week!!!
  13. Re:Inevitable post recommending Foxit Reader by Rude+Turnip · · Score: 5, Informative

    The printing industry is heavily dependent upon PDF files in their workflow. PDF attachment via email has basically replaced the fax machine in any professional industry. The format offers everyone a standard format that will look exactly the same everywhere. And, I can create a single PDF from multiple source documents (spreadsheets & word processor docs).

    --
    Bill Clinton: Pimp we can believe in. - The Shirt!!!
  14. Re:Inevitable post recommending Foxit Reader by thePowerOfGrayskull · · Score: 4, Insightful

    All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.

    And without additional cost to you, that delivery includes a 60MB runtime footprint and two or three always-running updater applications!

  15. Re:Inevitable post recommending Foxit Reader by nine-times · · Score: 5, Insightful

    I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.

    Set up formatting and layout for your document in a way that should display the same way when you move transfer the file to another computer, and have it also look the same when you print it out. I mean, that's really what PDF is for, and it's very good for that purpose. Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.

    PDF is given a bad name by the slow, bloated application that most people view them on (Adobe Reader). It's not really ideal to treat them like web pages, but most of the dread you feel when you have to click on a link to a PDF is really more the fault of the reader than the format. If you have a good PDF viewer, they aren't slow to load and won't crash your browser.

  16. Re:This is a Zero-Day? by Red+Flayer · · Score: 4, Informative

    Perhaps you are confused as to what a zero-day exploit is. It means there were exploits in the wild prior to Adobe being aware of the vulnerability.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  17. Disabling Javascript won't mitigate the risk still by biddly718 · · Score: 3, Insightful

    According to Secunia disabling Javascript does not mitigate the risk. Old news? http://secunia.com/blog/44/

  18. Incessant Acrobat JavaScript nagging by Allen+Varney · · Score: 4, Interesting

    It's fine that Adobe recommends disabling JavaScript in Acrobat, but it would be nice if, once you disable JavaScript, Acrobat didn't thereupon constantly nag you to re-enable it "from now on for all documents" every time you open a .PDF. "It looks like you've disabled JavaScript! Can we please turn it back on forever, you poor ignorant dimwitted user you?"

  19. disabling js will not save you by Deanalator · · Score: 5, Informative

    Check out the stuff Immunity is selling.
    http://www.immunityinc.com/ceu-index.shtml

    They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.

    Also notice that immunity also has exploits for things like foxit reader, so switching your favorite pdf reader every week isn't going to save you either.

    The main problem here is that parsing pdf is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web based solution to view pdfs until adobe creates a lighter, more secure version of reader that contains nothing but the necessary plug-ins.

  20. Sumatra by Tubal-Cain · · Score: 5, Informative

    To provide a break from all the Foxit endorsements: Sumatra is open source, works well and is smaller than Foxit. Also, it is a stand-alone executable, not an installer. Now I just need to figure out how to set Continuous scrolling as default...

  21. Re:Inevitable post recommending Foxit Reader by Your.Master · · Score: 3, Interesting

    pdf came out in 1993. XML became a W3C standard in 1998 (working draft in 1996).

    So, frankly, they hadn't and have an excellent excuse for not having heard of it. Besides which, you have to consider the hardware and software limitations of 1993 and compare the problems that human-readable formatting solves compared to the problems PDF is intended to solve. PostScript, font, and raster graphics embedding are not especially served by this compared to costs that were significant at the time.

  22. Re:Inevitable post recommending Foxit Reader by nine-times · · Score: 3, Insightful

    Images can be embedded in cdata tags. Its not easy or really recommended, but possible.

    Yeah, I don't know if this helps, but my original sentence was intended to be read, "Neither HTML nor RTF can really* even (do complex layouts with embedded images) in a single file. [* Disclaimer: by 'really' I mean in any way that is sensible and well-supported.]"

    Ok, so I don't know if that's exceptionally clear anyway, but I gave it a shot. The point is, yes, you can do very complex layouts in HTML, but lots of things require extensive HTML/CSS knowledge to do properly and in a cross-platform manner, and maybe even weird and complex hacks. You can't simply take your Word document with a complex layout and do "save as HTML" and get a good HTML file that maintains that layout.

    Beyond that, except for dropping the image into the HTML in base64 (which... well... I wouldn't advocate doing that under most circumstances) including images will require separate files which will then have to be passed along with the HTML and kept in the same relative path, or else you'll lose the images. And then there's the issue of fonts, which newer browsers are only beginning to address with web fonts.

    So really, if you want to pass along a single file while maintaining complex layout very accurately, and you don't particularly want the file to be easy to edit, then PDF is a good choice for that purpose. I can't think of another format that's anywhere nearly as good for that purpose.

  23. I purpose a new term by cyberfunkr · · Score: 4, Insightful

    "Negative-One-Day Exploit"

    Used to refer to exploits that have existed in the wild for a long time, known to be a easy access point for exploits by consumers, but have only just been announced as a critical threat by the application owners.

    As in, "Javascript in a PDF file? That's a negative-one-day exploit just waiting for a press release."