Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Confirms PDF Zero-Day, Says Kill JavaScript

Posted by timothy on from the kpdf-has-better-panning-anyhow dept.

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"

27 of 211 comments (clear)

  1. Ditch Acrobat... by nweaver · · Score: 4, Informative

    Adobe is really slow about security patches on Acrobat. This is just the latest.

    Its the reason why Miko Hypponen of F-Secure says you should ditch acrobat and use something else.

    --
    Test your net with Netalyzr
    1. Re:Ditch Acrobat... by Fatalis · · Score: 4, Informative

      It's about disabling JS in Acrobat itself, not in general. For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.

      --
      Deus est fatalis
    2. Re:Ditch Acrobat... by TommydCat · · Score: 4, Insightful

      Ok, color me surprised then... Thank you for the clarification.

      I think I'll step out and talk a walk to muse about why companies writing mission-specific utilities throw in the kitchen sink-type bloat and wonder why they couldn't see their ship coming in over the Sea of Vulnerabilites...

      --
      This comment does not necessarily represent the views and opinions of the author.
    3. Re:Ditch Acrobat... by wiredlogic · · Score: 5, Interesting

      For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I've disabled it ages ago, but I still run it elsewhere on web.

      Which is ironic since PDF was originally designed to be a reduced, non-Turing complete version of Postscript partly for the safety of a restricted interpreter.

      --
      I am becoming gerund, destroyer of verbs.
    4. Re:Ditch Acrobat... by OakDragon · · Score: 4, Funny

      Adobe is really slow about security patches on Acrobat.

      Have you updated the Adobe Updater? Perhaps what we need is an updater to update the Adobe Updater.

      --
      Dark Reflection
    5. Re:Ditch Acrobat... by hairyfeet · · Score: 4, Insightful

      Because like ActiveX Adobe wanted to make Acrobat a "rich web app" or whatever buzzword bingo they have for net apps this week, and forgot that adding that equals really big malware hole you can drive a truck through? Everybody wants to position their app to take a piece of the net, just look at how Netscape killed their lead by piling all this apps together and making Communicator instead of sticking with the already well known Navigator and concentrating on making it better.

      These companies don't see that we often simply want a simple app to do a simple job fast, cleanly, and with minimum bloat. Instead they try piling in the kitchen sink hoping that one of the bazillion functions they pile in there might make it the "must have" for "the next generation" or again whatever buzzword bingo you choose. Just look at all the crap Nero has piled into what was once a clean and easy burning app. That is why for myself, my customers, and my family I routinely install Foxit Reader which simply renders PDFs quickly, with minimum fuss, updates itself by default, and is very light on resources and doesn't try to run 24/7 like Adobe. Unlike Adobe Foxit hasn't tried to add the kitchen sink. It just renders PDFs fast. Give me that over app bloat any day.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:Ditch Acrobat... by Skuld-Chan · · Score: 4, Interesting

      For most people there is no difference, but if you are working with livecycle forms online (which some public sites use) nothing but Adobe Reader will work with those.

      If you use postscript passthrough - I don't know if any apps outside of Adobe that support this.

      If you use annotations (3d objects, comments/notes, multimedia, videos etc) - most other readers don't support this - or if they do they only support notes/comments.

      If you need to deploy a pdf viewer to a couple thousand machines - I'm not aware of any that have an installer for automating this - Adobe Reader does however.

      So its not for everyone, but speaking from experience it is for a lot of people and a lot of big enterprises.

      That said - Foxit is probably the most feature complete pdf viewer outside of stuff from Adobe, however It would be generous of me to say that it supports 1/10th of the pdf features Adobe Reader supports.

  2. Y'know... by Mr.+DOS · · Score: 5, Insightful

    ...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.

    It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.

          --- Mr. DOS

  3. Re:No problem for Macs, really by 1729 · · Score: 4, Informative

    What dumbass would install Acrobat reader when Mac OS X itself can read/write PDFs.

    I had to install it to e-file my state taxes. The fill-in tax forms had a lot of behind-the-scenes scripting (javascript, I assume) and only worked with the Adobe browser plugin.

  4. Can we always kill javascript? by nine-times · · Score: 4, Insightful

    Sorry, I know I'm beating a dead horse and risking karma-whore status, but do we really need a scripting language in PDFs at all? I mean, yes, sorry, I know that there are probably people out there who need that, but I'd wager the gross majority don't.

    What most of us need (or at least what I need) PDF for is to have a portable format that's open, widely supported, and can give me pixel-perfect output regardless of the platform or what fonts you have installed. I don't need scripting, flash, embedded movies, or anything else of the sort. Can we just have PDF left alone, to be the static display/print format? If Adobe really wants to do all this other crap, can they please invent a new format, and not try to force me to install the viewer for that app? Because I want to view PDFs, but I have no interest in the associated security risks or bloat from throwing the kitchen sink into PDF functionality.

    1. Re:Can we always kill javascript? by characterZer0 · · Score: 4, Interesting

      Programatically clone a page to the end of the document.

      Calculate and fill fields based on the value entered into other fields.

      Update reference data from the web.

      There are good uses.

      --
      Go green: turn off your refrigerator.
    2. Re:Can we always kill javascript? by iamhigh · · Score: 5, Insightful

      And there are far better solutions than a PDF *display* application to accommodate all of those. Have an application that does that and spits out the PDF. That was the point of the OP; we don't need Adobe to be a be-all-end-all for computer programming. We simply need it to display data.

      --
      No comprende? Let me type that a little slower for you...
    3. Re:Can we always kill javascript? by bcrowell · · Score: 4, Insightful

      Because it's an open format, if Adobe doesn't "innovate" on it and stay king-of-the-hill, they will lose market share to other products that will embed movies and such. Adobe has to continue to innovate or they risk losing their status as the big cheese, and they make lots of money with Acrobat professional.

      Yep. They want flash, pdf, and AIR to be ubiquitous. This article shows their point of view: "What's wonderful for Adobe is, we are pretty much everywhere you look. [...] Just about every Web site uses Flash. Every tax form you download off the IRS is done in PDF. So it's OK if the average consumer does not know who Adobe is. We're almost like air." They want their suite of tools to be a ubiquitous consumer-level software tool like Windows, and they understand that if they're going to make money that way, they have to convince people that their tool is better than the free alternatives, just as MS has to convince people to desire Windows rather than Linux.

      Adobe is very clever about making their formats and implementations open enough to get them widely adopted, while maintaining their market position via a combination of (a) the first-move advantage when they release new features, and (b) keeping certain aspects of their formats and implementations just proprietary enough to maintain the perception that the competition isn't as good. You see it with flash, where they've opened up a lot recently, but for most developers there is really no viable alternative to using Adobe's tools. You see it with pdf, where they sell people snake oil, e.g., convincing them that the DRM features are useful, even though they're trivial to circumvent.

      One of the big things working in their favor is patents. E.g., flash supports mp3 but not ogg, which makes it difficult to make a legal, OSS toolchain for flash development, because the license for mp3 forbids distribution of encoders in large numbers without paying a royalty. Ditto for patented color management and patented video codecs. Any patented special sauce they can add to their apps makes it easier for them to differentiate themselves from the free competition.

      --
      Find free books.
  5. Why do PDF readers need Javascript? by serutan · · Score: 5, Funny

    Having never handled PDF documents except to read them, I wasn't even aware they could contain Javascript. I don't understand why they need to. Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

    1. Re:Why do PDF readers need Javascript? by Red+Flayer · · Score: 5, Funny

      Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

      That didn't sound so bad. Until I thought about stack overflow vulnerabilities.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  6. Re:Disabling Javascript is standard by OverlordQ · · Score: 4, Insightful

    And yet another person misses the point. It's not talking about JavaScript in your browser, it's talking about JavaScript in the Reader software. I guess it's a given that somebody with the uid of 317 didn't RTFA ;)

    --
    Your hair look like poop, Bob! - Wanker.
  7. Adobe Reader has more holes that swiss cheese by Manip · · Score: 4, Insightful

    Adobe seriously needs to get its act together. Adobe Reader is in the top 5 most exploited applications and we have a new "highly serious" bug getting released every month or so.

    It is slow, it is huge, and it is full of bugs... And it is entirely unjustified for an application designed to read a single file format!

  8. Re:Disabling Javascript is standard by RobBebop · · Score: 4, Informative

    Quite so... I didn't even realize that PDF's could run Java scripts...

    But now I've got a new hoop to jump through when I update a new computer:

    1. Launch Acrobat or Adobe Reader.
    2. Select Edit>Preferences
    3. Select the JavaScript Category
    4. Uncheck the âEnable Acrobat JavaScriptâ(TM) option
    5. Click OK

    Simple as that!

    --
    Support the 30 Hour Work Week!!!
  9. Re:Inevitable post recommending Foxit Reader by Rude+Turnip · · Score: 5, Informative

    The printing industry is heavily dependent upon PDF files in their workflow. PDF attachment via email has basically replaced the fax machine in any professional industry. The format offers everyone a standard format that will look exactly the same everywhere. And, I can create a single PDF from multiple source documents (spreadsheets & word processor docs).

    --
    Bill Clinton: Pimp we can believe in. - The Shirt!!!
  10. Re:Inevitable post recommending Foxit Reader by thePowerOfGrayskull · · Score: 4, Insightful

    All in all, I think Foxit Reader is nice, but slightly overrated. Adobe deserves their fair share of criticism, but they still deliver a more polished product.

    And without additional cost to you, that delivery includes a 60MB runtime footprint and two or three always-running updater applications!

  11. Re:Inevitable post recommending Foxit Reader by nine-times · · Score: 5, Insightful

    I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.

    Set up formatting and layout for your document in a way that should display the same way when you move transfer the file to another computer, and have it also look the same when you print it out. I mean, that's really what PDF is for, and it's very good for that purpose. Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.

    PDF is given a bad name by the slow, bloated application that most people view them on (Adobe Reader). It's not really ideal to treat them like web pages, but most of the dread you feel when you have to click on a link to a PDF is really more the fault of the reader than the format. If you have a good PDF viewer, they aren't slow to load and won't crash your browser.

  12. Re:This is a Zero-Day? by Red+Flayer · · Score: 4, Informative

    Perhaps you are confused as to what a zero-day exploit is. It means there were exploits in the wild prior to Adobe being aware of the vulnerability.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  13. Incessant Acrobat JavaScript nagging by Allen+Varney · · Score: 4, Interesting

    It's fine that Adobe recommends disabling JavaScript in Acrobat, but it would be nice if, once you disable JavaScript, Acrobat didn't thereupon constantly nag you to re-enable it "from now on for all documents" every time you open a .PDF. "It looks like you've disabled JavaScript! Can we please turn it back on forever, you poor ignorant dimwitted user you?"

  14. disabling js will not save you by Deanalator · · Score: 5, Informative

    Check out the stuff Immunity is selling.
    http://www.immunityinc.com/ceu-index.shtml

    They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.

    Also notice that immunity also has exploits for things like foxit reader, so switching your favorite pdf reader every week isn't going to save you either.

    The main problem here is that parsing pdf is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web based solution to view pdfs until adobe creates a lighter, more secure version of reader that contains nothing but the necessary plug-ins.

  15. Sumatra by Tubal-Cain · · Score: 5, Informative

    To provide a break from all the Foxit endorsements: Sumatra is open source, works well and is smaller than Foxit. Also, it is a stand-alone executable, not an installer. Now I just need to figure out how to set Continuous scrolling as default...

  16. Re:Kill Adobe reader, not java script by VeNoM0619 · · Score: 5, Informative

    Hate to tell you, but FoxIT has Javascript on by default.

    Edit, Preferences, "Enable JavaScript Actions" is checked by Default.

    And yes, this is default, because I just installed the software today to verify the many claims about "just install FoxIT" with no other information.

    --
    Disclaimer: I am not god.
    We may not be created equal
    But we can be treated equal.
  17. I purpose a new term by cyberfunkr · · Score: 4, Insightful

    "Negative-One-Day Exploit"

    Used to refer to exploits that have existed in the wild for a long time, known to be a easy access point for exploits by consumers, but have only just been announced as a critical threat by the application owners.

    As in, "Javascript in a PDF file? That's a negative-one-day exploit just waiting for a press release."