Slashdot Mirror


Adobe Confirms PDF Zero-Day, Says Kill JavaScript

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A 'Bugtraq ID,' or BID number, has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"

10 of 211 comments

  1. Y'know... by Mr. DOS · Score: 5, Insightful

    ...maybe it's about the same time Adobe did to JavaScript in Reader as Microsoft did to macros in Excel and Word, oh, about a decade ago? Leave them disabled until the user approves them for a specific document.

    It's a flawed solution: the user will still be the weakest link, but it's better than having it always on all the time by default.

    --
    Mr. DOS

  2. Why do PDF readers need Javascript? by serutan · Score: 5, Funny

    Having never handled PDF documents except to read them, I wasn't even aware they could contain Javascript. I don't understand why they need to. Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

    1. Re:Why do PDF readers need Javascript? by Red Flayer · Score: 5, Funny

      Jeez, are we going to get to the point where it's not safe to go to the bathroom because the toilet can execute Javascript?

      That didn't sound so bad. Until I thought about stack overflow vulnerabilities.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai

  3. Re:Inevitable post recommending Foxit Reader by Rude Turnip · Score: 5, Informative

    The printing industry is heavily dependent upon PDF files in their workflow. PDF attachment via email has basically replaced the fax machine in any professional industry. The format offers everyone a standard format that will look exactly the same everywhere. And, I can create a single PDF from multiple source documents (spreadsheets & word processor docs).

  4. Re:Inevitable post recommending Foxit Reader by nine-times · Score: 5, Insightful

    I can't even think of a good example of something you can do with a PDF that you can't do with a properly designed web page or an RTF document.

    Set up formatting and layout for your document in a way that should display the same way when you transfer the file to another computer, and have it also look the same when you print it out. I mean, that's really what PDF is for, and it's very good for that purpose. Neither HTML nor RTF can really even do complex layouts with embedded images in a single file.

    PDF is given a bad name by the slow, bloated application that most people view them on (Adobe Reader). It's not really ideal to treat them like web pages, but most of the dread you feel when you have to click on a link to a PDF is really more the fault of the reader than the format. If you have a good PDF viewer, they aren't slow to load and won't crash your browser.

  5. Re:Ditch Acrobat... by wiredlogic · Score: 5, Interesting

    For whatever stupid reason, Adobe thought it would be useful to have scripts in PDF files. I disabled it ages ago, but I still run it elsewhere on the web.

    Which is ironic since PDF was originally designed to be a reduced, non-Turing complete version of Postscript partly for the safety of a restricted interpreter.

    --
    I am becoming gerund, destroyer of verbs.

  6. Re:Can we always kill javascript? by iamhigh · Score: 5, Insightful

    And there are far better solutions than a PDF *display* application to accommodate all of those. Have an application that does that and spits out the PDF. That was the point of the OP; we don't need Adobe to be a be-all-end-all for computer programming. We simply need it to display data.

    --
    No comprende? Let me type that a little slower for you...

  7. disabling js will not save you by Deanalator · Score: 5, Informative

    Check out the stuff Immunity is selling.
    http://www.immunityinc.com/ceu-index.shtml

    They crafted a totally reliable exploit for the jbig2 vuln without needing javascript. Javascript gives you the option to use things like heap spray, which can be really useful for exploitation, but not necessary.

    Also notice that Immunity has exploits for things like Foxit Reader, so switching your favorite pdf reader every week isn't going to save you either.

    The main problem here is that parsing pdf is hard. Even the ones that created the format can't do it right. My suggestion would be to use a web based solution to view pdfs until adobe creates a lighter, more secure version of reader that contains nothing but the necessary plug-ins.
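
    The thread turns on two points: PDFs can carry JavaScript (comment 2), and some of the bugs sit in non-script parsers such as the JBIG2 image decoder (comment 7), so turning JavaScript off is necessary but not sufficient. A defender triaging incoming PDFs wants to know which of those features a file actually uses before it ever reaches a reader. The scanner below is an added example, not code from Slashdot, the commenters, Adobe or Immunity. It looks for the PDF dictionary names /JavaScript, /JS, /OpenAction and /JBIG2Decode, resolves #xx hex escapes in names (a naive grep misses /J#61vaScript) and inflates FlateDecode streams so that keys inside compressed objects are seen too. The two PDFs it scans are constructed inline; the indicator list is a minimal choice for illustration and is not a complete inventory of active-content keys.

```python
import re
import zlib

# PDF dictionary keys that mark active content or the JBIG2 image filter.
# /JavaScript and /JS carry scripts, /OpenAction fires an action as soon as
# the file opens, /JBIG2Decode selects the image decoder that comment 7 says
# was exploited without any JavaScript at all. Illustrative list, not complete.
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/JBIG2Decode")

# A PDF name: a slash followed by regular characters; #xx is a hex escape.
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
# A stream dictionary (one level of nesting allowed) followed by the stream
# keyword; the stream data starts right after the EOL that follows it.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
# Direct /Length value (ignores indirect references such as /Length 6 0 R).
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")


def normalize_name(raw: bytes) -> bytes:
    """Resolve #xx hex escapes so J#61vaScript compares equal to JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def names_in(data: bytes) -> set:
    """All PDF names in data, with hex escapes resolved."""
    return {b"/" + normalize_name(m.group(1)) for m in NAME_RE.finditer(data)}


def decoded_streams(data: bytes) -> list:
    """Return the payload of every stream, inflating FlateDecode streams."""
    out = []
    for m in STREAM_RE.finditer(data):
        start = m.end()
        length = LENGTH_RE.search(m.group(1))
        if length:
            body = data[start:start + int(length.group(1))]
        else:  # no direct /Length: fall back to the endstream keyword
            end = data.find(b"endstream", start)
            body = data[start:end if end != -1 else len(data)]
        if b"/FlateDecode" in names_in(m.group(1)):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or not really zlib: scan the raw bytes instead
        out.append(body)
    return out


def scan_pdf(data: bytes) -> dict:
    """Map each indicator found to where it was seen ('body' or 'stream#N')."""
    hits = {}

    def record(names, where):
        for ind in INDICATORS:
            if ind in names:
                hits.setdefault(ind, set()).add(where)

    record(names_in(data), "body")
    for i, body in enumerate(decoded_streams(data)):
        record(names_in(body), f"stream#{i}")
    return hits


def build_sample_pdf() -> bytes:
    """Constructed sample (not a real file): the catalog's /OpenAction points at
    a JavaScript action whose type name is hex-escaped, and a second,
    Flate-compressed object hides another /JS entry."""
    compressed = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hidden')) >>")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"4 0 obj << /S /J#61vaScript /JS (app.alert('visible')) >> endobj\n"
        b"5 0 obj << /Length " + str(len(compressed)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + compressed
        + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def build_clean_pdf() -> bytes:
    """Constructed sample with no active content at all."""
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("sample", build_sample_pdf()), ("clean", build_clean_pdf())):
        hits = scan_pdf(pdf)
        print(label, "->", {k.decode(): sorted(v) for k, v in hits.items()} or "no indicators")
```

    Run against a real file with `scan_pdf(open(path, "rb").read())`. A hit is a reason to open the file in a viewer with JavaScript disabled (or not at all), not proof of malice: forms legitimately use /JS, and /JBIG2Decode is an ordinary filter for scanned bilevel images. Object streams (/ObjStm) and filters other than Flate are not unpacked here, so a clean result from this scanner is weaker evidence than a hit.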

  8. Sumatra by Tubal-Cain · Score: 5, Informative

    To provide a break from all the Foxit endorsements: Sumatra is open source, works well and is smaller than Foxit. Also, it is a stand-alone executable, not an installer. Now I just need to figure out how to set Continuous scrolling as default...

  9. Re:Kill Adobe reader, not java script by VeNoM0619 · Score: 5, Informative

    Hate to tell you, but FoxIT has Javascript on by default.

    Edit, Preferences, "Enable JavaScript Actions" is checked by Default.

    And yes, this is default, because I just installed the software today to verify the many claims about "just install FoxIT" with no other information.

    --
    Disclaimer: I am not god.
    We may not be created equal
    But we can be treated equal.