Adobe Warns of Reader, Acrobat Attack
itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."
I thought after so many vulnerabilities everyone had turned that off in Reader...
Why on earth do you need JavaScript in a PDF?
If you have to use Reader, ALWAYS disable JavaScript. It always seems like that's what these exploits use. Or use one of the many PDF reader alternatives.
This shit happens every other week now.
Eloi are stupid, throw morlocks at them!
Normally that would be my first response as a joke, but I begin to wonder if Adobe could affect anything that is not root-level (or admin level).
The Kai's Semi-Updated Website Thingy
Why is Reader being used in large-scale deployments? It's freeware-ish and gets no more support from Adobe than many of the other free pdf reader alternatives out there would get. I have Reader installed at my work without having Writer or Photoshop either.
This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window.
I've used Reader forever, and I never even noticed that there was a preferences dialog. There's 26 sub-dialogs, each with one or two dozen options, and (checking a few at random) I see several that look worthy of more investigation. Anyone know of any recommendations of where I should start?
Nothing for 6-digit uids?
Yikes! I hate acrobat attacks!
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
Either fix your javascript holes or disable it till you do.
Sincerely, A.C.
No one uses Adobe Reader for anything other than business PDF's.
Seriously, The launch time for a PDF off the web is too large for me to bother. First it's gotta download that 7 Meg file, then Adobe's gotta kick start, and then it doesn't let me highlight anything to keep me from copying and pasting.
Seriously - I have only ever seen PDF's used at work and at school, and anywhere else they exist usually aren't worth the bother.
So who are the people taking advantage of these vulnerabilities?
It is high time people stop using any pdf reader that uses javascript or opens external links or does anything other than simply render the document on screen. Editable pdf, where one can fill in the fields etc must be a separate application, not plugged into the browser. I feel safe with NoScript controlling FireFox. Hope someone comes up with a good general purpose sandboxer that will sandbox every plug-in.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I got a variation of worm on my machine, being dropped into a .bak file in the adobe directory. I was running 7.0 (somehow, I neglected to ever upgrade). I have since upgraded to 9.2, however, an alternative application seems like a good idea now.
Seems like deja vu, since this issue has cropped up before, what with everything from Adobe wanting to install (at least on Mac and Windows) with system level privileges and enable javascript by default. [Tell me again, how is javascript a desirable feature for this file type?]
Which makes it a good idea to use alternatives like Preview, and Skim (for OS X), as well as Foxit Reader for Windows.
It's not like there's a paucity of options to get away from Adobe's bloatware, no matter what OS you're running.
Some days it's just not worth
chewing through my restraints.
Separate your programs from your data, and your documents from your interactive media.
I want to delete my account but Slashdot doesn't allow it.
I use this instead: https://addons.mozilla.org/en-US/firefox/addon/7518
I was browsing a soft porn site and suddenly Acrobat launched, then crashed. So it looks like someone really is trying to use this. Since I use Acrobat 4, I think I'm safe from this. (I need a full version of Acrobat for DTP, and version 4 does the job, and quite quickly. If I need to open a later version file I use FoxIt.)
a DOCUMENT READER shouldn't be interpreting javascript.
Seriously. Web pages are interactive. Documents are meant to be read and maybe filled out. The only reason we need PDF is for stuff that needs to look the same on every screen and print out the way it looks. We don't need Javascript in them.
...was the last good Reader version, with the installer weighing in at a whopping 6MB. After that, feature creep turned it into insane bloatware. I'm willing to bet that 99.9% of PDFs out there are 5.x "compliant" and do not need these newer "features" we never really asked for in the first place.
Hey Adobe, are you listening? How about you give us JUST a Reader? I would say call it Reader Light, but you would probably get sued by many a beer company...
No.
Sincerely, Adobe
If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.
Yes because it's ok to buy something and not to bother making sure you're getting your money's worth.
Responsibility lies with management for not implementing some sort of quality control - ESPECIALLY when dealing with offshore outfits. It's called due diligence. But since a lot of managers only care about their paycheck and not the brand's reputation, etc., well, this crap happens. If the board are too busy figuring out how much to pay themselves on top of that, well, that's the corporate world in a nutshell.
Seven puppies were harmed during the making of this post.
Do we really need to make everything dynamic and interactive? Why do documents need scripting support? Why do emails need scripting support? We're blurring the line between documents and applications and security is suffering as a result. Are the benefits really worth it?
Yesterday morning, my system started up saying a new version of Acrobat reader was available. HOWEVER, reader_Sl.exe couldn't be found on my reader dir, plus I had it disabled in msconfig in the Startup tab.
How the hell did this thing startup? Adobe doesn't seem to make it easy to disable any pre-loader app on startup. Why does every software company insist on jamming this crap on everyone's system?
I would love to see Symantec, etc. list this as malware. After all, same symptoms (drains system resources), and was added w/o user consent, nor is it easy to remove.
I hate when acrobats attack. They're so freaking limber!
If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.
Nevertheless, the Adobe reader still (I'm sorry to say) does a noticeably better job of rendering PDFs than any of the FOSS alternatives I've tried on Linux. Especially if the PDF includes much in the way of text scanned at too low a DPI setting.
Isn't it high time that Adobe got its act together with this thing? Javascript attacks, the whole non-redacted-data text redaction "feature" that recently bit the TSA - I mean REALLY.
Come on Adobe, you can do better.
I'm a 2000 man.
I loaded a pdf in firefox and didn't see any options within the plugin menus for disabling javascript. Anyone know what to do with the plugins? I haven't used the stand alone reader in a while.
After being bitten by a PDF vulnerability before (I run as a normal user account so it didn't completely own my box and was fairly easy to clean up) I disabled the PDF plugin in Firefox. Now if I try to view a PDF I get an open/download request for the file rather than just opening automatically.
This way a site can't open any PDF files without me knowing.
It seems Adobe PDF reader is fast becoming the new IE in terms of web security.
I would love to see Symantec, etc. list this as malware
I would love to see Symantec listed as malware ... have you seen how difficult it is to actually uninstall that thing (completely), and what a piece of spamming shit it turns into once your free trial is over ?
Why does PDF reader need JavaScript support?
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
This has nothing to do with "web security" -- IE's problems are because it allows access for remote sites to local resources. It also has a lot of holes.
MIME types -- the things that enable launching Acrobat when a PDF file is encountered -- are used to determine how to display images, sounds etc. Surely you're not advocating disabling all MIME types, or confirming each one? You could have a plain text page with no images, sounds, etc and you'd never be surprised by things launching or displaying without your permission. You might as well use Lynx at that point.
No, he’s advocating disabling MIME types of particularly egregious known repeat offenders.
Opening PDFs in the browser is just an extra convenience anyway. When I click a link to a PDF, it automatically downloads to the desktop and I can open it from there, if I actually wanted to download and open the PDF. I don’t need it to load inside my browser (and if I didn’t expect it, I probably won’t appreciate having to wait for the plugin to load).
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Hold on, now, at some point, Adobe WAS a good product, until everybody found out ( did the hackers know way before??) that some javascript was not safe. Hell 3/4 of sites using js in their pages is unsafe, but don't do anything about it.
The reason why they need any js in there is beyond me, as I have never used any pdfs with js embedded....
but I am sure there is a reason, they should just take it out completely out of all their versions, and add an add-on utility that adds it back in, that way only the truly knowledged who need it will get it, then they are "use at your own risk crowd".
Why worry so much, your stocks won't go down if you take out js as a whole and fix 95% of Adobe vulnerabilities because of it. Stocks would go up, no???
Yes.
And the MIME type "application/x-executable" should enable the Operating System to execute the file.
Launching a proprietary application which is known to have lots of vulnerabilities to interpret data coming from an untrusted network has clearly nothing to do with security.
But as long as you can turn it off, there is no need to fall back to Lynx.
CERT has some suggestions for securing Adobe Reader here:
http://www.kb.cert.org/vuls/id/257117
Note that the above vulnerability note is not this particular vulnerability, but the same mitigations apply time and time again. The mitigations include:
- Enable DEP
- Disable JavaScript
- Disable automatic opening of PDF files by Internet Explorer
- Disable the displaying of PDF files in your web browser
You're right that management has to share responsibility. Off-shoring exposes management incompetency. If you get Off-shore programmers that lack experience because they were shoved through some quick schooling to meet demand then they simply won't be able to do the job right even if he were a local.
The manager should stop the shoddy product from coming out but he won't because he was never good at his job. The difference is when they had to hire locals at a decent wage they're more likely to be qualified enough to help cover up management incompetency.
Badly designed OS's let badly designed apps, do bad things.
From AcroRd32.exe's PE header:
Acrobat was linked with the /DYNAMICBASE and /NXCOMPAT linker options. This means that on Windows Vista and 7, the executable is loaded at a random address and NX is enabled. The DLLs are all loaded at random addresses too. Does the exploit still work with those countermeasures?
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
I've been running Sumatra PDF for the last year, and there's less drama.
The trouble with Adobe Reader is that Adobe keeps trying to make it into a proprietary web browser. It knows about links, it runs Javascript, and it has a DRM scheme. None of which are needed by 99.9+% of PDF documents. Forms are a bit more popular, but PDF forms are kind of lame anyway; you can fill them up, but they don't do anything.
Didn't this just happen last month? And the month before that?
When I first heard about a Javascript vulnerability in Acrobat, I tried to turn it off. It must have worked, because Acrobat complained EVERY F***ING TIME I opened it. Really annoying. I don't know if they've fixed that, but it almost seems to me like Adobe is trying to perpetuate the Javascript bugs not just by having it on by default, but by punishing you for turning it off.
I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
Acrobat 4.0 works fine.
Hi Xenophobia! Ever wondered how things are getting fixed so quickly now ?
Btw, Reader and Flash are the most widely available platforms today. It's pretty obvious that it would be targeted the most. I don't think I would be blaming management too much.
I keep hoping that the next big exploit to hit Adobe's crapware will be the one that either causes the company to come to its senses, or even causes almost everyone to abandon it.
It's almost like Adobe is on a quest to make the most horrible software ever conceived:
These things are just not acceptable from what is a simple helper utility. Adobe is doing it wrong.
Acrobat uses JavaScript for enhanced functionality. Where are the exploits coming from? Is there something wrong with the actual functions that Adobe is creating (lack of bounds checking, etc.)? Is the problem that the JavaScript engine they are using is full of holes (buffer overflows, etc.)?
In other words, to recycle an old meme, where's the beef?
in adobe and it requires a windows reboot. This is the most compressed conglomeration of fail I've ever seen (this week)!
Adobe needs to consider taking a class in computers.
How does one go about doing this? I cannot find Reader other than in my Add/Remove programs:
recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."