Adobe Warns of Reader, Acrobat Attack
itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."
I thought after so many vulnerabilities everyone had turned that off in Reader...
Why on earth do you need JavaScript in a PDF?
If you have to use Reader, ALWAYS disable Javascript. It always seems like that's what these exploits use. Or use one of the many PDF reader alternatives.
This shit happens every other week now.
Eloi are stupid, throw morlocks at them!
Normally that would be my first response as a joke, but I begin to wonder if Adobe could affect anything that is not root-level (or admin level).
The Kai's Semi-Updated Website Thingy
Why is Reader being used in large-scale deployments? It's freeware-ish and gets no more support from Adobe than many of the other free pdf reader alternatives out there would get. I have Reader installed at my work without having Writer or Photoshop either.
This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window.
I've used Reader forever, and I never even noticed that there was a preferences dialog. There's 26 sub-dialogs, each with one or two dozen options, and (checking a few at random) I see several that look worthy of more investigation. Anyone know of any recommendations of where I should start?
Nothing for 6-digit uids?
Yikes! I hate acrobat attacks!
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
No one uses Adobe Reader for anything other than business PDFs.
Seriously, The launch time for a PDF off the web is too large for me to bother. First it's gotta download that 7 Meg file, then Adobe's gotta kick start, and then it doesn't let me highlight anything to keep me from copying and pasting.
Seriously - I have only ever seen PDFs used at work and at school, and anywhere else they exist usually aren't worth the bother.
So who are the people taking advantage of these vulnerabilities?
It is high time people stop using any pdf reader that uses javascript or opens external links or does anything other than simply render the document on screen. Editable pdf, where one can fill in the fields etc must be a separate application, not plugged into the browser. I feel safe with NoScript controlling FireFox. Hope someone comes up with a good general purpose sandboxer that will sandbox every plug-in.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Seems like deja vu, since this issue has cropped up before, what with everything from Adobe wanting to install (at least on Mac and Windows) with system level privileges and enable javascript by default. [Tell me again, how is javascript a desirable feature for this file type?]
Which makes it a good idea to use alternatives like Preview, and Skim (for OS X), as well as Foxit Reader for Windows.
It's not like there's a paucity of options to get away from Adobe's bloatware, no matter what OS you're running.
Some days it's just not worth chewing through my restraints.
Separate your programs from your data, and your documents from your interactive media.
I want to delete my account but Slashdot doesn't allow it.
I use this instead: https://addons.mozilla.org/en-US/firefox/addon/7518
I was browsing a soft porn site and suddenly Acrobat launched, then crashed. So it looks like someone really is trying to use this. Since I use Acrobat 4, I think I'm safe from this. (I need a full version of Acrobat for DTP, and version 4 does the job, and quite quickly. If I need to open a later version file I use FoxIt.)
a DOCUMENT READER shouldn't be interpreting javascript.
Seriously. Web pages are interactive. Documents are meant to be read and maybe filled out. The only reason we need PDF is for stuff that needs to look the same on every screen and print out the way it looks. We don't need Javascript in them.
Adobe Acrobat 5.x was still kind of bloated. Even on machines nowadays it'll still take a few seconds to boot up - with that annoying little splash screen of some guy prancing about with a few office complexes in the background.
I've never used just the 5.x reader before, where would you even GET that...
If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.
Yes because it's ok to buy something and not to bother making sure you're getting your money's worth.
Responsibility lies with management for not implementing some sort of quality control - ESPECIALLY when dealing with offshore outfits. It's called due diligence. But since a lot of managers only care about their paycheck and not the brand's reputation, etc., well, this crap happens. If the board are too busy figuring out how much to pay themselves on top of that, well, that's the corporate world in a nutshell.
Seven puppies were harmed during the making of this post.
Do we really need to make everything dynamic and interactive? Why do documents need scripting support? Why do emails need scripting support? We're blurring the line between documents and applications and security is suffering as a result. Are the benefits really worth it?
I hate when acrobats attack. They're so freaking limber!
If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.
Nevertheless, the Adobe reader still (I'm sorry to say) does a noticeably better job of rendering PDFs than any of the FOSS alternatives I've tried on Linux. Especially if the PDF includes much in the way of text scanned at too low a DPI setting.
Isn't it high time that Adobe got its act together with this thing? Javascript attacks, the whole non-redacted-data text redaction "feature" that recently bit the TSA - I mean REALLY.
Come on Adobe, you can do better.
I'm a 2000 man.
I loaded a pdf in firefox and didn't see any options within the plugin menus for disabling javascript. Anyone know what to do with the plugins? I haven't used the stand alone reader in a while.
After being bitten by a PDF vulnerability before (I run as a normal user account so it didn't completely own my box and was fairly easy to clean up) I disabled the PDF plugin in Firefox. Now if I try to view a PDF I get an open/download request for the file rather than just opening automatically.
This way a site can't open any PDF files without me knowing.
It seems Adobe PDF reader is fast becoming the new IE in terms of web security.
A few seconds? On a modern machine I can load a 100 page scanned PDF in Adobe Acrobat in under 0.5 seconds (perceptibly instant with Aero) with Acrobat 9.0.2 on a Core 2 Duo/Core i7. Are you using a slow machine?
I would love to see Symantec, etc list this as malware
I would love to see Symantec listed as malware ... have you seen how difficult it is to actually uninstall that thing (completely), and what a piece of spamming shit it turns into once your free trial is over?
Why does PDF reader need JavaScript support?
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
On a Core 2 Duo, 1 Gig RAM on an XP, 20 page PDF takes on average 4 to 5 seconds to load. This is just the full install of Adobe Acrobat 5.0
Agreed. I went from 5 to 9 and wow what a shock. Although I have to admit the last patch helped tremendously (it was suffering from really poor load times).
And, Adobe, get rid of that stupid FNPLicensingService.exe spyware that tries to run constantly in the background. I detest the idea of not being trusted when I *PAID* for the damn software!
This may be a difference between Windows 7 and Windows XP. Superfetch in Windows 7 loads the binary into RAM after first run - or if it's a commonly used program - automatically. Therefore, I'm almost always running the program from RAM.
However, even on the initial start, it doesn't take more than 1-2 seconds. I haven't used Acrobat 5.0 in such a long time. Perhaps Reader loads faster.
Foxit Reader loads very quickly as well.
This has nothing to do with "web security" -- IE's problems are because it allows access for remote sites to local resources. It also has a lot of holes.
MIME types -- the things that enable launching Acrobat when a PDF file is encountered -- are used to determine how to display images, sounds etc. Surely you're not advocating disabling all MIME types, or confirming each one? You could have a plain text page with no images, sounds, etc and you'd never be surprised by things launching or displaying without your permission. You might as well use Lynx at that point.
No, he’s advocating disabling MIME types of particularly egregious known repeat offenders.
Opening PDFs in the browser is just an extra convenience anyway. When I click a link to a PDF, it automatically downloads to the desktop and I can open it from there, if I actually wanted to download and open the PDF. I don’t need it to load inside my browser (and if I didn’t expect it, I probably won’t appreciate having to wait for the plugin to load).
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Hold on, now, at some point, Adobe WAS a good product, until everybody found out (did the hackers know way before??) that some javascript was not safe. Hell 3/4 of sites using js in their pages is unsafe, but don't do anything about it.
The reason why they need any js in there is beyond me, as I have never used any pdfs with js embedded....
but I am sure there is a reason, they should just take it completely out of all their versions, and add an add-on utility that adds it back in, that way only the truly knowledged who need it will get it, then they are "use at your own risk crowd".
Why worry so much, your stocks won't go down if you take out js as a whole and fix 95% of Adobe vulnerabilities because of it. Stocks would go up, no???
CERT has some suggestions for securing Adobe Reader here:
http://www.kb.cert.org/vuls/id/257117
Note that the above vulnerability note is not this particular vulnerability, but the same mitigations apply time and time again. The mitigations include:
- Enable DEP
- Disable JavaScript
- Disable automatic opening of PDF files by Internet Explorer
- Disable the displaying of PDF files in your web browser
You're right that management has to share responsibility. Off-shoring exposes management incompetency. If you get Off-shore programmers that lack experience because they were shoved through some quick schooling to meet demand then they simply won't be able to do the job right even if he were a local.
The manager should stop the shoddy product from coming out but he won't because he was never good at his job. The difference is when they had to hire locals at a decent wage they're more likely to be qualified enough to help cover up management incompetency.
Badly designed OS's let badly designed apps do bad things.
From AcroRd32.exe's PE header:
Acrobat was linked with the /DYNAMICBASE and /NXCOMPAT linker options. This means that on Windows Vista and 7, the executable is loaded at a random address and NX is enabled. The DLLs are all loaded at random addresses too. Does the exploit still work with those countermeasures?
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
I've been running Sumatra PDF for the last year, and there's less drama.
The trouble with Adobe Reader is that Adobe keeps trying to make it into a proprietary web browser. It knows about links, it runs Javascript, and it has a DRM scheme. None of which are needed by 99.9+% of PDF documents. Forms are a bit more popular, but PDF forms are kind of lame anyway; you can fill them up, but they don't do anything.
Didn't this just happen last month? And the month before that?
When I first heard about a Javascript vulnerability in Acrobat, I tried to turn it off. It must have worked, because Acrobat complained EVERY F***ING TIME I opened it. Really annoying. I don't know if they've fixed that, but it almost seems to me like Adobe is trying to perpetuate the Javascript bugs not just by having it on by default, but by punishing you for turning it off.
I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
Acrobat 4.0 works fine.
I keep hoping that the next big exploit to hit Adobe's crapware will be the one that either causes the company to come to its senses, or even causes almost everyone to abandon it.
It's almost like Adobe is on a quest to make the most horrible software ever conceived:
These things are just not acceptable from what is a simple helper utility. Adobe is doing it wrong.
Acrobat uses JavaScript for enhanced functionality. Where are the exploits coming from? Is there something wrong with the actual functions that Adobe is creating (lack of bounds checking, etc.)? Is the problem that the JavaScript engine they are using is full of holes (buffer overflows, etc.)?
In other words, to recycle an old meme, where's the beef?
What OS? When I disabled JS in Win 7 x64, it didn't ask that I restart the OS or even the application for that matter! I'm pretty sure I had the same behavior in XP. Are you sure the restart was related to changing the setting rather than some OS update? I find that very bizarre.