Slashdot Mirror


Adobe Warns of Reader, Acrobat Attack

itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."
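An added example, not code from the story, Adobe or Shadowserver: a small Python triage script that flags a PDF carrying embedded JavaScript or automatically run actions before anyone opens it, the kind of check a help desk can run on incoming attachments while the workaround is to keep JavaScript disabled in Reader. The indicator keys (/JavaScript, /JS, /OpenAction, /AA, /Launch) are standard PDF dictionary keys; the sample PDF is constructed inline, and the function names are my own.

```python
import re
import zlib

# PDF names may escape any byte as #xx, so /J#61vaScript and /JavaScript are the
# same name; obfuscated files rely on this. Normalise before searching.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# stream ... endstream bodies; the lookbehind stops "endstream" matching "stream".
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)

# PDF delimiter characters end a name, so /JS does not match /JSomething.
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"

# Keys from the PDF specification that mark scripts or automatically run actions.
INDICATORS = {
    "JavaScript": "JavaScript action or name-tree entry",
    "JS": "script text or stream referenced by an action",
    "OpenAction": "action run as soon as the document opens",
    "AA": "additional actions (page open/close, form-field events)",
    "Launch": "launch action that starts an external program",
}
_PATTERNS = {k: re.compile(rb"/" + k.encode() + _NAME_END) for k in INDICATORS}


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so name matching is not fooled by them."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the inflated contents of every FlateDecode stream in the file.

    Streams that are not zlib data (other filters, damaged data, plain text)
    are skipped: plain-text streams are already visible in the raw bytes.
    """
    pieces = []
    for m in STREAM.finditer(data):
        try:
            pieces.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(pieces)


def scan_pdf(data: bytes) -> dict:
    """Count each indicator in the raw file plus its inflated streams."""
    text = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    return {k: len(p.findall(text)) for k, p in _PATTERNS.items() if p.search(text)}


def triage(data: bytes) -> str:
    """'script' if JavaScript is present, 'auto-action' if only automatic
    actions are, otherwise 'clean' (no active content found by this heuristic)."""
    found = scan_pdf(data)
    if "JavaScript" in found or "JS" in found:
        return "script"
    return "auto-action" if found else "clean"


def build_sample_pdf(with_script: bool = True) -> bytes:
    """Constructed sample, not a real-world file: a one-page PDF. With
    with_script=True the catalog's OpenAction points at a JavaScript action
    whose action name is #-escaped and whose script body sits in a
    Flate-compressed stream, mimicking how obfuscated documents hide it.
    No xref table is written; the scanner does not need one."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 4 0 R" if with_script else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    if with_script:
        script = zlib.compress(b"app.alert('constructed sample');")
        objs.append(b"<< /S /J#61vaScript /JS 5 0 R >>")
        objs.append(b"<< /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream" % (len(script), script))
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, pdf in (("scripted", build_sample_pdf()), ("plain", build_sample_pdf(False))):
        found = scan_pdf(pdf)
        print(label, triage(pdf), {k: (n, INDICATORS[k]) for k, n in found.items()})
```

This is a heuristic, not a parser: it does not decrypt encrypted PDFs, does not decode non-Flate filters, and will miss scripts tucked into object streams that use them. A "script" verdict also does not mean the file is malicious, since fillable forms legitimately carry JavaScript; it means the file should be opened only with scripting disabled or in a viewer that has no JavaScript engine at all.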

32 of 195 comments

  1. Anyone still has JavaScript enabled? by Anonymous Coward · · Score: 5, Funny

    I thought after so many vulnerabilities everyone had turned that off in Reader...

    1. Re:Anyone still has JavaScript enabled? by jasonwc · · Score: 4, Interesting

      I agree. These security vulnerabilities appear to be a weekly occurrence. Anyone that hasn't disabled Javascript in Reader/Acrobat at this point either doesn't care about the numerous vulnerabilities or doesn't understand the risks involved.

      The bigger question is why Adobe doesn't just disable Javascript by default. I have never used a PDF that required Javascript and I've dealt with a number of user-fillable forms. So, what exactly is Javascript being used for? I know that it has some use. However, it seems that the security risk is far greater than any potential benefit of the "feature".

    2. Re:Anyone still has JavaScript enabled? by maxume · · Score: 2, Insightful

      And then someone who is paying you money sends you a pdf and expects you to make comments using Adobe's proprietary comment system.

      --
      Nerd rage is the funniest rage.
    3. Re:Anyone still has JavaScript enabled? by wkk2 · · Score: 3, Interesting

      JavaScript in PDFs has always been trouble. I use forms that auto complete, add columns, etc. A compromise might be a default of prompt before running scripts with a recommend/default of "no". I'd always click "no" unless I trusted the source. Since that would marginalize the product it will probably never happen. I wish I had never upgraded from 4.

    4. Re:Anyone still has JavaScript enabled? by Zumbs · · Score: 3, Informative
      --
      The truth may be out there, but lies are inside your head
    5. Re:Anyone still has JavaScript enabled? by jasonwc · · Score: 5, Insightful

      Somewhat ironic, isn't it? If you want to use Adobe's security features (digital signing/encryption) and 3rd party software to achieve SOX compliance - you must accept security vulnerabilities from Acrobat/Reader itself.

    6. Re:Anyone still has JavaScript enabled? by digitalhermit · · Score: 2, Interesting

      It's easy enough to disable, but every time a doc gets loaded with embedded JS, the reader will prompt to enable it with a message saying something like "the document may not display correctly" without it enabled. Clicking the "yes" will then re-enable it. The problem with this approach is that we get so many warnings that people may automatically start enabling JS accidentally.

  2. Javascript Again by Anonymous Coward · · Score: 4, Informative

    If you have to use Reader, ALWAYS disable Javascript. It always seems like that's what these exploits use. Or use one of the many PDF reader alternatives.

    1. Re:Javascript Again by gad_zuki! · · Score: 2, Insightful

      What bothers me about this is that once it's disabled it just prompts you to enable it once it senses a JS PDF. The end user, if he or she has rights (and they do at home), just clicks another OK box instead of being forced to go into preferences and turn it back on. Once that's clicked it runs the JS and the exploit. It's ridiculous it's even on by default, let alone this UI stupidity.

      The next version of Acrobat should just have it off by default. Force people to turn it on. Chances are 99.9% of users have no legitimate reason for a JS PDF.

    2. Re:Javascript Again by JeffSpudrinski · · Score: 2, Interesting

      I have javascript disabled at each user login on our network (through the logon script), just in case someone has re-enabled it when their system was last logged on. I haven't found a way to totally lock it out yet.

      The huge problem is that Adobe offers to enable javascript for users when they open a PDF with Javascript in it. It displays a message along the lines of "you're not seeing everything here unless you enable javascript...click here to enable it" with a big friendly "YES" button. Kind of defeats the purpose when it's made so easy for users to re-enable.

      I warn users not to enable it, but most either don't care or don't pay attention...and at least 80% of them will always click "YES" or "OK" just to get a message box to go away without reading it. (Invariably followed by a tech call stating "I clicked OK on something...what's wrong with it and why don't you know off the top of your head what I did wrong?")

      Nice of Adobe to make it so helpful and user-friendly to re-enable the most dangerous part of their software.

      -JJS

  3. Does it run Linux? by filesiteguy · · Score: 2, Interesting

    Normally that would be my first response as a joke, but I begin to wonder if Adobe could affect anything that is not root-level (or admin level).

  4. Acrobat attack. by NoYob · · Score: 5, Funny
    They're horrible. You have guys flipping and attacking you with their feet while standing on their hands. You have two other guys with one sitting on the other's shoulders while they punch down on you. You try to fight back and they just do backflips away or jump and balance on some pole way above your head.

    Yikes! I hate acrobat attacks!

    --
    It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
  5. Re:Preferences? by Killer+Orca · · Score: 4, Funny

    Wherever it says 'Uninstall'

  6. Why javascript in a pdf reader? by 140Mandak262Jamuna · · Score: 3, Interesting

    It is high time people stop using any pdf reader that uses javascript or opens external links or does anything other than simply render the document on screen. Editable pdf, where one can fill in the fields etc., must be a separate application, not plugged into the browser. I feel safe with NoScript controlling Firefox. Hope someone comes up with a good general purpose sandboxer that will sandbox every plug-in.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Why javascript in a pdf reader? by StuartHankins · · Score: 3, Interesting
      The companies which require this functionality have already decided to use the market leader's product. Since you have absolutely no way of convincing them all to switch to something else, perhaps you should be the one to look for alternative solutions.

      You had a niche application, WYSISWYPrint. Try to compete with the swift, quick to load, quick to render competition or you will be lost in the netherworld between browsers and pdf renderers.

      If anything, the PDF standard is increasing usage worldwide. PDF is a very well documented standard -- I speak as someone who wrote a program to create PDF files with images and form fields from scratch using VB 6 with no plugins -- so go ahead and create your own reader, market it and make it the #1. Nothing's stopping you.

  7. Limit permissions and seek alternatives? by oDDmON+oUT · · Score: 2, Informative

    Seems like deja vu, since this issue has cropped up before, what with everything from Adobe wanting to install (at least on Mac and Windows) with system level privileges and enable javascript by default. [Tell me again, how is javascript a desirable feature for this file type?]

    Which makes it a good idea to use alternatives like Preview, and Skim (for OS X), as well as Foxit Reader for Windows.

    It's not like there's a paucity of options to get away from Adobe's bloatware, no matter what OS you're running.

    --
    Some days it's just not worth
    chewing through my restraints.
    1. Re:Limit permissions and seek alternatives? by oDDmON+oUT · · Score: 3, Informative

      Replying to my own last line as an informational thing:

      http://en.wikipedia.org/wiki/List_of_PDF_software

      --
      Some days it's just not worth
      chewing through my restraints.
  8. Don't cross streams by Gothmolly · · Score: 3, Insightful

    Separate your programs from your data, and your documents from your interactive media.

    --
    I want to delete my account but Slashdot doesn't allow it.
  9. Re:Really... by Monkeedude1212 · · Score: 3, Insightful

    To send an email after filling out a form and clicking submit in a PDF.

    Honestly - It's not really like the Adobe reader has the vulnerability, it's just javascript in general. I mean it's not great that the reader will execute the code just by opening the file - but now that you know it does that, is it really the reader's fault? Isn't the user executing the code as if he were clicking a button now?

  10. seen it, I think by 1u3hr · · Score: 2, Informative

    I was browsing a soft porn site and suddenly Acrobat launched, then crashed. So it looks like someone really is trying to use this. Since I use Acrobat 4, I think I'm safe from this. (I need a full version of Acrobat for DTP, and version 4 does the job, and quite quickly. If I need to open a later version file I use FoxIt.)

    1. Re:seen it, I think by StuartHankins · · Score: 3, Informative

      Sounds like you need NoScript and AdBlock.

  11. Re:BUT WAIT!!!! by betterunixthanunix · · Score: 3, Interesting

    Acrobat and Reader are bloated. Try something a little lighter like XPDF or Okular.

    --
    Palm trees and 8
  12. Re:Adobe still used why? by COMON$ · · Score: 2, Interesting

    I would love a good alternative personally. All my users do is read the PDFs and we use PDFCreator for merging documents. I just haven't found one that seems to be solid enough for the enterprise push. Any recommendations from people who have made the switch? I am getting tired of patching every 5 minutes.

    --
    CS: It is all sink or swim...oh and did I mention there are sharks in that water?
  13. Re:BUT WAIT!!!! by jasonwc · · Score: 2, Interesting

    Half of my readings in Law School are scanned documents/books in PDF format. Many of the documents are 25-40 MB in size and several hundred pages. I find that PDFs actually load very quickly - much faster than a similarly sized Word or Open Office document, and easier to read. Of course, you can use any PDF reader and not just Adobe Reader/Acrobat.

    On my Core 2 Duo and Core i7 systems, I can open PDFs pretty much instantaneously (less than 0.5 seconds). The only delay is the download. Thankfully, this is one area where Comcast's 25 Mbit "Speedboost" actually comes in handy. At school, being able to download at 100 Mbit/sec makes the files load even faster. The only issue is that Adobe Reader sometimes stalls and I have to try again. However, I find the Adobe reader plugin to generally work better than the alternatives, and I like the full screen reader. I've used Foxit for the tab support but I prefer Reader for its menu layout simplicity when I don't need many documents open.

  14. Re:Preferences? by ByOhTek · · Score: 2, Insightful

    or Here

    Both are good places to start. You can end at the other.

    Although, Foxit has added the Ass - err, Ask toolbar, which sucks. Fortunately you can not agree to the toolbar's terms, and it won't install (but Foxit will still install)

    --
    Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
  15. Re:Look at the Acrobat Reader credits. by Dunbal · · Score: 3, Insightful

    If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.

          Yes because it's ok to buy something and not to bother making sure you're getting your money's worth.

          Responsibility lies with management for not implementing some sort of quality control - ESPECIALLY when dealing with offshore outfits. It's called due diligence. But since a lot of managers only care about their paycheck and not the brand's reputation, etc., well, this crap happens. If the board are too busy figuring out how much to pay themselves on top of that, well, that's the corporate world in a nutshell.

    --
    Seven puppies were harmed during the making of this post.
  16. Re:Preferences? by clone53421 · · Score: 3, Informative

    You could try the Edit -> Preferences -> JavaScript window. Here, I’ll make a little instruction sheet for you.

    http://img38.imagefra.me/img/img38/1/12/15/clone53421/f_viwjj0m_1729695.jpg

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  17. Re:Really... by kbielefe · · Score: 3, Insightful

    Not that I don't trust myself, but this is really not the time to solicit javascript-enabled pdfs from strangers.

    --
    This space intentionally left blank.
  18. Re:Why need to view PDFs inline in the browser any by clone53421 · · Score: 2, Informative

    No, he’s advocating disabling MIME types of particularly egregious known repeat offenders.

    Opening PDFs in the browser is just an extra convenience anyway. When I click a link to a PDF, it automatically downloads to the desktop and I can open it from there, if I actually wanted to download and open the PDF. I don’t need it to load inside my browser (and if I didn’t expect it, I probably won’t appreciate having to wait for the plugin to load).

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  19. Re:Preferences? by Anonymous Coward · · Score: 2, Funny

    Oh, thanks. That's nice and all but my company blocks all JPG images. Could I get that in a PDF?

  20. Re:Really... by Deagol · · Score: 3, Interesting

    > A spreadsheet app is also substantially larger than a PDF reader.

    This *is* Adobe we're talking about here. For grins, I just installed Adobe Reader 9.2 and Gnumeric 1.9.16 on an XP VM, and for the informal survey of the "Program Files" directory, Adobe (203MB) weighs in at almost twice that of Gnumeric (106MB).

    I vote for using the best app for the job. In the case of this thread, I wholeheartedly think the spreadsheet is that tool.

  21. Re:Really... by lahvak · · Score: 3, Interesting

    No, PDF format is a crippled postscript. It was intentionally crippled so it will NOT be a language, because distributing documents written in a programming language was not secure. Then they realized they crippled it too much, and added javascript to it. It is an improvement, since the scripts are localized in the document, easier to identify, they can be disabled if you want to, etc.

    I think in general having scripting language embedded into an interactive document format is a good idea, however, it seems that Adobe's implementation is rather buggy and badly designed.

    --
    AccountKiller