
Rogue PDFs Behind 80% of Exploits In Q4 '09

CWmike writes "Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, ScanSafe announced that by its counting, malicious Adobe Reader documents made up 80% of all exploits at the end of 2009. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. Mary Landesman, a ScanSafe senior security researcher, said, 'Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits.' Exactly why hackers choose Adobe as their prime target is tougher to divine, however. 'Perhaps they are more successful,' she said. 'Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"

189 comments

  1. How about by Anonymous Coward · · Score: 0

    How about "Adobe Reader is the only relevant PDF reader on the market"? Is it really that hard to understand?

    1. Re:How about by God'sDuck · · Score: 4, Informative

      The article does not say "80% of PDF exploits," it says "80% of ALL SOFTWARE exploits."

    2. Re:How about by Anonymous Coward · · Score: 0

      How about "We don't need a stinkin' Adobe Reader on non-Windows platforms"? Is it really that hard to understand?

    3. Re:How about by Anonymous Coward · · Score: 0

      I beg to differ.
      Foxit Software's Reader is pretty well known now, and has been mentioned on Slashdot numerous times over the past year or so, when there's been articles involving PDF's.

    4. Re:How about by Anonymous Coward · · Score: 1, Insightful

      Yeah it's known to a bunch of nerds but in the real world everyone uses Adobe reader.

    5. Re:How about by Anonymous Coward · · Score: 0
    6. Re:How about by Anonymous Coward · · Score: 0

      Foxit is a buggy piece of crap.

    7. Re:How about by sopssa · · Score: 1

      Uh, no one needs Adobe Reader on any platform. There are plenty of alternatives and Foxit is probably the best one (and isn't as bloated as Adobe's)

    8. Re:How about by Anonymous Coward · · Score: 0

      And in the Mac world nobody uses Adobe Reader because Mac OS X can open PDFs and "print" to PDF natively.

    9. Re:How about by Anonymous Coward · · Score: 0

      Why should I even consider using reader when my mac comes with a perfectly good postscript/PDF tool out of the box. Your statement is only true in the windows environment where Ghostscript is the only alternative and Ghostscript is a major PITA

    10. Re:How about by Anonymous Coward · · Score: 0

      who cares, non-windows desktop platforms are just as relevant as non-adobe pdf readers. aka not at all. you can use your inferior readers all you want on your openbsd boxes.

    11. Re:How about by sneaker98 · · Score: 1

      Don't defend them. Adobe is one of the worst bloatware software companies on the planet. They deserve this flak. Frankly, when my browser locks up, guess what program is almost always to blame? Adobe Reader. What a piece of crap.

    12. Re:How about by Bert64 · · Score: 1

      The difference is that windows is the only platform which doesn't come with a PDF reader by default...

      And to make matters worse, many users aren't aware that alternative pdf readers exist at all, how many mac users do you think install adobe's viewer because they don't realise preview.app can handle PDF files very well. Users have the mindset that file formats are proprietary and belong to specific programs.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    13. Re:How about by Bert64 · · Score: 1

      A disturbing number of mac users actually install adobe reader and let it set itself as their default pdf viewer, despite that OSX already comes with a much better PDF viewer, people are conditioned to think that PDF files require adobe acrobat.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:How about by sopssa · · Score: 0

      To be honest I'd be more worried if Windows did come with a default PDF reader. The format is overly complex with scripting capabilities and everything else under the sun and bugs are going to slip in, and the install base would be even more widespread than now with Adobe PDF Reader (or are you suggesting we should pre-install Adobe's PDF Reader on every Windows?)

      I also doubt that all of the different Linux distros come with a pdf reader..

    15. Re:How about by cusco · · Score: 1

      What no one, especially Adobe, talks about is the possibility that some of these crackers are former programmers for Adobe with access to source code. I'm sure the fact that Adobe rarely fixes holes in its software, preferring to make customers upgrade instead, makes them an even more tempting target. Probably 3/4 of our customers are running Acrobat Reader 7 or earlier because no one wants to go to the trouble of upgrading reader software, and Adobe's filthy habit of forcing customers to install garbage that they vehemently don't want (like their stinking download manager) doesn't help matters.

      For that matter I don't know the situation now, but previously security at Adobe's facilities was almost non-existent. I once had a co-irker who, in the days before WiFi everywhere, would drop by Adobe's offices, tailgate someone into the building and sit down at a random cubicle when he needed Internet access.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    16. Re:How about by BrokenHalo · · Score: 1

      There are plenty of alternatives...

      This is true. It is also true that most of them load a lot more quickly than the Adobe product. However (sometimes depending on how the PDF is created), most of them don't actually render the PDF as well as the Adobe reader.

    17. Re:How about by Anonymous Coward · · Score: 0

      I'm talking about relevant desktop OSes not mac

    18. Re:How about by Yvan256 · · Score: 1

      Frankly, when my browser locks up, guess what program is almost always to blame? Adobe Reader. What a piece of crap.

      I'm sorry, but it's totally untrue! When your browser locks up, it's probably Adobe Flash which is to bla... oh wait, never mind.

    19. Re:How about by lee1 · · Score: 1

      Is the number disturbing because it's too low or too high? I use Reader on my Mac because Preview renders some things poorly and lacks a few features.

    20. Re:How about by cbiltcliffe · · Score: 1

      Users have the mindset that file formats are proprietary and belong to specific programs.

      How about:

      Users have the mindset that their documents are somehow stored "inside" the program. Consider a conversation I had recently about a customer that needed a newer office suite, but didn't like the Office 2K7 ribbon:

      Me: Ok...so we'll uninstall Office 97, and install OpenOffice instead. It's free.
      Them: But all my documents are in Word.
      Me: Yes. OpenOffice will handle them just fine.
      Them: But all my documents are stored in Word. If you take Word off my computer, how will I get my documents?
      Me: Just use the File->Open menu in OpenOffice, and load the file.
      Them: [blank stare]
      Me: The documents are still on your computer, you'll just load them in a different program.
      Them: But...[weakly]..all my documents are in Word.

      They honestly thought that Word was somehow this black box thing that "contained" all their documents, and gave them the ability to edit them at the same time. They were absolutely convinced that removing Word from their computer would take all their documents with it.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    21. Re:How about by RDW · · Score: 1

      'Probably 3/4 of our customers are running Acrobat Reader 7 or earlier because no one wants to go to the trouble of upgrading reader software, and Adobe's filthy habit of forcing customers to install garbage that they vehemently don't want (like their stinking download manager) doesn't help matters.'

      The thing I especially love about this is how Adobe have now stopped providing security updates for Acrobat 7 (the full version you pay money for, not just the reader). Acrobat 7 was a current product until just over 3 years ago, and now the only way to get a safe installation is to pay again for a version upgrade. Given the 'security' record of Adobe products over the last few years, you might think they'd have the good grace to hang their heads in shame and continue fixing a flagship product for a bit longer, if only as a public service. But no, Acrobat 7 is EOL and you pay up or risk getting owned. There's Foxit, of course, but they've recently jumped on the 'installing garbage' bandwagon with a slimy bundled toolbar. I guess that leaves PDF-XChange (which seems rather nice).

    22. Re:How about by Hucko · · Score: 1

      So do it the other way.

      Install OpenOffice, demonstrate the files aren't necessarily in Word, and uninstall OO.org

      --
      Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
    23. Re:How about by westyvw · · Score: 1

      Where is this "real world"? In my experience it's been users use whatever crap their computer came with or what they use at the office. Average IT shops are too damn stupid to even think they could get by with an alternative PDF writer, even though they could save a bundle of money. And there's the problem. In the "real world" poorly educated masses of IT shops do a poor job by believing their vendors. Sooner or later the competitive edge will adjust that equation, and I for one would rather be on the leading edge than watch it go by.

  2. Two solutions. by Anonymous Coward · · Score: 1, Insightful

    1.) Spend millions of dollars on R&D for a new pdf analyzer and redistribute it.
    2.) Turn off javascript and any other dynamic content.

    We all know option 2 is way too easy, so we'll just go with the first one.

    1. Re:Two solutions. by obarthelemy · · Score: 1

      or use foxit reader ?

      --
      The Cloud - because you don't care if your apps and data are up in the air.
  3. yes, but... by Anonymous Coward · · Score: 0

    ..do they run on evince?

    1. Re:yes, but... by Anonymous Coward · · Score: 0

      Hackers know that people running evince have nothing worth exploiting, no credit card numbers to steal, no banking logins, no friends in their address book. Not even any bandwidth to use for spamming or DoSing, since that will all be being used to download porn, probably from the same site serving up the maliciously crafted pdf.

      Also, evince is a steaming pile of horseshit.

  4. Should PDFs be dangerous? by TubeSteak · · Score: 2

    How much danger am I in once javascript is turned off for Adobe's pdf reader?

    --
    [Fuck Beta]
    o0t!
    1. Re:Should PDFs be dangerous? by toleraen · · Score: 4, Informative

      That and disabling browser integration generally mitigates the issue. That is until they figure out a way to force Reader to use javascript regardless of your setting...

    2. Re:Should PDFs be dangerous? by Anonymous Coward · · Score: 0

      Use an alternative viewer.

      Then turn off javascript.

    3. Re:Should PDFs be dangerous? by Anonymous Coward · · Score: 0

      Don't turn it off! I spent a whole day making the charts in my PDF rearrange themselves with some nifty javascript. If you turn javascript off and you encounter my document on the web you won't get the full experience!!

    4. Re:Should PDFs be dangerous? by Skuld-Chan · · Score: 1

      Disabling browser integration will not disable javascript in Reader... (in fact many of these exploits will operate normally in the stand-alone product).

      The only real risk of disabling javascript in Reader/Acrobat is that if you try to use any form that has any logic in it - it will of course not work.

    5. Re:Should PDFs be dangerous? by Krneki · · Score: 1

      Never, ever install the PDF plug-in, for any browser. They are slow as hell and open up security issues. Always open PDF files with a stand alone program and for added security make sure it ain't Adobe.

      --
      Love many, trust a few, do harm to none.
    6. Re:Should PDFs be dangerous? by toleraen · · Score: 1

      Err, hence I said "That and disabling browser integration" in response to the OP's question.

      There's no risk in disabling it. If you download a form that requires it Reader will prompt you and ask if you want to enable JavaScript for that particular PDF. If it's from a trusted source, go ahead and allow it. I've seen plenty of PDFs prompt for Javascript access and when denied seem to have no negative impact. Forms are about the only type I've seen that are impacted.
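Both the "Two solutions" post above (turn off JavaScript and other dynamic content) and this thread about what disabling JavaScript in Reader actually buys you come down to the same triage question: does a given PDF carry active content at all, and is that content wired to run on open? The script below is an added example written for this page; it is not from the Slashdot thread, ScanSafe or Adobe. It is a defender-side keyword scan over a PDF's raw bytes: it resolves the hex-escaped name spelling the PDF spec allows (/J#61vaScript is the same name as /JavaScript), inflates FlateDecode streams so a dictionary hidden in a compressed object is still seen, and then reports which active-content and auto-trigger names appear. The four PDF byte strings are constructed samples (hypothetical, deliberately minimal and not valid enough to render); the name list and the "review"/"notice"/"clean" verdicts are this example's own heuristic, not a specification.

```python
import re
import zlib

# PDF name objects that commonly carry or trigger active content. Presence is a
# triage signal, not proof of malice: interactive forms legitimately use /JS.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/EmbeddedFile", b"/RichMedia")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream body runs from "stream" + EOL to the "endstream" keyword; the
# lookbehind keeps the "stream" inside "endstream" from starting a match.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Resolve name-object hex escapes (e.g. /J#61vaScript -> /JavaScript) so a
    spec-legal alternative spelling cannot dodge the keyword scan."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every stream that inflates as zlib.
    decompressobj tolerates the trailing EOL before 'endstream', which a plain
    zlib.decompress would reject as extra data."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (or uses another filter); skip it
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count risky names in the raw bytes plus any inflated stream contents.
    The negative lookahead stops /JS from also matching longer names."""
    visible = normalize_names(data + b"\n" + inflate_streams(data))
    hits = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + rb"(?![0-9A-Za-z])", visible))
        if n:
            hits[name.decode()] = n
    return hits


def triage(data: bytes) -> str:
    """'review' when active content is wired to an auto-trigger (runs on open),
    'notice' when either appears alone, 'clean' otherwise (example heuristic)."""
    hits = set(scan_pdf(data))
    active = hits & {"/JavaScript", "/JS", "/Launch", "/RichMedia"}
    trigger = hits & {"/OpenAction", "/AA"}
    if active and trigger:
        return "review"
    if active or trigger or "/EmbeddedFile" in hits:
        return "notice"
    return "clean"


# ---- constructed sample documents (not real files; minimal on purpose) ----
def _pdf(objects: bytes) -> bytes:
    return b"%PDF-1.4\n" + objects + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def _flate_obj(num: int, payload: bytes) -> bytes:
    comp = zlib.compress(payload)
    return (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n"
            % (num, len(comp)) + comp + b"\nendstream\nendobj\n")


BENIGN = _pdf(b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n")

# Plain spelling: an OpenAction pointing at a JavaScript action dictionary.
OPENACTION_JS = _pdf(
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS (app.alert('constructed sample')) >>\nendobj\n")

# Same document with hex-escaped names, which a naive grep for /JavaScript misses.
ESCAPED_JS = _pdf(
    b"1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /J#53 (app.alert('constructed sample')) >>\nendobj\n")

# Same action dictionary, but stored inside a FlateDecode stream.
COMPRESSED_JS = _pdf(
    b"1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    + _flate_obj(3, b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>"))


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("openaction+js", OPENACTION_JS),
                       ("hex-escaped", ESCAPED_JS), ("compressed", COMPRESSED_JS)]:
        print(f"{label:14s} {triage(doc):7s} {scan_pdf(doc)}")
```

This is a first-pass filter, not a parser: it does not handle encrypted documents, object streams packed with filters other than Flate, or content assembled at runtime by the script itself, so a "clean" verdict means only that nothing obvious is visible. Its value is the other direction: a document that arrives by e-mail and scores "review" is exactly the one that should be opened, if at all, in a viewer with JavaScript disabled, which is what the posts above recommend.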

  5. Browser only? by Anonymous Coward · · Score: 0

    From what I'm seeing, it looks like it's just a problem if you're looking at Adobe documents in a browser; then the browser gets hijacked. So, if you're just looking at a PDF in stand-alone Reader, there shouldn't be anything to worry about.

  6. Or more likely by FreeUser · · Score: 5, Insightful

    How about "Adobe Reader is the only relevant PDF reader on the market"? Is it really that hard to understand?

    Or how about:

    "Adobe Reader is shit. Zero day exploits are like shooting ducks in a barrel." Or maybe "It's the platform, and Adobe is just the vector du jour. IE was last month's, Office the month before that, and Flash (or something equally widespread, complex, superfluous and buggy) is next month's ..."

    Microsoft Windows users are known as the road-kill of the Information Superhighway for a reason, and Adobe can only take some small credit for their contribution to that.

    --
    The Future of Human Evolution: Autonomy
    1. Re:Or more likely by kyuubiunl · · Score: 0

      Um.............follow the bouncing ball FreeUser ADOBE Flash

    2. Re:Or more likely by sopssa · · Score: 1, Insightful

      Ah, the old "Windows is insecure" rant.

      Drive-by installs via exploit vulnerability can happen on any OS. Only thing that might currently mitigate that is SELinux, but it's pain in the ass generally and no casual user would put up with it. Most of the vulnerabilities nowadays are in 3rd party software like Flash or PDF Reader. They are exactly as vulnerable on any system.

      It pretty much all happens on Windows currently only because it's so popular (and the users are generally dumber than those geeks running for example Linux on desktop).

      Fact is, no OS is secure unless it's completely locked down, and even then there are probably vulnerabilities in the OS. And please, I don't want my desktop computer to be an iPhone.

    3. Re:Or more likely by Anonymous Coward · · Score: 0

      So, in spite of the fact that different OS platforms have different development, different code, different security levels, they're all exactly the same???

      Riiiiight.

      It still mainly happens on Windows because the OS, development and security models are the most attractive to exploits. Far above the proportion that Windows has in the marketplace.

    4. Re:Or more likely by ThaReetLad · · Score: 2, Insightful

      No, it's because very few linux users are computer illiterate, while a great many windows users are. Targeting windows users (and with attacks like this, it is the users that make the attack possible, not the platform) is going for the low hanging fruit.

      --
      You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
    5. Re:Or more likely by devent · · Score: 2, Insightful

      It pretty much all happens on Windows currently only because its so popular (and the users are generally dumber than those geeks running for example Linux on desktop).

      Apache is the most popular web server and it is open source. Shouldn't it have more security problems than IIS? Where is the Code Red for Apache, that infected over 250.000 servers?

      Windows is targeted because of the poor security choices from Microsoft. To name a few, ()patch Tuesday, ()cannot delete opened file, ()No distinction between administrator and normal user, ()backward compatibility back to DOS, ()GUI in server and for administration tasks,()no distinction between executables and normal files,()whole hard drive is writable, ()complex database for configuration and the list goes on.

      --
      http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    6. Re:Or more likely by sopssa · · Score: 1, Informative

      Whoa, you're bringing up ten year old worms to the table. Do you even understand how many old worms there have been with Linux/UNIX in all of its history, most of them not even requiring a web server?

      Any of those things you list as "poor security choices from Microsoft" aren't even such.

      patch Tuesday

      Patch Tuesday streamlines the update process in large companies. It would be a really bad solution from MS to force the update randomly, possibly breaking things. Linux doesn't even have automated update at all - you have to run your update tool when it's convenient for you, or go and compile the new kernel. Is that really a better security choice? Would you want Windows to be the same way?

      cannot delete opened file

      This has nothing to do with security choice for Windows. And you can force-delete a file, at your own risk.

      No distinction between administrator and normal user

      You're still running Windows 95 or what?

      backward compatibility back to DOS

      There's no such really anymore, hasn't been since XP. It's an emulated layer, and also breaks most of the old viruses because of that.

      GUI in server and for administration tasks

      How does this lower security again?

      no distinction between executables and normal files

      Just like Linux doesn't have either. You can set executable bit on any file and it happily runs.

      complex database for configuration

      Specifically for what? MySQL also has pretty complex database (inside itself) for its settings and users.

    7. Re:Or more likely by newdsfornerds · · Score: 1

      You commie FOSS people say its Microsoft's fault every time. Free software is tererism! True Patriots Use Windows! -- Your friendly neighborhood MSFT shill.

      --
      Damping absorbs vibrations. Dampening is caused by moisture.
    8. Re:Or more likely by newdsfornerds · · Score: 1

      That Apache argument is one of the best I have heard. Sometimes I think I should develop a database for all the reasons Windows sucks.

      --
      Damping absorbs vibrations. Dampening is caused by moisture.
    9. Re:Or more likely by flyneye · · Score: 1

      Gosh guys, what's the difference in platforms really?
      It's a given there are bugs, there will continue to be bugs as code is written and no end in sight, no matter the platform.
      The constant I continue to see are those willing to search out the bugs and publish them to the public rather than the manufacturer, with the excuse that "patches will be released quicker because of the menace".
      Should we, the public who do nothing but invest money in hardware, software and media suffer just to feed the ego of some whizkids?
      I propose an international hunting season, with prizes as bounty for the reproductive organs of those participating.
      Of course, officially law enforcement would frown on the practice, but in the end it would be largely uninvestigated as the motives came to light. I'm sure some already harmed companies would add to the prizes. Individuals who've lost precious data would pool some cash as well.
      Black hats and phishers could just be killed and skinned.
      Maybe I'm just amusing myself, maybe I'm just amusing you. Maybe something to start thinking about.

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
    10. Re:Or more likely by NotBorg · · Score: 1

      Bla bla bla victim of popularity. Yes you can expect your popular product to be attacked more because of its popularity. But that doesn't excuse the vendor from fixing it. The same popularity should (if your business model isn't full of fail) enable you to audit your code and respond to vulnerabilities faster. The number of attacks are up but so is your research and development funding.

      The problem is that even though a vendor knows the attacks are coming and often has the resources to head it off, very often the vendor doesn't bother doing anything until just before or very quickly after the bad press happens.

      Expect Adobe's products to be bad for security until they've accumulated enough bad press and then they'll miraculously become much better. They won't be immune but they'll be on par with unpopular software's security (which is often by obscurity).

      Security is not proportional to popularity. If it were then the IE product line would NOT have improved nearly as much as it has. If it's proportional to anything it's proportional to the amount of effort you put into making it secure. IE got better because there was lots of press that said Firefox is better for your security.

      Same with Windows. Windows got much better at security even though its popularity didn't change in a significant way. As a fan boy you must agree that Windows did get better and you also must agree that Windows isn't any less popular. Ergo the popularity==insecure doesn't work well for you. (Unless you wish to tell me that Windows is still the same insecure pile of crap it always has been. I'm happy with that.)

      --
      I want this account deleted.
    11. Re:Or more likely by Anonymous Coward · · Score: 1, Informative

      Linux doesn't even have automated update at all - you have to run your update tool when its convenient for you, or go and compile the new kernel.

      Absolutely not true, you don't know what you're talking about. Please post no more. Your credibility has failed and you'll only worsen your cause by doing so.

    12. Re:Or more likely by BitZtream · · Score: 1

      Where is the Code Red for Apache

      This was certainly an MS issue, the fact that the number of apache INSTALLATIONS is considerably smaller. The default IIS install having crappy permissions didn't help. The fact that most of the infections were on client PCs and servers that never should have had IIS installed plays a part in it. The fact that admins run Apache and are far more likely to keep it up to date than grandma who never installs updates.

      Either way, it is all MS's fault, no doubt about it, Apache has far more experience on the Internet, but it's silly to pretend it couldn't happen to Apache. It's not like it's ever happened to anything before, not like anyone has ever trojaned sendmail or anything ...

      ()patch Tuesday

      As opposed to 'whenever we feel like, sometimes every day for a week, sometimes nothing for a month'

      ()cannot delete opened file

      Trivial to resolve, and not really any worse than a zombied process

      ()No distinction between administrator and normal user

      What? Do you know what permissions are? WindowsNT held a distinct advantage in ACL support over any free OS for years, and gave the commercial unixes a run for their money in some cases. Do you know what the 'SYSTEM' user is? Do you know that you don't normally ever have 'root' on a NT machine? The administrator account is just a user with lots of permissions. SYSTEM would be the equivalent to root. This isn't something you even normally get access to, you have to trick the OS into giving you the ability to use the root account.

      ()backward compatibility back to DOS

      So today it's backwards compatible, are we going back to 'Windows breaks compatibility' tomorrow? First off, it isn't DOS compatible, isn't even close. NT will run most 'console' apps and some 'DOS' apps, but only those that are very well behaved DOS apps, essentially those that don't do much more than text processing or basic file I/O, no real hardware access or speed tricks.

      ()GUI in server and for administration tasks

      I used to feel this was a problem, nowadays, meh, I don't give a shit. The RAM and disk space occupied by the GUI is trivial and on most of my servers it's such a small percentage I don't give a shit. It's nice when you can't talk to the machine remotely and still want to run GUI apps however.

      Hell the X libraries are probably installed on all my servers so I can run various other X apps locally with remote display, most of them are running a local X session anyway, just in case I have to actually use the console in a hurry.

      ()whole hard drive is writable

      Which part is the issue for you? You don't trust file permissions but you trust a read-only mount? That seems pretty silly since they are both actualized in the same kernel. Or are you referring to some other exploit? Maybe the MBR access, that I could see being a valid complaint, but you were too vague for me to assume you actually had a real reason to bitch

      ()complex database for configuration and the list goes on.

      Yea, this can be a pisser. I've seen people have horrible nightmares dealing with those problems. Personally I've never had any issue with the config db that prevented me from just using the GUI to do what I wanted. Maybe corruption has passed me by for now.

      Either way, 90% of the time, using the GUI and a couple right clicks is still faster than editing httpd.conf in a text editor. Not always the case, but you're going to be hard pressed to prove that either side is 'faster' or 'more efficient' using one or the other assuming the person doing it is familiar with the method being used. Throw someone who's only worked with IIS at httpd.conf and it's going to get messy and probably break. Throw someone who's only worked with

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    13. Re:Or more likely by Super_Z · · Score: 2, Informative

      Patch Tuesday streamlines the update process in large companies. It would be really bad solution from MS to force the update randomly, possibly breaking things.

      You seem to confuse "offer" with "force". Why not offer a patch when it is ready and let the companies decide themselves when and how often to patch? Just like every other OS vendor on the face of the planet?

      Linux doesn't even have automated update at all - you have to run your update tool when its convenient for you, or go and compile the new kernel.

      If by "Linux" you mean every major Linux distribution, then you are simply wrong.

      no distinction between executables and normal files

      Just like Linux doesn't have either. You can set executable bit on any file and it happily runs.

      Actually, the executable bit is the distinction between executables and normal files. You cannot run a normal file without specifically setting the executable bit. It is a "security feature".

      complex database for configuration

      Specifically for what? MySQL also has pretty complex database (inside itself) for its settings and users.

      The OP is talking about the Registry.

    14. Re:Or more likely by GoatEnigma · · Score: 1

      Microsoft Windows users are known as the road-kill of the Information Superhighway for a reason....

      Seriously though, no one says that. No one even says "Information Superhighway".

    15. Re:Or more likely by hairyfeet · · Score: 1

      Bingo! Give that man a ceeegar! As a PC repairman I have managed to cut down my users infection rates by a good 80-85% by changing their habits. Autoupdates enabled, Firefox instead of IE, ABP installed, updated Comodo AV/Firewall installed, but I can't get it any lower than that. Why? PEBKAC, that's why.

      I have actually sat beside a user and said "Don't open that. It is a password protected .zip file sent by email. It is a virus" and had the user go "Ohhhh you worry too much! This is from my BBF Kim! She wouldn't do anything like that!" and guess what? She opened it, infected her PC with one of those lovely rogue AV programs and drug the whole network down to a crawl as it pounded the hell out of the other PCs looking for exploitable boxes. Needless to say dealing with those users I wear this face pretty much daily.

      Dealing with the PEBKACs I can tell you that Linux would NOT help in those cases! I even tried it once, put a "must click on everything that has porn in the title!" user on PCLOS just to see if it would help. He had the whole machine borked so bad it wouldn't boot in under 3 days. How? He decided he didn't like Synaptic and instead Googled "Linux programs" and installed a bunch of shit from Freshmeat and ended up in dependency hell.

      With Windows 7, Comodo, and Firefox I have managed to seriously cut down the infection rate of my stupidest customers, but in the end stupid is as stupid does. All the best security in the world won't help the dancing bunnies problem if your user wants to see the bunnies. No matter how foolproof you design you WILL find out there are always bigger and better fools.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    16. Re:Or more likely by toadlife · · Score: 1

      Leaving aside your ridiculous invocation of a ten year old worm for IIS, you do realize since the release of IIS6 in 2003, IIS6 and IIS7 have had FAR FEWER vulnerabilities discovered than any version of Apache, right?

      The rest of your rant is evidence you don't seem to have a very good grasp of how Windows works.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    17. Re:Or more likely by toadlife · · Score: 1

      You cannot run a normal file without specifically setting the executable bit. It is a "security feature".

      On a desktop system, it's an annoyance. So much that modern DEs like KDE have numerous methods to get around it. It might be considered a "security feature" by people with no imagination.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    18. Re:Or more likely by toadlife · · Score: 1

      Popularity doesn't make products insecure. It makes them potential targets.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    19. Re:Or more likely by iris-n · · Score: 1

      You know the old Italian proverb: "Si non è vero è ben trovato"

      And it was funny.

      --
      entropy happens
    20. Re:Or more likely by drsmithy · · Score: 1

      That Apache argument is one of the best I have heard.

      No, it's idiotic. If for no other reason than because Apache servers are such a tiny minority of computers in the first place.

      Being the most popular of an insignificant proportion, is no different to just being an insignificant proportion.

    21. Re:Or more likely by drsmithy · · Score: 1

      Windows is targeted because of the poor security choices from Microsoft. To name a few, ()patch Tuesday, ()cannot delete opened file, ()No distinction between administrator and normal user, ()backward compatibility back to DOS, ()GUI in server and for administration tasks,()no distinction between executables and normal files,()whole hard drive is writable, ()complex database for configuration and the list goes on.

      These are all disingenuous at best, flat-out false at worst. Surely you can do better?

    22. Re:Or more likely by drsmithy · · Score: 1

      Security is not proportional to popularity.

      Frequency and consequences of exploitation (which is what people here generally mean when they say "security"), however, is.

    23. Re:Or more likely by nmp0906 · · Score: 1

      Yes sir. Training users does significantly help, as does a comprehensive suite of programs. Limited permissions/accounts can also help in a controlled environment (so users can't go installing Super Smileys 3000 on a whim) and would address the remainder of the user issues above. One reason Firefox has been so successful is its auto-updating feature for browser and extensions. It doesn't ask, it just does, by default. This is where Adobe has failed miserably. This is why such a large percentage of its Acrobat/Reader and Flash installed user base is outdated and thus still vulnerable to yesterday's attacks. Given that Adobe's aforementioned software has arguably more security flaws out of the gate, auto-updates, on by default, would significantly help keep their user base safe. It's a fairly convoluted process to check your Flash version (google for flash version update or similar) and not easily found if browsing their site. (Aside: One app, Grooveshark, actually prompts when you have an outdated version of Flash, citing security concerns, and provides a nice link to update. Awesome.) I hate manually having to check each of my programs for an update. That's dumb. Almost as dumb as MS Patch Tuesday. "We have some serious flaws here, but we can't let you install the fix until next Tuesday. In the meantime, hope you don't get hacked." Sigh. When will people start taking security seriously?

    24. Re:Or more likely by newdsfornerds · · Score: 1

      He compared apples to apples.
      "Where is the Code Red for Apache, that infected over 250.000 servers?"
      Well, where is it?

      --
      Damping absorbs vibrations. Dampening is caused by moisture.
    25. Re:Or more likely by geminidomino · · Score: 1

      You cannot run a normal file without specifically setting the executable bit. It is a "security feature".

      On a desktop system, it's an annoyance. So much that modern DEs like KDE have numerous methods to get around it. It might be considered a "security feature" by people with no imagination.

      And that's the attitude that made Windows' security what it was for 15+ years.

    26. Re:Or more likely by hairyfeet · · Score: 1

      Oh, you want to add insult to injury? The newest Adobe update includes crapware! That's right, it will install "Norton Security Scan", which will then bug the piss out of your users to buy it if you don't warn them ahead of time to uncheck the box. Fun, huh? But if you are using Firefox an easy way to check is to go here, but I agree it is a PITA that it doesn't autoupdate. Of course, now that they are bundling crapware I'm not so sure I would trust them to update by themselves anyway.

      But I couldn't disagree more about Patch Tuesday. When I was working on large deployments patch Tuesday was a Godsend, as it gave me time to test before rolling out to the main PCs. The last thing you would want in a large enterprise environment is patches being released every other day. You would spend all your time fighting fires unless you deployed a WSUS and refused to allow the machines to update without permission. The only thing I would do differently is allow the option of signing up for patches as they are finished, but that would probably cause more exploits as script kiddies hacked the patches and put out exploits ahead of patch Tuesday. As long as MSFT keeps putting out KB articles with workarounds for problems before patch Tuesday I'm okay with it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    27. Re:Or more likely by toadlife · · Score: 1

      If that were true the same type of problems would exist with desktop *nix too, because the "I just want the fuckin' thing to work" attitude pervades the user base and drives the development of every major desktop platform.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    28. Re:Or more likely by geminidomino · · Score: 1

      If that were true the same type of problems would exist with desktop *nix too, because the "I just want the fuckin' thing to work" attitude pervades the user base and drives the development of every major desktop platform.

      Yes, but *nix, as is often pointed out, is not a "major desktop platform", partly because (until recently, at least) it DOESN'T try to feed every unreasonable user-attitude, like "Let my system be rooted trivially rather than implement security that might be 'annoying', and call that 'having imagination.'"

      tl;dr: Those who would sacrifice necessary security for temporary ease-of-use deserve neither security nor ease-of-use.

    29. Re:Or more likely by toadlife · · Score: 1

      like "Let my system be rooted trivially rather than implement security that might be 'annoying', and call that 'having imagination.'"

      Ubuntu's ultra-insecure SUDO implementation, which allows any process launched under the default user's account to gain root privileges with impunity, says you're wrong.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    30. Re:Or more likely by Runaway1956 · · Score: 1

      "Microsoft Windows users are known as the road-kill of the Information Superhighway for a reason," - Freeuser

      I'm strongly tempted to use that as my sig. Road-kill, or the smell of piss in the subway? Tough decision . . . .

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    31. Re:Or more likely by geminidomino · · Score: 1

      Ubuntu is not *nix. Ubuntu is Ubuntu. Ubuntu does so many things wrong it's pathetic. It was also exactly what I had in mind with my parenthetical "Until recently at least" comment.

      It tries to be more like windows, and behaves stupidly.

    32. Re:Or more likely by toadlife · · Score: 1

      While my original points stand, I agree with everything you've just said.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    33. Re:Or more likely by Schmorgluck · · Score: 1

      vunerable to yesterday's attacks.

      This sooo should be made a common acronym. "Come on, your system is so VYA".

      --
      There's nothing like $HOME
  7. What about alternate readers? by Monoman · · Score: 2, Informative

    Is the problem with the Adobe Reader program itself or the file format? Do third party PDF readers have the same security issues?

    --
    Keep the Classic Slashdot.
    1. Re:What about alternate readers? by Antiocheian · · Score: 1

      Of course not, but disabling Javascript and firewalling Foxit as well isn't a bad idea.

    2. Re:What about alternate readers? by Anonymous Coward · · Score: 2, Interesting

      The official PDF spec includes scripting and DRM and all kinds of other crap that 99.99% of PDFs don't use. Many 3rd party readers limit themselves to just displaying documents, so the third party readers have a much smaller attack surface.

    3. Re:What about alternate readers? by Anonymous Coward · · Score: 0

      Good to know. I've long suggested other readers anyway, since many "print" to PDF and don't have the same heavy-handed DRM aspects.

    4. Re:What about alternate readers? by Skuld-Chan · · Score: 2, Interesting

      Yes, Foxit actually has security issues as well. I personally don't think there are as many because Foxit isn't in as much wide use (Foxit isn't bundled with new PCs, for instance).

      The plain and simple fact is that it is hard to make secure software. Couple that with the fact that the PDF format is well over 20 years old (as you can imagine there's a lot of legacy code in the viewer) and you have a recipe for the perfect security nightmare.

      The other problem is - once one researcher/hacker finds a big exploit the blood is in the water and suddenly you have a bunch of people looking into it for obvious reasons.

    5. Re:What about alternate readers? by theseus75 · · Score: 1

      Just posted a how-to screencast after reading this story so people can find and use alternatives. http://www.youtube.com/watch?v=6wuwqPN4kxg

  8. Me too? NOT by ratboy666 · · Score: 4, Interesting

    The reason for the PDF preference is not "me too". It is, simply, the best current trojan delivery vehicle. I send my CV in PDF format, most of the documents that I deal with are in PDF format.

    And I have no way of telling if opening a particular PDF in a particular reader will cause an exploit.

    Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed. Microsoft Word has been "hardened". The exploits are going for the weakest part -- output that is in a universal format and is commonly shared. That just happens to have one reader that has most of the market share.

    Which means that I will continue to use "Evince" and hope that it won't be targeted soon.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
    1. Re:Me too? NOT by Trepidity · · Score: 4, Funny

      It is, simply, the best current trojan delivery vehicle. I send my CV in PDF format

      That is also my reason for choosing this fine document format for my CV.

    2. Re:Me too? NOT by gad_zuki! · · Score: 4, Insightful

      Adobe Reader's web plugin simply opens PDFs without any warning. Nor does it warn if there is JavaScript running in the PDF. It's a cracker's dream. Most other applications give some kind of warning, especially if there's something scripted in the document. Adobe does none of this. Heck, you can disable JavaScript, but it will helpfully remind you that it's disabled and offer to unblock it if you attempt to open a PDF with JavaScript. It's really an incredibly terrible way to handle security.

      This thing should at least be shipping with js disabled and the only way to enable it is by going into Preferences. The web plugin should be retired and just force the pdf to open in the full reader. One can dream, right?

    3. Re:Me too? NOT by SnuffySmith · · Score: 1

      I was one of the ones, many years ago, that was frustrated that PDFs didn't do more. Now I only want to use PDFs to deliver documents that have content that can't be altered, and print out like I well expect them to. I repent of my former desire that PDFs do stuff.

      Unless of course, ooh cool, Adobe came up with a killer app by combining PDF and Flash into one thing. Have they already done this? Have I missed the boat?

    4. Re:Me too? NOT by nine-times · · Score: 4, Insightful

      Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed.

      And IMO this is exactly why everyone should be wary of putting scripting languages into documents. We have a well-established convention of distinguishing "documents" from "applications"; "documents" are passive collections of information, whereas "applications" do stuff.

      We block applications and scripts because they do stuff and we can't easily know what it is that they do, but we don't block documents because, in theory, they can't do anything. Loading a document in its proper viewer application shouldn't do anything that the viewer wasn't explicitly designed to do. If you throw scripting applications and macros into the documents, then suddenly the "documents" do stuff too. This, in my opinion, is bad.

    5. Re:Me too? NOT by LenE · · Score: 3, Insightful

      Worse yet, instead of warning you that a PDF is about to execute JavaScript code, Adobe Reader actively and repeatedly harasses you if you turn off JavaScript, telling you that it won't work properly. This, even if the PDF you are viewing contains no JavaScript whatsoever.

      Instead of bothering you when you do something dangerous, it bothers and encourages you to let it behave insecurely. Adobe has become the new Microsoft, with respect to hindering user security.

      -- Len

    6. Re:Me too? NOT by maxume · · Score: 1

      Reader does not throw any javascript prompts for documents that do not contain javascript.

      --
      Nerd rage is the funniest rage.
    7. Re:Me too? NOT by jonadab · · Score: 1

      > The web plugin should be retired and just force the
      > pdf to open in the full reader. One can dream, right?

      You can actually do this, in the Firefox prefs, under the Applications tab. (Doing this is on my standard deployment checklist, mainly because it's less confusing for the users. With the embedded reader plugin, the user doesn't realize they've left the web and doesn't understand why browser features, such as the Print and Print Preview commands, don't work. When Adobe Reader opens in a separate window, it's somewhat more evident to the untrained eye what's going on.)

      However, if you ever upgrade or reinstall Adobe Reader, it changes the pref back, and you have to fix it again.

      IMO, opening the Reader in a separate window *ought* to be the default setting. But apparently Adobe feels differently.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    8. Re:Me too? NOT by JasterBobaMereel · · Score: 2, Insightful

      Why does a document viewer need to run code (JavaScript or whatever)?

      99.99% of people use it to display and/or print static documents .... it's only that Adobe keeps extending it to do things outside this ....

      The core PDF viewer is fairly bug-free and exploit-free; it is the extensions that are buggy and vulnerable ....

      --
      Puteulanus fenestra mortis
    9. Re:Me too? NOT by Skuld-Chan · · Score: 1

      Interestingly enough - in my days at Adobe doing Tier 3 support - the exploit PDFs I'd get from various sources internally were hard to move around the network because virus scanners would delete or clean them up.

      I found this rather surprising many times because these scanners would do this to files that were zero day exploits and files that weren't yet disclosed to the public.

      Also, if you're installing Reader in your enterprise you can disable browser integration, JavaScript and a myriad of other features out of the box.

      Acrobat/Reader does have a trust manager - but that is only invoked when the viewer goes to an external service to the PC (like the net).

    10. Re:Me too? NOT by Skuld-Chan · · Score: 3, Informative

      Worse yet, instead of warning you that a PDF is about to execute JavaScript code, Adobe Reader actively and repeatedly harasses you if you turn off JavaScript, telling you that it won't work properly. This, even if the PDF you are viewing contains no JavaScript whatsoever.

      Hrm tested this in 9 - it only complains with Javascript disabled that the PDF contains some elements that might not be displayed properly because of the preference, and ONLY IF you open a PDF with Javascript in it.

      Static PDF files it does not display any warning if JS is off.

    11. Re:Me too? NOT by Skuld-Chan · · Score: 1

      If you write a script for Word to do something that would normally take a thousand mouse clicks to do - why is that bad?

      If you have a browser form that has a script to submit to a server and validate the form fields while doing so - why is that bad?

    12. Re:Me too? NOT by Yvan256 · · Score: 1
    13. Re:Me too? NOT by Anonymous Coward · · Score: 0

      How does opening the PDF in the reader as a separate process help? It's still Adobe Reader, opening the same trick PDF, which is going to have the same result.

      Plus there's probably the danger that rather than processing data from the untrusted Internet, it's now opening a local file, which must be safe...

      If PDFs were just downloaded and saved, people will either stop using them, or complain that it's too difficult, or too slow, to open them.

    14. Re:Me too? NOT by Anonymous Coward · · Score: 0

      "If you write a script for Word to do something that would normally take a thousand mouse clicks to do - why is that bad?"

      It's not, however Word handles the potential that a macro is malicious by warning you that a macro is present, unlike Adobe, which just executes anything willy-nilly.

    15. Re:Me too? NOT by pclminion · · Score: 1

      Believing any document format to be "inert" is a fallacy. All data must be somehow interpreted by the computer in order to be useful -- a pile of bits on a hard drive is not useful to any human. Whether there are exploitable flaws in the software which interprets the data is only loosely related to the data itself. There have been exploitable bugs in everything from PDF readers to MIME decoders to MP3 players. Obviously, deliberately embedding a scripting language into a document format does not help matters, but don't confuse yourself into believing that some document formats are inherently safer than others. The vulnerability is fundamentally in the software, not the document.

    16. Re:Me too? NOT by nine-times · · Score: 1

      ...but don't confuse yourself into believing that some document formats are inherently safer than others. The vulnerability is fundamentally in the software, not the document.

      I'm not the one confusing things. First, of course it's not the format itself, but what's interpreting the file. Text files are pretty harmless all by themselves, but I don't go sending arbitrary text files to be interpreted by bash. Likewise, it's not the inclusion of javascript in PDFs that's a problem, but rather the fact that PDF viewers interpret that javascript, which creates a great opportunity for malicious code.

      And yes, theoretically, if a viewer has exploitable flaws, then you can exploit them. I'm sure you could write a text viewer that would run arbitrary code when a malicious text file was opened in it-- but you don't really see that very often, do you? Talking about these PDF exploits, what percentage of them do you think came from exploiting the javascript engine, and what percent came from an exploit in the graphics rendering?

      Theoretically, yes, vulnerabilities can exist in any document viewer such that a malicious document can cause problems. However, that doesn't mean that all document formats are created equally, and it doesn't mean that the conventional split between applications and documents isn't helpful.

    17. Re:Me too? NOT by Late+Adopter · · Score: 1

      All data must be somehow interpreted by the computer in order to be useful

      It's not a question of code being run, it's a question of attack surface. A properly-designed document format that does few things can be interpreted by simpler code, and thus is less likely to be exploitable for attacks. PDFs should be proof of this rule by now, given how much of a monstrosity both the spec and Adobe reader are at this point. See also javascript vulnerabilities in browsers.

    18. Re:Me too? NOT by gad_zuki! · · Score: 1

      >You can actually do this, in the Firefox prefs, under the Applications tab. (

      Oh, I do. I'd prefer to see it as the default for the application. Joe Sixpack isn't doing this.

    19. Re:Me too? NOT by Ahnteis · · Score: 1

      But EVERY document I've seen HAS javascript. I don't know what that javascript is, but I assume it's stuck in there automatically by Adobe Acrobat (not reader) or something because it's ALWAYS there. (Some 3rd party PDF creators might not put it in. I haven't tested.)

    20. Re:Me too? NOT by Ahnteis · · Score: 1

      You can do it that way, but it's better to go into Acrobat settings under "internet" and tell it not to open PDFs in the browser. Then disable the plugin. ;)

    21. Re:Me too? NOT by maxume · · Score: 1

      Apparently you are mostly downloading malware droppers.

      Try some of the pdfs from the IRS, the several I downloaded this week did not have any javascript in them.

      --
      Nerd rage is the funniest rage.
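Two threads of this discussion ask for the same kind of check: ratboy666 (comment 8) describes mail gateways that refuse EXEs and open ZIPs to see whether one is enclosed, and Ahnteis and maxume disagree over whether ordinary PDFs carry JavaScript at all. The triage script below is an added example, not code from this thread, from Adobe or from any of the readers mentioned. It classifies an attachment by its magic bytes rather than its filename, lists executable members of a ZIP, and reports the PDF name tokens that give a document active behaviour (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, all from the PDF spec), resolving #xx name escapes and inflating Flate streams so that dictionaries hidden in object streams are seen as well. The PDF skeletons and the ZIP are constructed inline for the demonstration and are not renderable documents.

```python
import io
import re
import zipfile
import zlib

# PDF name tokens that give a document active behaviour (all defined in the PDF spec).
# /OpenAction and /AA fire actions automatically, /JavaScript and /JS carry script,
# /Launch runs an external program, /EmbeddedFile carries an attached payload.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

# Extensions a mail gateway refuses to pass, even when nested inside a ZIP.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi", ".dll")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# A PDF name ends at whitespace or a delimiter; this lookahead keeps /JS from matching /JSx.
_NAME_END = rb"(?![^\x00\t\n\x0c\r /()<>\[\]{}%])"


def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated /J#61vaScript compares equal to /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream that inflates as zlib/Flate data.

    Object streams (/Type /ObjStm) let a writer hide whole dictionaries inside a
    compressed stream, so a scan of the raw bytes alone would miss them.
    """
    chunks = []
    for match in _STREAM.finditer(data):
        inflater = zlib.decompressobj()  # tolerates the trailing newline before "endstream"
        try:
            chunks.append(inflater.decompress(match.group(1)))
        except zlib.error:
            continue  # not Flate data (images, other filters, encrypted): skip it
    return b"\n".join(chunks)


def pdf_active_features(data: bytes) -> list:
    """Sorted list of active-content names present in a PDF, including inside Flate streams."""
    haystack = normalise_names(data + b"\n" + inflate_streams(data))
    return sorted(name.decode() for name in ACTIVE_NAMES
                  if re.search(re.escape(name) + _NAME_END, haystack))


def zip_executable_members(data: bytes) -> list:
    """ZIP members whose extension marks them as executable (catches invoice.pdf.exe too)."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [info.filename for info in archive.infolist()
                if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS)]


def triage(data: bytes) -> tuple:
    """Classify an attachment by its magic bytes, never by the name the sender chose."""
    if data.startswith(b"%PDF-"):
        return "pdf", pdf_active_features(data)
    if data.startswith(b"PK\x03\x04"):
        return "zip", zip_executable_members(data)
    if data.startswith(b"MZ"):
        return "exe", ["bare Windows executable"]
    return "other", []


# --- constructed samples (PDF skeletons for the scanner, not renderable documents) ---

def _pdf_skeleton(extra_objects: bytes = b"") -> bytes:
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            + extra_objects +
            b"trailer << /Root 1 0 R >>\n%%EOF\n")

STATIC_PDF = _pdf_skeleton()

# Script object hidden in a Flate-compressed object stream, plus a hex-escaped /OpenAction.
_hidden = zlib.compress(b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n")
SCRIPTED_PDF = _pdf_skeleton(
    b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(_hidden)
    + _hidden + b"\nendstream\nendobj\n"
    b"5 0 obj << /Open#41ction 3 0 R >> endobj\n")

def _zip_with_exe() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "constructed sample")
        archive.writestr("invoice.pdf.exe", "MZ placeholder, not a real program")
    return buf.getvalue()

ZIP_WITH_EXE = _zip_with_exe()

if __name__ == "__main__":
    for label, blob in (("static PDF", STATIC_PDF), ("scripted PDF", SCRIPTED_PDF), ("zip", ZIP_WITH_EXE)):
        print(label, "->", triage(blob))
```

A hit means the document contains active content, which is exactly the distinction between "document" and "application" argued over further down in the thread, not that it is malicious; a LiveCycle form will light up the same way as a dropper. Encrypted PDFs and streams using filters other than Flate are not inspected, and the #xx normalisation is applied only to the search copy, so the original bytes are never rewritten.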
    22. Re:Me too? NOT by jbengt · · Score: 1

      If you write a script for Word to do something that would normally take a thousand mouse clicks to do - why is that bad?

      It's not bad to run a useful and benign macro that you wrote yourself.
      What's bad is that in a botnet's hands VBA has access to the entire computer, and not just to the document or its folder. (yes, I know that there have been some improvements in that regard, but that depends more on the OS & application settings than on inherent VBA limitations)

    23. Re:Me too? NOT by inviolet · · Score: 1

      And IMO this is exactly why everyone should be wary of putting scripting languages into documents. We have a well-established convention of distinguishing "documents" from "applications"; "documents" are passive collections of information, whereas "applications" do stuff.

      You are making the "keep the code separate from the data!" argument. You forget the one place in every application where code and data intermingle: the stack.

      There is no getting around the stack. It is itself data about what code to execute next.

      --
      FATMOUSE + YOU = FATMOUSE
    24. Re:Me too? NOT by Anonymous Coward · · Score: 0

      Worse yet, instead of warning you that a PDF is about to execute JavaScript code, Adobe Reader actively and repeatedly harasses you if you turn off JavaScript, telling you that it won't work properly. This, even if the PDF you are viewing contains no JavaScript whatsoever.

      Funny... it doesn't do that for me -- are you sure it isn't a malware payload a prior PDF dropped that's harassing you?

    25. Re:Me too? NOT by nine-times · · Score: 2, Insightful

      Just to be clear: I have no problem with macros. I have no problem with scripts. If you want to write a macro in Word that will make your workflow easier and faster, I think that's great. I think it's great that Microsoft had the forethought to include support for scripting in MS Office.

      What I object to is embedding macros in Word documents. I think this is dangerous design. If you want to write your own macro and store it on your computer, then you shouldn't need to embed it in the document itself. If you want to pass the macro to another user, you should be able to store the macro in its own file and send that file along with the file you want to run it on.

      However, if you want to pass around a single file where you fill out a bunch of fields and it actively does stuff with that information, then that's an application. It's not a document anymore. If Microsoft and Adobe want to enable their users to create their own mini-applications to do this sort of thing, then that seems like a great idea. Create a new file type with a different filename extension so that I can block them in email and otherwise treat them like applications.

    26. Re:Me too? NOT by Spit · · Score: 1

      That's even worse; user opens the malware PDF which contains JS, Adobe Reader moans that JS is disabled and the document is screwed without it, user enables JS. Very poor.

      --
      POKE 36879,8
    27. Re:Me too? NOT by mpe · · Score: 1

      The web plugin should be retired and just force the pdf to open in the full reader.

      Where the reader need not be the Adobe mess. It's also annoying when websites moan about the Adobe plugin not being present in the browser. When it's quite literally none of their business how the browser handles PDF files.

    28. Re:Me too? NOT by mpe · · Score: 1

      What's bad is that in a botnet's hands VBA has access to the entire computer, and not just to the document or its' folder. (yes, I know that there have been some improvements in that regard, but that depends more on the OS & application settings than on inherent VBA limitations)

      You'd have thought by now there'd be a list of scripting functions which are mainly, even exclusively, used by malware.

  9. JavaScript just needs to go, wherever it is used. by Anonymous Coward · · Score: 0

    JavaScript was designed as a simple hack more than 15 years ago. Unfortunately, it has been blown WAY out of proportion, and into something that a lot of people take seriously.

    There's no need for JavaScript support in a PDF reader, for fuck sakes! And if they do need to embed a language, they should have used one that's sensible and not as easily exploitable. There are numerous embeddable Scheme interpreters available, for instance. Hell, even Python, Ruby or Perl would be a better idea than JavaScript. At least their implementations aren't full of holes and exploits like just about every JavaScript implementation is.

  10. Why does anyone use Adobe reader anymore? by vlm · · Score: 0, Redundant

    Why does anyone use adobe reader anymore?

    On Winderz I use foxit, on linux I mostly use kpdf.

    Other than endless exploits, and it seems subjectively to be a bit slower, would I gain anything by using adobe reader?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Why does anyone use Adobe reader anymore? by Noughmad · · Score: 1

      It also can't override the evil^H^H^H^H printing protection bit.

      --
      PlusFive Slashdot reader for Android. Can post comments.
    2. Re:Why does anyone use Adobe reader anymore? by bradley13 · · Score: 0

      Because it works? Adobe reader may be bloated, but Foxit is primitive. KPDF has issues when printing.

      --
      Enjoy life! This is not a dress rehearsal.
    3. Re:Why does anyone use Adobe reader anymore? by memnock · · Score: 1

      i just read PDFs, i don't design or write docs in them. Foxit works just as well for that purpose as Adobe. i can open multiple window/copies of a PDF with Foxit. i don't know if i can do that with Adobe.

    4. Re:Why does anyone use Adobe reader anymore? by Dishevel · · Score: 3, Insightful

      Primitive how? I use it all the time. I put it on all the computers in the company. It is small, fast and secure. I have never had a problem opening, reading or printing a PDF file. When doing those things it is in fact superior to Adobe Reader every time.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    5. Re:Why does anyone use Adobe reader anymore? by Anonymous Coward · · Score: 0

      I'm a contract manufacturer. My customers like to email blue prints in PDF format. I've tried printing these in 1:1 scale using different PDF viewers and as a result I did return to Adobe.

    6. Re:Why does anyone use Adobe reader anymore? by asvravi · · Score: 2, Interesting

      I had problems viewing documents with complex formatting and embedded Chinese fonts on Foxit. Returned to Adobe. It is easy to miss some information in the document without even realizing it, if the reader sacrifices functionality in favor of being lightweight. I would any day prefer fidelity to the PDF spec over being lightweight.

    7. Re:Why does anyone use Adobe reader anymore? by Skuld-Chan · · Score: 3, Interesting

      Primitive how? I use it all the time.

      You cannot use Foxit on Livecycle forms and other kinds of interactive forms. Foxit doesn't support online commenting and reviewing, Foxit doesn't support 3d annotations (Reader even supports PMI extensions). Yeah Reader is big, but it has a ton of customer requirements.

      Foxit does have security advisories - google it, and it's not even a major target.

    8. Re:Why does anyone use Adobe reader anymore? by Dishevel · · Score: 3, Insightful

      The requirements are shit. If you want to edit, do not use PDF. PDF should be scaled back to what it was needed for. All these "requirements" are really just trying to use the wrong format to do what you want. When you try to make one format do everything in the world it WILL be buggy. It WILL be slow. It WILL be insecure. It's not like the users here never want a PDF to do something else for them. I just refuse to allow it into my environment.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    9. Re:Why does anyone use Adobe reader anymore? by Skuld-Chan · · Score: 1

      Says you, but if you had people handing you cash to do this you'd gladly get your company's engineering department to make it.

      I mean - how do you personally justify HTML with JavaScript? It's the same concept.

    10. Re:Why does anyone use Adobe reader anymore? by Dishevel · · Score: 1

      It's not the point. What I am handed money for is keeping others in the company able to do their job in a safe and secure way at minimal cost to my company. That means that I have to hear some whining once in a while and keep Adobe Reader off my systems. The risk is too high. If my people need to edit documents then they need something that is NOT a PDF. If they need to annotate the PDF then Foxit will do that. It will do it more securely and faster than Reader will. My job is to push for best practices and deal with the bullshit that comes from it. Not to collect a paycheck and follow the path of least resistance.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
  11. Wider target audience by nstrom · · Score: 2, Insightful

    Attacking Adobe Reader means that people who use Firefox are also at risk. For a long while, the popular security paradigm on Windows was that if you used IE you were at risk, but if you kept up with Windows Update and used only Firefox to browse the web you were pretty much safe from the majority of the exploits in the wild. Now that malicious PDFs are out there in force, users of Firefox are vulnerable once again.

    1. Re:Wider target audience by Anonymous Coward · · Score: 0

      For a long while, the popular security paradigm on Windows was that if you used IE you were at risk,

      Just because it was popular doesn't mean it was correct. There have been plugin exploits that have worked in Firefox; this isn't a new technique.

  12. This will kill pdf by dee.cz · · Score: 2, Funny

    One already can't send PDF attachments, or even links to PDFs, to customers without risk of the mail being deleted or lost in the spam folder.

  13. Two simple safeguards that help by BlueParrot · · Score: 3, Informative

    a) Configure your web browser so it asks you to download pdf files instead of opening them automatically.

    b) Use an alternative PDF reader/viewer.

    1. Re:Two simple safeguards that help by Anonymous Coward · · Score: 0

      Firefox will by default use a plug-in for opening PDFs. I wish Firefox opened a dialog with these choices when opening PDFs (or any other files for which plug-ins are installed): save file, open file (with app defined by the shell), open file with firefox plug-in, or send url to external app.

  14. Why? by msauve · · Score: 1

    Probably because, based on UI, speed, size, sheer awkwardness and oddball behavior (does it still act like you're doing a reinstall when you change a config option?), Acrobat consists mostly of unmaintainable spaghetti code - leaving it full of potential exploits.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  15. 80% of exploit code or incidents? by SnuffySmith · · Score: 2, Insightful

    So, as I understand it, this article (and the referenced report) refer to code, not the total number of infections/attacks. It would be useful to know (1) how many computers are affected by PDF attacks, and (2) how many PDFs out there are compromised.

  16. But does it run in Linux? by mspohr · · Score: 3, Funny

    I run Linux and Mac and people keep telling me that I am missing out on all this great software... so I want to know if I can run these neat new "Rogue PDFs".

    --
    I don't read your sig. Why are you reading mine?

    1. Re:But does it run in Linux? by Anonymous Coward · · Score: 0

      I run Linux and Mac and people keep telling me that I am missing out on all this great software... so I want to know if I can run these neat new "Rogue PDFs".

      Why yes, you can!

      Later today, Adobe plans to patch several critical vulnerabilities in Reader and Acrobat for Windows, Mac and Linux.

    2. Re:But does it run in Linux? by Yvan256 · · Score: 2, Interesting

      Since Mac OS X has built-in support to read and write PDFs, who installs Adobe Reader on a Mac?!

    3. Re:But does it run in Linux? by NatasRevol · · Score: 1

      As far as I've ever seen, only Windows converts who don't know any better.

      --
      There are two types of people in the world: Those who crave closure

    4. Re:But does it run in Linux? by lee1 · · Score: 1

      I do, because Preview is so bad.

    5. Re:But does it run in Linux? by JumpDrive · · Score: 1

      Well for one the VP of Technology in our Company.
      But I think it is more a personality issue with him. Basically you can tell him he shouldn't do something for any number of reasons. He will spend days trying to figure out why he has to do something exactly the way you asked him not to do it.
      I just cringed when someone told him he couldn't use Adobe Reader on his MacBook. Sure enough a week later it was installed.

    6. Re:But does it run in Linux? by Anonymous Coward · · Score: 0

      Since Mac OS X has built-in support to read and write PDFs, who installs Adobe Reader on a Mac?!

      If you want to read any PDFs from the SAE you need Acrobat.

    7. Re:But does it run in Linux? by SoupIsGoodFood_42 · · Score: 1

      Bad in what way? I use it all the time for all sorts of files and have found it simple, fast, and reliable.

    8. Re:But does it run in Linux? by lee1 · · Score: 1

      It is those things, but I've found it also has some deficiencies. Two I can think of right now: does not support embedded movies or other pdf annotations, and the rendering of photographs embedded within pdf documents is unsharp. Also, I don't think it handles tagged documents correctly. So for simple documents without pictures, it's ok and lightweight, but for many of the documents I want to use it for, it just doesn't work.

  17. Re:JavaScript just needs to go, wherever it is use by ThinkingInBinary · · Score: 1

    they should have used one that's sensible and not as easily exploitable.

    Why is JavaScript so easily exploitable? It's probably the APIs available to the JavaScript, and not the language (or interpreter) itself that's exploitable.

  18. Adobe is a security nightmare by Coopjust · · Score: 5, Interesting

    (Note: Trying not to slashvertise, just sharing some info about a program that's helped me stay secure. I have no affiliation with Secunia, I just like the tool a lot.)

    I scan with Secunia's (a Danish computer security company) freeware tool to check if I have insecure applications.

    3 times out of 4, when something has a category 4 or category 5 exploit (e.x. click2own), it's Adobe Flash Player, Shockwave, AIR, Reader/Acrobat, etc.

    It's also interesting because it tells you if your browsers are insecure (due to plugins or the browser itself). Both IE8 and Chrome are insecure in current versions with all patches.

    It was pretty eye opening for me, because I thought that I kept secure, but I had 20 insecure applications when I first got the scanner. I'm always skeptical about getting stuff for free, but I imagine that Secunia uses the data to improve the accuracy of their business software.

    To return to the story topic... when possible, use Adobe alternatives (e.x. Sumatra instead of Adobe Reader) and check your flash player and shockwave player versions at least once a week.

    Firefox Users can use Mozilla's plugin check.

    One more thing in my diatribe... recent versions of the Shockwave Player don't update correctly. I installed the latest version to fix a couple of critical vulnerabilities only to find out that it wouldn't remove the vulnerable files from my system directory. I had to download the Shockwave uninstaller, reboot my PC, reinstall Shockwave, and reboot again. I felt like I was back on Windows 9x again.

    1. Re:Adobe is a security nightmare by fishbulb- · · Score: 3, Informative

      I opened the Advanced interface of Secunia PSI, the program overview says:
      'Cannot display graph, as Adobe Flash Player does not appear to be installed in Internet Explorer on your computer...' then provides a link to install it.

      I feel betrayed.

    2. Re:Adobe is a security nightmare by Coopjust · · Score: 1

      I wasn't even aware that the PSI used the Trident rendering engine. I thought for sure they'd use Gecko or WebKit.
      The more you know, I suppose.
      The tool works very well though- it warns me about having insecure versions of GTK, for instance.

    3. Re:Adobe is a security nightmare by Sporkinum · · Score: 1

      That irritated the hell out me too! Especially since flash is a pain in the ass to update. You may install a new one, but old cruft is left behind that can be difficult to remove sometimes. Other than the flash issue, Secunia PSI is excellent.

      --
      "He's lost in a 'floyd hole"

    4. Re:Adobe is a security nightmare by Anonymous Coward · · Score: 0

      (Note: Trying not to slashvertise, just sharing some info about a program that's helped me stay secure. I have no affiliation with Secunia, I just like the tool a lot.)

      Nonsense, I have no affiliation with Microsoft, but in my experience they make the most secure software on the planet. Their programs are all stellar and don't need your Secunia.

      *throws chair*

    5. Re:Adobe is a security nightmare by juancnuno · · Score: 1

      It was pretty eye opening for me, because I thought that I kept secure, but I had 20 insecure applications when I first got the scanner.

      Do you run with administrator privileges? You're not secure if you do so.

    6. Re:Adobe is a security nightmare by sleeper0 · · Score: 1

      Thanks for the secunia pointer, seems like just the type of thing I've been wanting.

    7. Re:Adobe is a security nightmare by Anonymous Coward · · Score: 0

      Very cool tool. Thanks.

    8. Re:Adobe is a security nightmare by Anonymous Coward · · Score: 0

      posted your comment on my facebook. thanks for the links.

  19. Re:JavaScript just needs to go, wherever it is use by Anonymous Coward · · Score: 3, Insightful

    I agree with this analysis of Javascript. It was never designed with security in mind, much like the original versions of Windows.

    That said, it's sort of silly anyway. How do these PDFs arrive? By email or downloaded from the internet. And what do we NOT do with email attachments we don't recognise? We DON'T open them. What do we do with something we downloaded from the internet? Scan it for viruses.

    We all know the defense. It's getting people to use their brains instead of happily clicking on everything that doesn't dodge their mouse pointer.

    The weakest link in security is the user. Ya, it isn't ALL the user's fault, but you can only take secure programming so far before you start trying to protect people from themselves. And, as we all know, trying to protect people from themselves is a good way to piss them off.

  20. It isn't "I want some of that too" by asdf7890 · · Score: 3, Interesting

    In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.

    It isn't that. It is the fact that some of the holes took so long to have patches released, so people who don't read techie news (so didn't know to turn JavaScript off in the case of those holes in that area) were vulnerable for some time even once the flaw was "publicly" known. This gave crackers time to throw together a "me too!" exploit for the same bug, and encouraged them to keep looking at the platform (if a hole, once found, stays open for some time then the effort is more worth it than looking for a hole on a platform where security patches are released in a more timely fashion).

    The other advantage of attacking Adobe's PDF reader is, as with Flash and other cross-browser plug-ins, one of target audience size. A successful attack may affect users of multiple browsers rather than, for example, just those who run a particular version of IE.

    1. Re:It isn't "I want some of that too" by BillX · · Score: 1

      (if a hole, once found, stays open for some time then the effort is more worth it than looking for a hole on a platform where security patches are released in a more timely fashion)

      Even if they are releasing patches the same day, given Adobe's practices to date, who that has been around a few years is naive enough to willfully accept an Adobe update and believe it is in their best interest? Traditionally, an Adobe "upgrade" means only the addition of new flashing adverts in the document window (Reader), DRM functions (Reader), a 10+-meg increase in file size (Reader), doubling of CPU utilization and/or halving of framerate (Flash player), or new privacy-eroding features like persistent "Flash cookies" and free access to your peripherals (Flash player). Anymore, the fear of Russian h4x0rz using your HDD for kiddie porn is the only thing driving the Adobe upgrade cycles, and I would not be surprised if they are happy that way.

      --
      Caveat Emptor is not a business model.

  21. Not just Adobe by bjackson1 · · Score: 3, Interesting

    I just got a trojan yesterday through a PDF, while using Foxit and running Windows 7 x64 in Firefox. I didn't think anything of allowing a website to execute a PDF file (I was not aware at the time that you could execute code through a PDF).

    The trojan downloaded quite a bit of malware onto my system that I spent last night cleaning from the registry. This is the first time I've gotten malware on my computer in years.

    1. Re:Not just Adobe by Anonymous Coward · · Score: 0

      Using an alternative reader is not the ultimate solution. It also helps to disable JavaScript actions in the reader. JScript is mostly seen in PDFs that use forms where user input is done. For the most part you can disable JS and enable it only when needed and you know the true source of the PDF.

    2. Re:Not just Adobe by Inda · · Score: 1

      I'm not calling you a shill, Mr bjackson1, but we all know they lurk on Slashdot.

      Can anyone else confirm that Foxit has known security problems?

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.

    3. Re:Not just Adobe by caluml · · Score: 1

      running Windows 7 x64 in Firefox

      Wow, that's quite impressive! What OS was Firefox running on? Bonus points if it was Linux or Mac.

    4. Re:Not just Adobe by Paradigm_Complex · · Score: 1

      Can anyone else confirm that Foxit has known security problems?

      Sadly, yes. Foxit isn't happy with just doing basic rendering of PDFs, but wants to be a more complete alternative to Adobe's Reader. This includes things like running PDFs' scripting, and makes it harder to implement securely.

      I'm not saying a secure, full-featured PDF reader can't be made, so much as that you're a lot safer using a program that only does the basic rendering. Foxit doesn't fit the bill. It's also closed source >.>

      --
      "A witty saying proves nothing." - Voltaire

    5. Re:Not just Adobe by Anonymous Coward · · Score: 0

      Has Firefox been ported to Emacs yet?

    6. Re:Not just Adobe by pclminion · · Score: 1

      Has Firefox been ported to Emacs yet?

      No, but Emacs will read PDFs now (I'm not kidding)

    7. Re:Not just Adobe by Inda · · Score: 1

      Cheers. I didn't even know it handled JS before checking at home. JS is now off. Time to look for another reader.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.

    8. Re:Not just Adobe by Anonymous Coward · · Score: 0

      http://www.foxitsoftware.com/announcements/200939coAT.html

      foxit has a better security record, not a perfect security record.

    9. Re:Not just Adobe by Anonymous Coward · · Score: 0

      So emacs will run pdfs, pdf supports javascript, a language firefox is written in, which in turn runs windows 7 x64..
      Any chance we can get emacs ported to that to complete the loop?

    10. Re:Not just Adobe by MightyDrunken · · Score: 1

      That bug is fairly old and has been fixed for a while; there is a newer security flaw for Foxit Reader 3 which is equally as dangerous, SA37049. This is patched as well. I'm not sure you will gain better security by changing to another PDF reader.

  22. Re:JavaScript just needs to go, wherever it is use by Anonymous Coward · · Score: 1, Interesting

    It's a very inconsistent language, full of convolution and idiosyncrasies due to it being a hack from the very beginning.

    Just take a look at the wtfjs blog to see some examples of JavaScript's outright stupidity. Keep in mind that those are virtually all language flaws, not problems with the DOM or an API.

    This inconsistency makes it very difficult to implement properly, let alone with good performance, and lets security issues slip in that just wouldn't happen when implementing more sensible languages like C, Python, Ruby or Scheme.

    The problem is with the language itself, not with the DOM or any APIs. That's why the language itself needs to go.

  23. Hard month for Adobe. by quadelirus · · Score: 1

    First flash is blamed for most application crashes on the Mac. Now PDFs are the number one vector for malicious code in Q4 '09. Hard month for Adobe?

    1. Re:Hard month for Adobe. by mambodog · · Score: 2, Informative

      Don't forget the controversy of Adobe allegedly trying to sabotage the HTML5 spec.

    2. Re:Hard month for Adobe. by beakerMeep · · Score: 1

      If you read the emails by the W3C WG, they dismissed that as utter nonsense and normal procedure and rightly criticized those accusing Adobe as being extremely unprofessional.

      --
      meep

  24. Because of JavaScript support in Adobe Reader! by JakFrost · · Score: 3, Informative

    I have noticed that while web browsing, even when using the currently latest Mozilla Firefox 3.5.7 or 3.6 with the Ad-Block Plus and PDF Download add-ons installed, I still would get hit with a web page that would automatically push an Adobe Reader PDF file to me and I would have it open automatically. That PDF would be just a page full of random words, but when inspected in Adobe Acrobat in depth, when you go into the Advanced \ Document Processing \ Edit All JavaScript... menu, you immediately see a script inside the PDF that is launched upon opening that PDF. When I analyzed the script I saw strange calls to the execution functions and methods along with calls to write out encoded data from an array holding hexadecimal values to files.

    With the known exploits in Adobe Reader 9.0 versions and earlier it was easy for me to see why this product was used as a popular attack vector in the last few months for viruses to spread on the Internet.

    Luckily, since I use my computer as an ordinary user and use Run As with User Account Control requesting a password for any administrative work and program installation, I avoided being infected with these Trojan horse PDFs.

    Some of you might recommend using the Mozilla NoScript add-in to block all scripts, but the reality is that there is so much JavaScript code out there on the web that turning scripting off makes many web sites unusable, since they've all been designed with this reliance on scripting for navigation.
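    The inspection JakFrost describes above (a script wired to run when the document opens) can be triaged without ever opening the file in a reader. The following is an added example, not code from the post or from any project mentioned on this page: a small Python checker that walks the PDF name tokens and counts the ones that matter for this threat model (`/OpenAction` and `/AA` for automatic execution, `/JavaScript`, `/JS` and `/Launch` for what gets executed). The two sample PDFs are constructed inline for the demonstration and contain only a harmless `app.alert`. One caveat the example does handle: PDF names may be written with `#xx` hex escapes, so a plain substring search for `/JavaScript` is not enough; one it does not handle: indicators inside compressed object streams, which must be inflated first.

```python
import re

# Constructed sample PDFs for the demonstration (not real malware). The second
# one declares an OpenAction whose target is a JavaScript action object.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SCRIPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same document with the action name written using a PDF hex escape
# (/J#61vaScript). A naive substring search for "/JavaScript" misses this.
ESCAPED_PDF = SCRIPTED_PDF.replace(b"/JavaScript", b"/J#61vaScript")

# Names worth counting for this threat model (hypothetical selection for the example).
INDICATORS = {"/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/EmbeddedFile"}

# A PDF name runs from "/" up to whitespace or a delimiter character.
NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def count_indicators(data: bytes) -> dict:
    """Count occurrences of each indicator name in the raw (uncompressed) PDF bytes."""
    counts = {name: 0 for name in INDICATORS}
    for match in NAME_RE.finditer(data):
        name = normalize_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def triage(data: bytes):
    """Return (verdict, counts). Automatic trigger plus script => suspicious."""
    counts = count_indicators(data)
    auto_trigger = counts["/OpenAction"] + counts["/AA"]
    payload = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"]
    if auto_trigger and payload:
        verdict = "suspicious: action runs automatically on open"
    elif payload:
        verdict = "review: contains script or launch action"
    else:
        verdict = "no script indicators"
    return verdict, counts


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF), ("escaped", ESCAPED_PDF)):
        verdict, counts = triage(sample)
        hits = {k: v for k, v in counts.items() if v}
        print(f"{label:9s} {verdict}  {hits}")
```

    The check is deliberately a first pass: it says nothing about what the script does, only that the document will run one without user interaction, which is exactly the property a mail gateway or download handler can act on (quarantine, or hand the file to a reader with JavaScript disabled, as other posters in this thread recommend).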

    1. Re:Because of JavaScript support in Adobe Reader! by maxume · · Score: 2, Informative

      Uncheck "Preferences->Internet->Display in browser" and Acrobat will prompt you to save those files rather than automatically loading them (this will probably also render your downloading extension redundant).

      --
      Nerd rage is the funniest rage.

    2. Re:Because of JavaScript support in Adobe Reader! by david_thornley · · Score: 1

      Some of you might recommend using the Mozilla NoScript add-in to block all scripts, but the reality is that there is so much JavaScript code out there on the web that turning scripting off makes many web sites unusable, since they've all been designed with this reliance on scripting for navigation.

      If I wanted to disable Javascript entirely, I'd do it in the browser preferences or options or whatever that is. The advantage of NoScript is that it does it selectively. Most sites I go to I've just activated permanently in NoScript. Of course, this leaves me vulnerable to an attack from Slashdot and other such sites, but I can't get perfect security.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes

    3. Re:Because of JavaScript support in Adobe Reader! by downhole · · Score: 1

      The nice part about NoScript is the selective script blocking. With just the browser on its own, you can only turn JavaScript on entirely or off entirely. NoScript lets you turn on JavaScripts from the domains of the site that you're browsing, and block all others, like the dozens of scripts from all of the ads doing God knows what. Like on Slashdot, I can allow slashdot.org so that the threads all show up right, and still have the other scripts, reportedly from fsdn.com and doubleclick.net, blocked. You can block everything by default, and if you go to a page that doesn't work well enough, start enabling scripts until it works right while still blocking all of the nasty and annoying stuff.

      --
      I don't reply to ACs

    4. Re:Because of JavaScript support in Adobe Reader! by Anonymous Coward · · Score: 0

      But Acrobat, which is buggy and insecure, is still running. Probably harmlessly, but why take the chance?

      Instead, go to Tools->Add-ons->Plugins and disable the Adobe Acrobat plugin. Then FireFox will prompt you to save PDF files or open them in Acrobat.

  25. Which PDF viewer? by pseudofengshui · · Score: 1

    I'm using Foxit Reader right now, but after hearing about vulnerabilities similar to Adobe I'm reviewing my options.

    Anyone have some suggestions for a more secure PDF reader?

    --
    [Text goes here]

    1. Re:Which PDF viewer? by Anonymous Coward · · Score: 1, Funny

      I have found the best solution is to contact the site owner and request they print out the PDF and snail mail it to you.

    2. Re:Which PDF viewer? by hitnrunrambler · · Score: 2, Interesting

      I'm wondering the same thing myself. I use Sumatra instead which is a far more stripped down reader. My instincts tell me that I'm safer because it doesn't have all of the integration (java etc) but I'd love to see some comparisons.

    3. Re:Which PDF viewer? by Anonymous Coward · · Score: 0

      Preview.app :)

    4. Re:Which PDF viewer? by jonadab · · Score: 1

      > Anyone have some suggestions for a more secure PDF reader?

      Sure. First use pdf2ps to convert it to PostScript, then use other software (e.g., PStill) to convert it to eps, then use Inkscape to convert that to SVG, use Gimp or ImageMagick to rasterize it (e.g., to PNG) and open the result in IrfanView for viewing and printing. Each step of this operation can be done in a separate virtual machine...

      --
      Cut that out, or I will ship you to Norilsk in a box.

    5. Re:Which PDF viewer? by Raven737 · · Score: 1

      Well, if you just want to READ PDF files (not print them) then I would suggest just loading them in Google Docs.
      You don't need any plugins for that (no Flash etc.) as each page is simply converted to an image server side. I would think that this is secure.

      In any case I always disable all file format plugins in Firefox. It actually happened a few days ago that I was suddenly asked to save a PDF file even though I didn't click on any link; on examining Adblock I found a hidden iframe that apparently tried to load what I am very certain was a malicious PDF in the background.

  26. Re:JavaScript just needs to go, wherever it is use by DeadCatX2 · · Score: 1

    Why is JavaScript so easily exploitable?

    Probably because it's a weakly typed language and therefore programmers are sloppy when they use it.

    --
    :(){ :|:& };:

  27. Duh. by castironpigeon · · Score: 0

    It's not difficult to figure out why PDFs are targeted.
    1. Most big corporations and academia use PDFs for everything from forms to memos to sending photos of last week's retreat.
    2. Most big corporations and academia hire super-specialists that can, for example, diagnose a medical issue that occurs in 1 in 10,000,000 people within 5 minutes, but these people cannot function in the larger world and have no time, patience, or idea of what to do with these things you call "files."
    3. Most of these aforementioned corporations and academia will have ridiculously oversized bureaucracies that can agree to standards once every 15 years, are easily swayed by easy solutions, such as those advertised by Adobe, and don't really know or care about whether anything gets done so long as the policies they set 15 years ago are followed to the letter.
    4. And yes, Adobe makes awful, bloated software that's full of security holes and doesn't get patched for weeks or months after those holes are made public.

    In other words, the issue is roughly 25% bad software and 75% PEBKAC.

    --
    mmmm...forbidden donut

  28. Javascript in PDFs? How dumb is Adobe? by bradley13 · · Score: 2, Insightful

    As another poster pointed out: including scripting capabilities in "static" documents is just dumb. We've already been through this a few years ago, with people sending around Microsoft Office documents.

    Microsoft "fixed" this, in the sense that Office now warns you if a document contains scripting. Better, of course, is that many people have learned not to send or accept such documents in the first place. This was part of what made PDFs popular: a format to send documents that (a) cannot easily be changed and (b) is not a security risk. Millions of business documents are sent as PDFs just for these reasons.

    How stupid must Adobe be, to open themselves to this kind of attack. There should be no scripting in PDF documents. Alternatively - second best - scripting should be disabled by default, unless the user specifically authorizes it (as with Microsoft Office documents).

    Bad Adobe, no donut.

    --
    Enjoy life! This is not a dress rehearsal.

  29. Ubiquity... by Bert64 · · Score: 1

    They target Adobe's PDF reader because it is extremely widespread, most users don't even realise PDF is a standard and that other readers exist... They think it's a proprietary format only supported by a single program.
    As a consequence, virtually every potential victim will be running exactly the same code, or a small subset of possible versions making them a very easy target.
    Also Adobe's software hasn't been attacked much before, and therefore is likely to have many more undiscovered bugs.

    This is also the reason IE is generally targeted less, now that other browsers are taking significant market share away, except in corporate deployments (where the recent attacks on google proved that targeting IE is still an effective strategy).

    Also, most malware filters permit PDF files through..

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!

  30. gentlemen the time is now. by nimbius · · Score: 1

    We can no longer wait while this threat emerges; it is time for us all to purchase ScanSafe(c) and renew contracts regularly and indefinitely to their fullest. May there be no further discussion of alternative readers, operating systems, or patches and repairs that could be made. This report clearly outlines the repercussions of using the PDF format in that it is an unholy vessel by which godless demons infest your small business and personal computer to rape the data within. Only through the glory of ScanSafe may you truly be at ease.

    --
    Good people go to bed earlier.

  31. clueless... by hesaigo999ca · · Score: 1

    This statement shows how clueless the author is about why hackers chose Adobe.
    >Exactly why hackers choose Adobe as their prime target is tougher to divine
    Adobe apparently has 99% market share for the PDF industry... and also offers free readers without the need for a license or redistribution.
    If you consider also that almost all Windows machines have some form of Adobe Reader, Writer or other installed on them, and most apps cross-communicate formats, then you can see why the most successful hacks are PDF files.

    I use the Foxit PDF viewer, as it does not contain all the vulnerabilities that Adobe does, as it does not allow JavaScript etc.
    For the same reason I prefer Firefox over IE.

  32. Re:JavaScript just needs to go, wherever it is use by Zaiff+Urgulbunger · · Score: 1

    It's a very inconsistent language, full of convolution and idiosyncrasies due to it being a hack from the very beginning.

    Ahhh I see the problem -- you're confusing JavaScript with PHP!

  33. And it's another Windows problem by David+Gerard · · Score: 1

    Acrobat is cross-platform, but this only affects Windows users in practice - because Mac users use Preview, and Unix users use something Xpdf/GhostScript-derived.

    Solution: FoxitPro. Now.

    --
    http://rocknerd.co.uk

  34. Anyone else catch this typo? by Kryptonut · · Score: 1

    "In 2009, 107 Abode vulnerabilities were logged into CVE, nearly double the 58."

  35. Sumatra PDF - sort of OK, maybe. by Animats · · Score: 2, Informative

    I've been using Sumatra PDF for the last year. It's rather clunky and uses too much memory on long documents, but it's adequate for most viewing.

    Its renderer is rather slow, though. And when you zoom, it renders the document first zoomed in X, then, seconds later, in Y as well. That's just stupid.

  36. Yet another reason by Anonymous Coward · · Score: 0

    why Adobe needs to die.

  37. Missing the broad side of the barn by westlake · · Score: 1

    Exactly why hackers choose Adobe as their prime target is tougher to divine, however.

    Adobe Reader and Adobe Flash have as close to a 100% share of the desktop as makes no difference. The geek's dislike of these programs has had no more effect on their use than the phases of the moon or the rising and setting of the sun.

    The Complete National Geographic on DVD was a runaway software best-seller during the Christmas shopping season. Adobe AIR powered, of course.

    The Flash 10 Beta Player [for Windows] delivers hardware accelerated H.264 HD video today - and not in some nebulous HTML5 future.

  38. There are several steps to lock down Adobe Reader by WD · · Score: 1

    This US-CERT vulnerability note has details for steps for making Adobe Reader safe to use:
    http://www.kb.cert.org/vuls/id/508357

    As you mentioned, disabling JavaScript helps. But you can also prevent PDFs from opening automatically with the plug-in, and also prevent them from opening automatically with the stand-alone reader. There are some other mitigations there as well.

    Of course, this all requires manual configuration. There is no hope for the average home user.

  39. Re:JavaScript just needs to go, wherever it is use by Anonymous Coward · · Score: 0

    PHP brings the shittiness of JavaScript server-side. JavaScript brings the shittiness of PHP client-side.

  40. Re:JavaScript just needs to go, wherever it is use by BillX · · Score: 1

    And what do we NOT do with email attachments we don't recognise? We DON'T open them. What do we do with something we downloaded from the internet? Scan it for viruses.

    It's possible that .PDF exploits are so successful because the average user doesn't think of them as an executable file. Under windows, the idea of "don't open .exe attachments!" has been drummed into the heads of all but the noobest of noobs (grandparents, AOL'ers etc.), but how many "experts" pass every web URL to a virus scanner before browsing to it? (Buffer overflow exploits against some JPG and PNG parsers exist in the wild and may be successfully exploited in older browsers as well as graphics packages.) How many scan a .txt file for viruses? (Even Microsoft's notepad.exe includes one or more undocumented "parsing" features* besides plain text display; who knows if an exploitable bug exists in any of them.) Another way to think is, whose fault is it *really* that a non-executable filetype is... well, executable?

    * try this: under Win32, create a new file in Notepad.exe starting with the exact string ".LOG" (no quotes), save and close, and open the file again. The current date and time will be automagically pasted in each time you open the file.

    --
    Caveat Emptor is not a business model.

  41. Foxit, Sumatra, PDF-Xchange, others? by Anonymous Coward · · Score: 0

    I've seen references to people using Foxit and Sumatra as alternatives for PDF viewers; I'd like to suggest Tracker's PDF-XChange (Google it) as another good option. Tracker sells development tools for working with PDFs, so I suspect the free version of the viewer is considered to be a showcase. They also have several additional layers of viewers and editors, much like Adobe does.

    As for JavaScript, if it's turned on in the viewer application there's also a warning message when it's being used.

    Finally for Firefox consider Nitro PDF's Firefox plugin that prompts you for each PDF file as to whether you want to open it or save it - this may prevent some attacks, though I'm not sure how it handles embedded PDFs.