Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Finally Fixes Remote Launch 0-Day

Posted by kdawson on from the stay-safe-out-there dept.

Trailrunner7 sends in this excerpt from Threatpost (Adobe announcement here): "Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac, and Unix users to malicious hacker attacks. The update, which affects Adobe Reader/Acrobat 9.3.2 and earlier versions, includes a fix for the outstanding PDF '/Launch' functionality social engineering attack vector that was disclosed by researcher Didier Stevens. As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file." Relatedly, Brian Krebs blogs about the downsides of Adobe's increasingly Byzantine update process.

15 of 82 comments (clear)

  1. It's not a 0-day anymore.... by snowraver1 · · Score: 4, Insightful

    Why is every unpatched exploit a 0-day attack? Wouldn't this be more like a multi-month exploit?

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    1. Re:It's not a 0-day anymore.... by Darkness404 · · Score: 3, Informative

      Because its an attack out in the wild that the developers didn't know about and before a patch can be shipped.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:It's not a 0-day anymore.... by vawarayer · · Score: 5, Funny

      Details in the PDF file attached to this e-mail.

    3. Re:It's not a 0-day anymore.... by Skuld-Chan · · Score: 3, Informative

      The difference is how much warning you get. Most of the security bugs Adobe fixes are found internally (you'll never hear about those - unless it greatly affects product functionality), and even those told to them externally by 3rd party researchers they usually get a several month lead time.

      Zero day bugs are where some guy says "surprise look what I found" on his blog without any warning despite how long a bug takes to fix.

    4. Re:It's not a 0-day anymore.... by tomhudson · · Score: 2, Informative

      Not so hard to do with web platforms, where "pushing it out" means changing a file or two on a server.

      Of course, we've seen (here on slashdot) what happens when you try to do that too often ... but most of us have probably been in a situation where we're told to shell into the box and manually edit a file "right now!!!" with a best-guess way to stop something from being a problem, even if it's only to disable certain functionality temporarily while you work out a real fix.

    5. Re:It's not a 0-day anymore.... by grcumb · · Score: 3, Informative

      Zero day bugs are where some guy says "surprise look what I found" on his blog without any warning despite how long a bug takes to fix.

      No, zero-day exploits are are... (wait for it) actively exploited in the wild before the first 'look what I found' ever appears.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    6. Re:It's not a 0-day anymore.... by lennier · · Score: 2, Insightful

      Nope. Exploitation and disclosure are two completely different things.

      If you've found an unpatched exploit and you're a black hat, are you going to blog to the whole world about it? Or quietly add it to your botnet kit without telling anyone?

      If the second, it's a 0-day. No warning, no defense, no lead time, just blam, click the wrong web page, read the wrong email, or open the wrong PDF and you're rooted without knowing it.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  2. Re:Still I don't know by The+MAZZTer · · Score: 2, Funny

    At first I thought you were just clueless, then I realized you were just a troll, now I'm just confused.

  3. The Microsoft Word of PDF viewers by MacCoder · · Score: 5, Informative

    For the 90% of us who don't require all the minutiae of functionality and cruft which Adobe Reader offers, there are options. Obviously Mac folk are covered by Apple's built in Preview, but on Windows, Sumatra PDF is amazing and ridiculously small. It's better than Foxit, in my opinion, for barebones PDF viewing in Windows. Check it out! http://blog.kowalczyk.info/software/sumatrapdf/index.html

    1. Re:The Microsoft Word of PDF viewers by lgw · · Score: 3, Interesting

      Sadly, my employer has chosen a payroll provider (ADP) that requires Adobe Reader specifically to view paystubs. Foxit won't work, nor will any of the other options (apparantly Acrobat has some stupid web toolbar option that's beyond PDF). Why would anyone do that? Now when I need to see my paystub I have to download 200MB of Adobe cruft, then later uninstall it along with Adobe Download Manager and a bunch of other crap that Adobe stuffs in along the way. Man, I hate Adobe these days.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  4. Re:Still I don't know by xie · · Score: 2, Informative

    You would have to be running pre-10.1 version of flash first. Then the exploit would have to force your system to execute code that was written for *nix. Since Windows is the majority of the market I doubt anyone has taken the time to write such code for this exploit. I think your safe. :)

  5. Re:I Uninstalled Adobe Reader by Skuld-Chan · · Score: 3, Informative

    It's not like Foxit is completely without security flaws either.

  6. Re:I Uninstalled Adobe Reader by Skuld-Chan · · Score: 4, Informative

    And doing just a bit of research - Foxit only fixed this exact same bug 2 weeks earlier than Adobe.

  7. MSP installer by darthservo · · Score: 4, Informative

    The MSP Installer is also available for those who may use Adobe Reader in silent installs/updates.

    Side rant: Why does Adobe still only offer the unpatched versions of Reader on their front page?

    --

    Prove it.

  8. Re:Still I don't know by lgw · · Score: 3, Informative

    Apparantly, the same vulnerability existed in both products (Flash was patched a couple of weeks ago). I'm not sure how that works - I thought this was the vulnerability inherent in the PDF spec (Foxit had a patch out the same week this was disclosed).

    --
    Socialism: a lie told by totalitarians and believed by fools.