Slashdot Mirror


New Adobe PDF Zero-Day Under Attack

Rahmmp writes "Adobe has sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild. An Adobe spokeswoman described the attacks as 'limited' but warned that that could change with the availability of public samples and exploit code."

203 comments

  1. No credibility to this story by symbolset · · Score: 5, Funny

    Whenever we have a credible PDF exploit story, the slashdot fine summary always links to a reliable PDF document that explains the exploit in detail. Sorry, not buying this one.

    --
    Help stamp out iliturcy.
    1. Re:No credibility to this story by tlhIngan · · Score: 2, Informative

      Whenever we have a credible PDF exploit story, the slashdot fine summary always links to a reliable PDF document that explains the exploit in detail. Sorry, not buying this one.

      Funny, the only PDF I can find is a link from the FA which demonstrates the attack. The article itself is a regular web page, and I can't seem to find a PDF of the full disclosure.

    2. Re:No credibility to this story by docrmc · · Score: 1

      I would have been more skeptical had I not already been made aware, this morning, of an ongoing attack against my Pop's workplace, via a zero-day PDF vulnerability. Forgive me if I don't name-drop the company, but I'd definitely confirm any public statement they make at some later date...

      --
      "Moral indignation is just jealousy with a halo."
    3. Re:No credibility to this story by BrokenHalo · · Score: 1

      There's a nice little glossing-over in TFA:

      Details on the vulnerability are not yet public [...] However, Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community...

      But obviously not thee or me. Guess it's just as well I'm not depending on Adobe for anything important.

    4. Re:No credibility to this story by BrokenHalo · · Score: 1

      Just when I thought I didn't need to bother with a preview... :-|

    5. Re:No credibility to this story by amicusNYCL · · Score: 1

      That's not a PDF... You can tell, because a PDF file ends with ".pdf".

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    6. Re:No credibility to this story by camperslo · · Score: 1

      Those that don't trust zdnet can go to where Adobe mentions this issue (CVE-2010-2883).

    7. Re:No credibility to this story by jonescb · · Score: 1

      File extensions aren't a reliable way to determine the file type. You can change the .pdf extension on a file to .xxx, but it's still a PDF file. Any decent PDF reader would read it.

    8. Re:No credibility to this story by Dr_Barnowl · · Score: 1

      The .scr file extension (screensaver) is treated the same as .exe on Windows; stupid, isn't it?

      Unpacking the content of that file reveals a bunch of nasty VBScript that tries to worm its way into your machine and anything else near it on the network, amongst other stuff, I'm sure. Nice.

    9. Re:No credibility to this story by amicusNYCL · · Score: 1

      Right, a PDF reader isn't going to open that, and if it did then it wouldn't execute the VBScript. That's not a PDF exploit, that's basically a phishing attack to try to get someone to open something that's not what they think it is.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    10. Re:No credibility to this story by amicusNYCL · · Score: 1

      See my reply below to Dr Barnowl, this is not a PDF exploit.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    11. Re:No credibility to this story by lgw · · Score: 1

      Guess it's just as well I'm not depending on Adobe for anything important.

      The biggest payroll provider (ADP) has this brain-dead system where you can't see your paystub online unless you install Adobe Reader. The Adobe Reader download is up to 200MB now, IIRC, and requires you to first download a download manager, and is just a pain in the ass to install. Every time I want to look at a paystub online, I have to install this crap, look at what I need, uninstall this crap, and reinstall Foxit.

      Never choose a partner who will force you to use Adobe for something important!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    12. Re:No credibility to this story by Tynin · · Score: 1

      We just started getting the same email a few minutes ago linking to the same place. That said, this isn't a pdf exploit.

    13. Re:No credibility to this story by Svartalf · · Score: 1

      What's braindead is that many employers are going "paperless" with them, and you HAVE to view the stubs online.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    14. Re:No credibility to this story by zn0k · · Score: 1

      The current reader is under 30MB in size, and while they hide it a little bit you can absolutely download it without their download manager.

    15. Re:No credibility to this story by Critical+Facilities · · Score: 1

      What's braindead is that many employers are going "paperless" with them, and you HAVE to view the stubs online.

      OK, I'll bite, why do you feel that this is "braindead"? A lot of us like it.

    16. Re:No credibility to this story by lwsimon · · Score: 1

      I wonder if we all work in the same place, and this is targeted? Look up my Employee ID - 1747226. Does my name come up?

      --
      Learn about Photography Basics.
    17. Re:No credibility to this story by Sir_Lewk · · Score: 1

      Having the option is nice. Being forced to do it paperless is braindead. I hope you can see the difference there...

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    18. Re:No credibility to this story by gstoddart · · Score: 1

      Funny, the only PDF I can find is a link from the FA which demonstrates the attack. The article itself is a regular web page, and I can't seem to find a PDF of the full disclosure.

      Congratulations, you get a whoosh, he got a Funny mod.

      Bonus points if you can reason out the humor in his post.

      --
      Lost at C:>. Found at C.
    19. Re:No credibility to this story by Critical+Facilities · · Score: 1

      Well, I guess I just don't get the significance. If, for some reason, you need to check your paystub every time and/or need a written record of it, is it really any harder to click a link and print it, if needed? I mean, to me, it's a bigger hassle to have to wait for it to arrive in the mail and hope it doesn't get lost by my postal carrier (which has happened), so it seems to me that having it electronically really gives you the option of how/when/if you want to check it.

    20. Re:No credibility to this story by Sir_Lewk · · Score: 1

      I mean, to me...

      You make the mistake of assuming that everyone prefers things as you do.

      It's fine that you prefer an electronic version. I do as well, and many other people do too. However, the many other people who prefer otherwise should have that option as well. Not everyone uses, likes, or trusts computers. Not everyone has a job that requires the use of a computer (read: most people), and some people would rather avoid computers on their freetime as much as possible. You enjoy the options electronic paystubs give you. Other people want the option not to bother with electronic paystubs.

      The only reason not to offer hard-copy paystubs as an opt-in option is laziness and cheapness. Therefore, it is braindead.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    21. Re:No credibility to this story by aiht · · Score: 1

      Yes, but Windows wouldn't know that's what it was, so would not load the PDF reader when you double-click.
      Linux environments (in my experience) tend to trust the extension less, and detect a mime-type based on contents as well as (possibly) extension.
      That sort of scheme could correctly open a mis-named PDF.

    22. Re:No credibility to this story by ozmanjusri · · Score: 1

      Forgive me if I don't name-drop the company

      Can you at least give us an idea of which OS they use?

      Most of these Adobe vulnerabilities only affect one Operating System...

      --
      "I've got more toys than Teruhisa Kitahara."
    23. Re:No credibility to this story by docrmc · · Score: 1

      Their software requires Windows XP/Vista (probably x86). I put my father on 7 x64, at home, but he wasn't stupid enough to get infected for me to find out if 7 is vulnerable :P

      --
      "Moral indignation is just jealousy with a halo."
  2. What is this stupidity??? by gweihir · · Score: 5, Insightful

    PDF is not a highly complicated format. It should be easy to interpret it safely. I strongly suspect that Adobe has invested exactly nothing into Acrobat Reader security over the years. Stupid. Incredibly stupid. Anybody that can should move to the alternatives right now.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:What is this stupidity??? by Darkness404 · · Score: 4, Insightful

      Because Adobe has decided to take what should be a basic document format and added scripting to it.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:What is this stupidity??? by martas · · Score: 2

      what alternatives? no, seriously?

    3. Re:What is this stupidity??? by Anonymous Coward · · Score: 0

      I hear there's this markup language that supports linking between documents, a sort of "hypertext" if you will. Maybe people could move to that. If only I remembered what it was called...

    4. Re:What is this stupidity??? by Lunix+Nutcase · · Score: 1

      You might have a point if not for the fact that the alternatives like FoxIt have had to patch their fair share of security holes as well (with a number of them being the exact same issue as spotted in Reader).

    5. Re:What is this stupidity??? by Lunix+Nutcase · · Score: 1

      Because HTML rendering is exactly the same on every system in every browser? Oh wait, it's not and thus is not an alternative to PDF.

    6. Re:What is this stupidity??? by MozeeToby · · Score: 4, Informative

      Foxit Reader is a nice alternative. It opens quickly, doesn't feel the need to update every other day or keep an updater service running all the time, and it doesn't have as nearly as many security issues. Alternatively, you could just do a search for pdf reader -adobe and come up with a variety of alternatives yourself.

    7. Re:What is this stupidity??? by MozeeToby · · Score: 1

      If you really need layout to be consistent (and really, unless you're printing, that seems like an obsolete idea to me) you could use TeX. Considering the original goal was "to provide a system that would give the exact same results on all computers, now and in the future", I think it meets your requirements.

    8. Re:What is this stupidity??? by 6031769 · · Score: 2, Informative

      xpdf.

      --
      Burns: We're building a casino!
      McAllister: Arrr. Give me 5 minutes.
    9. Re:What is this stupidity??? by Pascal+Sartoretti · · Score: 5, Informative

      what alternatives? no, seriously?

      The alternative is a format called PDF/A (see http://en.wikipedia.org/wiki/PDF/A), which happens to be exactly what you are looking for: a subset of PDF excluding (among others) scripting, video or audio.

      Now, all we need is a PDF reader with an option "only open PDF/A documents"
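
A content-based gate of the kind aiht (detect the type from the contents, not the extension) and Pascal Sartoretti (a reader that only accepts a PDF/A-style subset) describe, as an added example that is not code from the original thread: it classifies a file by its header and then looks for the scripting, launch and multimedia names that PDF/A excludes, including inside inflated streams and hex-escaped names. The sample files are constructed, and the key list and the 1024-byte header window are my assumptions.

```python
import re
import zlib

# Constructed example values; the thread discusses the idea, not this code.
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"  # DOS/PE header: what a .scr/.exe renamed to look like a PDF starts with

# Name objects that introduce active content. PDF/A forbids JavaScript, Launch and
# multimedia actions; /OpenAction and /AA fire automatically when the document opens.
# /EmbeddedFile is included because a PDF can carry an arbitrary attachment.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/RichMedia", b"/EmbeddedFile")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def sniff(data: bytes) -> str:
    """Classify by content, not by file name (cf. the .scr named like a PDF in the thread).
    Readers accept the %PDF- header anywhere in the first 1024 bytes, so look there."""
    if data.startswith(PE_MAGIC):
        return "pe-executable"
    if PDF_MAGIC in data[:1024]:
        return "pdf"
    return "unknown"


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes so /J#61vaScript scans the same as /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield the inflated body of every FlateDecode stream; non-zlib streams are skipped.
    decompressobj tolerates a body the regex trimmed by a byte and returns what it can."""
    for m in STREAM_RE.finditer(data):
        try:
            out = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
        if out:
            yield out


def active_content(data: bytes) -> set:
    """Return the active-content names present in plain objects or inside inflated
    streams (PDF 1.5 object streams compress whole dictionaries). Names stay in the
    clear even in encrypted PDFs; a real PDF parser is still the right tool for a
    production gate, this is a heuristic scan."""
    found = set()
    for piece in [data, *inflate_streams(data)]:
        text = normalize_names(piece)
        for key in ACTIVE_KEYS:
            # A name ends at a delimiter, so /JS must not match /JSomething.
            if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", text):
                found.add(key.decode())
    return found


def gate(filename: str, data: bytes) -> tuple:
    """Decide whether to hand a file to the reader: ("allow"|"reject", reasons)."""
    kind = sniff(data)
    if kind != "pdf":
        return "reject", [f"{filename}: content is {kind}, not a PDF"]
    keys = active_content(data)
    if keys:
        return "reject", [f"{filename}: active content {', '.join(sorted(keys))}"]
    return "allow", []


# --- constructed samples (not real malware, not from the story) ---
SCREENSAVER = b"MZ\x90\x00" + b"\x00" * 60 + b"This is not a PDF, it is a PE file"
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SCRIPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /J#61vaScript /JS (app.alert(1)) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_stream_pdf() -> bytes:
    """A PDF whose action dictionary sits inside a FlateDecode stream."""
    body = zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
    return (b"%PDF-1.5\n1 0 obj << /Type /Catalog >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for name, blob in [("statement.pdf.scr", SCREENSAVER), ("benign.pdf", BENIGN_PDF),
                       ("scripted.pdf", SCRIPTED_PDF), ("stream.pdf", build_stream_pdf())]:
        print(name, *gate(name, blob))
```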

    10. Re:What is this stupidity??? by icebraining · · Score: 1

      Zathura, Evince, ePDFview, Okular...

    11. Re:What is this stupidity??? by Anonymous Coward · · Score: 1, Informative

      In Gnome use Evince, or in KDE use Okular or KPDF, instead of Adobe Reader (Evince and KPDF are also available for MS Windows, if you must use that buggy software). These GNU/Linux applications are simpler and safer when dealing with PDF files. They support reading PDF files, fillable PDF forms, etc. but not the more fancy stuff that opens security holes.

      I wish we had two document standards: PDF and something else, let's call it "PDM" for portable document - multimedia, where Adobe can stick all of the buggy crap they want.

    12. Re:What is this stupidity??? by SQL+Error · · Score: 4, Interesting

      They took a document programming language and stripped out all the programming features to make a document description format.

      And then they added a programming language.

    13. Re:What is this stupidity??? by drolli · · Score: 4, Interesting

      Let me add: They started from a programming language where security is *easy to implement*.

    14. Re:What is this stupidity??? by amorsen · · Score: 1

      TeX is somewhat difficult as a render target. In the general case it degenerates to embedding PS or PDF images...

      --
      Finally! A year of moderation! Ready for 2019?
    15. Re:What is this stupidity??? by sqlrob · · Score: 4, Insightful

      I've never heard a 700 page specification called "not highly complicated"

    16. Re:What is this stupidity??? by carn1fex · · Score: 1

      It is total bullshit. I recall in years past one of the primary advantages of using PDFs was that you could trust them from random web links as if they were JPGs. I recall my professors saying not to send any homework in DOC format because of its silly security problems. Nowadays I get IP block notices from our admins the minute my PDF reader is outdated. It is ridiculous.

      --
      No matter how thin you slice it, it's still baloney.

    17. Re:What is this stupidity??? by Lennie · · Score: 2, Interesting

      Funny you should mention that one, the last non-scripting exploit for Adobe Acrobat Reader was also an exploit for Foxit Reader.

      --
      New things are always on the horizon
    18. Re:What is this stupidity??? by MozeeToby · · Score: 5, Informative

      Yep, and Firefox and Chrome have had exploits too. So have Linux, the iOS, and Mac OS 10. So has nearly every piece of popular, complex software. The rate of exploits found that affect Foxit is trivial compared to the number found in Adobe Reader.

    19. Re:What is this stupidity??? by Anonymous Coward · · Score: 0

      It was an exploitation of the format itself. The format called for the ability to run commands (like System.exec in Java or sys in C). It's hardly due to poor implementation that this can be exploited. It's entirely due to poor specification that this was exploited.

    20. Re:What is this stupidity??? by Anonymous Coward · · Score: 0

      Let me finish by saying Adobe sucks.

    21. Re:What is this stupidity??? by lahvak · · Score: 1

      Is this latest vulnerability related to scripting? The article is somewhat short on details.

      --
      AccountKiller
    22. Re:What is this stupidity??? by nashv · · Score: 2, Informative

      How about XPS? *ducks* But seriously, the major problem is to convert the tons of literature, especially academic/scientific, that exists as PDF into something else...

      --
      Entia non sunt multiplicanda praeter necessitatem.
    23. Re:What is this stupidity??? by The+Moof · · Score: 1

      PDF is not a highly complicated format

      Truly spoken like someone who has never looked over the full PDF format specification. Here's a link to all 980 pages of version 1.4. It's a little outdated, but you get the idea of how complex it actually is.

    24. Re:What is this stupidity??? by Anonymous Coward · · Score: 0

      Simple, use a mac ..

    25. Re:What is this stupidity??? by nashv · · Score: 1

      Or just go to the Acrobat settings for Javascript and the Trust Manager (which by default is set to require explicit permission to execute scripts), to set up according to how much paranoia you feel...

      --
      Entia non sunt multiplicanda praeter necessitatem.
    26. Re:What is this stupidity??? by Anonymous Coward · · Score: 0

      I tried Foxit for a while. Too often it didn't play nice with .pdfs.
      An example is the monthly bill I get from the utility company. A password protected pdf form that I can fill out and pay my bill electronically with. Foxit wouldn't even open it.

      I tried it at the office for a while, but had many more complaints about pdf not opening (generated by other agencies). I finally removed it and re-installed Adobe. I haven't had a call about a pdf not opening since.

    27. Re:What is this stupidity??? by Anonymous Coward · · Score: 0

      Is Sumatra susceptible as well? It's often not to things Acrobat and Foxit are.

    28. Re:What is this stupidity??? by Anonymous Coward · · Score: 0

      Stupidity is not reading the actual URL and realizing it is NOT A PDF file... it is a .SCR file with some mumbo jumbo about PDF to play mental tricks....

      FOOLED every one of you who are bitching about Adobe. I for one love Adobe !

    29. Re:What is this stupidity??? by drspliff · · Score: 1

      xpdf is *old*. You should be using Poppler, which is actively maintained and very fast.

    30. Re:What is this stupidity??? by 0123456 · · Score: 1

      Stupidity is not reading the actual URL and realizing it is NOT A PDF file... it is a .SCR file with some mumbo jumbo about PDF to play mental tricks..

      These days I think I'd be more worried by a PDF file that pretends to be a screensaver than a screensaver that pretends to be a PDF file...

    31. Re:What is this stupidity??? by hairyfeet · · Score: 2, Informative

      Foxit actively sandboxes and refuses to run ALL code embedded in a PDF unless you actively turn off safe reading, and they have been doing this for quite awhile now, since that last bug you mentioned.

      And for anybody dealing with clueless users that want a butt simple way to install Foxit or several other free PDF readers like Sumatra, or need a butt simple way to install most of the basics like Chrome, Firefox, or Flash, I'd suggest Ninite, which has fully automated installers for over 90 programs. Simply tell them which boxes to check and then run the installer. That's it. No toolbars, no "clicky clicky next next next", it just installs the software and leaves a shortcut on the desktop. Sweet and simple.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    32. Re:What is this stupidity??? by gmuslera · · Score: 1

      That is ANOTHER reason to move to HTML (or another format that can flow the content to the way it is being displayed), at least for the cases where it is not strictly required that things look exactly the same on every device, even when they can't at a decent resolution. It is a format that is being abused. How many PDFs do you have whose content really requires that it doesn't flow or get reformatted to better fit your screen, on whatever device you have? We usually don't need a slideshow of photos of the pages of a real book; we need its content on a computer in the way that makes it easiest for us to read.

    33. Re:What is this stupidity??? by Mr+44 · · Score: 1

      PDF is not a complicated format? Are you kidding? It is an insanely complex format, with many many subtleties and variations. The PDF format was first defined in the mid 1980's, if that gives you any idea. And to the poster talking about PDF/A, that barely reduces the surface at all.

    34. Re:What is this stupidity??? by hercubus · · Score: 1

      The alternative is a format called PDF/A...

      I'm sticking with the current Adobe-approved PDF/U

      --
      -- How I want a drink, alcoholic of course, after the heavy lectures involving quantum mechanics.
    35. Re:What is this stupidity??? by bertok · · Score: 1

      Yep, and Firefox and Chrome have had exploits too. So have Linux, the iOS, and Mac OS 10. So has nearly every piece of popular, complex software. The rate of exploits found that affect Foxit is trivial compared to the number found in Adobe Reader.

      That needs a bit of clarification: Nearly every piece of popular, complex software, written in C or C++.

      It's much harder to attack 'user' mode software written in safe managed languages like C# or Java.

      Mind you, Adobe hires programmers who think it's a great idea to add "arbitrary code execution" to a document format not as a bug, but as an integral part of the spec! Sigh...

    36. Re:What is this stupidity??? by Anonymous Coward · · Score: 0

      Mac OS 10? A new version of the classic OS?

    37. Re:What is this stupidity??? by node_chomsky · · Score: 1

      I am with you on this, but the best part is that PDF is an ISO format, so we can keep using it, but without Adobe garbage.

    38. Re:What is this stupidity??? by node_chomsky · · Score: 1

      Hear! Hear! Seriously though, TeX is great, and most TeX suites output PDFs anyway. I like PDFs, but I cannot stand the direction Adobe has gone in recent years.

    39. Re:What is this stupidity??? by 0111+1110 · · Score: 1

      what alternatives? no, seriously?

      Adobe Reader 5, 6, or 7. I have been using version 5 or 6 for many years. Only recently have I bothered installing 7. From the looks of things I will avoid installing 8 or 9 for as long as possible.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    40. Re:What is this stupidity??? by Anonymous Coward · · Score: 0

      On the contrary, it is quite complicated. It contains a JavaScript(-like) language and interpreter, database connectivity, it can access files on the computer, you can embed Flash, embed other documents etc.

      The PDF format is standardized in ISO 32000-1:2008 - see http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=51502. Tellingly, it also says this:

      "ISO 32000-1:2008 does not specify the following: .....
      methods for validating the conformance of PDF files or readers".

      So no, it's not that easy to check that a PDF document is "safe" or even that it is well-formed. The days when PDFs could be considered safe are long gone, and it was probably just an illusion anyway! :)

    41. Re:What is this stupidity??? by djh2400 · · Score: 1

      When in Windows, I use a portable version of Sumatra PDF.

    42. Re:What is this stupidity??? by gweihir · · Score: 1

      I have read the spec. It is large, but _not_ complicated in the sense that it is hard to secure.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    43. Re:What is this stupidity??? by cbhacking · · Score: 1

      Not quite accurate. The rate of exploits for Foxit is lower, but the rate of vulnerabilities is far, far higher. However, much like OS X, just because it's a soft target doesn't make it worth the effort of exploiting. Adobe's historically had atrocious security, but, much like Microsoft, they've learned a few things from it all (although I'd say MS is further ahead). Unfortunately, as you pointed out, *all* software has flaws, and when the return on investment for an exploit in Adobe Reader (or Internet Explorer) is so high, people will continue to hunt no matter how elusive the vulnerabilities get, and a few will get lucky, and those few will make the news (and buckets of money).

      That said, I'm certainly not recommending using Adobe's software... but they at least show signs of *trying* to secure their stuff (for example, it's getting a lot harder to find exploitable crashes via fuzz testing, which means they've started fuzzing their own code). Neither Foxit nor Apple Preview are even remotely hardened. If you want to use them because you're less likely to be exploited, go right ahead. Just don't delude yourself into thinking that they're more secure.

      --
      There's no place I could be, since I've found Serenity...
    44. Re:What is this stupidity??? by aiht · · Score: 1

      That needs a bit of clarification:

      Nearly every piece of popular, complex software, is written in C or C++.

      ... for better or for worse.
      Now, cue the people posting exceptions to that tendency under the misguided assumption that they are disproving my point...

    45. Re:What is this stupidity??? by master_p · · Score: 1

      There is a common property in all the programs you have mentioned: they are programmed with a programming language that does not offer help in avoiding security problems.

    46. Re:What is this stupidity??? by GravityStar · · Score: 1

      That depends. You can have a 700 page specification, signed, _understood_ and approved by all stakeholders. OTOH you can have a 40 page spec written in unbearable, incomprehensible verbiage, with some of the stakeholders unaware of its existence, some others not caring what's in it, and yet others wildly misunderstanding it.

      Just saying that the size of the specification has little to do with how complicated it is.

  3. Fortunately... by mcgrew · · Score: 4, Insightful

    "Unfortunately, there are no mitigations we can offer. "

    I can offer one -- uninstall the Adobe reader until they patch the vuln. Meanwhile, how do I know if I'm alreadt pwned?

    1. Re:Fortunately... by codewarren · · Score: 2, Funny

      If the exploit affects spelling, you have cause for concern

    2. Re:Fortunately... by Anonymous Coward · · Score: 0

      Having an antivirus with up-to-date definitions would help, but since Macs don't get viruses you have nothing to worry about.

    3. Re:Fortunately... by ShadowFalls · · Score: 1

      "Meanwhile, how do I know if I'm alreadt pwned?"

      When your computer wears the colors of the Machines and attempts to hack government computers to launch nuclear weapons.

    4. Re:Fortunately... by wbhauck · · Score: 3, Funny

      Meanwhile, how do I know if I'm alreadt pwned?

      It's all explained in this FREE guide. Just download our convenient PDF for more information.

    5. Re:Fortunately... by Anonymous Coward · · Score: 0

      You've been pwned....

      Thank you. Have a nice day.

    6. Re:Fortunately... by ThatsNotPudding · · Score: 4, Funny

      Meanwhile, how do I know if I'm alreadt pwned?

      You start slurring your y's.

    7. Re:Fortunately... by broken_chaos · · Score: 1

      Just don't use Acrobat Reader to view downloaded PDFs. Grab Foxit or Sumatra instead.

      Also, be certain to disable the browser plugin *always*. Using something like NoScript to block external plugins (it works like Flashblock, except with all plugins) also helps some. The largest danger isn't in someone sending you an infected PDF, it's in a webpage embedding an infected PDF that you can't see.

    8. Re:Fortunately... by Svartalf · · Score: 1

      Explain how an antivirus program with up-to-date definitions would help against a "0-day" exploit? By definition, that means it's so damn new the antivirus/antimalware bunch don't have signatures, etc. to defend against attacks using the exploit.

      Relying on an antivirus program to protect you is like relying on closing the barn door to keep the horses in their stalls after they've gotten out of the barn.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  4. PDF by Vahokif · · Score: 1

    How can they screw up a format designed to print the same everywhere so badly?

  5. Can there be a 0-day that's not under attack? by danaris · · Score: 1, Informative

    Correct me if I'm totally off base here, but...isn't part of the definition of "zero-day" that the flaw is being exploited? I mean, it's "zero-day" because it's being exploited on "day zero", right?

    Dan Aris

    --
    Fun. Free. Online. RPG. BattleMaster.
    1. Re:Can there be a 0-day that's not under attack? by tater86 · · Score: 2, Funny

      I'm pretty sure we have this argument every time someone mentions zero day. If we could have a zero day bricking, we could have the best thread ever.

    2. Re:Can there be a 0-day that's not under attack? by Anonymous Coward · · Score: 0

      means the code is known and no patch exists..

      doesn't matter if you're the only one who knows the code, it's still a zero day vuln until it's patched.

    3. Re:Can there be a 0-day that's not under attack? by danaris · · Score: 2, Informative

      means the code is known and no patch exists..

      doesn't matter if you're the only one who knows the code, it's still a zero day vuln until it's patched.

      No, it's just a known vulnerability with no patch. Zero day means it was exploited on day zero—that is, before anyone else knew the vulnerability existed.

      Dan Aris

      --
      Fun. Free. Online. RPG. BattleMaster.
  6. What the hell by C_Kode · · Score: 1

    Does Adobe employ the worst programmers on the planet? Between Flash and Acrobat their critical bug count has to be racing up the charts of companies with the most critical bugs in their software.

    1. Re:What the hell by spiffmastercow · · Score: 1

      Not only that, but how hard is it to develop a DOCUMENT FORMAT that doesn't allow arbitrary code to be executed?

    2. Re:What the hell by MaWeiTao · · Score: 1

      Saying it's merely a document format doesn't mean much. You can do quite a lot with many document formats nowadays. PDFs aren't used only as a means of displaying text and images consistently. You can embed quite a lot of functionality into them. It could be argued that PDFs shouldn't permit that kind of functionality considering it opens up opportunities for exploits, but then you could argue the same thing about any technological progress.

      The problem is that there are people working just as hard, and perhaps harder, to find and create exploits as there are people working to stop them. It's possible I'll be proven wrong some day but I expect we're never going to see truly and completely secure platforms, and it's not because of any ineptitude on the part of the original developers.

    3. Re:What the hell by Anonymous Coward · · Score: 0

      No.

      Microsoft's SQL-SMO library authors are the worst programmers on the planet.

      I'm convinced MS hired retards to write that for Americans With Disabilities Act compliance.

    4. Re:What the hell by 0123456 · · Score: 1

      Does Adobe employ the worst programmers on the planet?

      As someone who used to use Premiere on a regular basis, my assumption can only be 'yes'; that was the software that got me into the habit of saving my work after every change because the program would crash at least every couple of hours, and to make backups of old saves because it also had an amusing habit of corrupting new ones.

      I've never worked with any Adobe software that wasn't a bug-ridden mess. Maybe Photoshop is better (and I hear that Premiere has improved over the last few years since I stopped using it).

    5. Re:What the hell by jack2000 · · Score: 1

      I wouldn't call what Adobe has done to the PDF technological progress.

    6. Re:What the hell by molecular · · Score: 1

      it's a buffer overflow vulnerability. so it has nothing to do with the scriptability of pdf this time.

    7. Re:What the hell by spiffmastercow · · Score: 1

      it's a buffer overflow vulnerability. so it has nothing to do with the scriptability of pdf this time.

      That's exactly what I'm talking about. How hard is it to code a damn strncpy?

  7. Disable Javascript in PDF reader by Anonymous Coward · · Score: 3, Informative

    A workaround for end users is to disable JavaScript, such as in this guide:

    http://praetorianprefect.com/archives/2009/12/disabling-javascript-on-adobe-acrobat/

    For the enterprise you can disable it through group policy (which at this point seems like a good plan long term):

    http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/

    1. Re:Disable Javascript in PDF reader by swb · · Score: 1

      Why isn't this the default setting?

      Wouldn't they save themselves a fair amount of bad PR by making users turn it on for JS features?

    2. Re:Disable Javascript in PDF reader by rsborg · · Score: 1

      Wouldn't they save themselves a fair amount of bad PR by making users turn it on for JS features?

      Adobe is a corporation.

      Whenever a corporation does something seemingly stupid or evil, you can always trace that back to some fool in the organization who convinced the others that the stupid/evil would lead to more profits (or kickbacks).

      If you follow the money you will 99.44% of the time get the right answer. It's all about the money.

      --
      Make sure everyone's vote counts: Verified Voting
    3. Re:Disable Javascript in PDF reader by Anonymous Coward · · Score: 0

      That's a feature, not a bug.

      Corporations exist to maximize profits.

      It doesn't excuse stupidity or short-sightedness, and it doesn't explain it away either. Making a stupid decision for the right reasons is still a stupid decision.

  8. Limited? by supernothing · · Score: 2, Informative

    I guarantee that its exploitation isn't limited anymore: an initial exploit module was added to Metasploit last night.
    Metasploit module

    --
    "All we have is logic and love on our side."
    1. Re:Limited? by phantomfive · · Score: 2, Informative
      It's not a zero day, either. Check out what Wikipedia says (in case anyone is unclear what a zero-day is, since the submitter for one hasn't figured it out):

      A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.

      I guarantee that in this case the software developer knows about this vulnerability, since Adobe themselves made the announcement.

      --
      Qxe4
    2. Re:Limited? by tepples · · Score: 1

      I guarantee that in this case the software developer knows about this vulnerability, since Adobe themselves made the announcement.

      But did Adobe learn of the vulnerability before exploits made it into the wild? If not, it's 0-day.

    3. Re:Limited? by molecular · · Score: 1

      from the metasploit module code:

      Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow',

      This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version are assumed to be vulnerable as well.

    4. Re:Limited? by phantomfive · · Score: 1

      Not any more. It's a known exploit. People can defend themselves against it. 0-day exploits are valuable because no one knows about them (except the people who are exploiting them). Once they are known, they are no longer valuable, and once they are patched, they are mostly useless (except against people who don't update).

      --
      Qxe4
    5. Re:Limited? by tepples · · Score: 1

      People can defend themselves against it.

      People in general can by turning off scripting. People who have to work with a supplier that uses PDF forms can't.

  9. I work for Adobe and... by Anonymous Coward · · Score: 4, Funny

    We invest a TON of $$ and hours into security. In fact, our security team pulls themselves inside out to fix things in a timely manner. Adobe takes security VERY seriously as we have governments all over the world trusting secrets to us. Nevertheless, as hackers' focus shifts away from O/S exploits towards the application level, there will likely be further attempts to compromise PDF readers. We will be vigilant and we will rise to meet future threats as they happen.

    COS based PDF is also incredibly complicated if you adopt the entire ISO 32000 specification and expose the scripting and coding API's developers want. When you can write code to pinpoint the quads and move a point of one UTF 16 character within a book, that is powerful. Enough said on that.

    Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

    - the adobe1

    1. Re:I work for Adobe and... by Anonymous Coward · · Score: 0

      32 hours? In a week? People work 40 hours per week minimum where I am from.

    2. Re:I work for Adobe and... by Anonymous Coward · · Score: 0

      We invest a TON of $$ and hours into security.

      How much exactly does a ton of $$ weigh? How much does a ton of hours weigh?

    3. Re:I work for Adobe and... by Anonymous Coward · · Score: 0

      Then it's about time you put the mess that you've created over the years into a sandbox. It's 2010, not 1990.

    4. Re:I work for Adobe and... by Anonymous Coward · · Score: 1, Insightful

      And you wouldn't have to do that if Adobe Reader didn't have fucking scripts! The entire purpose of the format is to display printable pages. It doesn't need movies or sounds or any of that other shit.

    5. Re:I work for Adobe and... by Anonymous Coward · · Score: 1, Insightful

      2000 lbs. That's the definition of a ton. It's like asking if a ton of bricks weighs more than a ton of feathers.

    6. Re:I work for Adobe and... by Nursie · · Score: 2, Insightful

      Advice to you if you genuinely work for adobe - make a noscript option. Or even better - just cut out all the scripted elements.

      PDFs were and are awesome for one thing only, displaying documents the same everywhere. Active content is a mistake.

    7. Re:I work for Adobe and... by Anonymous Coward · · Score: 0

      We invest a TON of $$ and hours into security. In fact, our security team pulls themselves inside out to fix things in a timely manner.

      Given the US-ness of Adobe, I'll assume that is USD and a US ton. A US ton of US dollars in one cent coins is 3628 dollars. In corporate budget terms, that sounds like not much. In fact it sounds like fuck all, especially if spread over a whole team.

      And it shows in the shite products Adobe turn out. There's plenty of fans of things like Photoshop, but only because they tend to make a living using tools like PS. The reason why governments entrust their secrets to your products is because the people making decisions about what products a government should be using are either inept bureaucrats, or politicians taking backhanders from those who stand to profit from the government using said products.

    8. Re:I work for Adobe and... by sjames · · Score: 2, Insightful

      What's interesting is that PS is a full Forth like language in a VM and we never see crap like this attacking Postscript engines.

    9. Re:I work for Adobe and... by amicusNYCL · · Score: 1

      Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

      Is that out of a 40-hour work week? Or are you based in France?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    10. Re:I work for Adobe and... by Dr_Barnowl · · Score: 1

      He said a 32-hour SESSION. As in, they programmed from 0900 until 1700 the next day

      Although that doesn't impress me. Rather it speaks of bad management - crunches to meet deadlines might be occasionally necessary for a small company trying to break into a market. For a company that essentially IS the market, it just sounds like a harsh taskmaster wringing as much as he can out of his team.

    11. Re:I work for Adobe and... by nashv · · Score: 1

      a 32-hour SESSION...people work 40 hours over at least 5 sessions of 12 hours each. Do you see the point now ?

      --
      Entia non sunt multiplicanda praeter necessitatem.
    12. Re:I work for Adobe and... by jimicus · · Score: 1

      Printers are seldom (but apparently not never) used as sources of spam.

    13. Re:I work for Adobe and... by MarcoAtWork · · Score: 3, Insightful

      My team pulled a 32 hour session last week.

      I am not sure how you can be proud of working 32 hours in a row on difficult security issues. Nothing against your team, but I wouldn't want any code (and security-sensitive code especially) written at the 31st hour of a caffeine-fueled marathon by an exhausted developer... I do understand that 'we worked 32 hours in a row, we need to go home' sounds good to managers, but every single metric shows pretty clearly that working normal (as in, 8 a day) hours leads to much higher quality code.

      --
      -- the cake is a lie
    14. Re:I work for Adobe and... by hAckz0r · · Score: 1
      I'm just writing to add the appropriate html tag obviously left out by the parent poster...

      </SARCASM>

      When designing a "Portable Document Format" no API nor programming environment is needed or wanted by the users. Content providers, on the other hand, don't care about users of their documents. Users just want a way to read published documents, not a way to dynamically reprogram their machine. If I want a program I will download one, but when I only intend to read something I only want to view it, not execute unknown/untrusted code I didn't ask for. Rhetorical question: what kind of idiot decided to put a "powerful" (?) programming language with such poor user configuration and control, lack of modifiable permission attributes, and void of any security compartmentalization into a general use document format? I am miffed why anyone would use it to publish anything given the security issues embedded in this general document format implementation.

    15. Re:I work for Adobe and... by Svartalf · · Score: 1

      Uh...check your math there... A 40 hour work week comprises an average of five 8-hour sessions. You just described a 60 hour work week there. I'd rather not do that sort of thing. I'd rather be working the latter than the former (12 hour days doing programming tend to make for issues- at some point you break as much or more than you fix doing it.), or if you're needing to jam a bit more into something by a calendar date, I'd rather do 10 hour days (50 with 5, the 60 with saner hours over 6 days with at least one day off.).

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    16. Re:I work for Adobe and... by Svartalf · · Score: 1

      2000# for the ton of dollars.

      A ton of hours weighs heavily on the soul- perhaps worse than the ton of dollars would be on your body. But, if they pay you well...you can save up and go elsewhere when you burn out on the ton of hours...

      If they don't pay you well, though...heh...best look for work elsewhere when you can.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    17. Re:I work for Adobe and... by Svartalf · · Score: 1

      Either that or someone in management pooched things either because they mis-estimated the effort or resources, or took on something like Scrum without first being very aware that it won't speed up development (It might improve quality, but it won't speed up ANYTHING...adding process on top of things almost always slows down things...).

      As you point out, it typifies bad management to have that sort of thing or having people work weekends, etc. You need breaks from things to stay reasonably fresh- without them you start making more mistakes, which then need to be compensated for with more crunch time, etc.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    18. Re:I work for Adobe and... by Svartalf · · Score: 2, Insightful

      Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

      32 hour session? Uh, dude... I'm less than impressed. That's not hard work, that's sadomasochism in the workplace, brought on by badly missed deadlines for some un-stated reason. And it tells us quite a bit about WHY the quality isn't as much there as we've expected out of the past Adobe products and releases- and shows a glimpse of why we're not seeing 64-bit anything out of your claimed employer.

      Going that long without breaks and sleep leads me to believe you're actually the CAUSE of some of this stuff we're talking about. You WILL make mistakes past that 12 hour wall- it's human nature, pure and simple. Will you catch them? Maybe, maybe not- test isn't there as a safety net for this kind of crap and if they're working as hard as the devs, they'll miss stuff too. I won't really work much past 10 hours for myself as I'm going to start making dumb mistakes in that last two hours before the hard limit for people. If it were me, even as an anon coward, I'd not be bragging about going nearly 3 times past the hard limit for humans for the tasks we're talking about here.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    19. Re:I work for Adobe and... by nashv · · Score: 1

      Sorry, I am a graduate student. We work on a different schedule and it also explains my disconnection with reality.

      --
      Entia non sunt multiplicanda praeter necessitatem.
    20. Re:I work for Adobe and... by gstoddart · · Score: 1

      What's interesting is that PS is a full Forth like language in a VM and we never see crap like this attacking Postscript engines.

      That's because nobody cares. I mean, seriously, what kind of lame "4GL" can't even spell its own name right?

      Other than hearing the odd person lament that nobody else uses Forth, I have never encountered Forth in actual use. Do people actually use this anywhere? I've actually begun thinking it's a large hoax.

      --
      Lost at C:>. Found at C.
    21. Re:I work for Adobe and... by b4dc0d3r · · Score: 1

      If you took security seriously, you'd make a READER that is READ_ONLY and does not do scripting, audio, video, URLs, or any of the other attack vectors.

      I know people will want the additional features, but for people who want to be able to read the existing PDF files without worrying about security, let's have a read-only reader that only reads.

      http://it.slashdot.org/comments.pl?sid=1782110&cid=33523718

      A PDF/A option would be an alternative, but there's no reason you can't make a fairly secure reader just by removing the features most people don't use.

    22. Re:I work for Adobe and... by mevets · · Score: 1

      whoosh....

    23. Re:I work for Adobe and... by sjames · · Score: 1

      True, but that doesn't involve breaking out of the VM, it just involves an authorized user doing something the VM is set to allow even though it shouldn't be and the user is unaware of it.

    24. Re:I work for Adobe and... by sjames · · Score: 1

      You should probably consider how similar PDF is to PS (at least originally). Someone apparently bothered with PDF since there is an exploit.

    25. Re:I work for Adobe and... by jimicus · · Score: 1

      Actually, I rather suspect it has more to do with printers running a known OS. Not that unusual with large printers.

    26. Re:I work for Adobe and... by Anonymous Coward · · Score: 0

      Can I give a whoosh to everyone replying to this and not getting the "32 hour session last week" joke.

    27. Re:I work for Adobe and... by drolli · · Score: 1

      Read the postscript description. Think about the operators available. Read gs manpage and hope -dSAFER is specified in one way or the other, in all sw using gs internally.

    28. Re:I work for Adobe and... by Anonymous Coward · · Score: 0

      Many of these exploits have NOTHING to do with scripting. Often they exploit things like buffer overflows in libraries called by Acrobat, for example fonts and images.

        Only a gay homosexual like you would read a summary about a "PDF EXPLOIT" and immediately assume they used the scripting capabilities in Acrobat to do it.

      In fact, given that EMET blocks it, there's a reasonable indication that the exploit involved coercing Acrobat to call a Windows API in a way that can expose something; I'm certain it's not as simple as a script embedded in the file that says "Do something nasty."

      You are an idiot.

  10. oops, missed one by ILuvRamen · · Score: 1

    Unfortunately, there are no mitigations we can offer. However, Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

    Oops, they're so flustered that they forgot to tell people to uninstall Adobe Reader.

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  11. Flashblock -- PDFblock? by MobyDisk · · Score: 1

    Is there a PDFBlock for FireFox like there is a Flashblock? (At home I use Foxit Reader but at work Adobe Reader is installed.)

    1. Re:Flashblock -- PDFblock? by Xian97 · · Score: 1

      Where I work Adobe Reader is also installed and likewise I use Foxit at home. Just disable javascript in preferences. I have had it disabled for years and haven't had any issues displaying PDF files, though I do not fill out many PDF forms where it might be used. I guess I could always enable on a case by case basis if one actually required it but I haven't run into any yet.

    2. Re:Flashblock -- PDFblock? by davidbrit2 · · Score: 1

      NoScript seems to block PDFs by default, which you can then click to load.

    3. Re:Flashblock -- PDFblock? by denis-The-menace · · Score: 1

      It would just need to scan the PDF for non-document-like features being used and display a BIG warning to the user.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
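
The scan denis-The-menace describes, as an added example in C that is not part of the original thread and not any reader's code: a byte-level pass over a PDF that looks for names marking active or embedded content (scripting, open-time actions, launch and URI actions, embedded files, rich media, embedded fonts). PDF names may hide a keyword behind #xx hex escapes, so /Java#53cript is decoded before comparison. The keyword list, the function names and the sample document are constructed for this example.

```c
/*
 * Added example, not the code of any reader or of the commenter: a byte-level
 * scan of a PDF for names that mark active or embedded content (scripting,
 * open-time actions, launch and URI actions, embedded files, rich media,
 * embedded fonts). PDF names may hide a keyword behind #xx hex escapes
 * (/Java#53cript), so names are decoded before comparison. The list of
 * names and the sample document below are constructed for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *const ACTIVE_NAMES[] = {
    "JavaScript", "JS", "OpenAction", "AA", "Launch", "URI",
    "EmbeddedFile", "RichMedia", "FontFile", "FontFile2", "FontFile3",
};
#define N_ACTIVE (sizeof ACTIVE_NAMES / sizeof ACTIVE_NAMES[0])

/* PDF whitespace and delimiter characters end a name. */
static int is_delim(unsigned char c)
{
    return isspace(c) || strchr("()<>[]{}/%", c) != NULL;
}

/* Decode one name starting just after its '/', resolving #xx escapes.
 * Writes a NUL-terminated result to `out` (truncated to out_len - 1) and
 * returns the number of raw bytes consumed. */
static size_t read_name(const unsigned char *p, size_t len,
                        char *out, size_t out_len)
{
    size_t i = 0, o = 0;
    while (i < len && !is_delim(p[i])) {
        unsigned char c = p[i];
        if (c == '#' && i + 2 < len && isxdigit(p[i + 1]) && isxdigit(p[i + 2])) {
            char hex[3] = { (char)p[i + 1], (char)p[i + 2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            i += 3;
        } else {
            i += 1;
        }
        if (o + 1 < out_len)
            out[o++] = (char)c;
    }
    out[o] = '\0';
    return i;
}

/* Scan `len` bytes, counting each ACTIVE_NAMES hit in `counts`.
 * Returns the total number of hits. */
int scan_pdf(const unsigned char *buf, size_t len, unsigned counts[N_ACTIVE])
{
    char name[64];
    int total = 0;
    memset(counts, 0, N_ACTIVE * sizeof counts[0]);
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != '/')
            continue;
        size_t used = read_name(buf + i + 1, len - i - 1, name, sizeof name);
        for (size_t k = 0; k < N_ACTIVE; k++) {
            if (strcmp(name, ACTIVE_NAMES[k]) == 0) {
                counts[k]++;
                total++;
                break;
            }
        }
        i += used;   /* the loop's i++ then steps past the name */
    }
    return total;
}

/* Convenience wrapper for a NUL-terminated PDF fragment. */
int scan_text(const char *s)
{
    unsigned counts[N_ACTIVE];
    return scan_pdf((const unsigned char *)s, strlen(s), counts);
}

/* Constructed sample: an OpenAction that runs an escaped /JavaScript
 * action, plus an embedded TrueType font. Expected hits: 4. */
static const char SAMPLE[] =
    "%PDF-1.4\n"
    "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    "3 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
    "4 0 obj << /Type /Font /FontDescriptor << /FontFile2 5 0 R >> >> endobj\n"
    "5 0 obj << /Length 0 >> stream\nendstream endobj\n";

int sample_hits(void)
{
    return scan_text(SAMPLE);
}

int main(void)
{
    unsigned counts[N_ACTIVE];
    int total = scan_pdf((const unsigned char *)SAMPLE, strlen(SAMPLE), counts);
    for (size_t k = 0; k < N_ACTIVE; k++)
        if (counts[k])
            printf("/%-12s %u\n", ACTIVE_NAMES[k], counts[k]);
    printf("total: %d\n", total);
    return 0;
}
```

Two caveats a practitioner would want. Names inside compressed object streams, and anything inside a /FontFile stream such as the font tables discussed upthread, are invisible to a raw byte scan; catching those needs the streams inflated first. And /FontFile hits are a "look closer" signal rather than a verdict, since almost any PDF with embedded fonts carries them.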
    4. Re:Flashblock -- PDFblock? by Prosthetic_Lips · · Score: 1

      I set up my browsers to not use the built-in PDF renderer within my browser, but force an external application launch. This way I always have the full Adobe Reader viewing the PDF, and not just whatever "fits" into my browser.

      So, does anyone who understands the vulnerability know if this setup is any more protected? Is the vulnerability based on being in the browser, or is it really independent?

      I ask this because I won't ever get to a webpage with an IFrame and a PDF within it, or some weird construct like that, without knowing it is opening a PDF. So, in a way, this is *like* a PDFblock. With or without Firefox.

    5. Re:Flashblock -- PDFblock? by Thelasko · · Score: 1

      Is there a PDFBlock for FireFox like there is a Flashblock? (At home I use Foxit Reader but at work Adobe Reader is installed.)

      Tools>Options>Applications change anything that says "Use Adobe Acrobat (in Firefox)" to "Always Ask"

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    6. Re:Flashblock -- PDFblock? by Anonymous Coward · · Score: 0

      I doubt the exploit(s) are limited to the PDF plugin only, unless it wants to unnecessarily target the browser through the plugin (why?). In fact Acrobat is hypothetically -- but not in reality -- less secure than its browser plugin, as the plugin can be sandboxed with less difficulty. I think Google did this with their proprietary Chrome PDF plugin. Adobe doesn't have the inclination/ability to do the same. If you want better security for PDFs, load the document in a VMed Acrobat process... preferably on a separate machine with no network access.

    7. Re:Flashblock -- PDFblock? by molecular · · Score: 1

      Disabling JavaScript won't help if you open PDFs with Acrobat Reader.

  12. Re:PDF by ledow · · Score: 5, Insightful

    1) Include a programming language that's not directly related to the task at hand and/or allows execution of dangerous statements. (Javascript in Adobe, VBA in Office, etc.)
    2) Execute said code whenever and wherever you see it (VBScript / Javascript viewed in IE, ability to execute CScript, Adobe running Javascript and Flash content found inside PDF)
    3) Use native code execution as part of your file format (WMF vulnerability - not relevant to PDF as far as I know but I couldn't be certain myself).
    4) Bundle your program so that it integrates into everything (web browser, printer list, startup list, etc.) so there are as many avenues of accidental execution as possible open to an attacker targeting a large user-base program.
    5) Introduce more and more levels of crap into the format, way beyond its original design (Font embedding, Javascript execution, form submission, JPEG, PNG, SVG, Flash, etc. direct embedding rather than converting to your supposedly "portable" document format etc.)

    Pretty much, if you see a program do any of the above, it's likely to fall on its arse at some point, security-wise.

  13. Evince, Okular, xpdf? by bill_mcgonigle · · Score: 2, Interesting

    So, are any of the viewers I use vulnerable?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Evince, Okular, xpdf? by Anonymous Coward · · Score: 0

      Probably not because literally no one cares about Linux.

    2. Re:Evince, Okular, xpdf? by molecular · · Score: 1

      not to this particular exploit.
      wouldn't bet my life on there being no buffer overflow in these, though.

    3. Re:Evince, Okular, xpdf? by internettoughguy · · Score: 1

      I use Evince on windows, it's lightning fast compared to Acrobat or Foxit, and has the added advantage of just displaying a basic document; and nothing more.

    4. Re:Evince, Okular, xpdf? by Lanteran · · Score: 1

      I don't think any of those readers are vulnerable. Good thing nobody uses adobe reader on linux.....

      --
      "People don't want to learn linux" hasn't been a valid excuse since '03.
    5. Re:Evince, Okular, xpdf? by Anonymous Coward · · Score: 0

      I use SumatraPDF for that.

  14. A ton of money is... by Lead+Butthead · · Score: 1

    US penny issued after 1984 weighs 2.5g ~ 0.0881849049 oz.
    2000 lbs ~ 362873.89589281056195820652293973 pennies = $3,628.74.
    A ton of money indeed.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:A ton of money is... by Lennie · · Score: 3, Funny

      Only on slashdot ?

      --
      New things are always on the horizon
    2. Re:A ton of money is... by Akral · · Score: 1

      US penny issued after 1984 weighs 2.5g ~ 0.0881849049 oz.
      2000 lbs ~ 362873.89589281056195820652293973 pennies = $3,628.74.
      A ton of money indeed.

      Funny how you had to convert from metric system to imperial twice because you could not multiply by one million (1t = 1000 kg = 1000 * 1000g).

      --
      Don't worry, be happy!
    3. Re:A ton of money is... by heroid1a · · Score: 1

      pah! Mere small change!

  15. What PDF bug? by MetricT · · Score: 1

    I use Evince for Windows. Haven't had a problem yet.

    http://live.gnome.org/Evince/Downloads

  16. As soon as you move a new exploit will come by gsgriffin · · Score: 1

    Seriously, as soon as any software becomes the primary program used, a new vulnerability would surface. Don't say that your pet program will not have any problems like Adobe does. As soon as a different program becomes the norm, it will be attacked and vulnerabilities will be found and exploited. Same would be true if Mac OS were to be 95% of the world's OS in use today. All the hackers in the world would be spending their every waking (and sleeping) moments finding the flaws and making havoc. Sure, this isn't fun to solve, but simply changing programs won't solve the real issue for everyone unless we want to flush away features or standards.

    --
    jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
  17. !Hackers by jgrahn · · Score: 3, Insightful

    ... warning that hackers are actively exploiting the vulnerability in-the-wild ...

    Dudes, this is Slashdot. Can't you just for once use a term which *doesn't* have a positive second meaning to a majority of your readers? Try one of these:

    • ... warning that criminals are actively exploiting the vulnerability in-the-wild ...
    • ... warning that crackers are actively exploiting the vulnerability in-the-wild ...
    • ... warning that malware authors are actively exploiting the vulnerability in-the-wild ...
    • ... warning that Men of Low Moral Fiber are actively exploiting the vulnerability in-the-wild ...
    1. Re:!Hackers by Push+Latency · · Score: 1

      Hear! Hear! My thoughts exactly.

    2. Re:!Hackers by Anonymous Coward · · Score: 0

      I'm concerned that the zero day is under attack, to my knowledge the zero day is an attack, not a vulnerability.

    3. Re:!Hackers by Anonymous Coward · · Score: 0

      Argh, I can't take it anymore! Learn to write in English already: "in-the-wild" is an adjective. It only goes *before* nouns, e.g. "Many in-the-wild exploits exist." If you want to put it after a noun, take out the hyphens: "People who never went to school exploit the use of hyphens in the wild."

    4. Re:!Hackers by aaaantoine · · Score: 1

      Dudes, this is Slashdot. Can't you just for once use a term which *doesn't* have a positive second meaning to a majority of your readers? Try one of these:

      • ... warning that crackers are actively exploiting the vulnerability in-the-wild ...

      You know, it's awfully telling that a box of saltines can exploit an Adobe vulnerability.

    5. Re:!Hackers by GF678 · · Score: 1

      Dudes, this is Slashdot. Can't you just for once use a term which *doesn't* have a positive second meaning to a majority of your readers? Try one of these:

      Languages change and evolve. The term "hackers" is used appropriately here because everyone knows what it means. Even the people who complain about how it should instead be "crackers" know what mainstream folks mean by the term "hackers", and so the meaning of "hackers" is at least correctly understood by everyone.

      The war between the meaning of one term over the other is ridiculous. Just because it was correct 30 years ago doesn't mean things haven't changed.

  18. Insult to injury, the updater SUCKS by scorp1us · · Score: 2, Insightful

    There is way too much manual intervention required in the Adobe updater.
    1. It does not download updates automatically.
    2. It requires a new EULA to be accepted.
    3. It makes you wait as it downloads the update
    4. It makes you wait as it installs.

    Ideally, the reader should download the update, install it in a shadow directory and, as soon as that is ready, install the update.
    If Reader is running, wait for it, or display a message to the user that they need to shut down the offending software before it will update. Give the user an option to close the software from the message box.

    This way, in no more than 1 click you'll be updated.

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    1. Re:Insult to injury, the updater SUCKS by cyberfunkr · · Score: 1

      Ideally, the reader should download the update, install it in a shadow directory and, as soon as that is ready, install the update.

      Oh good, so now I get to be exploited by the version I'm using AND the version waiting in the shadows.

      Adobe won't get rid of the EULA check because they need to cover their ass with each and every release. Which means it can't install/overwrite your current version until that happens and the downloaded/installed version can sit in the shadows for a while. Ripe for the malcontents.

      Also, since it has hooks in your browser, you need to close your browser to update the code too. And seriously, when DON'T you have a browser open?

    2. Re:Insult to injury, the updater SUCKS by scorp1us · · Score: 1

      It is only loaded when you load a PDF the first time. Before that, it is fair game to be updated. And I don't do a lot of PDFing.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    3. Re:Insult to injury, the updater SUCKS by sxedog · · Score: 1

      You are forgetting #5: It requires you to restart after every update. As an ex-field tech, nothing frustrated me more than updating Acrobat or Reader several times with several restarts. Really? Every time???

      --
      If it ain't broke, DON'T fix it.
    4. Re:Insult to injury, the updater SUCKS by kjhambrick · · Score: 1

      5. It should not make you reboot

    5. Re:Insult to injury, the updater SUCKS by Anonymous Coward · · Score: 0

      i bet you suck at making toast

  19. So... by MadGeek007 · · Score: 0, Redundant

    What else is new...

  20. What to know more? by slapout · · Score: 1

    Click here to download a PDF that will tell you more about the vulnerability.

    --
    Coder's Stone: The programming language quick ref for iPad
    1. Re:What to know more? by daveb1 · · Score: 0

      OH NOES CALC just opened on my pc what did you do!

  21. Again??? by hesaigo999ca · · Score: 1

    OMG, is there ever going to be 1 week, where we don't hear another adobe vulnerability has been found....can their programmers as this is just too much, no one is doing their job properly there, neither quality control, nor programmers, not even project team leads...

  22. Poor management at Adobe? by Futurepower(R) · · Score: 1

    Quote: "Guess it's just as well I'm not depending on Adobe for anything important."

    It seems to me that there are many indications that Adobe is not managed well in recent years.

  23. Instruction, meet data by Gothmolly · · Score: 1

    If you separate executable code from data, this doesn't happen.

    --
    I want to delete my account but Slashdot doesn't allow it.
  24. Re:PDF by gad_zuki! · · Score: 1

    6) Do not provide an auto-update mechanism. Let users do it manually via help > update or the ignored tray icon and only in version 9.2 even allow a check box for "Download and install updates automatically."

  25. Rocket Scientists... by Anonymous Coward · · Score: 1, Interesting

    Yup... just hit NASA like 5 minutes ago (sent to all-agency minus JPL). The best part is that you can see who clicked on the link, because they immediately sent out another message!

    Here is the e-mail (don't download the PDF, obviously!):

    Hello,
    This is The Document I told you about,you can find it Here.http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf
    Please check it and reply as soon as possible.

    Cheers,

    1. Re:Rocket Scientists... by GigsVT · · Score: 2, Funny

      The link seems to be broken.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  26. Switching between masters is not freedom. by jbn-o · · Score: 1

    All computer users deserve software freedom. Switching from Adobe Acrobat to Foxit Reader is moving from one proprietor/monopolist to another hoping that the switch makes users more safe. Without software freedom one cannot inspect the program to see what it does (a spy program that has no bugs is still spying on users), change the program to make it better, or help one's community by distributing the improved version. Proprietary software is untrustworthy by default. We don't fully know what it does, nor should we trust that it does only what we want it to do.

    1. Re:Switching between masters is not freedom. by Dr_Barnowl · · Score: 1

      I agree, but the chances of Joe Average User, and let's face it, most of us as well, inspecting the source code for the majority of the applications they use is low. Changing to Foxit still represents a vast improvement in security.

      That said, use SumatraPDF. It's probably not as polished as Foxit, but it suits my purposes for most things, and it's licensed GPLv3.

    2. Re:Switching between masters is not freedom. by Svartalf · · Score: 2, Informative

      And it should be observed that Evince is also available for Windows and is under the GPLv2.

      Sumatra's minimalistic and lacks some functionality, if you want the honest appraisal: the dev site openly admits not everything renders correctly. Evince seems to be pretty solid when it comes to rendering content correctly. I've yet to find a document that didn't view and print as the author of the document had intended.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    3. Re:Switching between masters is not freedom. by jbn-o · · Score: 1

      How much source code they inspect or change is beside the point. Most Americans don't participate in anti-war rallies or march in the street protesting the trillions spent on killing, yet it would be foolish to argue that this means Americans should not value their freedom of speech for its own sake. Most car drivers aren't mechanics and most car drivers don't understand the details of how their car's engine works, but they benefit from the freedom people have to share mechanic information. A comparable situation exists with software freedom: freedoms are permissions to do something, and these freedoms should be valued for their own sake. You benefit from anyone inspecting, modifying, and sharing free software even if you're not a programmer. You can hire others to do it for you, learn to trust others who do it for free, or pick up some programming skills later. With software freedom we can treat one another as friends do by sharing and improving things (if we choose) at our own pace. To do any of this you need software freedom.

      Changing from one proprietary program to another is nothing more than changing from one black box to another.

  27. Adobe and security by Beelzebud · · Score: 1

    Is it just me, or is Adobe the King of Insecure programs?

    What do Linux and Windows 7 have in common? Adobe makes both insecure and unstable!

  28. Re:Incoming sockpuppet troll odies/sopssa/SquarePi by mark72005 · · Score: 0, Offtopic

    Maybe a joke about how there's really no pain associated with an Adobe exploit, because Adobe's users are already used to installing updates 6 times a day anyway.

  29. Attack under way by Maxo-Texas · · Score: 1

    Getting spammed by people who clicked on PDFs...

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    1. Re:Attack under way by BenJeremy · · Score: 1

      Yeah, this is spreading through our company exchange server. I never opened one of these PDF files, but people are getting mails spoofed using my e-mail (but other people's names). Extremely annoying, but our IT people seem to have this hammered down, as new attempts appear and disappear almost immediately from my inbox (and they don't go to delete or junk).

      I heartily approve the death penalty for the asshats pulling this sort of crap.

  30. That's no moon. It's a space... by Mr.+Neutron · · Score: 1

    I mean, that's no PDF, it's a VB worm. It's currently eating the Exchange servers of our Fortune 500 company alive. I think I got a couple thousand copies before someone pulled the ethernet cable.

    The email has the following text:

    Hello:

    This is The Document I told you about,you can find it Here.http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

    Please check it and reply as soon as possible.

    Cheers,

    LUser clickies, LUser gets infected, sends it off to company-wide list, more LUsers clicky. Clickiness asplode exponentially.

    --
    dinner: it's what's for beer
  31. No rounding up. by Anonymous Coward · · Score: 0

    In my country, 0.8958 of an actual penny is still worth nothing.

    $3,628.73 is the correct answer.

  32. Re:PDF by molecular · · Score: 1

    How do you know it's not a buffer overflow or something like that in the reader? No scripting or execution of anything is required for that to work.
    I'm not saying they should have put all that shit into PDF, but not putting it in doesn't automatically make the reader secure.

  33. Re:PDF by Svartalf · · Score: 1

    Uh, that's as much a BAD idea as the one you're deriding there.

    Updates CAN break machines or accidentally inject possibilities for other exploits.

    You want to KNOW what in the heck you're updating and why before doing it. Seriously.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  34. NOW ACTIVE IN THE WILD by Anonymous Coward · · Score: 1, Interesting

    I can positively report this as an active threat. Our company just had someone click on an unknown link from a known sender in an email (yes users are dumb) and now they're infected. It has started sending emails to everyone in their contact list through outlook. I've received over 30 emails with a link to the infected document in less than 5 minutes.

  35. 's funny... by roc97007 · · Score: 1

    I read this at 8:30 AM this morning and my work was nailed around 10:30. They're still cleaning up. The number of people who will click on any link without checking where it's coming from... yeesh.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  36. Oh great... by rnturn · · Score: 1

    Time for another critical, no-you-can't-wait-until-tomorrow patch that the corporate patch service will insist be loaded now! while I'm in the middle of performing a complex task on a remote system. (Yesterday it was while assisting on a critical ticket and it forced a reboot in the middle of that work.) It seems these are being discovered and emergency patches being forced onto our PCs with increasing frequency. If only I could convince the Powers That Be (tm) that letting me access the VPN using my Linux desktop would be a much better proposition. Especially if the goal is for me to get more work done without being interrupted. (Which, apparently, it isn't.)

    --
    CUR ALLOC 20195.....5804M
  37. Re:PDF by gad_zuki! · · Score: 1

    Users don't update. MS learned this 10 years ago. Adobe should do what MS does: default to auto-updates on. Power users and admins can manually adjust this, but home users should just sit back and let it update itself.

  38. Mail Bombs Incoming! by Anonymous Coward · · Score: 0

    Is this Adobe fuck up what's been mail bombing the hell out of us?

    The subject is "Here you have", and it has a link to a fake .pdf, that is actually a .scr.

  39. Here you have by CrAlt · · Score: 1

    This must be related to the 200+ emails in my MS Exchange inbox that have the subject "Here you have" and a link in the body to a PDF file... In other news, I just heard that Apple is going to allow Adobe Flash on the iPhone. I'm sure that will turn out great.

    --
    I have to return some videotapes...
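    As an added example (not from any commenter in this thread), a small mail-filter check built from the lure details reported above: the "Here you have" subject, the body phrasing, a "document" offered as a link rather than an attachment, and a link that really points at a screensaver executable. The sample messages are constructed, and the example.invalid addresses are placeholders.

```python
import re
from email import message_from_string

# Constructed sample messages (not real captures), modelled on the lure text quoted in this thread.
LURE_MAIL = """From: coworker@example.invalid
To: all-staff@example.invalid
Subject: Here you have

Hello,
This is The Document I told you about,you can find it Here.http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.

Cheers,
"""

BENIGN_MAIL = """From: coworker@example.invalid
To: me@example.invalid
Subject: Q3 figures

Hi, the quarterly figures are attached as a PDF. Let me know if anything looks off.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_PHRASES = ("this is the document i told you about",
                "check it and reply as soon as possible")
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com")


def lure_indicators(raw_message):
    """Return the set of indicator names found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = (msg["Subject"] or "").strip().lower()
    if msg.is_multipart():   # collect every text/plain part of a MIME message
        body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    found = set()
    if subject == "here you have":
        found.add("subject:here-you-have")
    if any(phrase in body.lower() for phrase in LURE_PHRASES):
        found.add("body:lure-phrase")
    for url in URL_RE.findall(body):
        path = url.split("?", 1)[0].rstrip(".,;").lower()
        if path.endswith(".pdf"):
            found.add("link:pdf-by-url")    # document offered as a link, not an attachment
        if path.endswith(EXECUTABLE_EXTS):
            found.add("link:executable")    # commenters report the "PDF" link was really a .scr
    return found


def is_lure(raw_message, threshold=2):
    """Flag a message when at least `threshold` independent indicators co-occur."""
    return len(lure_indicators(raw_message)) >= threshold
```

    A single indicator (one colleague legitimately linking a PDF) is not enough on its own; the threshold asks for the subject, phrasing and link style to line up before the message is quarantined.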
  40. Isn't Microsoft and Adobe a wonderful pair. by node_chomsky · · Score: 1

    This exploit is currently melting the email servers at a (very) major corporation which I will leave unnamed. According to someone currently dealing with that, the virus can send 250k messages an hour. It's basically the Ebola Zaire of viruses. It's funny that in all the hoopla about Apple vs. Microsoft, people seem not to fathom that there is a real advantage in not having to worry about Microsoft security holes. I am not even vaguely worried about this; my computer doesn't have that problem, or any that I know of. Headache-free operation is severely underrated.

  41. Why is anybody still using Adobe Reader? by Animats · · Score: 1

    I have only Sumatra PDF on my machine. Sumatra PDF is too dumb to offer much attack surface - no Javascript, no WebBuy, no phoning home, no updater, no embedding in browsers.

    When I bought my most recent computer, I put on the sales order "No preloaded crapware", and the supplier (which is in Silicon Valley, they have a clue) complied. No Adobe Reader.

  42. Convert it, stupid! by Anonymous Coward · · Score: 0

    Option 1: Convert it on-line for free

    Sites like http://view.samurajdata.se/
    will convert most on-line PDFs for free, while Adobe's page
    which handles on-line conversion of on-line PDF files often
    fails and is mostly useless if you're behind proxies and/or
    using Tor with javascript disabled and NoScript loaded.

    Option 2: Convert it with local tools

    Programs like pdftohtml convert PDF files for free

    With the number of PDF exploits rising, it's logical
    to employ option 1 rather than download any PDF file
    to your local drive.

  43. Funny! by Anonymous Coward · · Score: 0

    Seriously mods!

  44. Patch please by GerryHattrick · · Score: 1

    Every pdf security warning, I update and tell all friends to. Every time, I have to tell them what Adobe default options to untick, and what extra bloat can be instantly uninstalled. Please provide a way to patch just the affected bits. Or to respect current choices.

  45. Glad to see Adobe helping Apple's customers by Anonymous Coward · · Score: 0

    Finally we have a company who really tries to ease jailbreaking for Apple's customers. Much praise!