New Adobe PDF Zero-Day Under Attack
Rahmmp writes "Adobe has sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild. An Adobe spokeswoman described the attacks as 'limited' but warned that that could change with the availability of public samples and exploit code."
Whenever we have a credible PDF exploit story, the slashdot fine summary always links to a reliable PDF document that explains the exploit in detail. Sorry, not buying this one.
Help stamp out iliturcy.
PDF is not a highly complicated format. It should be easy to interpret it safely. I strongly suspect that Adobe has invested exactly nothing into Acrobat Reader security over the years. Stupid. Incredibly stupid. Anybody that can should move to the alternatives right now.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
"Unfortunately, there are no mitigations we can offer. "
I can offer one -- uninstall the Adobe reader until they patch the vuln. Meanwhile, how do I know if I'm already pwned?
Free Martian Whores!
A workaround for end users is to disable JavaScript, such as this guide:
http://praetorianprefect.com/archives/2009/12/disabling-javascript-on-adobe-acrobat/
For the enterprise you can disable it through group policy (which at this point seems like a good plan long term):
http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/
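For finding which PDFs on a mail gateway or file share carry JavaScript or automatic actions at all, the feature the workaround above switches off, here is a triage sketch added as an example (it is not from the thread or from Adobe). It counts the relevant PDF names, decodes `#xx`-escaped spellings and looks inside Flate-compressed streams; the name list and the sample document are assumptions constructed for illustration, and a hit marks a file for closer inspection, not a confirmed exploit.

```python
import re
import zlib

# Names that introduce script or automatic actions in a PDF (ISO 32000).
ACTIVE_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch"}
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)
NAME = re.compile(rb"/([A-Za-z0-9#]+)")

def decode_name(raw):
    """Undo #xx hex escapes in a name: b'J#61vaScript' -> 'JavaScript'."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")

def scannable_chunks(data):
    """Yield the text outside stream bodies, then each stream zlib can inflate."""
    yield STREAM.sub(b"", data)
    for m in STREAM.finditer(data):
        try:
            # decompressobj ignores the end-of-line bytes left after the data
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not FlateDecode (or encrypted): left unscanned

def active_content(data):
    """Count active-content names in a PDF's objects and inflated streams."""
    counts = {}
    for chunk in scannable_chunks(data):
        for m in NAME.finditer(chunk):
            name = decode_name(m.group(1))
            if name in ACTIVE_NAMES:
                counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample: a catalog with an open action, a hex-escaped
# /JavaScript name, and a compressed stream hiding an /AA dictionary.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
    b"3 0 obj << /Filter /FlateDecode >> stream\n"
    + zlib.compress(b"<< /AA << /O 5 0 R >> >>")
    + b"\nendstream endobj\n"
)

if __name__ == "__main__":
    print(active_content(SAMPLE))
```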
I guarantee that its exploitation isn't limited anymore: an initial exploit module was added to Metasploit last night.
Metasploit module
"All we have is logic and love on our side."
We invest a TON of $$ and hours into security. In fact, our security team pulls themselves inside out to fix things in a timely manner. Adobe takes security VERY seriously as we have governments all over the world trusting secrets to us. Nevertheless, as hackers' focus shifts away from O/S exploits towards application level, there will likely be further attempts to compromise PDF readers. We will be vigilant and we will rise to meet future threats as they happen.
COS based PDF is also incredibly complicated if you adopt the entire ISO 32000 specification and expose the scripting and coding APIs developers want. When you can write code to pinpoint the quads and move a point of one UTF 16 character within a book, that is powerful. Enough said on that.
Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.
- the adobe1
I'm pretty sure we have this argument every time someone mentions zero day. If we could have a zero day bricking, we could have the best thread ever.
1) Include a programming language that's not directly related to the task at hand and/or allows execution of dangerous statements. (Javascript in Adobe, VBA in Office, etc.)
2) Execute said code whenever and wherever you see it (VBScript / Javascript viewed in IE, ability to execute CScript, Adobe running Javascript and Flash content found inside PDF)
3) Use native code execution as part of your file format (WMF vulnerability - not relevant to PDF as far as I know but I couldn't be certain myself).
4) Bundle your program so that it integrates into everything (web browser, printer list, startup list, etc.) so there are as many avenues of accidental execution as possible open to an attacker targeting a large user-base program.
5) Introduce more and more levels of crap into the format, way beyond its original design (Font embedding, Javascript execution, form submission, JPEG, PNG, SVG, Flash, etc. direct embedding rather than converting to your supposedly "portable" document format etc.)
Pretty much, if you see a program do any of the above, it's likely to fall on its arse at some point, security-wise.
So, are any of the viewers I use vulnerable?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Dudes, this is Slashdot. Can't you just for once use a term which *doesn't* have a positive second meaning to a majority of your readers? Try one of these:
There is way too much manual intervention required in the Adobe updater.
1. It does not download updates automatically.
2. It requires a new EULA to be accepted.
3. It makes you wait as it downloads the update
4. It makes you wait as it installs.
Ideally, the reader should download the update, install it in a shadow directory and as soon as that is ready, install the update.
If Reader is running, wait for it, or display a message to the user that they need to shut down the offending software before it will update. Give the user an option to close the software from the message box.
This way, in no more than 1 click you'll be updated.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Only on Slashdot?
New things are always on the horizon
The link seems to be broken.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
And it should be observed that Evince is also available for Windows and is under the GPLv2.
Sumatra's minimalistic and lacks some functionality, if you want the honest appraisal- the dev site openly admits not everything renders correctly. Evince seems to be pretty solid when it comes to rendering content correctly. I've yet to find a document that didn't view and print as the author of the document had intended.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
means the code is known and no patch exists.
doesn't matter if you're the only one who knows the code, it's still a zero day vuln until it's patched.
No, it's just a known vulnerability with no patch. Zero day means it was exploited on day zero—that is, before anyone else knew the vulnerability existed.
Dan Aris
Fun. Free. Online. RPG. BattleMaster.