Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Adobe PDF Zero-Day Under Attack

Posted by CmdrTaco on from the duck-and-cover dept.

Rahmmp writes "Adobe has sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild. An Adobe spokeswoman described the attacks as 'limited' but warned that that could change with the availability of public samples and exploit code."

13 of 203 comments (clear)

  1. No credibility to this story by symbolset · · Score: 5, Funny

    Whenever we have a credible PDF exploit story, the slashdot fine summary always links to a reliable PDF document that explains the exploit in detail. Sorry, not buying this one.

    --
    Help stamp out iliturcy.
  2. What is this stupidity??? by gweihir · · Score: 5, Insightful

    PDF is not a highly complicated format. It should be easy to interpret it safely. I strongly suspect that Adobe has invested exactly nothing into Acrobat Reader security over the years. Stupid. Incredibly stupid. Anybody that can should move to the alternatives right now.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:What is this stupidity??? by Darkness404 · · Score: 4, Insightful

      Because Adobe has decided to take what should be a basic document format and added scripting to it.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:What is this stupidity??? by MozeeToby · · Score: 4, Informative

      Foxit Reader is a nice alternative. It opens quickly, doesn't feel the need to update every other day or keep an updater service running all the time, and it doesn't have as nearly as many security issues. Alternatively, you could just do a search for pdf reader -adobe and come up with a variety of alternatives yourself.

    3. Re:What is this stupidity??? by Pascal+Sartoretti · · Score: 5, Informative

      what alternatives? no, seriously?

      The alternative is a format called PDF/A (see http://en.wikipedia.org/wiki/PDF/A), which happens to be exactly what you are looking for : a subset of PDF excluding (among others) scripting, video or audio.

      Now, all we need is a PDF reader with an option "only open PDF/A documents"

    4. Re:What is this stupidity??? by SQL+Error · · Score: 4, Interesting

      They took a document programming language and stripped out all the programming features to make a document description format.

      And then they added a programming language.

    5. Re:What is this stupidity??? by drolli · · Score: 4, Interesting

      Let me add: They started from a programming language where security is *easy to implement*.

    6. Re:What is this stupidity??? by sqlrob · · Score: 4, Insightful

      I've never heard a 700 page specification called "not highly complicated"

    7. Re:What is this stupidity??? by MozeeToby · · Score: 5, Informative

      Yep, and Firefox and Chrome have had exploits too. So have Linux, the iOS, and Mac OS 10. So has nearly every piece of popular, complex software. The rate of exploits found that affect Foxit is trivial compared to the number found in Adobe Reader.

  3. Fortunately... by mcgrew · · Score: 4, Insightful

    "Unfortunately, there are no mitigations we can offer. "

    I can offer one -- uninstall the Adobe reader until they patch the vuln. Meanwhile, how do I know if I'm alreadt pwned?

    --
    Free Martian Whores!
    1. Re:Fortunately... by ThatsNotPudding · · Score: 4, Funny

      Meanwhile, how do I know if I'm alreadt pwned?

      You start slurring your y's.

  4. I work for Adobe and... by Anonymous Coward · · Score: 4, Funny

    We invest a TON of $$ and hours into security. In fact, our security team pulls themselves inside out to fix things in a timely manner. Adobe takes security VERY seriously as we have governments all over the world trusting secrets to us. Nevertheless, as hackers focus shifts away from O/S exploits towards application level, there will likely be further attempts to compromise PDF readers. We will be vigilant and we will rise to meet future threats as they happen.

    COS based PDF is also incredibly complicated if you adopt the entire ISO 32000 specification and expose the scripting and coding API's developers want. When you can write code to pinpoint the quads and move a point of one UTF 16 character within a book, that is powerful. Enough said on that.

    Oh - and we are not lazy as some have suggested. My team pulled a 32 hour session last week.

    - the adobe1

  5. Re:PDF by ledow · · Score: 5, Insightful

    1) Include a programming language that's not directly related to the task at hand and/or allows execution of dangerous statements. (Javascript in Adobe, VBA in Office, etc.)
    2) Execute said code whenever and wherever you see it (VBScript / Javascript viewed in IE, ability to execute CScript, Adobe running Javascript and Flash content found inside PDF)
    3) Use native code execution as part of your file format (WMF vulnerability - not relevant to PDF as far as I know but I couldn't be certain myself).
    4) Bundle your program so that it integrates into everything (web browser, printer list, startup list, etc.) so there are as many avenues of accidental execution as possible open to an attacker targeting a large user-base program.
    5) Introduce more and more levels of crap into the format, way beyond its original design (Font embedding, Javascript execution, form submission, JPEG, PNG, SVG, Flash, etc. direct embedding rather than converting to your supposedly "portable" document format etc.)

    Pretty much, if you see a program do any of the above, it's likely to fall on its arse at some point, security-wise.