Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Adobe PDF Zero-Day Under Attack

Posted by CmdrTaco on from the duck-and-cover dept.

Rahmmp writes "Adobe has sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild. An Adobe spokeswoman described the attacks as 'limited' but warned that that could change with the availability of public samples and exploit code."

5 of 203 comments (clear)

  1. No credibility to this story by symbolset · · Score: 5, Funny

    Whenever we have a credible PDF exploit story, the slashdot fine summary always links to a reliable PDF document that explains the exploit in detail. Sorry, not buying this one.

    --
    Help stamp out iliturcy.
  2. What is this stupidity??? by gweihir · · Score: 5, Insightful

    PDF is not a highly complicated format. It should be easy to interpret it safely. I strongly suspect that Adobe has invested exactly nothing into Acrobat Reader security over the years. Stupid. Incredibly stupid. Anybody that can should move to the alternatives right now.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:What is this stupidity??? by Pascal+Sartoretti · · Score: 5, Informative

      what alternatives? no, seriously?

      The alternative is a format called PDF/A (see http://en.wikipedia.org/wiki/PDF/A), which happens to be exactly what you are looking for : a subset of PDF excluding (among others) scripting, video or audio.

      Now, all we need is a PDF reader with an option "only open PDF/A documents"

    2. Re:What is this stupidity??? by MozeeToby · · Score: 5, Informative

      Yep, and Firefox and Chrome have had exploits too. So have Linux, the iOS, and Mac OS 10. So has nearly every piece of popular, complex software. The rate of exploits found that affect Foxit is trivial compared to the number found in Adobe Reader.

  3. Re:PDF by ledow · · Score: 5, Insightful

    1) Include a programming language that's not directly related to the task at hand and/or allows execution of dangerous statements. (Javascript in Adobe, VBA in Office, etc.)
    2) Execute said code whenever and wherever you see it (VBScript / Javascript viewed in IE, ability to execute CScript, Adobe running Javascript and Flash content found inside PDF)
    3) Use native code execution as part of your file format (WMF vulnerability - not relevant to PDF as far as I know but I couldn't be certain myself).
    4) Bundle your program so that it integrates into everything (web browser, printer list, startup list, etc.) so there are as many avenues of accidental execution as possible open to an attacker targeting a large user-base program.
    5) Introduce more and more levels of crap into the format, way beyond its original design (Font embedding, Javascript execution, form submission, JPEG, PNG, SVG, Flash, etc. direct embedding rather than converting to your supposedly "portable" document format etc.)

    Pretty much, if you see a program do any of the above, it's likely to fall on its arse at some point, security-wise.