Slashdot Mirror


Microsoft Helps Adobe Block PDF Zero-Day Exploit

CWmike writes "Microsoft has urged Windows users to block ongoing attacks against Adobe's popular PDF viewer by deploying one of Microsoft's enterprise tools. Adobe echoed Microsoft's advice, saying the Enhanced Migration Experience Toolkit (EMET) would stymie attacks targeting Reader and Acrobat. Called 'scary' and 'clever,' the in-the-wild exploit went public last week when security researcher Mila Parkour reported it to Adobe after analyzing a rogue PDF document attached to spam. Adobe first warned users Wednesday of the threat, but at the time gave users no advice on how to protect themselves until a patch was ready. Microsoft stepped in on Friday. 'The good news is that if you have EMET enabled ... it blocks this exploit,' said Fermin Serna and Andrew Roths, two engineers with the Microsoft Security Response Center in an entry on the group's blog." A Symantec blog post suggests the people exploiting this vulnerability may be the 'Aurora' group responsible for the attacks on Google late last year.

15 of 93 comments

  1. I already fixed mine by mcgrew · · Score: 4, Insightful

    I uninstalled Adobe Reader and installed Foxit. Problem solved!

    1. Re:I already fixed mine by VGPowerlord · · Score: 3, Insightful

      As long as you don't assume it's a panacea... Foxit has had its own security exploits in the past.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    2. Re:I already fixed mine by revlayle · · Score: 3, Informative

      Foxit insists on installing toolbars and special search engines these days... don't like it one bit.

    3. Re:I already fixed mine by Eudeyrn · · Score: 2, Informative

      Sumatra is my PDF reader of choice now. The program consists of a single executable, it's open source and GPL'ed. As long as all you need to do is load and read PDFs (imagine that, a PDF reader that just reads PDFs), it gets the job done beautifully.

    4. Re:I already fixed mine by vux984 · · Score: 3, Insightful

      Toolbars? Search engines? Are we talking about the same program here?

      Yes.
      It wants to install the Foxit Search Bar powered by Ask (opt-out)
      It wants to set ask.com as your home page (also opt-out)

      I just downloaded the most recent zipped version for Windows last night, and it didn't even need an installer.

      Right. That's hardly how most people install the software.

      Past versions that I've used the installer version of, had a rather obvious checkbox that you could use to opt out of installing a toolbar.

      Oh, so you know all about the toolbar crap, and you are just being disingenuous. Classy.

      Bottom line this sort of behaviour is skirting the border of being malware. What percentage of users appreciate another toolbar being crammed into their browser? What percentage of users appreciate their home page being changed? When both are pretty close to zero, you don't make it OPT-OUT in your installation wizard. It's especially obnoxious when users have to keep opting out each time they install an update.

      Having an opt out toolbar or home page change as part of the default install is obnoxious enough for me to avoid recommending foxit. Too many people will end up with them and none of them will appreciate it.

    5. Re:I already fixed mine by hairyfeet · · Score: 2, Informative

      Well let the old Hairyfeet add some helpful wisdom to those out here that have clueless relatives. Tell them to uninstall Adobe, then send them to Ninite and tell them which boxes to check. Ninite has fully automated installers for all the popular apps, including FF and Chrome, Songbird and Winamp, and of course Foxit and Sumatra PDF reader. Oh and ZERO toolbars from those companies that give you crap like Oracle Java.

      So trust your old pal Hairyfeet. You got clueless user/relatives, maybe that live many miles away? One phone call and Ninite can make a lot of those problems go away. Hell getting folks away from Adobe and IE seems to have cut down repeat infections by a good 80%. Thanks Ninite!

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Re:It's not zero day ... by mcgrew · · Score: 4, Informative

    When you're well past a week old, why the fuck do you keep calling it 0 day?

    Because it was exploitable on day zero. It's a week old zero day exploit.

  3. Re:It's not zero day ... by Culture20 · · Score: 2, Funny

    hope "bacon" doesn't come to mean something else

    Do you mean regular bacon or Canadian (which is really ham)?

  4. Adobe's perspective by alvinrod · · Score: 4, Insightful

    What does it say about your company when another company has to clean up your mess while you stand around, thumb up ass, not appearing to be doing anything meaningful?

    This has nothing to do about MS being good or evil. They've got a solution to the problem and it's much welcomed. Hopefully Adobe gets this fixed shortly so that people who can't make use of Microsoft's solution don't have to worry about the vulnerability either.

  5. Re:What does it say about your company... by just_another_sean · · Score: 4, Insightful

    This is /. Anything related to computer security is news. Especially when it effectively targets most, if not all, the users/customers we have to help all day (and night, and weekends!).

    Not every story about Microsoft is posted just because it's about Microsoft.

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  6. Re:Publicity is publicity by b4dc0d3r · · Score: 3, Interesting

    Every time a news article says there's a flaw in Acrobat Reader and that everyone is vulnerable, it reinforces the idea that everyone uses Acrobat and there is no other option.

    No such thing as bad publicity, bandwagon propaganda, and all that. They might as well put flaws in on purpose for the free monthly advertising. All it takes is a tiny portion of flaws to appear in Foxit, which does happen sometimes, and Adobe gets to claim that no reader is flaw-free.

  7. ASLR by js3 · · Score: 4, Informative

    According to the article..

      "Normally Address Space Layout Randomization (ASLR) would help prevent successful exploitation. However, this product ships with a DLL (icucnv36.dll) that doesn’t have ASLR turned on."

    So enable ASLR on the effing DLL and release a patch, problem solved? Nothing would make me work overtime and on the weekend more than a highly visible level 1 bug. Adobe developers must have it good!

    --
    did you forget to take your meds?
  8. Re:It's not zero day ... by toadlife · · Score: 2, Funny

    -1 day exploit.

    You mean the user?

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  9. 'I'm smug and condescending just to be an asshat!' by rts008 · · Score: 2, Informative

    What's your point?

    At least 'mcgrew' offered a possible solution...so, where's your 'help the rest of the world' solution?

    Put up, or shut up, you hypocrite.
    You are actively working against your implied cause.

    I also use Foxit, and learned about it years ago right here on /., from someone like 'mcgrew', making a similar comment.

    The only benefit I got from your comment is you are an asshat, just for the sake of being an asshat.

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  10. Re:How is this a real solution? by gad_zuki! · · Score: 2, Informative

    You know, Foxit does this. It enables 'secure reading mode' when you open a PDF from the browser. Adobe should copy this feature, but instead they keep talking about a complex sandboxing scheme for their app.

    I'd rather they put in a mode like this, but they won't. Why? Because all those features it disables have been engineered by Adobe and as such they have performed a de facto extension of the PDF spec. Disabling this feature is admission that Adobe is incompetent and that people can live without js/flash embedding and mailable forms.

    So Adobe's management is all about promoting their features and they don't care much about security. They figure the update process will take care of it, but it doesn't. Heck, Reader doesn't even auto-update itself. You need to manually run the updater once and then it lives in your tray asking you to do the update. End users don't update typically. MS learned that the only way to get them to do it is to enable auto-update by default and they've been doing this since XP SP2.

    So now everything is hinged on this sandbox mode that lets them have their cake and eat it too. They want all sorts of insecure features and security. They think they can continue business as usual and the sandboxing will protect everyone. Dunno, this seems to be a pretty big gamble to me. Instead of a simple secure reading mode and setting auto-update to default, they're going the sandbox route. I suspect this really won't help and malware writers will find ways outside the sandbox.