Adobe's Reader X Spoils New PDF Attack

CWmike writes "Gregg Keizer reports that Adobe's Reader X stymied a recent attack campaign, researchers said Thursday. But they're not sure why. 'I don't want to take anything away from Adobe — after all, a win is a win — but this particular exploit appears to be designed with previous versions of Reader in mind,' said Chris Greamo, who heads the security research lab at Invincea. 'What appears to have happened is that the exploit breaks, but we don't have a good sense if the sandbox was able to contain it.' Reader X, an upgrade issued last year, features a 'sandbox' designed to protect users from PDF exploits. Adobe claimed that a recently-addressed bug in Chrome that lets attackers escape the browser's sandbox was not present in Reader X's sandbox code. Google patched that bug, the first to earn the company's top bug bounty of $3,133, three weeks ago. Adobe said Thursday it will would ship its next regular update for Reader on Tuesday, Feb. 8."

Upgrade

[Nuno+Sa]

We only have to wait for the upgrades :-)
Ehehehe

[Shrug] Portability is hard

The same holds true for malware.

That's just sad.

[ChrisMP1]

PDF reader... sandbox...

A Document Format that needs a sandbox. I don't have a sandbox around my text editor, nor my PNG viewer, nor my MP3 player... Tell me again, why do we need our document formats to be little programming languages?

Re:That's just sad.

[ChrisMP1]

Better question, though off topic - why is Adobe's PDF viewer over 10 MB?

$ du -h /usr/bin/xpdf.bin
1.3M /usr/bin/xpdf.bin
$ du -sh /usr/share/xpdf
76K /usr/share/xpdf

Re:That's just sad.

[rudy_wayne]

PDF reader... sandbox...

A Document Format that needs a sandbox. I don't have a sandbox around my text editor, nor my PNG viewer, nor my MP3 player... Tell me again, why do we need our document formats to be little programming languages?

The problem is Adobe Acrobat Professional, or whatever they call their expensive software for creating PDFs. In order to get people to keep buying new versions they have to keep adding more and more features. Which means that Adobe Reader has to be constantly updated so that it can read PDFs with all those new features. New features equals new bugs and security exploits.

Re:That's just sad.

[Stregano]

So we can make documents. We can set them to be editable or not editable and add stuff that make these work as webpages. So, tell me again why you would pay for that instead of just making a web page (sorry, I think it is the web developer in my not understanding why you would pay so much for something you could get for free legally)?

Re:That's just sad.

[icebraining]

I don't have a sandbox around (...) my PNG viewer

Microsoft Security Bulletin MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution

(...) nor my MP3 player

Winamp MP3 Player Lets Malicious MP3 Files Control the Winamp Mini-browser and Cause Arbitrary HTML Scripts to Be Executed

Re:That's just sad.

[ChrisMP1]

Well, a PDF is supposed to portably appear exactly as it will print. Pretty sure that's not possible with HTML.

Re:That's just sad.

[ChrisMP1]

Sure. Everything has bugs now and then. Adobe Reader has so many that they added a sandbox. We're just starting to do that with web browsers, and they're supposed to run "programs" of a sort. We're always reading about some new PDF code execution problem. You're not seriously claiming PNG and MP3 have as many exploits as PDF...?

Re:That's just sad.

[icebraining]

PNG and MP3 don't have exploits, programs do. I've never heard about any exploit in my PDF reader, and while lack of user base is a reason for it, supporting only a reasonable subset of the full spec is important.

TL;DR: PDF is fine, just don't use Adobe Reader.

Re:That's just sad.

You know what's sad? My iPhone opens PDFs faster than Acrobat. How about when you have a network printer setup and you're not connected to that network Acrobat hangs the entire machine while trying to connect to it?

Tell me again why we need our applications to be bloated and buggy when they're run on desktops?

Re:That's just sad.

Indians paid by the line.

Re:That's just sad.

[tepples]

So, tell me again why you would pay for that instead of just making a web page

Because popular web browsers' CSS engines still have crap support for paged media, or at least they have such a reputation.

Re:That's just sad.

[diegocg]

Another good question is why a document viewer needs to add a preloader to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Re:That's just sad.

[v1]

A Document Format that needs a sandbox. I don't have a sandbox around my text editor, nor my PNG viewer, nor my MP3 player... Tell me again, why do we need our document formats to be little programming languages?

Any program that interprets untrusted information could benefit from a sandbox. While directly it prevents the interpreted code from explicitly accessing outside its bounds, it also protects the system from bugs in the interpreter that could cause the interpreter itself to perform actions outside its environment.

Since you mention PNG, I have seen examples of security patches for PNG and TIFF viewers that addressed security problems because it was possible to execute arbitrary code based on a bug in the viewer's interpretation of the picture data. (usually through overflows)

This came as a surprise to me with TIFF because I thought TIFF was raw uncompressed picture data and that would be immune to interpretation, but that was not the case.

Re:That's just sad.

PDF reader... sandbox...

A Document Format that needs a sandbox. I don't have a sandbox around my text editor, nor my PNG viewer, nor my MP3 player... Tell me again, why do we need our document formats to be little programming languages?

Image formats or even MP3 you mentioned can be a viable transport for malicious code too. If you think it over well enough, even text files can be used to exploit e.g. your text editor's buff overflow vulnerabilities...

Re:That's just sad.

[sankyuu]

And this isn't just applicable to Windows software; FOSS has its share as well: http://www.kb.cert.org/vuls/id/643140

For that matter, any platform that accesses code and data from the same memory (i.e. Von Neumann Architecture) is susceptible to this, as is typical of all general purpose OSes.

Re:That's just sad.

[ChunderDownunder]

Bells and Whistles take up space.

Also, you're comparing apples and oranges. xpdf is ugly and, last I checked, lacking features. A fairer comparison would be with the flagship open source pdf reader, namely Okular. The file size may still be smaller but remember the Qt/KDE shared libraries it loads.

Re:That's just sad.

[larry+bagina]

unless the QT/KDE libs supply PDF functionality (as OS X does), it's no fairer to include them than it is to include C:\WINDOWS.

Re:That's just sad.

[ChunderDownunder]

I think okular uses a fork of xpdf.

Does acrobat reader use the native toolkit in c:\windows? If not then I think it is fair. Gnome doesn't include Qt either, so if I want to use Okular... :)

Re:That's just sad.

Because you have this notion that you're going to take your current paper forms, scan them all in, and you will handle the electronic versions exactly the way the paper ones worked.

It makes no sense whatsoever. It is absolutely insane to do this instead of going straight to a database-backed webapp, but people do it anyway. I guess part of it is legality, but most of it is managers who think visually.

Re:That's just sad.

I'm curious how something like Sandboxie really works
http://www.sandboxie.com/

Re:That's just sad.

You probably haven't heard of any because you don't strictly need to target PDF. You just target something it supports. Like packaged fonts. Then you can exploit FreeType, which exists on virtually every platform (it must as a prerequisite to PDF).

Oh yeah... and that example actually happened. All readers were vulnerable, even Okular.

Re:That's just sad.

One more would be, why does the PDF format support embeded video files and javascript.

Re:That's just sad.

[Zan+Lynx]

Really, all our applications should be in sandboxes.

Why does a word processor need access to music files? Why give a music player access to anything but music files?

There have been hacks of MP3 players through corrupt ID3 info, hacks of image viewers through the JPG parser.

Just lock it down. Lock it all down.

Re:That's just sad.

[Grishnakh]

No, it's not fair.

First, if you're using Gnome, you'll probably use evince instead of okular. Just as okular uses the same toolkit as KDE, evince uses the same toolkit as Gnome.

Secondly, why wouldn't Adobe Reader use the native Windows toolkit? You're supposed to use the native toolkit of an OS (or DE), not only because it's more efficient, but also because it results in a consistent look and feel. So if Adobe is using their own toolkit, then that's their own stupid fault, it's not something to give them a pass on.

Re:That's just sad.

[hairyfeet]

Sadly the same reason why my MS Office 2K is a nice light word processor and 2K7 is a little piggy, it is called feature creep. You see bug fixes aren't sexy and don't sell copies of software, whereas whiz bang new features do. Every year you have some PHB saying "Where's my new bullet point list of goodies to hand to the salesmen?" and you had damned well better have that bullet point done son!

Of course the fact that we have truly insane amounts of hardware don't help either. I remember during the days of Win 3.x if you would have put out a 10Mb+ reader that sucked memory like a drunk sucking whiskey your company would have been gone quicker than you can say DBase 4. But coding tightly written apps cost money and thanks to our ever going race to the bottom the answer is usually "Ehh just throw more (insert RAM, HDD, CPU) at it".

So we had just better get used to it, because to allow interoperability the FOSS guys have to jump on the bandwagon too, just compare OO.o 1.1 Vs the latest to see the bloat. Nobody writes slim tight code anymore, sadly it has gone the way of the floppy and the 486.

Re:That's just sad.

[Grishnakh]

There's lots of good reasons to make and use PDFs. For instance, suppose you're a magazine publisher, and you want to make your magazines available on the internet (or on DVD-ROM) for reading electronically. Not only your newest issues either, but also all your old issues, going back decades. With PDF, that's easy: the old issues you can scan into a PDF from your archive copies, and the new issues can probably be directly exported to PDF from whatever publishing software you use, yielding much higher quality than a scan. Now, you can put all these PDFs on a DVD-ROM and sell it to your readers for $29.99, or make available on your website to paying subscribers. (And then it'll show up on BitTorrent for people to download for free, but that's another subject...)

With these PDFs, your readers will be able to look at old back issues, and see them exactly how they appeared on the printed version. Moreover, they can print selected pages, and those will come out exactly as they appeared in the print version (except for the printer's margins, of course). This isn't something you can do in HTML, nor is it something you'd want to. HTML totally sucks as an archival format, since browsers render things so differently, and even the same browser will render differently based on window/screen size, and also because it doesn't include the fonts or images.

If you need something that's basically "digital paper", PDF is it. There's also DjVu, which has much better compression, but it never caught on for some reason.

Now, as for things like fillable forms, yeah, it's kinda stupid. It makes sense in a small way; I've filed my taxes using fillable forms for quite a while, for instance, but obviously it'd make more sense just to do it directly on the web and submit it that way, without messing around with a format that tries to emulate paper. But if you want to download a form, fill it in electronically, then print that out and submit it by snail mail, PDFs are the ticket. Now you're probably thinking, "why would you do that, instead of just submitting online?" Good question. The answer is that the IRS is stupid. If you want to submit your taxes without paying an additional fee for the luxury of doing it paperless, then the ONLY way is with paper (there is one free website for it now, but it's only allowed for certain filers, not everyone, like if you have a complex return with a lot of forms, a business, etc.). If you want to submit electronically, which actually makes things easier for the IRS, then you have to pay extra, to some third party! Does this make any sense? No, not at all, but that's the way it is. If this were some other country, essential government services and functions like this would be done by the government, so if they want people to submit electronically to save them money, they'd build this service into their organization and offer it for free to taxpayers. However, in America, we're big believers in fascism, so instead of just letting the government do things, we contract it out to a private corporation or two (who probably gave a politician a nice "campaign donation") and make them the gatekeepers, so that you can't do business with the government without working through (and paying) their corporate partners.

Re:That's just sad.

[ChunderDownunder]

I use Gnome (haven't been back to KDE since 3.5) but I think Okular is a better document reader. I don't complain about the download size because I accept that a more sophisticated, polished UI brings in a bunch of dependencies that just using X won't provide.

On Windows, plenty of applications don't using the native Win32 toolkit. As an example, develop using Visual C++, with a toolkit such as MFC? A bunch of libraries need to be distributed with your app, even if the installer hides them under c:\windows. No, they don't come with XP SP3.

Xpdf uses primitive X11 widgets, not even Gtk+ or the abovementioned Qt. No surprise that it has a small binary size but don't expect it to run natively on wayland! I can think of a number of reasons why Adobe Reader might be considered bloated but comparing its binary size to Xpdf is way down on the list.

Re:That's just sad.

[Grishnakh]

I use Gnome (haven't been back to KDE since 3.5) but I think Okular is a better document reader. I don't complain about the download size because I accept that a more sophisticated, polished UI brings in a bunch of dependencies that just using X won't provide.

This is only because of the ongoing fragmentation between Gnome and KDE. If they ever merge them into a single DE for Linux (and other free *nixes), then this will no longer be a problem.

<i>On Windows, plenty of applications don't using the native Win32 toolkit. As an example, develop using Visual C++, with a toolkit such as MFC? A bunch of libraries need to be distributed with your app, even if the installer hides them under c:\windows. No, they don't come with XP SP3.</i>

Then MS is doing something wrong. As I understand it, on Mac OSX, there's one main toolkit provided by the OS (and another one for legacy apps), and apps are all supposed to use that, instead of reinventing the wheel. That's the way it should be on any OS.

<i>Xpdf uses primitive X11 widgets, not even Gtk+ or the abovementioned Qt. No surprise that it has a small binary size but don't expect it to run natively on wayland! I can think of a number of reasons why Adobe Reader might be considered bloated but comparing its binary size to Xpdf is way down on the list.</i>

Actually, that makes xpdf even more impressive, since they have to do a bunch of things themselves instead of "outsourcing" them to the toolkit.

However, back to the toolkits, adding in the entire size of a toolkit to an app isn't fair in another way: the whole toolkit isn't used by a given app, only a portion of it (whichever portions it's calling). When you don't use a system-provided toolkit, then you get to trim out all the things you don't need, and only include the things you do need. So (app wi/ builtin toolkit) < (app) + (system-provided toolkit). So if Adobe is using their own toolkit, and their binary size is still huge, that's even worse.

As for Wayland, I don't think that's going to change anything. X11 will still be there, it'll just now be a level higher, and feed into Wayland, so all the X11 apps will still work, and you'll still be able to do X over a network, but local applications will theoretically be faster. TIme will tell.

Re:That's just sad.

[ChunderDownunder]

Gnome and KDE merge? unlikely, they're chalk and cheese.

"X11 will still be there"? Nope, the idea of wayland is X11 won't need to be included at all by default. Gnome and KDE will be wayland native via their respective GTK+ and Qt backends. Adding Xpdf will seem bloated because you'll have to start an X11 process on top of wayland - whereas today that comes for free.

Re:That's just sad.

[Grishnakh]

"X11 will still be there"? Nope, the idea of wayland is X11 won't need to be included at all by default. Gnome and KDE will be wayland native via their respective GTK+ and Qt backends. Adding Xpdf will seem bloated because you'll have to start an X11 process on top of wayland - whereas today that comes for free.

That's not my understanding at all, according to what I've read about the plans for Wayland. Yes, in a more minimalist distro, X11 could be eliminated. However, most distros will probably keep it around for a while, for a couple of reasons: 1) apps that haven't been converted yet, and 2) network transparency. Wayland doesn't have network transparency yet (though I'm not sure, but I thought it was planned to add that later), so you need X11 on top of Wayland to do that. After all, tons of people use "ssh -X" to run stuff remotely.

Re:That's just sad.

[Bruce+Cran]

It appears it's a useful feature because many applications allow commands to be embedded in documents - even ones you might not expect, like vim. From FreeBSD's pkg-message for editors/vim:

SECURITY NOTE: The VIM software has had several remote vulnerabilities
discovered within VIM's modeline support. It allowed remote attackers to
execute arbitrary code as the user running VIM. All known problems
have been fixed, but the FreeBSD Security Team advises that VIM users
use 'set nomodeline' in ~/.vimrc to avoid the possibility of trojaned
text files.

Re:That's just sad.

[ChunderDownunder]

The point is X will be an *optional* service that runs on top of wayland. Qt and Gtk+ will support wayland from day one by the time Ubuntu ships it. Those who "ssh -X" can download a bunch of optional packages. I won't miss it on my home desktop and won't bother to install and run X just to load up xpdf when wayland-native alternatives such as Okular exist.

Naturally distros will include X for the reasons you mention. Once wayland is sufficiently mature, don't expect a consumer oriented distro like Ubuntu to turn it on by default when equally as many people as you cite won't even notice it's gone.

Re:That's just sad.

[Grishnakh]

"Gnome and KDE merge? unlikely, they're chalk and cheese."

I forgot to reply to this. What's so different between these two anyway, except for Gnome having less configurability (which could easily be emulated in KDE by just specifying certain config options and removing some stuff in the system setup menus)? Essentially, they both do pretty much the same thing: provide a similarly-functioning desktop environment, with a "start" menu button which brings up a menu with applications installed (and I believe the method they have for keeping track of installed apps is actually the same, for compatibility), a clock, and all the other things you expect on a panel, multiple workspaces, things like volume control, device manager/notifier, etc. They're based on underlying libraries/toolkits, which provide additional functions to programs, like the widgets, print dialog, etc.

Maybe I'm missing something, but it seems entirely technically feasible to, for instance, replace Gtk+ and large parts of Gnome's libraries with Qt and some KDE libraries, create a new theme that looks like today's Gnome's, and no one would be able to tell the difference.

I can understand why at the highest levels (the desktop that the user sees, the panel, the stuff in the control panel that users can configure, etc.), the two projects have philosophical differences and would prefer to go in separate directions. However, it seems to me that most of the underlying libraries are trying to do the exact same thing, so it's really quite redundant to have both of them actively developed. After all, they're both running on the Linux kernel and userspace (usually), the Glibc libraries, and X11 (soon Wayland), so obviously they don't feel the need to reinvent the wheel in those places. I think it'd be more productive if they tried to consolidate a lot of the underlying architecture that operates mostly the same between the two.

Re:That's just sad.

[ChunderDownunder]

it seems entirely technically feasible to, for instance, replace Gtk+ and large parts of Gnome's libraries with Qt and some KDE libraries, create a new theme that looks like today's Gnome's

It was announced nearly 3 years ago. Still no word on a release date!
Anyway, they do collaborate on various projects at freedesktop.org

Re:That's just sad.

[plover]

You know what's sad? My iPhone opens PDFs faster than Acrobat. How about when you have a network printer setup and you're not connected to that network Acrobat hangs the entire machine while trying to connect to it?

Tell me again why we need our applications to be bloated and buggy when they're run on desktops?

You may feel the need to have a bloated and buggy Acrobat, but I found that it's actually optional.

By removing most of the plug-ins that it installs by default, it avoids a lot of the security holes. Do I give a damn if a PDF on my box can execute javascript, send an email, play a media stream, or be translated into a voice reader for the blind? No. So I yanked probably a dozen default plug-ins, and my Windows version of PDF reader has a much reduced attack surface as a result. As a side benefit, it opens documents almost instantly.

Is my desktop box more secure than yours? Judged solely on that basis, I'd say yes. For every Acrobat Reader exploit out there, less than 10% would impact my installation. Something people are quick to forget is that security is never 100%, and they decry the 90% solution as "useless", but it's not. It's a numbers game. I'm willing to accept the risk of some possible vulnerabilities in Reader in exchange for being able to read most PDFs. And I'm willing to accept the loss of some content (media streams, javascript) in exchange for higher security.

Re:That's just sad.

[Celarent+Darii]

Disk usage of the wrapper is hardly a fair measure. Link the size of the dynamic libraries loaded as well. You will see that the amount of memory to run xpdf is much larger than 76k.

Depends on your system of course.

Re:That's just sad.

[WarmNoodles]

We don't need them to evaluate or run code. The first thing I do on any PDF reader, is turn OFF java script support. No reason the average user will ever ever ever need it.

Feature bloat, small corporate interests which damage non corporate general use. Laziness to make a separate safer user version and costs of splitting the source trunk into many trees.

The reason to sand box over validating all inputs is simple. The golden code syndrome.
Programmers with inflated egos and the PM's which deflect crap away from them both of which just get enraged at the mere mention that their golden code or golden boy/girl might have written buffer overflows, supported design with trust model violations, or just plain ignored input validation.

As for the user, they need to understand that if they don't want to be hacked, never install a PDF reader on the same machine that runs email and never do banking on a machine you also browse with or read email on.

Re:That's just sad.

[dkf]

PNG and MP3 don't have exploits, programs do.

That's because there's no standard scripting section for those container formats, as far as I'm aware. Without some way to package in code that can be executed in a way that the target will understand at all, the exploit isn't going anywhere.

If you work for Microsoft and are reading this, please, for the love of all that's holy, do not define such a thing, even as a vendor extension. Even if it lets you do something you think is neat. Such a change could only ever cause grief and pain, which would be redoubled when a battalion of computer security catch up with you in person after having had to suffer through years of dealing with the resulting vulnerabilities. (Hey, I'm just trying to head this off at the pass right now. Some ideas really are that awful.)

Just Windows?

The sandbox is only on Windows, so what about the other platforms with Reader X?

Re:Just Windows?

[lseltzer]

The attacks are on Windows so that's where they put the effort. Note that the sandbox is also only on Reader and not Acrobat for the same reason

Re:Just Windows?

[AmberBlackCat]

They'll just do as they always do and assume they're invulnerable.

X?

[markdavis]

X? OMG, how original, exciting, and mysterious calling it "X" instead of 10. I guess it wasn't enough for MacOS 10. So I wonder if they will be able to let go of "X" when it is time for "XI"? Will version 10.1 be "X.1" or "10.1"? Or perhaps they will go redundant like Apple and call it X 10.1?

Even funnier that they call the latest Apple operating system "Mac OS Intel 10.5.6 - 10.6.4" in their pulldown menu.

Re:X?

Why not X.I?

Re:X?

[treeves]

It's funny that Reader X reminds me of Racer X, the mysterious nemesis of Speed Racer.

Re:X?

[Audacitor]

Mac OS X is the name. 10.x.x is the version number. You kinda have to do something when you get to version 10, because after that things start to sound awkward. I mean, doesn't Photoshop CS5 sound so much better than Photoshop 12?

Re:X?

My computer has Emacs 23 installed. By that logic it should be Emacs X: 23.2 -- or even worse, Emacs XX: 23.2

Re:X?

[larry+bagina]

Emacs 23.2 is really 1.23.2. They dropped the 1. at 1.13 or so.

Re:X?

[markdavis]

Before MacOS 10 there was MacOS 9. MacOS X = MacOS 10. Saying "MacOS X 10.4.2" is redundant. Really, "MacOS 10.4.2" OR "MacOS X 4.2" will do fine.

Re:X?

[David_W]

I mean, doesn't Photoshop CS5 sound so much better than Photoshop 12?

No?

Re:X?

[Culture20]

X? OMG, how original, exciting, and mysterious calling it "X" instead of 10. I guess it wasn't enough for MacOS 10. So I wonder if they will be able to let go of "X" when it is time for "XI"? Will version 10.1 be "X.1" or "10.1"? Or perhaps they will go redundant like Apple and call it X 10.1?

Even funnier that they call the latest Apple operating system "Mac OS Intel 10.5.6 - 10.6.4" in their pulldown menu.

Five hours since you posted, and no one has thought of the obvious?
"[Mac OS / Adobe Reader] goes to Eleven!" That's the actual version number: "goes to Eleven!" After that, you count the exclamation points. "goes to Eleven!!!!!!!" is 7 versions after OS X.

Re:X?

[LordLimecat]

No, its not. The operating system is "OSX". The version is 10.4.2. That doesnt mean "tenth version of OSX" any more than Ubuntu 11.04 means "eleventh version of ubuntu"; the vendor chooses how to name and version their product. You are of course free to disagree with me, Apple, and whoever else you like, but you would be wrong-- as the vendor, all of this is their prerogative. I might suggest checking the wikipedia page for OSX if you want some clarification on the matter.

Stop being pedantic (and wrong, for that matter).

Re:X?

[markdavis]

WIkipedia: http://en.wikipedia.org/wiki/Macos

"Mac OS X is the newest of Apple Inc.'s Mac OS line of operating systems. Although it is officially designated as simply "version 10"...

" The operating system is the successor to Mac OS 9 "

"(pronounced /Ëmæk ËOEoÊS ËOEÉs ËtÉn/ mak oh es ten)"

"Mac OS X, whose X is the Roman numeral for 10"

"Mac OS X is the tenth major version of Apple's operating system"

"The letter X in Mac OS X's name refers to the number 10, a Roman numeral. It is therefore correctly pronounced "ten" (/ËtÉn/)"

Strange, sounds almost exactly like what I was saying. It is, indeed, most certainly, version 10 (X) of MacOS. Saying it is "MacOS ten version ten dot four dot two", is redundant, because it is not version ten of ten, it is just version ten. But, whatever.

Iron users beware of other adobe-exploits

[vlueboy]

SRW Iron (Chrome alt on windows) tends to be behind, and somehow I forgot to replace it w/Chromium on this PC, so I had no built-in autoupdate. A megavideo on-click-to-play-flash-movie event on that site always triggers some "benign" FLASH pop-up to reelhd.com and today the latter came with a payload. The usual site lie says I need to click to download *their own* xvid player. Except it the browser prompts me if I really want to DL the triggered installer's exe ... and even though I scoffed and cancelled THAT it had already ran invisibly behind a decoy --no Java needed. MS security essentials log says it blocked Win32/ClickPotato adware for trying to run once, and a second time from my having tried to close the tab.

It seems I'll be adding reelhd and browserdl.com to my hostfile's blocked sites. I'll also hate to reconsider my usual stance of browser promiscuity.

Re:Iron users beware of other adobe-exploits

[LordLimecat]

All those security concerns and yet you still:
A) Run the completely unvetted (and by their own admission, modified) SRWare Iron
-->Which lacks autoupdate
-->Which you for some reason trust more than googles official version, or the Chromium nightlies (despite this exploit, lol?)
-->not to mention that you cant exactly get the source code to SRWare, can you?
B) Use hosts files as some kind of attempt at security
C) (based on remark about promiscuity) believe that the websites you visit has anything to do with your level of securrity?

I used to be on the SRWare bandwagon, but the idea that I should for some reason trust this no-name company for no other reason than that they claimed to do "optimizations", use the latest webkit, and strip out googles spyware from the software-- all without access to their source-- and that whats more, I should trust their software more than the completely open Chromium.... yea, kind of hard to justify.

Brilliant Adobe Developers

[billcopc]

the exploit breaks, but we don't have a good sense if the sandbox was able to contain it

Plain English Translation: We have no idea how our own code even works, but hey we dodged this one, HIGH FIVE!

Re:Brilliant Adobe Developers

It's not Adobe that was wondering why, it was the researchers at Invincea.

At least that's what the summary says.

and people wonder why Flash is Evil

[Salvo]

The problem is homogeny of the market.
If every user has the same version of the same PDF reader, an exploit can spread to everyone.
If an exploit won't affect people using Chrome PDF Viewer, Foxit Reader, gPDF or XPDF or Mac OS X Preview, it severely restricts the effectiveness of the exploit.
If everyone uses Adobe Reader on Windows, Mac OS X, Linux and mobile devices, an exploit like this can affect everyone.

While there are 3rd Party implementations of Flash Players, Adobe Flash Player is still ubiquitous. Adobe evolve the "standard" for commercial reasons with every version, leaving 3rd Party implementations behind and incompatible with new versions of the "standard".

Re:and people wonder why Flash is Evil

[Draek]

Well, hard to do anything about it, half the proposed alternatives are even worse evils than Flash, and the other half doesn't give technophiles a stiffy.

And technophiles are, by the way, the main reason we're stuck with Flash in the first place: Adobe has tried to do the same with Adobe Reader, but since almost nobody uses all the random scripting crap they've added to it and only uses the baseline standard, alternative PDF viewers are able to display 99% of documents out there perfectly in spite of not catching up to Adobe's reader. Alas, that's too much to ask for video and animation, and since the nerds *must* use the latest codec and features, we are where we are.

Re:and people wonder why Flash is Evil

[Grishnakh]

Well, hard to do anything about it, half the proposed alternatives are even worse evils than Flash

The problem isn't so much the Flash format, as the fact that the official Adobe player is the only one that really works well, precisely because the spec is a moving target. Basically, they add in some stuff to their spec (which they don't share with anyone yet), then implement it in their viewer and authoring software, and then release it (and at this time, release the updated spec). So, the free/alternative implementations now have to try to implement these new changes, which takes significant time, but website authors are already using this new version of the spec, so anyone using the alternative viewers won't be able to use a lot of websites.

If Adobe released the new version of the spec to the writers of alternative Flash viewers early on, at the same time they started implementing the changes in their official viewer, this problem wouldn't exist.

The only reason it works so well with PDF is because the PDF standard is pretty stable at this point, and the alternative viewers probably don't bother with a lot of the stupid changes in recent years, and most PDF authors don't use these features because they're simply not necessary (like videos inside a PDF... WTF?). The problem of having a digital document that emulates a printed page has been a solved problem for a very long time now (since around 1995 IIRC), and there just isn't a good reason to make any substantial changes to such a standard. Adobe only does so to try to get people to "upgrade" to their latest version of tools, but no one really uses these stupid new features, and the free viewers just ignore them, because they know that no one needs JavaScript to describe a printed page.

Re:and people wonder why Flash is Evil

[adolf]

My local municipality collects income tax. It's a simple tax: 1%. It usually fits onto a simple, one-page form. But there's still some data entry and calculations for exemptions and crap and so, like anything else more complicated than taking a leak, it could be improved.

For the 1999 tax year, they issued a PDF tax form that automagically did the simple math for me, just by filling out the values in Adobe Reader/Acrobat/X/whatever it was then.

It worked well. My brain already hurt from filing Federal and State taxes that evening, and it was refreshing and very surprising to have something easy to work with for the city by the time I got down to them. I filled in a couple of fields, printed the resultant form, dropped it off at the local tax office, and it was fast and simple and done.

For 2010, they use the same form, with a different tax rate (1.25%), but they dropped the code that does the math (they must have downsized the one clever person who figured it out for 2009). All it is for 2010 is a simple PDF that one can print and then fill out by hand.

I'll reiterate: By hand. It is dumb.

Yes, it's a corner-case. Yes, it would perhaps be better-solved with an online form on a web site (eliminating both paper and physical delivery). But yes, it was useful.

It's improper to say things like "nobody uses this," when some people do.

Now, if you ask me if such things belong in a Portable Document Format file to begin with, I guess I'd have to say "no." And if you ask me if it's a terrible burden to write this stuff out by hand in this instance, I'd also say "no." But it was handy, and it did work well.

On the other hand, I'm not aware of any other cross-platform semi-open system that can handle document layout, user entry on forms, and math, all from a single concise file.

Re:and people wonder why Flash is Evil

The problem is homogeny of the market.
If every user has the same version of the same PDF reader, an exploit can spread to everyone.
If an exploit won't affect people using Chrome PDF Viewer, Foxit Reader, gPDF or XPDF or Mac OS X Preview, it severely restricts the effectiveness of the exploit.
If everyone uses Adobe Reader on Windows, Mac OS X, Linux and mobile devices, an exploit like this can affect everyone.

While there are 3rd Party implementations of Flash Players, Adobe Flash Player is still ubiquitous. Adobe evolve the "standard" for commercial reasons with every version, leaving 3rd Party implementations behind and incompatible with new versions of the "standard".

But HERE'S all the good stuff!!! http://zackyfarmsdenise.wetpaint.com

Google Chrome as a PDF reader/viewer?

Googles Chrome browser now reads/displays PDFs natively... I have been using it since that version was released a couple weeks ago as my default PDF viewer on the several Windows boxes I have to use at work.

Seems to work well, and loads/displays much MUCH faster than Adobes reader. (any version)
Has some missing features vs. Reader (or Ocular under Linux) but is quite servicable.

Under Linux there's no speed advantage vs. Ocular etc AFAICT.

Well, it's secure, but...

Just when you think Adobe couldn't possibly make Reader suck any more, out comes v10, er, X...whatever. It used to be just insecure, bloated and slow. Now it's bloated, slow, buggy, probably still insecure, and the user interface has been horribly dumbed down, even further than in v8 and 9.

Alternatives are starting to look pretty nice.

Yes

Well, yes. Adobe Reader X is the most Secure since it has been released. People who don't know better keep recommending Foxit or whatever, even though they don't have half the protections Reader X has. I will be very surprised when an exploit makes it past the Reader X protections.

Why not a normal update via URL?

[Max_W]

I do not appreciate fancy updates which pop up on my desktop from icons in the right lower corner. I had a virus attack from such an update. It was masqueraded as a Java update. I removed Java from my computer completely after that.

I am seriously considering removing the Adobe Reader and Flash too.

Why just not inform us that an update is available and give the clear URL link to an update file on the Adobe website? Or at least update when I open the Reader and asked for an update or confirmed an offer to update.

Adobe problem

[Msdose]

I downloaded a PDF at the library to print it. No problem. Then I couldn't delete the document from the library's system. They had to uninstall Adobe to get it to stop displaying my document. I'm wondering if the document will still appear if someone re-installs Adobe. Assholes.

Re:Adobe problem

That sounds like a misconfigured and clueless sysadmin Windows problem. You should not place all blame on Adobe, save some blame for MS...

Re:Adobe problem

[LordLimecat]

Sounds like the library has odd permissions issues-- allowing "create file" and "append data" but not "delete file". Not adobes fault at all.

Protected Mode Bug

[wasabii]

I had to disable this sandbox (protected mode) across my network. Makes it impossible to open PDF files from DFS shares. Boo.

still does not make up for...

[hesaigo999ca]

Ok, let's all rally a hurray for you (seeing you pat yourself on the back here) for doing something you should have done from day one...
i say, we still haven't forgiven you for all the other exploits out there that are still very functional, and lead to many millions of dollars damages....let's remember this point too....and keep the back patting to a minimum....mmmkay.