Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Warns of Critical Zero Day Vulnerability

Posted by Soulskill on from the might-want-to-just-trademark-that-term dept.

wiredmikey writes "Adobe issued an advisory today on a zero-day vulnerability (CVE-2011-2462) that has come under attack in the wild. According to Adobe, the issue is a U3D memory corruption vulnerability that can be exploited to cause a crash and permit an attacker to hijack a system. So far, there are reports the vulnerability is being exploited in limited, targeted attacks against Adobe Reader 9.x on Windows. However, the bug also affects Adobe Reader and Acrobat 9.4.6 and earlier 9.x versions for UNIX and Macintosh computers, as well as Adobe Reader X (10.1.1) and Acrobat X (10.1.1) and earlier 10.x versions on Windows and Mac. Patches for Windows and Mac users of Adobe Reader X and Acrobat X will come on the next quarterly update, scheduled for Jan. 10, 2012."

31 of 236 comments (clear)

  1. Listed mitigation: Adobe Reader X Protected Mode by Anonymous Coward · · Score: 5, Insightful

    Why on earth isn't "Adobe Reader X Protected Mode" the default?

  2. Oh adobe... by mirix · · Score: 4, Informative

    You can pretty well set your watch by adobe exploits. Get it together, guys...

    --
    Sent from my PDP-11
    1. Re:Oh adobe... by fuzzyfuzzyfungus · · Score: 4, Funny

      You can pretty well set your watch by adobe exploits. Get it together, guys...

      You actually have several options: If you want it to run fast, set by exploits. If you want it to run slow, set by fixes.

  3. Patched when? by binaryhat · · Score: 5, Insightful

    Jan. 10, 2012? Why not immediately? Do Adobe coders suck that bad... Honestly I think when a major vulnerability is found, companies should fix it immediately or face penalties.

    1. Re:Patched when? by DERoss · · Score: 5, Informative

      If you follow the "exploited to cause a crash ..." link in the initial Slashdot item, you will see that a fix to Acrobat Reader 9 will be available by this coming Monday. You will also see that, unless you disable Protected View in Acrobat Reader 10, you are not vulnerable and thus can wait a month.

  4. Re:Listed mitigation: Adobe Reader X Protected Mod by Jeremiah+Cornelius · · Score: 4, Funny

    Good I stopped using that blob...

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  5. A lack of diversity... by jenningsthecat · · Score: 5, Insightful

    ...leads to increased vulnerability, whether in biology or in software.

    Although there are alternatives to Adobe Reader, none of them is good enough to gain significant market share. And Adobe does everything it can to make competing with it more difficult. So a key piece of software used by a large majority of computer users is bloated beyond belief and so riddled with vulnerabilities that it seems there's a new every day. It sucks, but it's hardly surprising.

    On the web, as in politics, we get what we deserve - or, in this case, we get what other web users deserve, because they vastly outnumber us.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:A lack of diversity... by enoz · · Score: 5, Informative

      I recall the Adobe loading screens on older Acrobat versions. One time while waiting for Acrobat to load its bloated carcass into memory I actually paid attention to the loading messages and noticed "movie.api" among others being loaded. That was the nail in the coffin.

      While switching to non-Adobe PDF software may not be in the power of everyone, you can blacklist the Adobe PDF plugin from running in your web-browser. Apart from improving your internet experience it may also help prevent some drive-by PDF exploits.

    2. Re:A lack of diversity... by mirix · · Score: 5, Interesting

      Evince (gtk) and Okular (ex-kpdf, iirc, Qt) both seem pretty usable to me.

      At work, I'm stuck with windows, and the Evince win32 port seems to work quite well there too. Only issue I ran into was that be default it tried to print things in landscape mode or something like that, and I didn't notice.
      A nice feature is that it does djvu and postscript as well, instead of having multiple readers (although I seem to think ps might not work with windows in default, probably relies on ghostscript or so..?).

      --
      Sent from my PDP-11
    3. Re:A lack of diversity... by Carnildo · · Score: 4, Informative

      Exactly, both Gnome and KDE environments have very good PDF readers built in, OSX is exactly the same if not better. The only OS that's behind is Windows. But then if the PDF viewer was programmed by MS it wouldn't change a thing from security perspective...

      If you look under the hood, Linux has the same lack of diversity in PDF viewers that Windows does: almost everything is just a frontend for the Poppler library. If a security hole is found in eg. kpdf, it's a good bet that the hole is also present in epdfview or xpdf.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    4. Re:A lack of diversity... by Mad+Merlin · · Score: 4, Insightful

      Although there are alternatives to Adobe Reader, none of them is good enough to gain significant market share.

      Are you kidding me? Acrobat is such a steaming pile of crap that it has bred a completely misplaced hatred of PDF in most Windows users. Ever seen a Slashdot summary with a "(warning, PDF)" note after a link? Only Acrobat can manage to bog down a brand new system opening a 1 page PDF, every other PDF reader in the world will open it instantaneously.

      If anything, Acrobat has single handedly painted PDF into the very niche corner that it's in now. PDF is a good format hobbled by a hopelessly lousy reference implementation.

      --
      Game! - Where the stick is mightier than the sword!
  6. Look at the credits for Adobe Reader. by Anonymous Coward · · Score: 5, Insightful

    If you're wondering "How can this happen?", all you need to do is look at the credits of Acrobat Reader. Notice that many of the names are quite clearly Indian. Then it all makes sense.

    1. Re:Look at the credits for Adobe Reader. by Anonymous Coward · · Score: 5, Insightful

      Because anytime you single out a creed, religion, race, or other general status, anyone belonging to said group interprets it as a personal attack and employs all possible methods to censor the shit out of said perceived attacker. It's like a biological kill-switch.

    2. Re:Look at the credits for Adobe Reader. by Anonymous Coward · · Score: 5, Informative

      Why is the parent modded flamebait? S/he's telling the truth. We just discussed this very issue: Does Outsourcing Programming Really Save Money?.

      Somebody please mod the parent up. Sometimes the truth isn't pretty, but it's still the truth. I don't care if feelings get hurt by it. It's still the truth.

    3. Re:Look at the credits for Adobe Reader. by hipp5 · · Score: 4, Insightful

      Because there is an assumption implicit in his post that that Indian names = outsourced, two-bit programmers in an Indian code sweatshop. The statement that names in the credits are Indian is indeed true. The broad assumption that follows is wild conjecturing with weak evidence and is thus deserving of a down mod.

    4. Re:Look at the credits for Adobe Reader. by hairyfeet · · Score: 4, Insightful

      Exactly. Nobody is saying the Indians are shit, they are saying that companies that take the lowest priced shit get shit for their money and when we see Indian coders that is EXACTLY what we are seeing, why try to hide it? Good Indian coders cost good money, same as good coders anywhere. These companies don't go to India because they want to hire top notch Indians at a decent wage, these corps want as close to sweatshop as they can possibly get. you know this, i know this, hell didn't anybody watch "How NOT to hire an American"? These corps don't give a shit about quality, its all about cost. This is why our landfills are overflowing with cheap plastic garbage and people are being poisoned in China melting circuit boards for the metals, cheap ass bottom of the line shit. this is just cheap ass bottom of the line software instead of hardware and India is where you go to get a programmer for a price lower than dinner at Mickey D.

      As for TFA this is why i'm so glad i haven't included Adobe Reader on a build of mine since Adobe 6. There are several excellent alternative readers like foxit and sumatra and foxit comes with safe reading on by default, so why would you want the risk that Reader causes? With Flash sandboxed in low rights mode and no reader i don't have to worry about Adobe bugs, which is nice. You'd have to be nuts to want Reader unless you simply have no other choice.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:Look at the credits for Adobe Reader. by EdIII · · Score: 5, Insightful

      You'd have to be nuts to want Reader unless you simply have no other choice.

      Acrobat 10. Production environment. Multiple servers for remote desktop sessions. Have to have it. Receive secure documents all the time for markup and endorsements and Foxit can't even open it. Let's not even talk about 3rd party PDF support for electronic signatures from capture pads.

      The NERVE of those fuckers to announce a zero-day exploit in the wild with an expected fix date in a quarterly update.

      What the fuck are they smoking? It's the 6th of December you sadistic moronic fucktards. This is the dark side of vendor lock-in. Till that update I have to wonder about the thousands of PDF documents flowing through into the system and from emails. Believe me, there are some workers that will open anything in an email. So it is a real risk already.

      Not that I don't normally, but there is a big difference between a possible threat and a known one.

      It's just amazing for them to announce that with all the business customers they have. The unmitigated gall of those bastards.

    6. Re:Look at the credits for Adobe Reader. by shuttah · · Score: 4, Insightful

      I agree 110%.

      It's a blatant and inexcusable display of negligence on Adobe's part to schedule an update over a month after telling us that a REMOTE EXECUTION EXPLOIT is confirmed, and is being exploited in the wild. Again, with confirmation. To add to that, this isn't even something where you can advise everyone to turn off javascript and pray everyone follows your instructions while keeping an eye on traffic. It's nothing short of nightmare to be honest. The fact that this software is installed on everything from a consumer's new laptop or desktop, to a hell of a lot of government agencies doesn't sit well with me either.

    7. Re:Look at the credits for Adobe Reader. by FooAtWFU · · Score: 4, Insightful

      I'm going to agree mostly, but differentiate a little. I have actually worked with a couple of very talented Indian software engineers - more talented and experienced than myself, sometimes. They weren't working for an outsourcing company, though; they were full-time hires. Good Indian software engineers have a tendency to go the same places good American software engineers do: companies that value their talent and who are willing to pay for it. They just have a marginally harder time doing it due to US immigration law. (Myself, I'd rather have them fully naturalized as soon as reasonable - I can compete with them better when their wages haven't artificially depressed by the monopsonistic exploitation of their labor associated with the immigration game).

      Anyway. It's already a lot easier to find a lousy software developer than to find a good one here in the US. Outsourcing to India as part of a management-driven process? Yeah, I'm going to laugh at the quality of the results in advance, please. As for Adobe employees working on Acrobat... let's just say their product doesn't do too much to promote the idea that they're competent.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
  7. FYI: U3D = Universal 3D by Anonymous Coward · · Score: 5, Informative

    According to the Wikipedia article on Universal 3D:

    The format is natively supported by the PDF format and 3D objects in U3D format can be inserted into PDF documents and interactively visualized by Acrobat Reader (since version 7).

    and

    There are four editions to date.

    The first edition is supported by many/all of the various applications mentioned below. It is capable of storing vertex based geometry, color, textures, lighting, bones, and transform based animation.

    The second and third editions correct some errata in the first edition, and the third edition also adds the concept of vendor specified blocks. One such block widely deployed is the RHAdobeMesh block, which provides a more compressed alternative to the mesh blocks defined in the first edition. Deep Exploration and PDF3D-SDK can author this data, and Adobe Acrobat and Reader 8.1 can read this data.

    The fourth edition provides definitions for higher order primitives - curved surfaces.

    I'm guessing it's the vendor specified blocks from the 3rd edition that are causing the problem.

    1. Re:FYI: U3D = Universal 3D by Mojo66 · · Score: 5, Insightful

      Why do we need support for 3D files, embedded file attachments, JavaScript and all that crap in a file format that was originally intended to print documents? I'm glad that there are alternativs to Adobe Reader that just support the old idea of a printable document file format and nothing more, for example Preview on OS X, for other OS see this list. The crazy thing is that Adobe Reader is promoted by a lot of companies that use PDFs to send out bills electronically, i.e. to open the attachment, you need to download Acrobat Reader. Which is not only a wrong statement, but also a suggestion to install an application that has been plagued with security faults.

  8. Re:Listed mitigation: Adobe Reader X Protected Mod by Calos · · Score: 4, Informative

    In my experience it can (or used to) break things when interacting with other programs.

    It broke my LaTeX editor. Couldn't compile a document and automatically have it open in Reader. After some fighting, I think I got it to open, but if you make some edits and recompile... it quickly errors out if you don't manually and completely exit out of Reader first. It's really annoying. Spent far too long reading up on how Reader is supposed to interact with other software and setting my editor to try different commands invoking Reader. No dice, and it looked like the documentation wasn't up to date for all the changes in X yet. But turn off protected mode, and it worked just fine.

    Granted, they might have fixed that in the mean time, I've not used it in a couple months, and don't even have Reader installed any more...

    --
    I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
  9. Too late by Natales · · Score: 4, Informative

    This type of vulnerability is serious enough that I find rather appalling that Adobe is pushing this to their regular "scheduled" quarterly update. If they are serious on being considered as a credible platform, they absolutely need to address these kind of issue with more sense of urgency.

  10. Sumatra by HBI · · Score: 4, Informative

    It doesn't do everything Acrobat does, but it reads PDFs. Which is enough for me.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  11. Be careful of "fixes" Adobe sends you by email. by Rakarra · · Score: 4, Informative

    I and a bunch of others received emails today claiming to be from Adobe (it wasn't, as mail headers showed) that included an attachment, an .exe in a zip file.

    Of course, you should never run attachments sent via email, even if the source appears trusted.

  12. Re:Listed mitigation: Adobe Reader X Protected Mod by capnkr · · Score: 5, Insightful
    "Blob" is very apt terminology, yet "(Unecessarily) Giant Blob" might be even more accurate. Not sure if these are exact numbers, but they are probably close. From Wikipedia, re: Sumatra PDF:

    It has a 4.4 MB setup file, compared to Adobe Reader's 40.5 MB, for Windows 7. Installed size is 8.4 MB, whereas Adobe Reader requires 335 MB of available disk space.

    Adobe PDF Reader - now with 10-40x the size of what's *really* needed! ***Bonus*** - Includes Critical 0 Day vulnerability, @ no extra charge!!!

    What more could you ask for?

    --
    "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
  13. Attack surface by WD · · Score: 4, Insightful

    I wrote it years ago, but it's still quite relevant:
    http://www.cert.org/blogs/certcc/2009/06/vulnerabilities_and_software_a.html

    Coding quality and exploit mitigations aside, there's something to be said for the size of the software that you're installing. The more code that's there, the more there is to attack. If you're using Reader, you might ask, why is there a 3D rendering engine in my PDF reader? Or maybe even do something about it.

  14. Re:Listed mitigation: Adobe Reader X Protected Mod by FatdogHaiku · · Score: 5, Funny

    Adobe PDF Reader - now with 10-40x the size of what's *really* needed! ***Bonus*** - Includes Critical 0 Day vulnerability, @ no extra charge!!!

    What more could you ask for?

    Ummm, could you maybe toss in an eternally running updater?
    And if the same people could come up with a useless "download manager", well that would just be peachy!

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  15. Re:Listed mitigation: Adobe Reader X Protected Mod by Anonymous Coward · · Score: 5, Informative

    That is not actually true. Adobe Reader is a "conforming implementation" of the ISO 32000 PDF specification. As such, it must support features that your 8.4 MB reader cannot possibly see (such as the ability to pull from CRL's when encountering a digital signature). I used to work for Adobe and I am not here to defend them but in all fairness, you must distinguish the difference between conforming and non-conforming implementations of PDF before comparing.

    Duane

  16. I *prefer* non-conforming by Mathinker · · Score: 5, Insightful

    > you must distinguish the difference between conforming and non-conforming implementations of PDF before comparing

    Your point is valid, however, how much of that ISO standard is, itself, "ooooh, shiny"-ness which is one of the reasons why Reader has so many more possible places of failure? Before discovering better alternatives for reading PDFs under Windows, the first thing I would do to Adobe Reader was to disable scripting support inside PDF documents.

    In other words, I prefer the non-conforming, because that means that (there is a chance that) the implementers might actually be ignoring stupid things which Adobe pushed into the PDF standard which shouldn't be there.

  17. Re:Listed mitigation: Adobe Reader X Protected Mod by Anonymous Coward · · Score: 5, Informative

    Don't forget the shell extension in windows, that enables those zero-day vulns to take effect by just hovering over the file! And unlike the updater and preloader, you can't turn this off without manually meddling with the registry.