Google Employees Find 60 Security Holes In Adobe Reader
sl4shd0rk writes "Upon examining the PDF Engine behind Google Chrome, Google employees Mateusz Jurczyk and Gynvael Coldwind discovered numerous holes. This led them to also test Adobe Reader, which turned up around 60 holes which could crash the PDF reader, 40 of them being potential attack vectors. The duo notified Adobe, who promised fixes, but as of the latest updates (Tuesday of this week) for Windows and Macintosh, 16 of the reported flaws are still present (the Linux version has been ignored). To prove it, Mateusz and Gynvael obfuscated the info and released it, saying the unpatched holes could easily be found. The Google employees therefore recommend that users refrain from opening any PDF documents from external sources in Adobe Reader."
This makes me cry. :(
PDFs have been a security headache for decades now. It originally started as an evolution of PostScript, but has since morphed into a "document solution". Adobe, like so many tech businesses, can't simply create a tool and then be finished. They always have to add more features, more code, more bloat. And surprise surprise, problems arise.
When I go to work on my car, I know my ratchets will work on any bolt on it; I just need to figure out what size it is and maybe an extender and I'm in business. My tools just work; they rarely break, and they don't stop working with next year's model... or the next decade's. Or the last. My ratchets will work on 1950s model cars, and I'm sure they'll still be useful on a 2050 model car.
Linux is more like my ratcheting set. Sed, awk, bash scripts... they don't change. They were there 5 years ago. They'll be there 5 years from now. They're simple, dependable, and "just work". What the fuck is so hard about making a read-only flat document that does the job of being easily readable and printable well? Stop adding features. Make the product do one thing well, and then use the profits to make a completely different product if you need something else done well.
Be like the ratchet.
#fuckbeta #iamslashdot #dicemustdie
I'd like to see them include some of the alternative readers (Foxit, etc.) included in their testing since they are somewhat popular among people who have thought that Adobe Reader was bloated and slow for quite a while.
Google announces a new initiative: Google Document Format, for all your document sharing needs.
"Engineering is the art of making what you want from things you can get" - Jerry Avins
>Adobe in charge of security.
Adobe essentially has the userbase by the balls here, and would much rather focus on making more money than paying some self-righteous developers for a few weeks to fix 'security flaws.'
I can imagine a management meeting at Adobe now:
"Those damn programmers put more flaws in Reader!"
Google was irresponsible in not publishing these holes immediately so affected users could take steps to mitigate their vulnerability while Adobe put together a patch.
Give me Classic Slashdot or give me death!
Those fucking slackers could only find 60 holes in that Swiss cheese? And, they couldn't even bother looking at Flash!
Oops, I have to go. My PC needs to reboot after the third Flash and Reader update today.
I can't tell if the news is that there are security holes, or that these people are Google employees. Why does this article emphasize that point so much? Why is it so important that they are Google employees? And why do we all capitalize Google like we capitalize God?
I guess they just Googled it...
The name of the researcher "Gynvael Coldwind".
Too cool, in more ways than one. :D
-SS "Teach the ignorant, care for the dumb, and punish the stupid."
I've never had the Adobe plugin and avoided plugins by Foxit and SumatraPDF in favour of just opening them in the standalone viewers.
Now I hope the same security audit of pdf.js in Firefox is done before it's released.
Has Adobe ever released anything that wasn't total sh*t? Ever? Seriously.
30 EUR for a single license for "PDF-XChange Viewer" and you get only "1 year of product maintenance" (which probably means after one year you need to pay for security patches).
For a freaking pdf reader? And with no real assurance that this one isn't again full of security holes. Get real.
I just removed it from my browser a while ago after I finally got sick of it crashing. I now use Okular to read PDFs and life is much better that way. I don't know why anyone would tolerate such a miserable plug-in.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
The summary muddles two distinct PDF readers, the PDF reader built into the current version of Chrome (purely Google) and the PDF reader from Adobe that's completely separate. The Google reader is relevant only because the vulnerabilities in the Adobe reader were discovered using the tools developed to find vulnerabilities in Chrome.
Why not just use a free one?
$30 for a pdf reader is pretty steep.
30 EUR for a single license for "PDF-XChange Viewer" and you get only "1 year of product maintenance" (which probably means after one year you need to pay for security patches).
For a freaking pdf reader? And with no real assurance that this one isn't again full of security holes. Get real.
The 30EUR product is their Pro version (more like Adobe Acrobat Standard), they also have a free version which does everything Adobe Reader does and more.
Don't use Adobe Acrobat Reader.
Unfortunately, some PDF documents can only be opened with Adobe Acrobat. See http://www.quickpdflibrary.com/faq/if-this-message-is-not-eventually-replaced-by-the-proper-contents-of-the-document.php
Ahem
It's got commenting features without watermarking and even does OCR which I have been very impressed by.
of vulnerability? Wouldn't that be Adobe? Two products of theirs, Flash and Reader, and they don't fix them.
I smell capitulation with the enemy.
Third party clients also have exploits.
I had Reader on my Mac because I had to cryptographically sign something. Is there something out there that does both forms and cryptographic signing?
Also, I forgot about Reader until something asked me to update it. I promptly deleted it, but where did the updater spawn from? I'd love to remove all Adobe code from my machine.
Google was irresponsible in not publishing these holes immediately so affected users could take steps to mitigate their vulnerability while Adobe put together a patch.
The Full Disclosure folks say that vulnerabilities should be disclosed immediately. Their arguments have some merits. The Responsible Disclosure folks say that the vendor should have n number of weeks to get a patch out, then it goes to Full Disclosure. That has some merits as well, but the trouble is the public doesn't know there's a problem during the n weeks. The calculation is a balance of how many people will be protected vs. how many people will be harmed.
It occurs to me that a third way, call it 'Informed Disclosure' for now, would be to:
as a way to avoid the problem with Responsible Disclosure but still give the vendor reasonable time to react. e.g. 'Informed Disclosure' may say:
and then send Adobe the exploit code, which will be published in 45 days. This also removes the illusion of potential blackmail from security researchers, because the public has on-record information that the disclosure will be published, regardless of the action or inaction by the vendor.
Surely others have taken this approach, but I can't find a name attached to it -- anybody?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Got 5000 employees? 30*5000 is 150k every year. or 1.5 million dollars over 10 years. Or the salary of 3 employees. Brilliant!
that they provide links to against these attack vectors?
Don't use Adobe Acrobat Reader.
Everybody in my small office uses PDF XChange Viewer.
Or just use Google Chrome. It reads PDF with no plugin. It still lacks a few features but I assume they're working on that in between fixing the holes for Adobe.
No sig today...
Adobe management should have attacked these issues for PDF and Flash like Microsoft did for many years. It takes time, but Microsoft actually has gotten much better.
Adobe management has not learned. They've basically ignored security in all their programs for years. Back in 2008, many started calling on us all to avoid Adobe for our own safety. They were right. I was late in calling for this boycott - it was 2010.
Nobody should be using Adobe products unless they make a living using them. For everyone else, there are alternatives - alternatives to flash, alternatives to PDF and alternatives to all those other Adobe video and image tools. Only the extreme hard-core users of Adobe should continue.
Adobe management has not shown that they understand the issues still. They don't care about security and if the last 4 yrs hasn't gotten them to change, they never will.
PDFs have been a security headache for decades now.
PDFs have been no problem. PDF readers that can execute scripts and code are the issue.
Fortunately, most Mac users don't need Reader at all. Preview handles PDF viewing very well and is amazingly fast.
I have Acrobat Pro installed out of necessity (for work), but all of its auto stuff is turned off - I really only need it once or twice a year. But still... I consider Acrobat a malignant tumor on my hard drive. I may have it walled off, but it's still there, patiently waiting for a chance to spread its poison...
Really, the world would be a better place if people used alternatives to Adobe software whenever possible.
#DeleteChrome
Adobe has a well documented lack of interest in fixing its bugs without charging its customers. For years now, Photoshop has ignored its placebo settings panel and attached itself to storage volumes despite the wishes of users (After three years, I can only assume the purpose is nefarious, and probably related to terrorism and or a desire to harm small animals). A spokesman claims the company has finally fixed the bug in CS6, but have told users they must pony up (http://feedback.photoshop.com/photoshop_family/topics/disk_could_not_be_ejected_because_photoshop_is_using_it) $800+ for the antidote. Most of us will never know whether it's fixed or not.
I'm aware of Preview, doesn't do cryptographic signing. I'm asking if something does everything, Preview doesn't cut it.
PDF-XChange Viewer opens those PDF's without any problems (the free version at least).
Setting up Google Chrome as the default PDF reader is more secure, and it's one less program to update. To do so in Windows 7 just right click on a PDF file, click "open with", click "choose default program", click Browse, and Browse to the following file:
C:\Users\\AppData\Local\Google\Chrome\Application\Chrome.exe
Adobe Reader does have some features that Chrome lacks, but 95% of users will be perfectly fine with just Chrome.
The javascript you can add to the PDF through a GUI or the javascript that you can embed into hex strings when writing a PDF file? The files are a hacky mix of text and binary. Some data types define their length, others have insane rules for end markers and escaping. Hex strings were originally pretty easy, but then they decided that they'd add javascript support into the parsing so you can constants that vary conditionally on the PDF version number. On top of that, you practically have to build a run time to render the PDF because of the complexity of its nested viewport stacks and viewport modifications that can be executed at any time in the PDF.
If that wasn't enough, they made it way more complicated when they hacked in support for JetForms (now known as LiveCycle), which is an XML language with poorly thought out data types and full of rendering hints that would be really useful if the documentation said more than "ignore these if you're not Adobe". If you want to save a PDF created with LiveCycle that a reader other than Acrobat can read, it's saved in both forms, resulting in a file that's 3x the size of a PDF.
Use free open source software instead:
http://pdfreaders.org/
Notepad specialist & FAT administrator, group training available
You forgot to add:
-- insecure (like Adobe Reader, uses Javascript)
Any system that sends arbitrary 3rd party code to be executed on users' machine is a security nightmare by definition. We've known and taught that principle to youngsters for 30 years ... but the current generation of clueless webbies has forgotten it.
The reader is free at PDF Xchange and it does much much more than Adobe Reader.
nt
They act like Adobe is bad, but knowing well that big companies work with structured development where everything has to be planned. It's almost only 1.5 months AFTER they notified Adobe about the problems and they're already bitching at Adobe. It's not like all the reported (security) bugs about Chrome are fixed within one month. So I find it very irresponsible of them to publish the information so soon; to me it seems more like them trying to blackball Adobe...
..all PS interpreters seem to be as buggy as hell. One exploit is enough to own your printer.
Are you serious? Chrome? NO-WAY! Don't run it.
The only thing worse than Adobe management's complete failure at handling this is how Google will take advantage of all that data they've been collecting from Chrome users. It might not happen this year, but we are learning more and more about google collecting data and keeping it for sometimes-creepy things. They have the data, you can't get it back.
Best to use Chromium if you like that sort of browser. Chromium is the F/LOSS project on which the Chrome browser is based.
Most (all ?) open-source PDF viewers are based on libpoppler. So if that lib has issues, all (except ghostview-based) viewers will have the same issues. Libpoppler does not look exactly nice to me as a C++ developer, as they use void* pointers liberally without a real need IMO.
If libpoppler has issues they will certainly be different to Adobe. Adobe gives a rats a$$ about security and proper coding, which has been concluded by many security researchers. Normal people cannot inspect their code. Libpoppler can be inspected by everyone, which means it is almost certainly much more secure than Adobe stuff.
The problem is not PDF per se, but Adobe products. They have moved R&D to India in an attempt to boost profitability and with that they have destroyed their ability to fix these issues. Their reputation is on the bottom of the crap reservoir and they will die a deserved death quite soon, if the Chinese do not prop them up financially, as Adobe products are their most important Intrusion API.
Adobe has a well documented lack of interest in fixing its bugs without charging its customers. For years now, Photoshop has ignored its placebo settings panel and attached itself to storage volumes despite the wishes of users (After three years, I can only assume the purpose is nefarious, and probably related to terrorism and or a desire to harm small animals). A spokesman claims the company has finally fixed the bug in CS6, but have told users they must pony up (http://feedback.photoshop.com/photoshop_family/topics/disk_could_not_be_ejected_because_photoshop_is_using_it) $800+ for the antidote. Most of us will never know whether it's fixed or not.
So they fix that particular bug, ignore the 100+ other bugs that have been hanging out since version 5 and create new bugs.
Hey, it's one way to make money.
Faster! Faster! Faster would be better!
True, but I don't think any clients have as bad of a track record as Adobe. Adobe is very bad at security.
This is my signature. There are many like it, but this one is mine.
don't need for my Ubuntu but it is fine for pdf on windows. Adobe has perpetrated a lot of dysfunctional and restrictive software, perhaps just say no to adobe. Sumatra pdf viewer has given me no grief at all. Also MS Office 2013 will enable Word to read/edit pdf files...
LaTeX or OpenOffice + pdflatex + GnuPG. That is a rock-solid solution and actually secure as opposed to the security theater of Ado$e.
YOU. Or are you Chinese intelligence and being pissed off all your nice exploits won't work anymore because Google did a modest amount of serious testing ?
Depending on how big foo() is, simply indicating where the vulnerability is may be enough to allow black hats to find it.
Why do you need a binary interface rather than a programming interface?
PDF-XChange Viewer opens those PDF's without any problems (the free version at least).
I don't see any support for Dynamic XFA Forms on their feature list at
http://tracker-software.com/pdf-xchange-products-comparison-chart
Can you supply any evidence for your claim?
Does Scribus provide adequate encryption for you?
Nothing here is new. I bet even the security findings
This is all a chrome advertisement.
"how to make people use our plugin instead of the free reader with lots of features?"
They only failed to realize that people that even use PDF probably use "secret" for their email password
For saving my time, my sanity and the health of my PC, I've tried to avoid dealing with Adobe bloatware as much as I could. Under Windows most PDF can be opened instantly with Foxit. It's free, it's fast and it works for 99% of the files. I keep Acrobat Reader on my PC "just in case". I never open PDF files with the browser plugin (I disabled it), I prefer to download the file to the desktop and view it offline. It's faster and safer. I'm using an old version of Foxit with no builtin javascript support and which is blocked with the firewall. If it complains, that indicates the presence of a script, and most often it's malware (doing this way saved my skin a few times), or at least a script used for nefarious purpose like trying silently to report to headquarters. For creating PDF files from documents, PDFCreator is very easy to use and satisfy most of my needs, and to create PDF documents from scans I use WinScan2pdf. My last tool for manipulating PDFs is PDFTK (for which a GUI can be found). All these tools are free and easy to use.
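The comment above treats a reader's complaint about scripting as a sign that a PDF carries a script. The same triage can be done on the raw bytes without opening the file in any reader; the following is an added example, not part of the thread, and the token list, function names and sample bytes are constructed for illustration.

```python
import re
import sys

# PDF name tokens that indicate active content or automatic actions.
ACTIVE_NAMES = {"JS", "JavaScript", "OpenAction", "AA", "Launch", "XFA"}
# Tokens that mean parts of the file are hidden from a plain byte scan.
OPAQUE_NAMES = {"ObjStm", "Encrypt"}

# A PDF name is '/' followed by bytes that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Count active-content and opaque-container names in raw PDF bytes.

    This is a triage heuristic: it can match text inside strings or binary
    streams (false positives) and cannot see names stored inside compressed
    object streams, which is why /ObjStm and /Encrypt are reported too.
    """
    result = {"active": {}, "opaque": {}}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in ACTIVE_NAMES:
            bucket = result["active"]
        elif name in OPAQUE_NAMES:
            bucket = result["opaque"]
        else:
            continue
        bucket[name] = bucket.get(name, 0) + 1
    return result


def needs_review(data: bytes) -> bool:
    """True if the file should not be opened before a closer look."""
    return bool(scan_pdf_bytes(data)["active"])


# Constructed sample fragments (not real documents).
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_SCRIPTED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\n"
    b"endobj\n3 0 obj\n<< /S /J#61vaScript /JS (app.alert\\('hi'\\);) >>\nendobj\n"
)
SAMPLE_OBJSTM = b"5 0 obj\n<< /Type /ObjStm /N 3 >>\nstream\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            print(path, scan_pdf_bytes(handle.read()))
```

A file that reports only opaque names is not cleared by this scan; it has to be decompressed or decrypted before the same check means anything.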
Right, I should've been more clear. It doesn't help people like you - but for most users, Preview does everything they need.
#DeleteChrome
Also, I forgot about Reader until something asked me to update it. I promptly deleted it, but where did the updater spawn from?
I fired up Reader yesterday and it popped up that there was an update, so I told it to go ahead. Then a dialog came that it needed to restart to finish the update. I clicked 'Restart' thinking that Reader was going to restart. No, it restarted my fscking PC! Reader needs to DIAF! And its updater!
Free yourself instead: http://pdfreaders.org/
The problem IMHO with Adobe is that their tool is flawed and they don't care. For example, their encryption, which they actually had someone put in jail for presenting a paper on, was identical to that used by Julius Caesar and a number of cut out codewheels for entertainment on the back of cereal boxes. It was a substitution code where each letter was replaced by a letter a set number of letters later in the alphabet - so solvable in under a minute by an average ten year old with one of those cereal box code wheels.
So that was one of their big secrets that Adobe insisted a man should be imprisoned for reverse engineering (Dmitry Sklyarov was held for several weeks before bail was granted). Of course a judge let him be released and go home to Russia a year before the full case over the suggested DMCA violation came to court, but it just shows how little Adobe really care about producing any sort of quality product and how much they care about their false front. They just care about milking their portion of a captive market instead of improving their products and, like Cisco last year, are not above abusing the legal system in a truly excessive way to hide their flaws.
If you're stuck on windows and are sick of Adobe and FoxIt (yes that's bloated now too), I recommend Sumatra. It's gotten really fast with launching and rendering now, and as a bonus will open your e-book formats which I find is a logical addition to a document viewer. As long as you don't actually need the Adobe magic forms, Sumatra is the better, sane solution to just view pdf's and similar.
https://dalgamotor.wordpress.com/ - Elektronik beyinlere ozgurluk asisi (Turkish)
Mozilla Firefox has a built-in PDF reader as well.
http://www.h-online.com/open/news/item/Google-warns-of-using-Adobe-Reader-particularly-on-Linux-1668153.html
http://h-online.com/-1668153
"Google warns of using Adobe Reader - particularly on Linux
On its August Patch Day, Adobe has fixed numerous critical memory-related bugs in Reader for Windows and Mac OS X – but has chosen to overlook Linux users. The researchers who discovered the holes now fear that potential attackers could find enough clues to build an exploit by comparing the current Windows version of Reader with the previous one. This would leave Linux users defenceless. On top of that, even the patched versions still contain a total of 16 open security holes.
Google employees Mateusz Jurczyk and Gynvael Coldwind initially examined the PDF engine of the Chrome browser and discovered numerous holes. They then tested Adobe Reader and found about 60 issues that triggered crashes, 40 of which are potential attack vectors. When the two researchers reported their discoveries to Adobe, the company promised to provide fixes – but also indicated that not all the holes would be closed on Patch Day in August.
On Tuesday, that is exactly what happened. Versions 10.1.4 and 9.5.2 were released for Windows and Mac OS X only. Even these patched versions are still vulnerable to 16 of the reported issues that affect Windows, Mac OS X or both systems. To prove this, the Google employees have released obfuscated information concerning the crashes. The security experts say that the unpatched holes could potentially be identified by third parties because they were found by modifying publicly available PDF documents.
Apparently, the researchers' threat to publish all vulnerability details online in accordance with "responsible disclosure" did not worry Adobe. The deadline is set for 60 days after the day on which the researchers informed Adobe about the holes: 27 August. However, Adobe told the researchers that no further updates are planned in that timeframe.
The Google employees therefore recommend that users refrain from opening any PDF documents from external sources in Adobe Reader. Those who use a browser other than Chrome can protect themselves by disabling the Reader's browser extension. The extension allows the holes to be exploited with a simple visit to a specially crafted web page.
Windows users who still use version 9 of Reader have been advised to upgrade to Adobe Reader X, because this version contains a sandbox that makes exploiting the holes more difficult. While Linux users can fix two of the holes by deleting the annots.api and PPKLite.api plug-ins from the /path/to/Adobe/Reader9/Reader/intellinux/plug_ins directory, this seems like a drop in the ocean when considering the total number of holes that riddle Reader for Linux."
Here you go:
http://www.tracker-software.com/PDFXV_history.html
And when in doubt, give it a try.