Slashdot Mirror


Google Employees Find 60 Security Holes In Adobe Reader

sl4shd0rk writes "Upon examining the PDF Engine behind Google Chrome, Google employees Mateusz Jurczyk and Gynvael Coldwind discovered numerous holes. This led them to also test Adobe Reader, which turned up around 60 holes which could crash the PDF reader, 40 of them being potential attack vectors. The duo notified Adobe, who promised fixes, but as of the latest updates (Tuesday of this week) for Windows and Macintosh, 16 of the reported flaws are still present (the Linux version has been ignored). To prove it, Mateusz and Gynvael obfuscated the info and released it, saying the unpatched holes could easily be found. The Google employees therefore recommend that users refrain from opening any PDF documents from external sources in Adobe Reader."

36 of 164 comments

  1. PDFs by girlintraining · · Score: 5, Insightful

    PDFs have been a security headache for decades now. It originally started as an evolution of PostScript, but has since morphed into a "document solution". Adobe, like so many tech businesses, can't simply create a tool and then be finished. They always have to add more features, more code, more bloat. And surprise surprise, problems arise.

    When I go to work on my car, I know my ratchets will work on any bolt on it; I just need to figure out what size it is and maybe an extender and I'm in business. My tools just work; they rarely break, and they don't stop working with next year's model... or the next decade's. Or the last. My ratchets will work on 1950s model cars, and I'm sure they'll still be useful on a 2050 model car.

    Linux is more like my ratcheting set. Sed, awk, bash scripts... they don't change. They were there 5 years ago. They'll be there 5 years from now. They're simple, dependable, and "just work". What the fuck is so hard about making a read-only flat document that does the job of being easily readable and printable well? Stop adding features. Make the product do one thing well, and then use the profits to make a completely different product if you need something else done well.

    Be like the ratchet.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:PDFs by Eponymous+Hero · · Score: 5, Insightful

      imho it got out of control when they added executable javascript.

      --
      insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
    2. Re:PDFs by Meshach · · Score: 5, Insightful

      Stop adding features. Make the product do one thing well, and then use the profits to make a completely different product if you need something else done well.

      Be like the ratchet.

      That works for an open source project where the ultimate goal is to provide a usable product. If the project is already usable then do not add more features. Adobe though is a commercial product. They have to constantly change things and add new features so that their customers will need to upgrade to the latest version. This constant upgrading inevitably introduces instability.

      --
      "Maybe this world is another planet's hell"
      Aldous Huxley
    3. Re:PDFs by Forty+Two+Tenfold · · Score: 2

      This constant upgrading inevitably introduces instability.

      No wonder if you're trying to build a skyscraper from this.

      --
      Upward mobility is a slippery slope - the higher you climb the more you show your ass.
    4. Re:PDFs by fm6 · · Score: 5, Insightful

      Lots of products get "improvements" that are anything but. The point of making stuff is to sell it, and you can't sell new stuff unless you can convince folks that their old stuff is obsolete. You can see that any time you visit a car dealer.

      Ratchet design isn't static because their makers woke up one day and said, "It's perfect! Let's stop trying to improve it!" They just don't have any design improvements that will convince you to throw out your old ratchets and buy new ones. If they could, they would.

    5. Re:PDFs by Jeremiah+Cornelius · · Score: 5, Informative

      Postscript - integral to PDF internals - is itself a Turing-complete language, derived from Forth.

      It will always be a problem.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    6. Re:PDFs by cant_get_a_good_nick · · Score: 2

      I'm in a devils' advocate mood today... I don't particularly like Adobe (nor do I hate them particularly), and I think reader is a bloated piece of crap.

      But Reader changed not because Adobe has a PDF agenda to rule the world, but because Adobe economically needed it to change. To make money, gain market share, whatever.

      A ratchet is a simple tool, one whose expectations won't change. But software (and cars) are much more fluid. Your ratchets may work on your 1950's car, but you won't like driving it. Engines are better now, tires are better, handling is better. You'll hate the boaty-ness of your 50's era driving, the gallons-per-mile you pay for driving it, the lack of safety features, the lack of DVD player dropping from the roofline for your kid in the back seat. I wonder simply how many safety regulations that would prohibit a "new" 50's tech car being sold. Adobe finds it difficult to get money out of a non-bloated Reader the same as any car company would go out of business if it sold nothing but 50's tech in cars.

      What Adobe should have done is let some group without a profit motive - or a need to bloat it to hell - take over development. Such groups do exist - Apache being the best example. Adobe wants PDF to both be a universal utility, and a tool to bind you exclusively to Adobe. Those goals conflict.

    7. Re:PDFs by Anonymous Coward · · Score: 2, Informative

      That's true, but PDF is a subset of Postscript rather than a generalized programming language. For example, the control structures are removed (if, loops, etc.) It should have been possible to put many more limitations on it. Instead, they added back even more ways to shoot yourself in the foot (e.g., Javascript). That's just nuts, and explains why Adobe Reader has been a bloated, ever-expanding program since... well, forever.

      What they need is a "Lean PDF" that is strictly limited to describing the page content, with no internal programmability. It would make for simpler parsers that can be checked more easily for security flaws. The "kitchen sink" approach of the current PDF standard makes it fiendishly difficult to support without leaving opportunities for all sorts of mischief.

    8. Re:PDFs by JDG1980 · · Score: 5, Insightful

      Adobe Reader is freeware. Why would Adobe want their "customers" (who pay nothing for the software) to constantly upgrade to new versions?

      Adobe Reader is a marketing tool used to sell upgrades to Acrobat. They want to be able to ship new features in new versions of Acrobat, and to do this, they consider it helpful to be able to ensure buyers that "everyone" will be able to use their new whiz-bang documents/forms/whatever.

    9. Re:PDFs by ColdWetDog · · Score: 2, Funny

      Oh this has been going on for years. Even before the 1980's - SAAB, Volvo - I'm looking at you with your weird little engine tools. British stuff didn't need anything special (other than Whitworth wrenches) - a hammer and a screwdriver would disassemble pretty much any Triumph, Spitfire or Land Rover engine ever made. Of course, they couldn't hold a quart of oil for more than 48 hours, but you never had to actually change the oil, you just replaced it.

      --
      Faster! Faster! Faster would be better!
    10. Re:PDFs by Burning1 · · Score: 2

      Ratchet design isn't static because their makers woke up one day and said, "It's perfect! Let's stop trying to improve it!" They just don't have any design improvements that will convince you to throw out your old ratchets and buy new ones. If they could, they would.

      Not to be pedantic, but they have made many improvements to ratchets over the last 50 years.

      - Ergonomic handle shapes
      - Fine tooth ratcheting mechanisms (helps work in small spaces)
      - Low profile designs
      - Flex heads
      - Different reversing mechanisms
      - Different release mechanisms

      Even now, you can go to hardware stores and see new and improved designs being marketed.

      There are a couple keys with ratchet sets... The ratchet to socket interface is standardized; ball placement, shape, diameter, etc. This is much like API design in software. Because the interface between ratchet and socket is standardized, any attempts to introduce an incompatible ratchet will more or less fail, because no one wants to throw out perfectly good sockets. (To be fair there are a few specialty ratchets that are useful in situations where a deep socket isn't deep enough.)

      Because the interfaces are all standardized, ratchet manufacturers have no way of creating compatibility issues that would force users happy with their existing ratchets to throw out all their ratchets and upgrade. Compare and contrast to Microsoft Office, where you pretty much have to upgrade with every new release, or you will be unable to open documents created by newer software.

    11. Re:PDFs by Alex+Zepeda · · Score: 2

      What, you mean metric spanners and sockets (and before that SAE)? Seriously, Volvo put perhaps more thought into how things come apart than most other manufacturers. With 80s Volvos, if you've got a bolt and a nut, they're typically different sizes (e.g. 17mm + 18mm instead of 2x 17mm). The bonus here is you can use one set of tools.

      Whitworth... now that's weird (unless you're Australian).

      --
      The revolution will be mocked
    12. Re:PDFs by JDG1980 · · Score: 2

      What they need is a "Lean PDF" that is strictly limited to describing the page content, with no internal programmability.

      This subset already exists, and is known as PDF/A.

    13. Re:PDFs by bcrowell · · Score: 3, Insightful

      Postscript - integral to PDF internals - is itself a Turing-complete language, derived from Forth.

      It will always be a problem.

      No, because PDF, unlike PS, was intentionally designed to be Turing-incomplete. That was a good design decision, which was then unfortunately screwed with when they added javascript.

  2. And in other news... by kootsoop · · Score: 5, Interesting

    Google announces a new initiative: Google Document Format, for all your document sharing needs.

    --
    "Engineering is the art of making what you want from things you can get" - Jerry Avins
  3. Lets get this started... by nighthawk243 · · Score: 3, Funny

    >Adobe in charge of security.

  4. Irresponsible disclosure by Hatta · · Score: 3, Funny

    Google was irresponsible in not publishing these holes immediately so affected users could take steps to mitigate their vulnerability while Adobe put together a patch.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Irresponsible disclosure by bill_mcgonigle · · Score: 2, Funny


      maybe they were busy exploiting these holes by sending their competitors PDFs?

      Nah, they just used them to bypass Safari tracking protections.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  5. Fucking Slackers! by Anonymous Coward · · Score: 4, Funny

    Those fucking slackers could only find 60 holes in that Swiss cheese? And, they couldn't even bother looking at Flash!

    Oops, I have to go. My PC needs to reboot after the third Flash and Reader update today.

  6. How hard is it to find security holes in Adobe? by Anonymous Coward · · Score: 2, Insightful

    I guess they just Googled it...

  7. Re:Easy enough by itsme1234 · · Score: 5, Insightful

    30 EUR for a single license for "PDF-XChange Viewer" and you get only "1 year of product maintenance" (which probably means after one year you need to pay for security patches).
    For a freaking pdf reader? And with no real assurance that this one isn't again full of security holes. Get real.

  8. Re:Very sad by Forty+Two+Tenfold · · Score: 2

    Adobe is good ... at what the name suggests.

    --
    Upward mobility is a slippery slope - the higher you climb the more you show your ass.
  9. The Acrobat Plug-In Is Garbage by damn_registrars · · Score: 2

    I just removed it from my browser a while ago after I finally got sick of it crashing. I now use Okular to read PDFs and life is much better that way. I don't know why anyone would tolerate such a miserable plug-in.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  10. *Very* Sloppy Summary by fm6 · · Score: 5, Insightful

    The summary muddles two distinct PDF readers, the PDF reader built into the current version of Chrome (purely Google) and the PDF reader from Adobe that's completely separate. The Google reader is relevant only because the vulnerabilities in the Adobe reader were discovered using the tools developed to find vulnerabilities in Chrome.

  11. Re:Easy enough by Anonymous Coward · · Score: 2, Informative

    30 EUR for a single license for "PDF-XChange Viewer" and you get only "1 year of product maintenance" (which probably means after one year you need to pay for security patches).
    For a freaking pdf reader? And with no real assurance that this one isn't again full of security holes. Get real.

    The 30EUR product is their Pro version (more like Adobe Acrobat Standard), they also have a free version which does everything Adobe Reader does and more.

  12. Re:Easy enough by Anonymous Coward · · Score: 3, Informative

    Ahem

    The FREE PDF viewer download of the PDF-XChange Viewer may be used without limitation for Private, Commercial, Government and all uses, provided it is not -: incorporated or distributed for profit/commercial gain with other software or media distribution of any type - without first gaining permission.

    It's got commenting features without watermarking and even does OCR which I have been very impressed by.

  13. Re:Google. by Fwipp · · Score: 3

    Because it's a proper noun.

  14. Re:Alternative readers? by gmuslera · · Score: 3, Informative

    In Ubuntu (and probably other distributions and GNOME-based desktops) the default viewer is Evince; in KDE ones it is Okular, and you have embedded viewers in other apps, like in Google Chrome. There is no need to install Adobe's unless you need some special added feature. A list of software that works with PDF can be found in Wikipedia.

  15. Informed disclosure? by bill_mcgonigle · · Score: 3, Insightful

    Google was irresponsible in not publishing these holes immediately so affected users could take steps to mitigate their vulnerability while Adobe put together a patch.

    The Full Disclosure folks say that vulnerabilities should be disclosed immediately. Their arguments have some merit. The Responsible Disclosure folks say that the vendor should have n number of weeks to get a patch out, then it goes to Full Disclosure. That has some merit as well, but the trouble is the public doesn't know there's a problem during the n weeks. The calculation is a balance of how many people will be protected vs. how many people will be harmed.

    It occurs to me that a third way, call it 'Informed Disclosure' for now, would be to:

    1. Make an announcement that x number of vulnerabilities have been discovered in the foo function of bar
    2. Wait the n number of weeks
    3. move to Full Disclosure

    as a way to avoid the problem with Responsible Disclosure but still give the vendor reasonable time to react. e.g. 'Informed Disclosure' may say:

    ISSUE-001: Acrobat Reader has a vulnerability with JavaScript objects embedded in documents that can cause a smashed stack. Disable JavaScript in Acrobat Reader to avoid this problem.

    and then send Adobe the exploit code, which will be published in 45 days. This also removes the illusion of potential blackmail from security researchers, because the public has on-record information that the disclosure will be published, regardless of the action or inaction by the vendor.

    Surely others have taken this approach, but I can't find a name attached to it -- anybody?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  16. Re:Bad Adobe. Bad! by oldmac31310 · · Score: 2

    Not in recent years, in my experience.

    --
    http://www.acetonestudio.com
  17. Which javascript? by bigtrike · · Score: 3

    The javascript you can add to the PDF through a GUI, or the javascript that you can embed into hex strings when writing a PDF file? The files are a hacky mix of text and binary. Some data types define their length, others have insane rules for end markers and escaping. Hex strings were originally pretty easy, but then they decided that they'd add javascript support into the parsing so you can have constants that vary conditionally on the PDF version number. On top of that, you practically have to build a run time to render the PDF because of the complexity of its nested viewport stacks and viewport modifications that can be executed at any time in the PDF.

    If that wasn't enough, they made it way more complicated when they hacked in support for JetForms (now known as LiveCycle), which is an XML language with poorly thought out data types and full of rendering hints that would be really useful if the documentation said more than "ignore these if you're not Adobe". If you want to save a PDF created with LiveCycle that a reader other than Acrobat can read, it's saved in both forms, resulting in a file that's 3x the size of a PDF.

    1. Re:Which javascript? by Eponymous+Hero · · Score: 2

      pdfs are supposed to be rich formatted text documents that can embed images, nothing more. by allowing document creators to embed javascript, they open this medium up to many of the same, and some unique, attack vectors. here's just one example that made the news: http://www.zdnet.com/blog/security/adobe-confirms-pdf-zero-day-attacks-disable-javascript-now/5119. the same poisoned pdfs when rendered through a pdf reader without javascript execution capabilities are harmless. it doesn't really matter how the bad javascript code got there (just that it can be executed if it is there), but your info about livecycle-produced pdfs is interesting.

      --
      insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
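The two comments above describe what makes embedded JavaScript awkward to spot: it is wired in through triggers such as /OpenAction or /AA, and the script itself may sit in a hex string rather than readable text. The scanner below is an added example, not code from the page or from Google's or Adobe's tooling; it undoes PDF name escapes (#xx), counts the trigger keys, and decodes any /JS value over a constructed inline PDF. It assumes an uncompressed file: objects packed into /ObjStm or FlateDecode streams would have to be inflated first, which this example does not do.

```python
"""Detect JavaScript and auto-run triggers in uncompressed PDF object syntax."""
import re
from typing import Dict, List

# PDF names may escape any byte as #xx (e.g. /J#61vaScript), which a naive
# grep for "/JavaScript" misses; normalise those before matching.
_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

# Dictionary keys/values that make a document execute something on open or
# on user interaction. /S /JavaScript is the action type, /JS holds the code.
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def normalize_names(data: bytes) -> bytes:
    return _NAME_ESC.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def find_risky_keys(pdf: bytes) -> Dict[str, int]:
    """Return {key: occurrences} for every risky key present in the file."""
    norm = normalize_names(pdf)
    counts: Dict[str, int] = {}
    for key in RISKY_KEYS:
        # Require a delimiter after the key so /JS does not also match /JSFoo.
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", norm))
        if n:
            counts[key.decode()] = n
    return counts


def _literal_string(norm: bytes, start: int) -> str:
    """Read a PDF literal string starting at norm[start] == b'(' honouring
    balanced parentheses; backslash escapes are passed through unchanged."""
    depth, i, buf = 0, start, bytearray()
    while i < len(norm):
        c = norm[i]
        if c == 0x5C:                      # backslash: keep next byte verbatim
            buf += norm[i + 1:i + 2]
            i += 2
            continue
        if c == 0x28:                      # '('
            depth += 1
            if depth == 1:                 # opening paren of the string itself
                i += 1
                continue
        elif c == 0x29:                    # ')'
            depth -= 1
            if depth == 0:
                break
        buf.append(c)
        i += 1
    return buf.decode("latin-1")


def extract_js(pdf: bytes) -> List[str]:
    """Decode every /JS value, whether stored as a hex string or a literal."""
    norm = normalize_names(pdf)
    out: List[str] = []
    for m in re.finditer(rb"/JS\s*<([0-9A-Fa-f\s]*)>", norm):
        h = re.sub(rb"\s", b"", m.group(1))
        if len(h) % 2:                     # PDF pads an odd final digit with 0
            h += b"0"
        out.append(bytes.fromhex(h.decode()).decode("latin-1"))
    for m in re.finditer(rb"/JS\s*\(", norm):
        out.append(_literal_string(norm, m.end() - 1))
    return out


# Constructed sample: catalog fires an action on open, the action type name is
# #-escaped and the (harmless) script is hex-encoded: "app.alert(1);".
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS <6170702e616c6572742831293b> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(find_risky_keys(SAMPLE_PDF), extract_js(SAMPLE_PDF))
```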
  18. just a chrome ad by nazsco · · Score: 2

    Nothing here is new. I bet even the security findings

    This is all a chrome advertisement.

    "how to make people use our plugin instead of the free reader with lots of features?"

    They only failed to realize that people that even use pdf probably use "secret" for their email password

  19. How to deal with PDF files(Windows) by Fantasio · · Score: 2

    For saving my time, my sanity and the health of my PC, I've tried to avoid dealing with Adobe bloatware as much as I could. Under Windows most PDFs can be opened instantly with Foxit. It's free, it's fast and it works for 99% of the files. I keep Acrobat Reader on my PC "just in case". I never open PDF files with the browser plugin (I disabled it); I prefer to download the file to the desktop and view it offline. It's faster and safer. I'm using an old version of Foxit with no builtin javascript support and which is blocked with the firewall. If it complains, that indicates the presence of a script, and most often it's malware (doing it this way saved my skin a few times), or at least a script used for a nefarious purpose like trying silently to report to headquarters. For creating PDF files from documents, PDFCreator is very easy to use and satisfies most of my needs, and to create PDF documents from scans I use WinScan2pdf. My last tool for manipulating PDFs is PDFTK (for which a GUI can be found). All these tools are free and easy to use.

  20. The "useful tool" analogy doesn't really work by dbIII · · Score: 2

    The problem IMHO with Adobe is that their tool is flawed and they don't care. For example, their encryption, which they actually had someone put in jail for presenting a paper on, was identical to that used by Julius Caesar and a number of cut out codewheels for entertainment on the back of cereal boxes. It was a substitution code where each letter was replaced by a letter a set number of letters later in the alphabet - so solvable in under a minute by an average ten year old with one of those cereal box code wheels.
    So that was one of their big secrets that Adobe insisted a man should be imprisoned for reverse engineering (Dmitry Sklyarov was held for several weeks before bail was granted). Of course a judge let him be released and go home to Russia a year before the full case over the suggested DMCA violation came to court, but it just shows how little Adobe really care about producing any sort of quality product and how much they care about their false front. They just care about milking their portion of a captive market instead of improving their products and, like Cisco last year, are not above abusing the legal system in a truly excessive way to hide their flaws.

  21. Sumatra PDF for Windows folks by SD-Arcadia · · Score: 2

    If you're stuck on windows and are sick of Adobe and FoxIt (yes that's bloated now too), I recommend Sumatra. It's gotten really fast with launching and rendering now, and as a bonus will open your e-book formats which I find is a logical addition to a document viewer. As long as you don't actually need the Adobe magic forms, Sumatra is the better, sane solution to just view pdf's and similar.

    --
    https://dalgamotor.wordpress.com/ - Elektronik beyinlere ozgurluk asisi (Turkish)