Slashdot Mirror


Security Researcher Drops 15 Vulnerabilities for Windows and Adobe Reader

mask.of.sanity writes: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defenses. He said, "The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far." Jurczyk published a video demonstration of the exploit for 32-bit and 64-bit systems. His slides are here [PDF].

8 of 117 comments

  1. PDF link to PDF exploit by Carewolf · · Score: 5, Funny

    Sorry, I am not clicking on a PDF link that demonstrates a PDF attack.

    1. Re:PDF link to PDF exploit by Anonymous Coward · · Score: 2, Funny

      Thank God I'm using Firefox. Had I accidentally clicked on that link, I'm sure I would have had a good 2 to 3 minutes to realize my mistake and to close the browser window, since that's just about how long it takes for Firefox's shitty builtin PDF.js PDF viewer to kick in and render even the smallest of PDFs.

    2. Re: PDF link to PDF exploit by adolf · · Score: 1, Funny

      How can you let your browser view pdfs by itself? It will open malicious pdfs automatically, adding a big security hole without much use.

      How can you let your browser view [GIF/JPEG/CSS/HTML] by itself? It will open malicious [user-requested content] automatically, adding a big security hole without much use.

      (When you get your head out of the sand, we'll talk about security.)

    3. Re:PDF link to PDF exploit by drinkypoo · · Score: 3, Funny

      I dropped Firefox because it is built on the carcass of an ancient browser

      And Chrome sprang fully-formed from the brow of its creator when they spake the word?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Re:Drops? by belthize · · Score: 5, Funny

    He held the exploits palm down before dropping them and then simply walked away exclaiming "Mateusz out".

  3. Re:Drops? by Anonymous Coward · · Score: 2, Funny

    It's just Dice trying to sound "hip" and "with it". I can't wait for Nerval's Lobster to use that in his next sponsored submission.

  4. Re:Drops? by drinkypoo · · Score: 4, Funny

    Apparently "Slashdot" means to "Slash" the English language with slang. Can we please "DROP" the amateur reporting styles?

    If you're not a slashdot subscriber, who cares what you think? If you are a slashdot subscriber, that goes double.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Hmmm ... by gstoddart · · Score: 3, Funny

    So, if I assume there's been at least one monthly major security issue attributable to Adobe (maybe twice monthly, once for Reader and once for Flash) ... and if we extend that over the last decade or so, it becomes pretty obvious that Adobe writes some shitty code.

    I'm not sure a single software vendor on the planet, except Microsoft, has caused so many security holes in all of the history of computers.

    Pity we couldn't bill them for all the wasted time and resources.

    --
    Lost at C:>. Found at C.