Security Researcher Drops 15 Vulnerabilities for Windows and Adobe Reader

← Back to Stories (view on slashdot.org)

Security Researcher Drops 15 Vulnerabilities for Windows and Adobe Reader

Posted by Soulskill on Wednesday June 24, 2015 @05:17AM from the go-big-or-go-home dept.

mask.of.sanity writes: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defenses. He said, "The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far." Jurczyk published a video demonstration of the exploit for 32-bit and 64-bit systems. His slides are here [PDF].

20 of 117 comments (clear)

Min score:

Reason:

Sort:

PDF link to PDF exploit by Carewolf · 2015-06-24 05:19 · Score: 5, Funny

Sorry, I am not clicking on a PDF link that demonstrates a PDF attack.
1. Re:PDF link to PDF exploit by Anonymous Coward · 2015-06-24 05:28 · Score: 2, Funny
  
  Thank God I'm using Firefox. Had I accidentally clicked on that link, I'm sure I would have had a good 2 to 3 minutes to realize my mistake and to close the browser window, since that's just about how long it takes for Firefox's shitty builtin PDF.js PDF viewer to kick in and render even the smallest of PDFs.
2. Re:PDF link to PDF exploit by drinkypoo · 2015-06-24 05:56 · Score: 3, Interesting
  
  Chrome does a fantastic job rendering pdfs very quickly.
  Why do you continue to use that pathetic browser?
  I use both browsers. I use Chrome mostly for google sites, and anything that won't load in Firefox. I use Firefox mostly because I want Chrome to have competition, but also because noscript is still better on FF than on Chrome. And also because chrome's built-in cookie control is total shit which breaks sites so you either don't use it or you have a hard time with many websites, but cookiesafe works great all the time.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
3. Re:PDF link to PDF exploit by ttucker · 2015-06-24 06:36 · Score: 2
  
  I dropped Firefox because it is built on the carcass of an ancient browser, and its developers are more worried about playing tech specification hardball than implementing features that are/will be needed.
4. Re:PDF link to PDF exploit by drinkypoo · 2015-06-24 07:22 · Score: 3, Funny
  
  I dropped Firefox because it is built on the carcass of an ancient browser
  And Chrome sprang fully-formed from the brow of its creator when they spake the word?
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
5. Re:PDF link to PDF exploit by preflex · 2015-06-24 07:28 · Score: 3, Informative
  
  You still use NoScript?
  uMatrix is available for Firefox now.
  Goodbye NoScript. Goodbye RequestPolicy. Goodbye CookieSafe. uMatrix does it all and does it better.
  Your web browser is a dog. uMatrix is its leash.
  It's available for Chrome as well.
6. Re:PDF link to PDF exploit by MyFirstNameIsPaul · 2015-06-24 08:24 · Score: 2
  
  How does it do with handling XSS attacks? NoScript has been out in front on this for a long time.
  
  --
  I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
Drops? by thechemic · 2015-06-24 05:22 · Score: 5, Insightful

He dropped them from his to do list?
He was carrying them around and dropped them?
Slang for "He published them" ?
He dropped them from his research list?
He dropped the vulnerabilities from his own systems?
Apparently "Slashdot" means to "Slash" the English language with slang. Can we please "DROP" the amateur reporting styles?

--
Let's make like a bird... and get the flock outta here.
1. Re:Drops? by belthize · 2015-06-24 05:28 · Score: 5, Funny
  
  He held the exploits palm down before dropping them and then simply walked away exclaiming "Mateusz out".
2. Re:Drops? by Anonymous Coward · 2015-06-24 05:35 · Score: 2, Funny
  
  It's just Dice trying to sound "hip" and "with it". I can't wait for Nerval's Lobster to use that in his next sponsored submission.
3. Re:Drops? by drinkypoo · 2015-06-24 06:01 · Score: 4, Funny
  
  Apparently "Slashdot" means to "Slash" the English language with slang. Can we please "DROP" the amateur reporting styles?
  If you're not a slashdot subscriber, who cares what you think? If you are a slashdot subscriber, that goes double.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
4. Re:Drops? by jabberw0k · 2015-06-24 06:12 · Score: 2
  
  When a publisher drops a title, that means it is no longer in publication. Original headline is complete confusion.
5. Re:Drops? by Fortran+IV · 2015-06-24 07:03 · Score: 2
  
  Not Dice's fault (this time); the summary just quotes The Register's opening hook.
  
  --
  I figure by 2030 or so my 6-digit UID will be something to brag about.
Hmmm ... by gstoddart · 2015-06-24 06:13 · Score: 3, Funny

So, if I assume there's been at least one monthly major security issue attributable to Adobe (maybe twice monthly, once for Reader and once for Flash) ... and if we extend that over the last decade or, it becomes pretty obvious that Adobe writes some shitty code.
I'm not sure a single software vendor on the planet, except Microsoft, has caused so much security holes in all of the history of computers.
Pity we couldn't bill them for all the wasted time and resources.

--
Lost at C:>. Found at C.
Re:"Curses! Foiled again!" says NSA. by Bob+the+Super+Hamste · 2015-06-24 06:18 · Score: 4, Insightful

The NSA is an offensive organization
You could have just stopped there.

--
Time to offend someone
Re:I wish I could quit you, Adobe Reader. by thechemic · 2015-06-24 06:27 · Score: 4, Informative

We installed Foxit Enterprise Reader and disabled in-browser PDF viewing for all browsers. This forces PDF downloads and everything displays wonderfully. It's lightning fast too!

--
Let's make like a bird... and get the flock outta here.
Re:"Curses! Foiled again!" says NSA. by ShaunC · 2015-06-24 06:29 · Score: 2

Why in the heck aren't they doing this research again?
They are, but when they find something, they add it to their arsenal and use it themselves instead of alerting anyone to the vulnerability. This fact was the subject of some hand-waving from the White House earlier in the year. There's a good chance NSA has known about several of these for a long time, which is a little disconcerting since the Adobe Type Manager exploit may date back to 1998.

--
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Re:Getting tired... by drinkypoo · 2015-06-24 07:00 · Score: 4, Interesting

I use SumatraPDF. AFAIK it's the smallest windows PDF reader which is worth using, I believe it's smaller than Foxit. But it's been a while since I installed Foxit, so a comparison would take effort.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re:No surprises there by Fortran+IV · 2015-06-24 07:00 · Score: 4, Informative

It would have been nice if The Register's somewhat hysterical FA (much less the Slashdot summary) had made clear up front that Microsoft patched most of the Windows vulnerabilities all the way back in March (MS15-021), and the last one in May (MS15-044). According to j00ru's blog post, Adobe patched their holes in May as well.

j00ru was clear enough in his blog post, but El Reg decided to stick in one line: "Microsoft and Adobe issued patches in three updates."—six paragraphs down, looking more like an image caption than part of the article. Sheesh.

--
I figure by 2030 or so my 6-digit UID will be something to brag about.
images aren't a programming language by raymorris · 2015-06-24 09:50 · Score: 3, Informative

Pdf is a subset of PostScript, a turing complete programming language. It's most often used for rendering documents, but is in no way limited to that. You can program an emulator in ps and run Linux inside your pdf. Gif and jpeg are not executable code. They are just (compressed) color VALUES).
There was one security hole in one specific executable LIBRARY which processes jpegs, but jpegs themselves are not executable and therefore essentially safe. Not so for pdf.
It is hoped that pdf is slightly safer than pure PostScript, but it's not FUNDAMENTALLY safer.