Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 05, 2016, 06:40:10 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Vuln. Alert: Malformed URLs Crash Acrobat 9  (Read 7787 times)

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Vuln. Alert: Malformed URLs Crash Acrobat 9
« on: September 14, 2008, 05:03:07 AM »
Adobe Acrobat can suffer a denial of service or crash after being served a malformed URL.

Screenshot - 14_09_2008 , 8_04_38 PM_thumb.png


Quote
Certain URLs can cause Adobe Acrobat 9 to suffer a denial of service or crash, says a researcher.

According to an alert from the SecuriTeam mailing list, "a vulnerability in Adobe Acrobat 9 allow attackers to cause the program to crash by providing it with a malformed URL."

Full Story

Ehtyar.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 36,406
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #1 on: September 14, 2008, 07:38:09 AM »
Um.. what *doesn't* cause adobe acrobat to crash?  :P

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: -5
  • Posts: 3,395
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #2 on: September 14, 2008, 07:39:57 AM »
Are you kidding mousey? Acrobat is one of the BETTER applications I use. People will continue to complain that it is "bloated" but what does that really mean in this day and age? They add features which someone somewhere HAS requested and incorporate it into the bigger picture. That said, Adobe Acrobat is far easier to use and works better than most PDF solutions I have used to include BlueBeam.

jgpaiva

  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 4,727
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #3 on: September 14, 2008, 08:43:00 AM »
Yeah, acrobat doesn't handle urls very well, and I hate the "adobe speedup", or whatever it's called.
But other than that, I agree with Josh, it's a great program, the best pdf reader I've tried - that's for sure.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,294
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #4 on: September 14, 2008, 09:43:46 AM »
Um.. what *doesn't* cause adobe acrobat to crash?  :P
ROFL - Amen!

I'm with you on this one Acrobat is a regular nightmare for IT departments. Sure the original PDF (Portable Document Format) open on any platform was a delightfully handy idea, but it's become too many thing to too many people at this point as 90% if its "Features" are nothing more than pointless, useless, bloated weight which drag down the app, the browser, and the machine it's (trying) to run on. It has become precisely the type of Swiss Army Knife type of application that I abhor.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 7,986
    • View Profile
    • Dales Computer Services
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #5 on: September 14, 2008, 12:51:00 PM »
I have to say since installing version 9 Pro I have never had any issues with Acrobat at all.

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,521
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #6 on: September 14, 2008, 02:01:11 PM »
I'm at a loss as to how this can be called a "denial of service" vulnerability.  Sure, it's a bug in Acrobat, but from the description all it does is cause it to crash when you open a document with the malformed URL.  What service is being denied?  The ability to open documents that are intended to crash the program?

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #7 on: September 14, 2008, 03:49:36 PM »
I'm at a loss as to how this can be called a "denial of service" vulnerability.  Sure, it's a bug in Acrobat, but from the description all it does is cause it to crash when you open a document with the malformed URL.  What service is being denied?  The ability to open documents that are intended to crash the program?
When a program is referred to as undergoing denial of service, it means the application is not functioning, for example its main thread may be processing an infinite loop, or using a blocking function that won't return etc.

Ehtyar.

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,521
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #8 on: September 14, 2008, 05:02:13 PM »
In his case it sounds like the term "denial of service" is being used to sensationalize this.  There's no resource or service that's being denied access to - the URL is bogus. Is it an inconvenience? Irritating?

Sure.

But it's just something that crashes a program due to a bug.

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: -5
  • Posts: 3,395
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #9 on: September 14, 2008, 05:10:36 PM »
OMG! Everyone remember this day, this is like the THIRD time Carol and I have agreed on ANYTHING here on this forum!

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #10 on: September 14, 2008, 05:12:15 PM »
Use of "denial of service" in this case is entirely legitimate, unless they're blatantly lying, which I am yet to see any evidence of, unless you have any...?

Ehtyar.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,713
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #11 on: September 14, 2008, 05:43:20 PM »
Ehtyar, I think the issue here with using "denial of service" is that we usually hear it in terms of DOS or DDOS attacks, and not just bugs. The way it's used here sounds like if I wrote a program that sometimes ended up going into an infinite loop without an escape and locked up the program, that would be considered a "Denial of Service." And while that may technically be true (I don't know if it is or not), we've always just called those "bugs" or "infinite loops" or "locking up" or something similar.

In other words, "Denial of Service" has a very negative, malicious connotation associated with it because of how it's frequently used by "bad guys" to do bad things. Kind of like how the general population thinks the word "hacker" means a malicious person trying to do bad things with computers/electronics.

And I agree with mouser and others: Whenever Acrobat opens in the browser is practically denies my browser service because it freezes it up or takes forever to initialize or whatever. Acrobat opened up independently of the browser is okay--usually--but whoever decided Acrobat should be a browser plugin needs to be punished!


mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,521
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #12 on: September 14, 2008, 06:09:59 PM »
Use of "denial of service" in this case is entirely legitimate, unless they're blatantly lying, which I am yet to see any evidence of, unless you have any...?
I wouldn't say they're blatantly lying, just exaggerating or sensationalizing the scope of the problem.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 7,986
    • View Profile
    • Dales Computer Services
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #13 on: September 14, 2008, 06:21:25 PM »
OMG! Everyone remember this day, this is like the THIRD time Carol and I have agreed on ANYTHING here on this forum!

I deny that emphatically - cut off his service immediately  :P

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #14 on: September 14, 2008, 06:21:46 PM »
Ehtyar, I think the issue here with using "denial of service" is that we usually hear it in terms of DOS or DDOS attacks, and not just bugs.
I understand. Perhaps a quick Google or two might help clear up any misconception before people post on a thread they're confused about. Denial of service is the technical term, regardless of any connotations associated with the phrase.
I wouldn't say they're blatantly lying, just exaggerating or sensationalizing the scope of the problem.
How so, given that their use of this phrase is entirely legitimate?

Ehtyar.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 7,986
    • View Profile
    • Dales Computer Services
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #15 on: September 14, 2008, 06:24:20 PM »
And I agree with mouser and others: Whenever Acrobat opens in the browser is practically denies my browser service because it freezes it up or takes forever to initialize or whatever. Acrobat opened up independently of the browser is okay--usually--but whoever decided Acrobat should be a browser plugin needs to be punished!

I think there is something wrong with your set up - I don't have that problem in Firefox or Internet Explorer. Maybe it is a reader issue (I am using the Pro version).

One of the thing Adobe always say is that leaving behind older versions of Acrobat when you upgrade causes problems. Old versions should be removed completely before installing a new major version. Maybe you should try a clear out of all Acrobat software and then reboot and reinstall the latest version.

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #16 on: September 14, 2008, 06:28:26 PM »
One of the thing Adobe always say is that leaving behind older versions of Acrobat when you upgrade causes problems. Old versions should be removed completely before installing a new major version. Maybe you should try a clear out of all Acrobat software and then reboot and reinstall the latest version.
Clearly they take great care to ensure their applications function optimally *cough* *splutter*

Ehtyar.

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,521
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #17 on: September 14, 2008, 09:20:54 PM »
Denial of service is the technical term, regardless of any connotations associated with the phrase.
I wouldn't say they're blatantly lying, just exaggerating or sensationalizing the scope of the problem.
How so, given that their use of this phrase is entirely legitimate?
It may be a technical term, but apparently there is still some difference of opinion on it.  In my opinion it's a stretch to call this a denial of service - what service is being blocked/prevented/denied?

Since you suggested using Google to clear up any  misconception, here's what I get on the first results page for the search '"denial of service" definition', listing only the results that don't discuss only distributed denial of service attacks, which I think everyone can agree this is not:

A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have.
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.
A type of crack attack that makes it difficult, if not impossible, for valid system users to access their computer or particular services?such as Web applications?on a computer.
A condition in which a system can no longer respond to normal requests.

I still don't think this meets these definitions. If you do, that's fine.


Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #18 on: September 14, 2008, 09:34:49 PM »
Denial of service is the technical term, regardless of any connotations associated with the phrase.
I wouldn't say they're blatantly lying, just exaggerating or sensationalizing the scope of the problem.
How so, given that their use of this phrase is entirely legitimate?
It may be a technical term, but apparently there is still some difference of opinion on it.  In my opinion it's a stretch to call this a denial of service - what service is being blocked/prevented/denied?

Since you suggested using Google to clear up any  misconception, here's what I get on the first results page for the search '"denial of service" definition', listing only the results that don't discuss only distributed denial of service attacks, which I think everyone can agree this is not:

A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have.
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.
A type of crack attack that makes it difficult, if not impossible, for valid system users to access their computer or particular services?such as Web applications?on a computer.
A condition in which a system can no longer respond to normal requests.

I still don't think this meets these definitions. If you do, that's fine.


Are you suggesting Acrobat provides no service? In any case, were it an infinite loop scenario you're probably looking at high CPU usage, which may conform to your definition.
Notice how each of your definitions is followed by the word 'attack'? The article never mentioned a 'denial of service attack', it simply refers to Acrobat freezing as 'denial of service'. You can find some examples of its usage here.

Ehtyar.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,713
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #19 on: September 14, 2008, 09:52:32 PM »
So now we all know. The first Denial of Service Condition was in 1968 (or 2001, depending on how you look at it):

"I'm sorry Dave, I'm afraid I can't do that."


Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #20 on: September 14, 2008, 10:10:04 PM »
Hahaha, awesome post Deo, thanks :)

Ehtyar.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 7,986
    • View Profile
    • Dales Computer Services
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #21 on: September 15, 2008, 04:34:08 AM »
Your definition of "Denial of Service" is basically anything that stops something from working! Would a blown fuse be a denial of service? How about over heating?

How would you deal with rodents nibbling at your cables? Presumably shout at them "Stop denying my my service" before you drop something heavy on them  :mad:

Denial of Service is generally understood to be a deliberate act - i.e. a DENIAL of service. The most common kind is flooding a server with requests so that no one else can use the server.

A bug isn't a denial that is just crappy programming and testing - or are you saying Adobe deliberately sell software that is designed to frustrate you. (I know Mouser would take this attitude  :-*).

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #22 on: September 15, 2008, 07:32:37 AM »
I refuse to continue debating this subject. Those of you unfamiliar with IT security terminology should consider withholding your comments unless you're certain what you're talking about.

Ehtyar.

Lashiec

  • Member
  • Joined in 2006
  • **
  • Posts: 2,374
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #23 on: September 15, 2008, 08:17:11 AM »
In short, if someone asks, Adobe locks or crashes. Just like it used to do in previous versions when closing the browser with the plugin loaded :D

At least it's not a serious vulnerability (unless I'm missing something), and otherwise Acrobat 9 is pretty nice, fast and everything (I thought it would never happen).

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
« Reply #24 on: September 15, 2008, 08:33:20 AM »
...
At least it's not a serious vulnerability
...
Correct.

Ehtyar.