Author Topic: Dangerous Adobe Reader Vulnerability In the Wild  (Read 14169 times)

mouser

Dangerous Adobe Reader Vulnerability In the Wild
« on: February 20, 2009, 08:26 AM »
How many times is this going to happen with Adobe before we start rebelling against this software?

Bad news for anyone that utilizes Adobe's Acrobat software, or Adobe reader to view PDF files. A critical vulnerability has been identified that can cause the applications to crash and allow an attacker to control the affected system. All versions from 7 forward on all operating systems are suspected to be at risk.

According to the announcement from Adobe, this isn't just a possibility, it's actually happening. Reports have already been made of the buffer overflow exploit being used in this type of attack. Adobe is also working with antivirus vendors to patch the holes, and patches to update the vulnerable apps are in the works. The bad news: patches aren't likely to be ready until March 11th, 2009.



from http://www.downloads...y-in-reader-acrobat/

gexecuter

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #1 on: February 20, 2009, 11:22 AM »
I don't care because I use Foxit reader for my PDF viewing needs, works pretty well.
Mouser is made of win and awesome!

Josh

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #2 on: February 20, 2009, 01:12 PM »
Why are you going to rebel, mouser? ALL software will eventually have a security hole. The fact of the matter is that people look down on the larger companies because their product is far more popular and more widely utilized. FoxIT is what I use as well, but again if it shared the popularity that Adobe Reader enjoys then I am sure its security holes would be found out. As long as a company patches its holes, I am fine and will not lose one iota of sleep over a security hole. Thus especially given that most of them really have little to no effect on much of the population, ala many of the Windows security vulnerabilities. I am not saying be lax on testing and security, but get off the high horse of "Let's boycott this company because they have security issues".

Stoic Joker

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #3 on: February 20, 2009, 06:06 PM »
And on the other side of the coin...

(As a comparison) How many times have any systems been penetrated/crashed because of .txt file misuse?!?

PDF stands for Portable Document Format, it's supposed to be read & editable on any platform (Hence the portable part). That's all it was supposed to be, and it should have stayed that way. It was generally never a problem, until Adobe decided to try and make it all things to all people for all reasons. Which was stupid. It's turned into a multidimensional "display" vortex that will suck-up and run anything anyone cares to embed in it ... and it's the anything part that's biting us in the ass now.

You can not put that much potential in one application without taking some responsibility for what might happen. It was only supposed to be a document reader ... now it's turned into the elbbubmug that ate Chicago.

I'm all for boycotting Acrobat, and the nightmare that Flash has turned into until they nail the damn things down (/shut) so they quit causing problems that never should have existed in the first place.

Hey, nobody had a problem riding Microsoft's ass when Word or Excel had/caused/came up with holes ... why should Adobe get a free pass for making a huge mess?

app103

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #4 on: February 20, 2009, 06:17 PM »
> I don't care because I use Foxit reader for my PDF viewing needs, works pretty well.

I use Foxit Reader too, but it could be just as easily prone to lots of Javascript exploits unless you turn that off in the preferences. If you don't see the option to turn it off, you are probably running an older version of Foxit and should upgrade.

Josh

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #5 on: February 20, 2009, 06:20 PM »
Acrobat is all about security of your documents. That is its primary purpose. It's not designed for editing, you do that in the original program used to create the document. That is why the number one thing people request is a way to edit a PDF file and its contents. I get this all the time in my work and I always have to explain to people you don't edit PDF files, you edit the source. A PDF is created when you either want to send out a final product or a form. The only editable PDF files I've ever seen are forms and those are designed to allow edits. PDF was meant to be READ on any platform, not EDITED.

app103

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #6 on: February 20, 2009, 06:38 PM »
> And on the other side of the coin...
>
> (As a comparison) How many times have any systems been penetrated/crashed because of .txt file misuse?!?

Plenty of times!

One can open notepad and type up various vbs, js, hta, and bat scripts in plain text. They can even be malicious ones.

If saved as .txt they are more or less harmless and open as text.

But if you name the file something like "funny joke.txt        [insert lots of spaces here]       .vbs" and can manage to get it onto a user's system, they might not see that .vbs part in Explorer if you add enough spaces, or if they have their settings set to hide known file extensions. (and if you write up a .hta you can even disguise the icon as the default .txt icon)

I think that would qualify as .txt file misuse.

I have seen plenty of cases over the years of people having their systems messed up by text files like this. Some got them through emails, some sent through instant messenger clients, lots of them downloaded over P2P.

And yes, technically they are still just plain old text files. But the change of file extension tells the OS to treat them differently. And the right change of file extension can turn them into executable scripts.
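
A defender-side check for the filename trick described in the post above, as an added example that is not part of the original thread: it flags names whose final extension is a script type while whitespace padding or a doubled extension makes them look like a document. The decoy-extension list, the three-space threshold and the sample names are assumptions made for this example.

```python
import re

# Script extensions named in the post (vbs, js, hta, bat); extend for your environment.
SCRIPT_EXTS = {"vbs", "js", "hta", "bat"}
# Extensions users tend to treat as harmless documents (assumed list for this example).
DECOY_EXTS = {"txt", "pdf", "doc", "jpg"}
# Three or more consecutive whitespace characters counts as padding (assumed threshold).
PAD_RUN = re.compile(r"\s{3,}")


def real_extension(name):
    """Return the text after the last dot, lowercased and trimmed ('' if no dot)."""
    _stem, dot, ext = name.rpartition(".")
    return ext.strip().lower() if dot else ""


def check_filename(name):
    """Return the reasons a name looks deceptive; an empty list means no finding."""
    findings = []
    if real_extension(name) not in SCRIPT_EXTS:
        return findings  # the file type the OS acts on is not a script
    stem = name.rpartition(".")[0]
    if PAD_RUN.search(stem):
        # A long whitespace run can push the real extension out of view.
        findings.append("whitespace-padding")
    inner = real_extension(stem.rstrip())
    if inner in DECOY_EXTS:
        # With "hide known extensions" on, only the decoy extension is displayed.
        findings.append("decoy-extension:" + inner)
    return findings


def scan(names):
    """Map each suspicious name to its findings, skipping clean names."""
    return {n: f for n in names if (f := check_filename(n))}


# Constructed sample names (not taken from any real incident).
SAMPLE_NAMES = [
    "funny joke.txt" + " " * 40 + ".vbs",  # padded name from the post
    "readme.txt.hta",                      # double extension, no padding
    "notes.txt",                           # plain text file
    "backup.bat",                          # honest script name
    "jquery.min.js",                       # dotted but not a decoy
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_NAMES).items():
        print(repr(name), reasons)
```

Honest script names such as `backup.bat` are deliberately not flagged, so the check can run over mail attachments or a downloads folder without alerting on every script.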

lanux128

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #7 on: April 28, 2009, 09:56 PM »
Downloadsquad reports that a new vulnerability has been discovered in versions 8.14 and 9.1 which affects Linux and "could also affect other versions of the program on other operating systems." Will Foxit prosper from this new discovery?

Yet another security flaw surfaces in Adobe Reader

Stoic Joker

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #8 on: April 28, 2009, 10:55 PM »
> > And on the other side of the coin...
> >
> > (As a comparison) How many times have any systems been penetrated/crashed because of .txt file misuse?!?
>
> Plenty of times!
>
> One can open notepad and type up various vbs, js, hta, and bat scripts in plain text. They can even be malicious ones.
>
> If saved as .txt they are more or less harmless and open as text.
>
> But if you name the file something like "funny joke.txt        [insert lots of spaces here]       .vbs" and can manage to get it onto a user's system, they might not see that .vbs part in Explorer if you add enough spaces, or if they have their settings set to hide known file extensions. (and if you write up a .hta you can even disguise the icon as the default .txt icon)
>
> I think that would qualify as .txt file misuse.
>
> I have seen plenty of cases over the years of people having their systems messed up by text files like this. Some got them through emails, some sent through instant messenger clients, lots of them downloaded over P2P.
>
> And yes, technically they are still just plain old text files. But the change of file extension tells the OS to treat them differently. And the right change of file extension can turn them into executable scripts.

Um... no.

If you change the file extension, to a different file type, it's a different file type. e.g. not the same thing.

Apples to Apples comparison is:
PDF -> Adobe reader (boom...)
TXT -> Notepad (...?)

...Now if you can get Notepad to make a txt file go boom... you win.

Tricking some dolt user with hidden file extensions (dumb on MS's part) or an 80' file name is Social Engineering ... Which is not the same as turning somebody's comp into a smoking hole when they run a file in its native application. PDFs are just too "Feature Rich" for their own good.

Gothi[c]

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #9 on: April 30, 2009, 02:35 PM »
> I don't care because I use Foxit reader for my PDF viewing needs, works pretty well.

Every time there is a thread on an adobe vulnerability, everyone is always quick to say that foxit is better or safer etc...

I hate to break it to you, but it's not. It's just more obscure.

In fact, foxit is implementing JBIG in the same way as adobe, and is also listed as vulnerable.

This nice video explains (and mentions foxit): http://www.dojosec.com/?p=92

Use text-only browsers, email, etc... ! the only way! :) (And even then there is risk (there have been vulnerabilities in vim, for example))

housetier

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #10 on: April 30, 2009, 02:47 PM »
> Use text-only browsers, email, etc... ! the only way!

Hmm I wonder if I could read my email with lynx using a web interface that does server-side pdf2txt... That would be very difficult to exploit I assume.

f0dder

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #11 on: April 30, 2009, 04:40 PM »
Gothi[c]: it actually is safer - while it was affected by the JBIG2 issue (used same reference library, I betcha) the crash wasn't code-executable exploitable as with Adobe. You could call this "by obscurity" if you insist, but nobody has shown that FR is exploitable through this bug, afaik. And for basically all the other AR exploits, Foxit hasn't been vulnerable - that would simply be because of less bugs.

On top of that, Adobe has been extremely slow in dealing with bugs; Foxit have fixed them a lot faster (that, or my memory is way wrong. Could be, could be :)).
- carpe noctem

Lashiec

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #12 on: April 30, 2009, 04:59 PM »
Suggestion to Adobe: Disable JavaScript BY DEFAULT. So far I just encountered a single PDF that requires it (interactive forms) and IIRC it asked me to enable JavaScript just for the document. Peace of mind for the users, and a certain peace of mind for Adobe while they work on a fix. Besides, they already ask if you want to open a mere URL contained in a PDF, why not do it for something less common like JS in a PDF?

f0dder

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #13 on: April 30, 2009, 05:07 PM »
Lashiec: JS isn't the only exploit in AR, though - afaik the JBIG2 exploit worked fine even with JS turned off?
- carpe noctem

Lashiec

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #14 on: April 30, 2009, 05:23 PM »
Umm, yeah, according to Adobe it would only mitigate it. The new unpatched vulnerability also urges the user to disable JavaScript to mitigate the attack. Mitigation is always a good thing, anyway :)

Gothi[c]

Re: Dangerous Adobe Reader Vulnerability In the Wild
« Reply #15 on: April 30, 2009, 06:12 PM »
> Gothi[c]: it actually is safer - while it was affected by the JBIG2 issue (used same reference library, I betcha) the crash wasn't code-executable exploitable as with Adobe. You could call this "by obscurity" if you insist, but nobody has shown that FR is exploitable through this bug, afaik. And for basically all the other AR exploits, Foxit hasn't been vulnerable - that would simply be because of less bugs.

Yes, I call that obscurity :) The only reason nobody has shown foxit isn't vulnerable is because it's not as big a target as acrobat, not because the software is not exploitable.

That said, I would have to agree that adobe has indeed shown incompetence with their slow response times etc.
I can't say they practice bad coding habits (though it may be likely) since the software is closed source. It's not because a piece of software has many heap overflows, that the developers are incompetent. All complex software has those. What is incompetent is their slow patch time and unresponsiveness, but whether or not that is to blame on the coding team or internal politics/management is a different issue.
I don't know what's going on there, and as it's closed source, I can't judge the quality of it, and definitively not the people that have been writing it.

Foxit may have less bugs because it's less bloated and simpler. Which is only natural. I'm not bashing foxit here. I'm just trying to point out the fact that when people say less used application x is more secure because it has less discovered bugs/vulnerabilities than popular application y, they are advocating obscurity, not security, and the fact that the vulnerability is present in both applications is a good reminder of that.
« Last Edit: April 30, 2009, 06:16 PM by Gothi[c] »