DonationCoder.com Forum

Main Area and Open Discussion => Living Room => Topic started by: Ehtyar on September 14, 2008, 05:03 AM

Title: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Ehtyar on September 14, 2008, 05:03 AM
Adobe Acrobat can suffer a denial of service or crash after being served a malformed URL.

 (http://news.cnet.com/8301-1009_3-10039532-83.html?part=rss&tag=feed&subj=News-Security)

Certain URLs can cause Adobe Acrobat 9 to suffer a denial of service or crash, says a researcher.

According to an alert from the SecuriTeam mailing list, "a vulnerability in Adobe Acrobat 9 allows attackers to cause the program to crash by providing it with a malformed URL."

Full Story (http://news.cnet.com/8301-1009_3-10039532-83.html?part=rss&tag=feed&subj=News-Security)

Ehtyar.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: mouser on September 14, 2008, 07:38 AM
Um.. what *doesn't* cause adobe acrobat to crash?  :P
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Josh on September 14, 2008, 07:39 AM
Are you kidding mousey? Acrobat is one of the BETTER applications I use. People will continue to complain that it is "bloated" but what does that really mean in this day and age? They add features which someone somewhere HAS requested and incorporate them into the bigger picture. That said, Adobe Acrobat is far easier to use and works better than most PDF solutions I have used, including BlueBeam.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: jgpaiva on September 14, 2008, 08:43 AM
Yeah, acrobat doesn't handle urls very well, and I hate the "adobe speedup", or whatever it's called.
But other than that, I agree with Josh, it's a great program, the best pdf reader I've tried - that's for sure.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Stoic Joker on September 14, 2008, 09:43 AM
Um.. what *doesn't* cause adobe acrobat to crash?  :P
ROFL - Amen!

I'm with you on this one. Acrobat is a regular nightmare for IT departments. Sure, the original PDF (Portable Document Format) "open on any platform" was a delightfully handy idea, but it's become too many things to too many people at this point, as 90% of its "Features" are nothing more than pointless, useless, bloated weight which drags down the app, the browser, and the machine it's (trying) to run on. It has become precisely the type of Swiss Army Knife application that I abhor.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Carol Haynes on September 14, 2008, 12:51 PM
I have to say since installing version 9 Pro I have never had any issues with Acrobat at all.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: mwb1100 on September 14, 2008, 02:01 PM
I'm at a loss as to how this can be called a "denial of service" vulnerability.  Sure, it's a bug in Acrobat, but from the description all it does is cause it to crash when you open a document with the malformed URL.  What service is being denied?  The ability to open documents that are intended to crash the program?
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Ehtyar on September 14, 2008, 03:49 PM
I'm at a loss as to how this can be called a "denial of service" vulnerability.  Sure, it's a bug in Acrobat, but from the description all it does is cause it to crash when you open a document with the malformed URL.  What service is being denied?  The ability to open documents that are intended to crash the program?
When a program is referred to as undergoing denial of service, it means the application is not functioning, for example its main thread may be processing an infinite loop, or using a blocking function that won't return etc.

Ehtyar.
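The "main thread stuck in a loop that never returns" condition described in the post above, as an added example that is not part of the thread and is not Adobe's code: a toy URL scanner with a progress bug that spins forever on a malformed URL (the thread pegs a CPU core and the application stops responding), next to a hardened scanner that always terminates. The sample URLs are constructed for the example, and the step budget exists only so the example can report the hang instead of hanging; a native crash such as the one reported for Acrobat cannot be reproduced in Python.

```python
"""Added example, not code from the original post or from Adobe: a toy URL
scanner whose loop stops making progress on a malformed URL, next to a
hardened version that always terminates. All inputs are constructed."""

MAX_URL_LEN = 2048  # assumption for the example: reject anything longer


class HangDetected(Exception):
    """Raised when the naive scanner exceeds its step budget. A real
    application has no such budget: the thread simply spins at 100% CPU."""


def scan_url_naive(url: str, step_budget: int = 10_000) -> dict:
    """Naive scanner with a classic progress bug.

    On a URL such as 'http:/example.com' the second loop re-reads the same
    offset without advancing, so without the budget it would never return."""
    i, n = 0, len(url)
    scheme = ""
    while i < n and url[i] != ":":
        scheme += url[i]
        i += 1
    steps = 0
    while i < n and url[i:i + 3] != "://":
        # BUG: meant to skip stray characters before '://', but i is never
        # incremented, so the loop condition can never change.
        steps += 1
        if steps > step_budget:
            raise HangDetected(
                f"no progress after {step_budget} iterations at offset {i}")
    if i >= n:
        raise ValueError("malformed URL: no '://' found")
    i += 3
    host = ""
    while i < n and url[i] != "/":
        host += url[i]
        i += 1
    return {"scheme": scheme, "host": host, "path": url[i:] or "/"}


def scan_url_hardened(url: str) -> dict:
    """Hardened scanner: bounded input, no hand-rolled index loop, and every
    branch either consumes input or rejects it, so termination is guaranteed."""
    if len(url) > MAX_URL_LEN:
        raise ValueError(f"malformed URL: longer than {MAX_URL_LEN} bytes")
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme or not scheme.isalpha():
        raise ValueError("malformed URL: missing or invalid scheme")
    host, _, path = rest.partition("/")
    if not host:
        raise ValueError("malformed URL: empty host")
    return {"scheme": scheme.lower(), "host": host, "path": "/" + path}


def naive_hangs(url: str) -> bool:
    """True if the naive scanner stops making progress on this input."""
    try:
        scan_url_naive(url)
    except HangDetected:
        return True
    except ValueError:
        return False
    return False


def hardened_rejects(url: str) -> bool:
    """True if the hardened scanner cleanly rejects this input."""
    try:
        scan_url_hardened(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    samples = [
        "http://example.com/docs/a.pdf",  # well formed
        "http:/example.com",              # malformed: single slash
        "mailto:someone@example.com",     # no '://' at all
    ]
    for u in samples:
        print(f"{u!r}: naive hangs={naive_hangs(u)}, "
              f"hardened rejects={hardened_rejects(u)}")
```

The practical check when triaging a report like this one is the same as the budget above: attach a debugger or sample the process while it is "frozen" and see whether the main thread is parked in a blocking call or spinning in a parser loop at the same offset. Either way no memory is corrupted, which is why such a finding is classified as a denial-of-service condition rather than code execution.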
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: mwb1100 on September 14, 2008, 05:02 PM
In this case it sounds like the term "denial of service" is being used to sensationalize this. There's no resource or service that's being denied access to - the URL is bogus. Is it an inconvenience? Irritating?

Sure.

But it's just something that crashes a program due to a bug.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Josh on September 14, 2008, 05:10 PM
OMG! Everyone remember this day, this is like the THIRD time Carol and I have agreed on ANYTHING here on this forum!
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Ehtyar on September 14, 2008, 05:12 PM
Use of "denial of service" in this case is entirely legitimate, unless they're blatantly lying, which I am yet to see any evidence of, unless you have any...?

Ehtyar.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Deozaan on September 14, 2008, 05:43 PM
Ehtyar, I think the issue here with using "denial of service" is that we usually hear it in terms of DOS or DDOS attacks, and not just bugs. The way it's used here sounds like if I wrote a program that sometimes ended up going into an infinite loop without an escape and locked up the program, that would be considered a "Denial of Service." And while that may technically be true (I don't know if it is or not), we've always just called those "bugs" or "infinite loops" or "locking up" or something similar.

In other words, "Denial of Service" has a very negative, malicious connotation associated with it because of how it's frequently used by "bad guys" to do bad things. Kind of like how the general population thinks the word "hacker" means a malicious person trying to do bad things with computers/electronics.

And I agree with mouser and others: Whenever Acrobat opens in the browser is practically denies my browser service because it freezes it up or takes forever to initialize or whatever. Acrobat opened up independently of the browser is okay--usually--but whoever decided Acrobat should be a browser plugin needs to be punished!
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: mwb1100 on September 14, 2008, 06:09 PM
Use of "denial of service" in this case is entirely legitimate, unless they're blatantly lying, which I am yet to see any evidence of, unless you have any...?
I wouldn't say they're blatantly lying, just exaggerating or sensationalizing the scope of the problem.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Carol Haynes on September 14, 2008, 06:21 PM
OMG! Everyone remember this day, this is like the THIRD time Carol and I have agreed on ANYTHING here on this forum!

I deny that emphatically - cut off his service immediately  :P
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Ehtyar on September 14, 2008, 06:21 PM
Ehtyar, I think the issue here with using "denial of service" is that we usually hear it in terms of DOS or DDOS attacks, and not just bugs.
I understand. Perhaps a quick Google or two might help clear up any misconception before people post on a thread they're confused about. Denial of service is the technical term, regardless of any connotations associated with the phrase.
I wouldn't say they're blatantly lying, just exaggerating or sensationalizing the scope of the problem.
How so, given that their use of this phrase is entirely legitimate?

Ehtyar.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Carol Haynes on September 14, 2008, 06:24 PM
And I agree with mouser and others: Whenever Acrobat opens in the browser is practically denies my browser service because it freezes it up or takes forever to initialize or whatever. Acrobat opened up independently of the browser is okay--usually--but whoever decided Acrobat should be a browser plugin needs to be punished!

I think there is something wrong with your set up - I don't have that problem in Firefox or Internet Explorer. Maybe it is a reader issue (I am using the Pro version).

One of the things Adobe always says is that leaving behind older versions of Acrobat when you upgrade causes problems. Old versions should be removed completely before installing a new major version. Maybe you should try a clear out of all Acrobat software and then reboot and reinstall the latest version.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Ehtyar on September 14, 2008, 06:28 PM
One of the things Adobe always says is that leaving behind older versions of Acrobat when you upgrade causes problems. Old versions should be removed completely before installing a new major version. Maybe you should try a clear out of all Acrobat software and then reboot and reinstall the latest version.
Clearly they take great care to ensure their applications function optimally *cough* *splutter*

Ehtyar.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: mwb1100 on September 14, 2008, 09:20 PM
Denial of service is the technical term, regardless of any connotations associated with the phrase.
I wouldn't say they're blatantly lying, just exaggerating or sensationalizing the scope of the problem.
How so, given that their use of this phrase is entirely legitimate?
It may be a technical term, but apparently there is still some difference of opinion on it.  In my opinion it's a stretch to call this a denial of service - what service is being blocked/prevented/denied?

Since you suggested using Google to clear up any misconception, here's what I get on the first results page for the search '"denial of service" definition', listing only the results that don't discuss only distributed denial of service attacks, which I think everyone can agree this is not:

A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have.
-http://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci213591,00.html
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.
-http://en.wikipedia.org/wiki/Denial-of-service_attack
A type of crack attack that makes it difficult, if not impossible, for valid system users to access their computer or particular services, such as Web applications, on a computer.
-http://www.yourdictionary.com/denial-of-service
A condition in which a system can no longer respond to normal requests.
-http://www.pcmag.com/encyclopedia_term/0,2542,t=denial+of+service&i=41128,00.asp

I still don't think this meets these definitions. If you do, that's fine.

Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Ehtyar on September 14, 2008, 09:34 PM
Denial of service is the technical term, regardless of any connotations associated with the phrase.
I wouldn't say they're blatantly lying, just exaggerating or sensationalizing the scope of the problem.
How so, given that their use of this phrase is entirely legitimate?
It may be a technical term, but apparently there is still some difference of opinion on it.  In my opinion it's a stretch to call this a denial of service - what service is being blocked/prevented/denied?

Since you suggested using Google to clear up any misconception, here's what I get on the first results page for the search '"denial of service" definition', listing only the results that don't discuss only distributed denial of service attacks, which I think everyone can agree this is not:

A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have.
-http://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci213591,00.html
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.
-http://en.wikipedia.org/wiki/Denial-of-service_attack
A type of crack attack that makes it difficult, if not impossible, for valid system users to access their computer or particular services, such as Web applications, on a computer.
-http://www.yourdictionary.com/denial-of-service
A condition in which a system can no longer respond to normal requests.
-http://www.pcmag.com/encyclopedia_term/0,2542,t=denial+of+service&i=41128,00.asp

I still don't think this meets these definitions. If you do, that's fine.

Are you suggesting Acrobat provides no service? In any case, were it an infinite loop scenario you're probably looking at high CPU usage, which may conform to your definition.
Notice how each of your definitions is followed by the word 'attack'? The article never mentioned a 'denial of service attack', it simply refers to Acrobat freezing as 'denial of service'. You can find some examples of its usage here (http://www.google.com/search?hl=en&q=denial+of+service+condition+-attack&btnG=Search).

Ehtyar.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Deozaan on September 14, 2008, 09:52 PM
So now we all know. The first Denial of Service Condition was in 1968 (or 2001, depending on how you look at it (http://www.imdb.com/title/tt0062622/)):

"I'm sorry Dave, I'm afraid I can't do that. (http://www.imdb.com/title/tt0062622/quotes)"
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Ehtyar on September 14, 2008, 10:10 PM
Hahaha, awesome post Deo, thanks :)

Ehtyar.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Carol Haynes on September 15, 2008, 04:34 AM
Your definition of "Denial of Service" is basically anything that stops something from working! Would a blown fuse be a denial of service? How about over heating?

How would you deal with rodents nibbling at your cables? Presumably shout at them "Stop denying my service" before you drop something heavy on them  :mad:

Denial of Service is generally understood to be a deliberate act - i.e. a DENIAL of service. The most common kind is flooding a server with requests so that no one else can use the server.

A bug isn't a denial, that is just crappy programming and testing - or are you saying Adobe deliberately sells software that is designed to frustrate you? (I know Mouser would take this attitude  :-*).
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Ehtyar on September 15, 2008, 07:32 AM
I refuse to continue debating this subject. Those of you unfamiliar with IT security terminology should consider withholding your comments unless you're certain what you're talking about.

Ehtyar.
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Lashiec on September 15, 2008, 08:17 AM
In short, if someone asks, Adobe locks or crashes. Just like it used to do in previous versions when closing the browser with the plugin loaded :D

At least it's not a serious vulnerability (unless I'm missing something), and otherwise Acrobat 9 is pretty nice, fast and everything (I thought it would never happen).
Title: Re: Vuln. Alert: Malformed URLs Crash Acrobat 9
Post by: Ehtyar on September 15, 2008, 08:33 AM
...
At least it's not a serious vulnerability
...
Correct.

Ehtyar.