Adobe Acrobat Reader Security Vulnerability

[mouser]

Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines.

The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Window XP computers with Internet Explorer 7 installed.

The bug affects Adobe Reader 8.1 and earlier versions, Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions, and Adobe Acrobat 3D.

http://blogs.zdnet.com/security/?p=566

[Darwin]

Thanks for alerting us to this one, Jesse. I'm off to read up on it and hopefully secure my computer!

[Ralf Maximus]

Is this a flaw in the Adobe rendering engine or the PDF file format itself?

If I use (say) FoxIt to view PDFs am I vulnerable?

[Darwin]

Interesting - this is described as a "complicated workaround" but it's a simple matter of changing a "2" to a "3"... Hardly seems like rocket science.

Note that:

Adobe categorizes this as a critical issue and recommends that users apply the workaround described above for their product installations.

Ralf, this is a problem with the Acrobat rendering engine and not the file format itself, so if you are using Foxit and do not have Acrobat Reader installed, you should be fine.

[Lashiec]

No, but be careful (search for "Foxit")

[Darwin]

Interesting, thanks for correcting me on that Lashiec.

[Renegade]

Is this a flaw in the Adobe rendering engine or the PDF file format itself?

If I use (say) FoxIt to view PDFs am I vulnerable?

-Ralf Maximus (October 09, 2007, 11:34 AM)

It's kind of not possible for a file format to have a vulnerability. If you're working from a spec., then whatever language you implement it in will have different ways to handle things.

If you're using an unmanaged language like C and implementing something like a "title" field in a file header that in the spec. may only be up to 255 characters (or whatever), then it's up to you to make sure that you check the size, etc., and ensure that you don't allow a buffer overflow, etc. Perhaps you need to null terminate it. Perhaps there's another mechanism for that like delimiters. Those considerations mostly apply to reading as if you're writing a file nothing really matters, and if you're a virus writer, it's the reader application that you want to exploit by injecting code (or whatever).

So if you are reading a file and encounter a title field in a file header that is 4,582 bytes long before you encounter a null termination, then you've got to discard everything after the 255th byte, or you need to do some kind of error checking. etc. etc. etc.

It is possible for there to be a flaw in the spec., but that's a different question entirely. Most exploits are for implementations.

The obvious example of a 'flawed spec.' is Windows 9x. It was designed as a stand-alone personal computer, and not a network computer. Once it became connected to untrusted networks, the problems became painfully apparent. That of course is all debatable, but should kind of point out the difference somewhat.

[Ralf Maximus]

Renegade: I take your point, and mostly agree.  However if a specification allows for (say) an executable to be launched with elevated security rights, is that a flaw in the specification?  Or just a poor decision by the designer?

My question was more along these lines -- is there something in the spec itself that warrants concern? 

I could probably figure it out myself by reading about the PDF internal layout, comparing Adobe & FoxIt implementations, and googling for security news... but it seemed more expedient to simply ask here.  Plus reading all that crap about PDF seems about as exciting as waiting for my solar flashlight to charge at night.

[Renegade]

I don't believe that there is anything in the PDF spec. that warrants a concern, but I could be wrong. It would be unusual for there to be a problem there.

Another example of a security "hole" is the ZIP 2.0 encryption standard. It's considered "weak" because if you have one of the files from a ZIP archive in unencrypted form, you can decrypt the entire archive. Well... It is a problem, but it's not really all that serious if you're just using it for casual security. If you know that you have the only copy of all of the files, then the entire archive is secure. So while there is a kind of exploit for it, it really isn't a huge worry as the exploit is very very specific. It's not like a buffer overflow that can be exploited at will. 

As for watching your solar flashlight recharge at night... Please don't. (I got a kick out of that one! Thanks for the laugh.) But if you did find a real PDF exploit... Those things are worth money! Well... to the bad guys anyways...

[SKA]

Javacool (of SpywareBlaster fame) has a free tool to fix this:

http://www.javacools...ware.com/pdffix.html

Rgds
SKA

[Grorgy]

ahhh thanks for that SKA, thats a whole lot easier 

[Carol Haynes]

Anyone know if Acrobat 7 Professional is vulnerable?

I can't afford (and don't need) to upgrade but Adobe says it applies to version 8.1 and earlier versions. However, the workaround registry fix can't be applied to Acrobat 7 as the registry entry does not exist at all. There is a registry entry which is similar (but store in the HKLM/Programs/Adobe ... branch) but it doesn't have the specific permissions key tSchemePerms it just has sSchemePerms which doesn't have a value including mail anyway ?

[dimtiri]

Anyone know if Acrobat 7 Professional is vulnerable?

I can't afford (and don't need) to upgrade but Adobe says it applies to version 8.1 and earlier versions. However, the workaround registry fix can't be applied to Acrobat 7 as the registry entry does not exist at all. There is a registry entry which is similar (but store in the HKLM/Programs/Adobe ... branch) but it doesn't have the specific permissions key tSchemePerms it just has sSchemePerms which doesn't have a value including mail anyway ?

-Carol Haynes (October 10, 2007, 04:09 AM)

Actually I went into the registry and followed their path and found sSchemePerms instead of tSchemePerms and it still had the mailto in it. But is this the same key?

[SKA]

Seems Windows is the culprit , not Adobe - for this flaw

http://www.betanews...._PDF_Flaw/1192118748

SKA

[f0dder]

Seems Windows is the culprit , not Adobe - for this flaw
http://www.betanews...._PDF_Flaw/1192118748
SKA

-SKA (October 11, 2007, 11:41 PM)

If the exploit can happen just by opening a .pdf file, without clicking the link, the problem is with Adobe, not Microsoft.

Depending on ShellExecute to do URI filtering? That should be punishable by death. You just do not pass on unverified input, whether it's coming from the keyboard, a file, network, etc.

[Eóin]

While not the same thing the pointing fingers of blame onto ms reminds me of the IE-Firefox Exploit fiasco.

[SKA]

<If the exploit can happen just by opening a .pdf file, without clicking the link, the problem is with Adobe, not Microsoft>

Well f0dder <grin> MS doesnt agree with you - they owned up to it being a Windows XP+IE7 bug per Betanews:

http://www.betanews....Microsoft/1192118748

SKA

[f0dder]

Well f0dder <grin> MS doesnt agree with you - they owned up to it being a Windows XP+IE7 bug per Betanews:
http://www.betanews....Microsoft/1192118748

-SKA (October 14, 2007, 12:40 AM)

They actually don't disagree.

What Microsoft has patched is the ShellExecute function, which didn't do proper verification. But if something can get to ShellExecute without user intervention, you have a serious problem...