
Adobe Warns of Reader, Acrobat Attack 195

Posted by timothy
from the gnome's-reader's-pretty-good-y'know dept.
itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."
This discussion has been archived. No new comments can be posted.
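The workaround in the summary only helps where the preference stays off, so a static check for script-bearing PDFs is a useful companion at the mail gateway or file share. The following is an added example, not part of the original story or thread and not Adobe's or Shadowserver's code; the function names and the three sample byte strings are constructed for illustration.

```python
import re
import zlib

# Name keys worth flagging: script actions and automatic-action triggers.
SUSPECT = ("JavaScript", "JS", "OpenAction", "AA")
NAME_RE = re.compile(rb"/([^\s\x00/<>\[\](){}%]+)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)

def decode_name(raw: bytes) -> str:
    """Undo the #xx hex escapes PDF permits in names (/J#61vaScript)."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def count_names(data: bytes) -> dict:
    """Count exact matches of the suspect names after un-escaping."""
    counts = dict.fromkeys(SUSPECT, 0)
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
    return counts

def inflate_streams(data: bytes):
    """Yield the body of each stream that inflates as zlib/Flate data."""
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream"
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filter or not compressed; raw scan still covers it

def triage(data: bytes) -> dict:
    """Count suspect names in the raw file and inside inflated streams."""
    total = count_names(data)
    for body in inflate_streams(data):
        for key, n in count_names(body).items():
            total[key] += n
    total["has_script"] = bool(total["JavaScript"] or total["JS"])
    return total

# Constructed samples (not real documents): plain, obfuscated name, hidden in stream.
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /J#61vaScript /JS 4 0 R >>\nendobj\n")
HIDDEN = (b"%PDF-1.5\n7 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S /JavaScript /JS 8 0 R >>")
          + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("scripted", SCRIPTED), ("hidden", HIDDEN)):
        print(label, triage(doc))
```

A hit means the file carries script or an auto-run action, not that it is malicious; forms with field validation will trip it too.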

  • by Anonymous Coward on Tuesday December 15, 2009 @12:10PM (#30445214)

    I thought after so many vulnerabilities everyone had turned that off in Reader...

    • by jasonwc (939262) on Tuesday December 15, 2009 @12:30PM (#30445554)

      I agree. These security vulnerabilities appear to be a weekly occurrence. Anyone that hasn't disabled Javascript in Reader/Acrobat at this point either doesn't care about the numerous vulnerabilities or doesn't understand the risks involved.

      The bigger question is why Adobe doesn't just disable Javascript by default. I have never used a PDF that required Javascript and I've dealt with a number of user-fillable forms. So, what exactly is Javascript being used for? I know that it has some use. However, it seems that the security risk is far greater than any potential benefit of the "feature".

      • by Zumbs (1241138)

        So, what exactly is Javascript being used for? I know that it has some use. However, it seems that the security risk is far greater than any potential benefit of the "feature".

        DRM, I've heard. Another reason for having it would likely be that Adobe needs to be ahead of the competition, for example by supporting multimedia content. There are, after all, a lot of very good pdf readers/writers (and editors?) out there.

      • by wkk2 (808881) on Tuesday December 15, 2009 @01:12PM (#30446322)

        JavaScript in PDFs has always been trouble. I use forms that auto complete, add columns, etc. A compromise might be a default of prompt before running scripts with a recommend/default of "no". I'd always click "no" unless I trusted the source. Since that would marginalize the product it will probably never happen. I wish I had never upgraded from 4.

      • Re: (Score:3, Interesting)

        by digitalhermit (113459)

        It's easy enough to disable, but every time a doc gets loaded with embedded JS, the reader will prompt to enable it with a message saying something like "the document may not display correctly" without it enabled. Clicking the "yes" will then re-enable it. The problem with this approach is that we get so many warnings that people may automatically start enabling JS accidentally.

        • by jasonwc (939262)

          Based on the numerous JS vulnerabilities, the default should be "No". A message should warn about the security vulnerabilities of running the document and tell the user only to enable JS (temporarily) if they trust the source of the document. However, it should also mention that if JS is disabled, it may not display correctly.

          The fact is that Adobe simply doesn't care about the vulnerabilities. They have responded slowly or not at all to the issue.

      • by MrNemesis (587188)

        ...or has been repeatedly told by their bosses that it's a "never going to happen" risk and that "antivirus and perimeter security will stop all malware".

        Yeah, I don't work there any more, but there are plenty of people who are all too aware of the twatworthy shitness of acrobat that have absolutely no means of a) switching to an alternative (I love SumatraPDF for windows) or b) turning off the more idiotic default settings "in case it breaks something". Ah, status quo is god... how can you be a "pro-active

      • I've used it for setting up sharing of notes via WebDAV in PDF's.

        Works really well, actually.

        Although I don't know how much that matters if they can't secure their PDF format.

      • The bigger question is why Adobe doesn't just disable Javascript by default.

        Because the intent is to push you towards using their software for as many things as they can get you to. The more things you use it for, the more reliant you are on it, the more likely you are to buy more copies.

        I don't think it's all that nefarious in intent. They want their software to be useful and cutting-edge. If their intent was only to create a fast PDF reader/writer, then they'd be done sometime around Acrobat 4. Every version since would be bug-fixes, performance improvements, and updates in

    • I am surprised anyone that comes to /. uses adobe reader anymore. Bloated to an almost impressive level and filled with security holes.
      • Re: (Score:2, Insightful)

        by maxume (22995)

        And then someone who is paying you money sends you a pdf and expects you to make comments using Adobe's proprietary comment system.

  • Javascript Again (Score:4, Informative)

    by Anonymous Coward on Tuesday December 15, 2009 @12:12PM (#30445236)
    If you have to use Reader, ALWAYS disable Javascript. It always seems like that's what these exploits use. Or use one of the many PDF reader alternatives.
    • With PDF being an open standard, and there being tons of free lightweight readers out there, there is really no excuse to use the Acrobat Reader.

    • Re: (Score:3, Insightful)

      by gad_zuki! (70830)

      What bothers me about this is that once it's disabled it just prompts you to enable it once it senses a JS PDF. The end user, if he or she has rights (and they do at home), just clicks another OK box instead of being forced to go into preferences and turn it back on. Once that's clicked it runs the JS and the exploit. It's ridiculous it's even on by default, let alone this UI stupidity.

      The next version of Acrobat should just have it off by default. Force people to turn it on. Chances are 99.9% of users have n

    • Re: (Score:3, Interesting)

      I have javascript disabled at each user login on our network (through the logon script), just in case someone has re-enabled it when their system was last logged on. I haven't found a way to totally lock it out yet.

      The huge problem is that Adobe offers to enable javascript for users when they open a PDF with Javascript in it. It displays a message along the lines of "you're not seeing everything here unless you enable javascript...click here to enable it" with a big friendly "YES" button. Kind of defeats

  • Does it run Linux? (Score:3, Interesting)

    by filesiteguy (695431) <kai@perfectreign.com> on Tuesday December 15, 2009 @12:14PM (#30445264) Homepage
    Normally that would be my first response as a joke, but I begin to wonder if Adobe could affect anything that is not root-level (or admin level).
    • by MrMr (219533)
      I guess it still doesn't run on x86_64 with installing a lot of 32 bit junk.
  • Why is Reader being used in large-scale deployments? It's freeware-ish and gets no more support from Adobe than many of the other free pdf reader alternatives out there would get. I have Reader installed at my work without having Writer or Photoshop either.
    • by Krneki (1192201)
      Sheer lack of mental motivation to change what you use.

      Nothing new.

      Well, maybe some Adobe fan will tell you that some obscure functionality is missing from Foxit Reader.
      • by compro01 (777531)

        Well, maybe some Adobe fan will tell you that some obscure functionality is missing from Foxit Reader.

        Certainly there is missing functionality. This article points out one such instance of missing functionality.

    • Re: (Score:3, Interesting)

      by COMON$ (806135)
      I would love a good alternative personally. All my users do is read the PDFs and we use PDFCreator for merging documents. I just haven't found one that seems to be solid enough for the enterprise push. Any recommendations from people who have made the switch? I am getting tired of patching every 5 minutes.
    • Cost -- the full product is hundreds of dollars -- and brand recognition, which is important to PHB's.
  • This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window.

    I've used Reader forever, and I never even noticed that there was a preferences dialog. There's 26 sub-dialogs, each with one or two dozen options, and (checking a few at random) I see several that look worthy of more investigation. Anyone know of any recommendations of where I should start?

  • by NoYob (1630681) on Tuesday December 15, 2009 @12:16PM (#30445306)
    They're horrible. You have guys flipping and attacking you with their feet while standing on their hands. You have two other guys with one sitting on the other's shoulders while they punch down on you. You try to fight back and they just do backflips away or jump and balance on some pole way above your head.

    Yikes! I hate acrobat attacks!

  • BUT WAIT!!!! (Score:2, Interesting)

    No one uses Adobe Reader for anything other than business PDF's.

    Seriously, The launch time for a PDF off the web is too large for me to bother. First it's gotta download that 7 Meg file, then Adobe's gotta kick start, and then it doesn't let me highlight anything to keep me from copying and pasting.

    Seriously - I have only ever seen PDF's used at work and at school, and anywhere else they exist usually aren't worth the bother.

    So who are the people taking advantage of these vulnerabilities?

    • Re:BUT WAIT!!!! (Score:4, Interesting)

      by betterunixthanunix (980855) on Tuesday December 15, 2009 @12:31PM (#30445570)
      Acrobat and Reader are bloated. Try something a little lighter like XPDF or Okular.
      • by Sir_Lewk (967686)

        I second Okular, it does this wicked thing where while dragging a document to scroll, the mouse cursor wraps from the top of the screen to the bottom (or vice-versa). It seems odd when you hear about it, but once you use it you'll swear by it.

    • by Krneki (1192201)
      Your problem is not PDF, but your PDF reader.

      Change it, you will see how fast it can be with a proper application.

      Oh, and it's not only the reader, everything from Adobe is as slow as humanly possible.
    • Re: (Score:3, Interesting)

      by jasonwc (939262)

      Half of my readings in Law School are scanned documents/books in PDF format. Many of the documents are 25-40 MB in size and several hundred pages. I find that PDFs actually load very quickly - much faster than a similarly sized Word or Open Office document, and easier to read. Of course, you can use any PDF reader and not just Adobe Reader/Acrobat.

      On my Core 2 Duo and Core i7 systems, I can open PDFs pretty much instantaneously (less than 0.5 seconds). The only delay is the download. Thankfully, this is one

    • How else do you get portable documentation if you don't use PDF? There's no other format that can do what it can do, period.
    • Scientific papers are distributed as PDFs, which is a fairly substantial (and important) market. Of course, there's little reason to use Adobe Reader itself, as there are plenty of alternatives.

  • by 140Mandak262Jamuna (970587) on Tuesday December 15, 2009 @12:21PM (#30445386) Journal
    It is high time people stop using any pdf reader that uses javascript or opens external links or does anything other than simply render the document on screen. Editable pdf, where one can fill in the fields etc must be a separate application, not plugged into the browser. I feel safe with NoScript controlling FireFox. Hope someone comes up with a good general purpose sandboxer that will sandbox every plug-in.
    • As others have mentioned, many businesses use the JavaScript features for field validation, action buttons, loading content from a remote DB, etc.
  • by oDDmON oUT (231200) on Tuesday December 15, 2009 @12:27PM (#30445472)

    Seems like deja vu, since this issue has cropped up before [sans.org], what with everything from Adobe wanting to install (at least on Mac and Windows) with system level privileges and enable javascript by default. [Tell me again, how is javascript a desirable feature for this file type?]

    Which makes it a good idea to use alternatives like Preview, and Skim [sourceforge.net] (for OS X), as well as Foxit Reader [foxitsoftware.com] for Windows.

    It's not like there's a paucity of options to get away from Adobe's bloatware, no matter what OS you're running.

  • by Gothmolly (148874) on Tuesday December 15, 2009 @12:29PM (#30445520)

    Separate your programs from your data, and your documents from your interactive media.

  • seen it, I think (Score:3, Informative)

    by 1u3hr (530656) on Tuesday December 15, 2009 @12:30PM (#30445560)
    I was browsing a soft porn site and suddenly Acrobat launched, then crashed. So it looks like someone really is trying to use this. Since I use Acrobat 4, I think I'm safe from this. (I need a full version of Acrobat for DTP, and version 4 does the job, and quite quickly. If I need to open a later version file I use FoxIt.)
    • Re:seen it, I think (Score:4, Informative)

      by StuartHankins (1020819) on Tuesday December 15, 2009 @01:34PM (#30446780)
      Sounds like you need NoScript and AdBlock.
      • AdBlock could block all PDFs – which he probably doesn’t want to do.

        NoScript would not block PDFs that were loaded in frames/iframes or by meta-refresh.

      • by 1u3hr (530656)
        I did turn off scripting for that site, of course. And I already block most ads (porn site ads can be rather icky, and possibly hostile). I couldn't see what was launching the PDF, may have been in an ad, or the site code itself. But as I said, it just launched and crashed, so no panic.
  • a DOCUMENT READER shouldn't be interpreting javascript.

    Seriously. Web pages are interactive. Documents are meant to be read and maybe filled out. The only reason we need PDF is for stuff that needs to look the same on every screen and print out the way it looks. We don't need Javascript in them.

    • As has been discussed countless times in this thread already, turn off JavaScript if you don't need it. The rest of us use it for business purposes.
  • Isn't it high time that Adobe got its act together with this thing? Javascript attacks, the whole non-redacted-data text redaction "feature" that recently bit the TSA - I mean REALLY.

    Come on Adobe, you can do better.
    • the whole non-redacted-data text redaction "feature"

      I'm not sure if text redaction is a feature, they just drew a bunch of black rectangles over the text and then someone pointed out that that doesn't actually make the text go away, it's just under the rectangle.

      Screw Acrobat, Adobe needs to fix Flash. Flash CS4 is the worst software I've ever used (I've been using Flash since Flash 5, now we're on Flash 10 and they still haven't fixed the major bugs).

    • The "redaction" was because someone used a text object to overlay the source. They could have avoided failure by using the built-in redaction feature, modifying the pages at the source and generating the PDF from that, or scanning the original (with redacted sections blacked out) as graphics.

      You can't blame the tool for its clueless users.
    • the whole non-redacted-data text redaction "feature"

      Well, it’s a highlighter pen, with variable colour, opacity, and thickness.

      For some reason the idiots at the TSA thought that an opaque black highlighter would be adequate to obliterate the text. Morons.

      (Before you say “well, duh, anybody would” – no. You wouldn’t trust this on printed documents, either. You’d photocopy them, ensuring that the photocopier’s sensor couldn’t distinguish between the text and the marker it was covered with. The original document c

  • After being bitten by a PDF vulnerability before (I run as a normal user account so it didn't completely own my box and was fairly easy to clean up) I disabled the PDF plugin in Firefox. Now if I try to view a PDF I get an open/download request for the file rather than just opening automatically.

    This way a site can't open any PDF files without me knowing.

    It seems Adobe PDF reader is fast becoming the new IE in terms of web security.

    • This has nothing to do with "web security" -- IE's problems are because it allows access for remote sites to local resources. It also has a lot of holes.

      MIME types -- the things that enable launching Acrobat when a PDF file is encountered -- are used to determine how to display images, sounds etc. Surely you're not advocating disabling all MIME types, or confirming each one? You could have a plain text page with no images, sounds, etc and you'd never be surprised by things launching or displaying without
      • Re: (Score:3, Informative)

        by clone53421 (1310749)

        No, he’s advocating disabling MIME types of particularly egregious known repeat offenders.

        Opening PDFs in the browser is just an extra convenience anyway. When I click a link to a PDF, it automatically downloads to the desktop and I can open it from there, if I actually wanted to download and open the PDF. I don’t need it to load inside my browser (and if I didn’t expect it, I probably won’t appreciate having to wait for the plugin to load).
