Adobe Warns of Reader, Acrobat Attack
itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."
Anyone still has JavaScript enabled? (Score:5, Funny)
I thought after so many vulnerabilities everyone had turned that off in Reader...
Re:Anyone still has JavaScript enabled? (Score:5, Interesting)
I agree. These security vulnerabilities appear to be a weekly occurrence. Anyone that hasn't disabled Javascript in Reader/Acrobat at this point either doesn't care about the numerous vulnerabilities or doesn't understand the risks involved.
The bigger question is why Adobe doesn't just disable Javascript by default. I have never used a PDF that required Javascript and I've dealt with a number of user-fillable forms. So, what exactly is Javascript being used for? I know that it has some use. However, it seems that the security risk is far greater than any potential benefit of the "feature".
Re: (Score:2)
So, what exactly is Javascript being used for? I know that it has some use. However, it seems that the security risk is far greater than any potential benefit of the "feature".
DRM, I've heard. Another reason for having it would likely be that Adobe needs to be ahead of the competition, for example by supporting multimedia content. There are, after all, a lot of very good pdf readers/writers (and editors?) out there.
Re:Anyone still has JavaScript enabled? (Score:4, Interesting)
JavaScript in PDFs has always been trouble. I use forms that auto complete, add columns, etc. A compromise might be a default of prompt before running scripts with a recommend/default of "no". I'd always click "no" unless I trusted the source. Since that would marginalize the product it will probably never happen. I wish I had never upgraded from 4.
Re: (Score:3, Interesting)
It's easy enough to disable, but every time a doc gets loaded with embedded JS, the reader will prompt to enable it with a message saying something like "the document may not display correctly" without it enabled. Clicking the "yes" will then re-enable it. The problem with this approach is that we get so many warnings that people may automatically start enabling JS accidentally.
Re: (Score:2)
Based on the numerous JS vulnerabilities, the default should be "No". A message should warn about the security vulnerabilities of running the document and tell the user only to enable JS (temporarily) if they trust the source of the document. However, it should also mention that if JS is disabled, it may not display correctly.
The fact is that Adobe simply doesn't care about the vulnerabilities. They have responded slowly or not at all to the issue.
Re: (Score:2)
...or has been repeatedly told by their bosses that it's a "never going to happen" risk and that "antivirus and perimeter security will stop all malware".
Yeah, I don't work there any more, but there are plenty of people who are all too aware of the twatworthy shitness of acrobat that have absolutely no means of a) switching to an alternative (I love SumatraPDF for windows) or b) turning off the more idiotic default settings "in case it breaks something". Ah, status quo is god... how can you be a "pro-active
Re: (Score:2)
I've used it for setting up sharing of notes via WebDAV in PDF's.
Works really well, actually.
Although I don't know how much that matters if they can't secure their PDF format.
Re: (Score:2)
The bigger question is why Adobe doesn't just disable Javascript by default.
Because the intent is to push you towards using their software for as many things as they can get you to. The more things you use it for, the more reliant you are on it, the more likely you are to buy more copies.
I don't think it's all that nefarious in intent. They want their software to be useful and cutting-edge. If their intent was only to create a fast PDF reader/writer, then they'd be done sometime around Acrobat 4. Every version since would be bug-fixes, performance improvements, and updates in
Re:Anyone still has JavaScript enabled? (Score:5, Insightful)
Somewhat ironic, isn't it? If you want to use Adobe's security features (digital signing/encryption) and 3rd party software to achieve SOX compliance - you must accept security vulnerabilities from Acrobat/Reader itself.
Re: (Score:2, Insightful)
And then someone who is paying you money sends you a pdf and expects you to make comments using Adobe's proprietary comment system.
Re: (Score:2)
With PDF being an open standard, and there being tons of free lightweight readers out there, there is really no excuse to use the Acrobat Reader.
Re: (Score:3, Insightful)
What bothers me about this is that once it's disabled it just prompts you to enable it once it senses a JS PDF. The end user, if he or she has rights (and they do at home), just clicks another OK box instead of being forced to go into preferences and turn it back on. Once that's clicked it runs the JS and the exploit. It's ridiculous it's even on by default, let alone this UI stupidity.
The next version of Acrobat should just have it off by default. Force people to turn it on. Chances are 99.9% of users have n
Re: (Score:3, Interesting)
I have javascript disabled at each user login on our network (through the logon script), just in case someone has re-enabled it when their system was last logged on. I haven't found a way to totally lock it out yet.
The huge problem is that Adobe offers to enable JavaScript for users when they open a PDF with JavaScript in it. It displays a message along the lines of "you're not seeing everything here unless you enable javascript...click here to enable it" with a big friendly "YES" button. Kind of defeats
Re: (Score:2)
Nothing new.
Well, maybe some Adobe fan will tell you that some obscure functionality is missing from Foxit Reader.
Re: (Score:2)
Well, maybe some Adobe fan will tell you that some obscure functionality is missing from Foxit Reader.
Certainly there is missing functionality. This article points out one such instance of missing functionality.
Re: (Score:2)
On Windows? Foxit Reader or PDF Xchange viewer ( http://www.docu-track.com/ [docu-track.com] ). Unlike Acrobat Reader, both have tabbed interfaces, can remember which docs were open and reopen them automatically.
I think PDF Xchange also will track where you were in each opened document and will take you right back to the page you were reading when reopened.
Re: (Score:2)
I would love a good alternative personally. All my users do is read the PDFs and we use PDFCreator for merging documents.
Free and you don't even need to install them. Just unpack in a directory:
Foxit Reader Portable [portableapps.com]
Sumatra PDF Portable [portableapps.com]
For merge/split: PDFTK Builder Portable [portableapps.com]
Preferences? (Score:2)
This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window.
I've used Reader forever, and I never even noticed that there was a preferences dialog. There's 26 sub-dialogs, each with one or two dozen options, and (checking a few at random) I see several that look worthy of more investigation. Anyone know of any recommendations of where I should start?
Re: (Score:3, Insightful)
or Here [foxitsoftware.com]
Both are good places to start. You can end at the other.
Although, Foxit has added the Ass - err, Ask toolbar, which sucks. Fortunately you can not agree to the toolbar's terms, and it won't install (but Foxit will still install)
Re:Preferences? (Score:4, Informative)
You could try the Edit -> Preferences -> JavaScript window. Here, I’ll make a little instruction sheet for you.
http://img38.imagefra.me/img/img38/1/12/15/clone53421/f_viwjj0m_1729695.jpg [imagefra.me]
Re: (Score:2, Funny)
Oh, thanks. That's nice and all but my company blocks all JPG images. Could I get that in a PDF?
CERT guidance for securing Adobe Reader (Score:2)
CERT has some suggestions for securing Adobe Reader here:
http://www.kb.cert.org/vuls/id/257117 [cert.org]
Note that the above vulnerability note is not this particular vulnerability, but the same mitigations apply time and time again. The mitigations include:
- Enable DEP
- Disable JavaScript
- Disable automatic opening of PDF files by Internet Explorer
- Disable the displaying of PDF files in your web browser
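The logon-script approach mentioned earlier in the thread and the CERT mitigation list above, as an added PowerShell example that is not from the thread, CERT or Adobe. The registry value names and paths (JSPrefs\bEnableJS, Originals\bBrowserIntegration) are assumptions taken from Adobe's documented 8.x/9.x per-user preferences and should be checked against the installed build.

```powershell
# Added example (not from the thread, CERT or Adobe): a logon-script pass that
# applies the per-user Reader mitigations above and logs what it changed.
# Assumption: value names come from Adobe's documented 8.x/9.x preferences
# (JSPrefs\bEnableJS, Originals\bBrowserIntegration); confirm them on your build.

$readerRoot = 'HKCU:\Software\Adobe\Acrobat Reader'
$changes = @()

# Set a DWORD only when it differs, and return a one-line record of the change.
function Set-DwordIfDifferent {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -ne $Value) {
        New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
        return "$Path\$Name : '$current' -> $Value"
    }
    return $null
}

if (Test-Path $readerRoot) {
    # One subkey per installed major version ("8.0", "9.0", ...).
    $versions = Get-ChildItem $readerRoot | Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
    foreach ($ver in $versions) {
        $base = "$readerRoot\$($ver.PSChildName)"
        # Disable JavaScript: the same switch as Edit -> Preferences -> JavaScript,
        # re-applied at every logon in case the "enable it?" prompt turned it back on.
        $changes += Set-DwordIfDifferent -Path "$base\JSPrefs"   -Name 'bEnableJS'           -Value 0
        # Disable in-browser display so PDFs download instead of opening in the plugin.
        $changes += Set-DwordIfDifferent -Path "$base\Originals" -Name 'bBrowserIntegration' -Value 0
    }
} else {
    Write-Output "No Adobe Reader preferences under $readerRoot; nothing to change."
}

# DEP is a machine-wide boot setting: report the policy, fix only when elevated.
$nxLine = bcdedit /enum '{current}' 2>$null | Select-String -Pattern '^\s*nx\s+(\S+)'
if ($nxLine) {
    $policy = $nxLine.Matches[0].Groups[1].Value
    if ($policy -ne 'OptOut' -and $policy -ne 'AlwaysOn') {
        $changes += "DEP policy is $policy; run elevated: bcdedit /set nx OptOut"
    }
} else {
    $changes += 'DEP policy not readable (bcdedit needs elevation); check manually.'
}

# Emit one timestamped line per change so a helpdesk can spot re-enabled JavaScript.
$changes = @($changes | Where-Object { $_ })
if ($changes.Count -eq 0) { Write-Output 'Reader already hardened for this user.' }
else { $changes | ForEach-Object { Write-Output "[$(Get-Date -Format s)] $_" } }
```

Run it from the user logon script so the JavaScript switch is reset each session; the DEP check only reports, since changing boot configuration needs an elevated prompt.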
Acrobat attack. (Score:5, Funny)
Yikes! I hate acrobat attacks!
BUT WAIT!!!! (Score:2, Interesting)
No one uses Adobe Reader for anything other than business PDF's.
Seriously, the launch time for a PDF off the web is too large for me to bother. First it's gotta download that 7 Meg file, then Adobe's gotta kick start, and then it doesn't let me highlight anything to keep me from copying and pasting.
Seriously - I have only ever seen PDF's used at work and at school, and anywhere else they exist usually aren't worth the bother.
So who are the people taking advantage of these vulnerabilities?
Re: (Score:2)
I second Okular, it does this wicked thing where while dragging a document to scroll, the mouse cursor wraps from the top of the screen to the bottom (or vice-versa). It seems odd when you hear about it, but once you use it you'll swear by it.
Re: (Score:2)
Change it, you will see how fast it can be with a proper application.
Oh, and it's not only the reader, everything from Adobe is as slow as humanly possible.
Re: (Score:2)
Hell, probably the reader doesn't even stop once you close your PDF but is still running in the background.
I'd rather have a virus than an Adobe application.
Re: (Score:3, Interesting)
Half of my readings in Law School are scanned documents/books in PDF format. Many of the documents are 25-40 MB in size and several hundred pages. I find that PDFs actually load very quickly - much faster than a similarly sized Word or Open Office document, and easier to read. Of course, you can use any PDF reader and not just Adobe Reader/Acrobat.
On my Core 2 Duo and Core i7 systems, I can open PDFs pretty much instantaneously (less than 0.5 seconds). The only delay is the download. Thankfully, this is one
Re: (Score:2)
Scientific papers are distributed as PDFs, which is a fairly substantial (and important) market. Of course, there's little reason to use Adobe Reader itself, as there are plenty of alternatives.
Re:Why javascript in a pdf reader? (Score:4, Interesting)
You had a niche application, WYSISWYPrint. Try to compete with the swift, quick to load, quick to render competition or you will be lost in the netherworld between browsers and pdf renderers.
If anything, the PDF standard is increasing usage worldwide. PDF is a very well documented standard -- I speak as someone who wrote a program to create PDF files with images and form fields from scratch using VB 6 with no plugins -- so go ahead and create your own reader, market it and make it the #1. Nothing's stopping you.
Limit permissions and seek alternatives? (Score:3, Informative)
Seems like deja vu, since this issue has cropped up before [sans.org], what with everything from Adobe wanting to install (at least on Mac and Windows) with system level privileges and enable javascript by default. [Tell me again, how is javascript a desirable feature for this file type?]
Which makes it a good idea to use alternatives like Preview, and Skim [sourceforge.net] (for OS X), as well as Foxit Reader [foxitsoftware.com] for Windows.
It's not like there's a paucity of options to get away from Adobe's bloatware, no matter what OS you're running.
Re:Limit permissions and seek alternatives? (Score:4, Informative)
Replying to my own last line as an informational thing:
http://en.wikipedia.org/wiki/List_of_PDF_software [wikipedia.org]
Don't cross streams (Score:3, Insightful)
Separate your programs from your data, and your documents from your interactive media.
Re: (Score:2)
Don't cross streams
Yeah, that tends to upset the guy at the next urinal.
Re: (Score:2)
AdBlock could block all PDFs – which he probably doesn’t want to do.
NoScript would not block PDFs that were loaded in frames/iframes or by meta-refresh.
And this is why... (Score:2)
a DOCUMENT READER shouldn't be interpreting javascript.
Seriously. Web pages are interactive. Documents are meant to be read and maybe filled out. The only reason we need PDF is for stuff that needs to look the same on every screen and print out the way it looks. We don't need Javascript in them.
Adobe Acrobat (Score:2)
Come on Adobe, you can do better.
Re: (Score:2)
the whole non-redacted-data text redaction "feature"
I'm not sure if text redaction is a feature, they just drew a bunch of black rectangles over the text and them someone pointed out that that doesn't actually make the text go away, it's just under the rectangle.
Screw Acrobat, Adobe needs to fix Flash. Flash CS4 is the worst software I've ever used (I've been using Flash since Flash 5, now we're on Flash 10 and they still haven't fixed the major bugs).
Re: (Score:2)
You can't blame the tool for its clueless users.
Re: (Score:2)
the whole non-redacted-data text redaction "feature"
Well, it’s a highlighter pen, with variable colour, opacity, and thickness.
For some reason the idiots at the TSA thought that an opaque black highlighter would be adequate to obliterate the text. Morons.
(Before you say “well, duh, anybody would” – no. You wouldn’t trust this on printed documents, either. You’d photocopy them, ensuring that the photocopier’s sensor couldn’t distinguish between the text and the marker it was covered with. The original document c
Why need to view PDFs inline in the browser anyway (Score:2)
After being bitten by a PDF vulnerability before (I run as a normal user account so it didn't completely own my box and was fairly easy to clean up) I disabled the PDF plugin in Firefox. Now if I try to view a PDF I get an open/download request for the file rather than just opening automatically.
This way a site can't open any PDF files without me knowing.
It seems Adobe PDF reader is fast becoming the new IE in terms of web security.
Re: (Score:2)
MIME types -- the things that enable launching Acrobat when a PDF file is encountered -- are used to determine how to display images, sounds etc. Surely you're not advocating disabling all MIME types, or confirming each one? You could have a plain text page with no images, sounds, etc and you'd never be surprised by things launching or displaying without
Re: (Score:3, Informative)
No, he’s advocating disabling MIME types of particularly egregious known repeat offenders.
Opening PDFs in the browser is just an extra convenience anyway. When I click a link to a PDF, it automatically downloads to the desktop and I can open it from there, if I actually wanted to download and open the PDF. I don’t need it to load inside my browser (and if I didn’t expect it, I probably won’t appreciate having to wait for the plugin to load).
Re: (Score:2)
Interactive forms. Forms that change options and check parameters when entered, etc etc.
Re: (Score:2)
using existing tools can also reduce bugs - if a tool has been around long enough.
Are you sure this isn't an in-house fudge-up of Javascript?
Re: (Score:2)
On the other hand, why write your own handler for interactive forms input when the OS can provide that service to you (presumably with much greater security, much less coding errors, desktop theme consistency, and other benefits)?
Re:Really... (Score:4, Interesting)
No, PDF format is a crippled postscript. It was intentionally crippled so it will NOT be a language, because distributing documents written in a programming language was not secure. Then they realized they crippled it too much, and added javascript to it. It is an improvement, since the scripts are localized in the document, easier to identify, they can be disabled if you want to, etc.
I think in general having scripting language embedded into an interactive document format is a good idea, however, it seems that Adobe's implementation is rather buggy and badly designed.
Re:Really... (Score:4, Insightful)
To send an email after filling out a form and clicking submit in a PDF.
Honestly - it's not really like the Adobe reader has the vulnerability, it's just JavaScript in general. I mean it's not great that the reader will execute the code just by opening the file - but now that you know it does that, is it really the reader's fault? Isn't the user executing the code as if he were clicking a button now?
Re: (Score:2)
It's not really like the Adobe reader has the vulnerability, it's just JavaScript in general.
Citation?
According to TFS, this is specific to Adobe Reader, and it’s an actual bug, not just “executing the code”.
Re: (Score:2)
to do useless fancy web2.0 crap. it really is not needed. We disabled it automatically across the company.
Re: (Score:2)
to do useless fancy web2.0 crap.
Yeah, like form validation. Who needs useless fancy web 2.0 crap like form validation? I say we should all trust the user's input. Users never make mistakes.
Re: (Score:2)
Oh, whatever did they do back when paper was actually used for forms? All those silly users, able to write whatever they wanted with no input validation whatsoever!
Re: (Score:2)
It's more useful than you might think. I've personally used it for two purposes:
Re: (Score:2)
For roleplaying game character sheets, there are a ton of fields that are dependent on other fields. Javascript lets you enter your dexterity score, for example, and your dexterity mod, defenses, and dex-based skills are all updated accordingly.
That sounds like a nice sheet. Could you post a link to it?
Re:Really... (Score:4, Insightful)
Not that I don't trust myself, but this is really not the time to solicit javascript-enabled pdfs from strangers.
Re: (Score:2)
Any other time and it would be off-topic
Re: (Score:2)
+1 Ironically Funny
All the spiffy things you can do with scripting-enabled PDF really should qualify it as an "attractive nuisance". Every good trap has irresistible bait, after all.
Re: (Score:2)
For roleplaying game character sheets, there are a ton of fields that are dependent on other fields. Javascript lets you enter your dexterity score, for example, and your dexterity mod, defenses, and dex-based skills are all updated accordingly.
I’m just echoing what the other guy said, really, but I created a helluva Excel spreadsheet that did that for Runescape. Why on earth would you use a PDF?
Heck... I could probably even make it import the player data from the hiscores website, but I didn’t ever bother trying.
Re: (Score:2)
Why on earth would you use a PDF?
Because it's much easier to identify the fields while you're editing, and it's much prettier than a spreadsheet when you print it out.
Re: (Score:2)
Because it's much easier to identify the fields while you're editing
Having no experience with a PDF, you’re going to have to describe that for me. Referencing cells is pretty easy in Excel, and you can lock all the non-user-editable cells so that they can only move the cursor into the ones they can edit.
much prettier than a spreadsheet when you print it out
Prettier... how?
Re: (Score:2)
Imagine a sheet that looks like the one from the back of the book, but you can type in it and all the numbers fill in automatically. It's not that I think spreadsheets are unnavigable, it's just that using a pdf is a much more pleasant experience to the eye. When I look at something for hours on end, I want it to look nice. I also like to be able to give it to a player and they are familiar with the layout.
Re:Really... (Score:4, Interesting)
> A spreadsheet app is also substantially larger than a PDF reader.
This *is* Adobe we're talking about here. For grins, I just installed Adobe Reader 9.2 and Gnumeric 1.9.16 on a XP VM, and for the informal survey of the "Program Files" directory, Adobe (203MB) weighs in at almost twice that of Gnumeric (106MB).
I vote for using the best app for the job. In the case of this thread, I wholeheartedly think the spreadsheet is that tool.
Re: (Score:2)
Adobe Acrobat 5.x was still kind of bloated. Even on machines nowadays it'll still take a few seconds to boot up - with that annoying little splash screen of some guy prancing about with a few office complexes in the background.
I've never used just the 5.x reader before, where would you even GET that...
Re: (Score:2)
A few seconds? On a modern machine I can load a 100 page scanned PDF in Adobe Acrobat in under 0.5 seconds (perceptibly instant with Aero) with Acrobat 9.0.2 on a Core 2 Duo/Core i7. Are you using a slow machine?
Re: (Score:2)
On a Core 2 Duo, 1 Gig RAM on an XP, 20 page PDF takes on average 4 to 5 seconds to load. This is just the full install of Adobe Acrobat 5.0
Re: (Score:2)
This may be a difference between Windows 7 and Windows XP. Superfetch in Windows 7 loads the binary into RAM after first run - or if it's a commonly used program - automatically. Therefore, I'm almost always running the program from RAM.
However, even on the initial start, it doesn't take more than 1-2 seconds. I haven't used Acrobat 5.0 in such a long time. Perhaps Reader loads faster.
Foxit Reader loads very quickly as well.
Re: (Score:2)
And, Adobe, get rid of that stupid FNPLicensingService.exe spyware that tries to run constantly in the background. I detest the idea of not being trusted when I *PAID* for the damn software!
Re:Look at the Acrobat Reader credits. (Score:4, Insightful)
If you've ever worked with such off-shore developers, you'll immediately understand why Reader is such a shitty piece of software.
Yes because it's ok to buy something and not to bother making sure you're getting your money's worth.
Responsibility lies with management for not implementing some sort of quality control - ESPECIALLY when dealing with offshore outfits. It's called due diligence. But since a lot of managers only care about their paycheck and not the brand's reputation, etc., well, this crap happens. If the board are too busy figuring out how much to pay themselves on top of that, well, that's the corporate world in a nutshell.
Re: (Score:2)
Hold on, now, at some point, Adobe WAS a good product, until everybody found out (did the hackers know way before??) that some javascript was not safe. Hell, 3/4 of sites using js in their pages are unsafe, but don't do anything about it.
The reason why they need any js in there is beyond me, as I have never used any pdfs with js embedded....
but I am sure there is a reason, they should just take it out completely out of all their versions, and add an add-on utility that adds it back in, that way only the trul
Re: (Score:2)
The manager should stop the shoddy product from coming out but he won't because he was never good at his job. The difference is when they had to hire locals at a decent wage they're more likely to be qualifi
Re: (Score:2)
I would love to see Symantec, etc list this as malware
I would love to see Symantec listed as malware ... have you seen how difficult it is to actually uninstall that thing (completely), and what a piece of spamming shit it turns into once your free trial is over ?
Re: (Score:2)
Anyone know what to do with the plugins? I haven't used the stand alone reader in a while.
No. I haven’t used the in-browser plugin in a while.
Precisely because of this sort of exploit.
Any PDF file a website tells my browser to open will get saved to my desktop. If I expected to be downloading a PDF, I open it. If not, it gets deleted.
Re: (Score:2)
It’s necessary for many forms and security exploits.