Adobe Warns of Flash, PDF Zero-Day Attacks
InfosecWarrior writes "Adobe issued an alert late Friday night to warn about zero-day attacks against an unpatched vulnerability in its Reader and Flash Player software products. The vulnerability, described as critical, affects Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems. It also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh, and Unix operating systems."
Re:Good thing ... (Score:4, Insightful)
It is a good thing when non-technical customers start saying they are sick of the trauma of using a dominant proprietary product. Whether or not that results in a willingness to embrace an alternative is a different matter, but it is a start.
Zero-day? (Score:1, Insightful)
Am I the only one sick of the "zero day" buzzword?
It's a vulnerability/security hole. Stop creating new 1337 buzzwords, please. It got old years ago and if I hear "zero day" one more time I'm going to go nuts and take a sniper rifle up to the top of a bell tower and start picking off wannabe technology journalists. (no, FBI and ATF I won't be doing that but I can dream of it!)
Re:Look at the credits for Adobe Reader. (Score:5, Insightful)
Problems like this are common because Reader and Flash are ubiquitous: Flash because it has no viable alternatives and Reader because most users don't realise that there are far superior PDF viewers out there (I've even seen people install Reader on Macs, where a far superior PDF viewer comes by default)...
This is why a universal platform is important (Score:1, Insightful)
Imagine how hard it is to write malware. Having Flash and PDF available on all platforms reduces the amount of time necessary to infect people. Good work Adobe.
Current software is fundamentally broken (Score:5, Insightful)
The closest platforms to getting it right are Apple and Linux distros. I say that because they provide a central software base and can push out updates all coming from one place. If you use something like Windows, you have to get updates from Microsoft, your hardware manufacturers and then your 3rd party software. AFAIK, Windows still does not come with a PDF viewer, and I think it's time for 3rd party plugins to completely disappear from web browsers. I've held the plugin belief for over 10 years.
Even if I say that Apple and Linux are better, they too are broken. And then there are 3rd party apps that continually want you to upgrade them before you run them. It's obnoxious. I can't think of any consumer or professional piece of equipment that needs such care and feeding. If my car has issues (yeah, car analogy), then there is a recall. It's a big deal. I would never drive a car that says, "Before you start your car, there is an important safety update, do you want to install that update or blow it off?"
I guess I'm saying that now that internet access is available via cell technology and wifi and wired devices, and I don't know of anybody that uses a computer not connected to one of these things, that bandwidth needs to increase and "cloud" or computing as a service needs to become a reality. Sure, nobody trusts these big bad internet companies with their data, besides the exceptions like online tax services, online banking, Facebook and their ilk, ISPs with their logs and their email, ecommerce, and other random services. But maybe, just maybe, in the near future there can be a stable computing platform.
Official Workaround (Score:5, Insightful)
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.
An initially rather secure document format (PDF) has become insecure because Adobe has added a plethora of mostly useless functions like Flash, JavaScript etc. to it.
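The workaround quoted above (rename or remove authplay.dll, accepting a non-exploitable crash on PDFs with SWF content) is easy to state and tedious to apply across a fleet. The following PowerShell script is an added example, not Adobe's code: it inventories authplay.dll under assumed Adobe install roots and, only when asked, renames each copy. The search roots, the `.disabled` suffix and the `-Disable` switch are all assumptions of this example.

```powershell
# Added example (not from Adobe or the original page): audit and optionally
# disable authplay.dll per Adobe's stated workaround. Default is report only.
# Assumptions: Reader/Acrobat live under the Adobe folder in Program Files;
# run elevated, with Reader/Acrobat closed, so the rename is not blocked.
param(
    [string[]]$SearchRoots = @("$env:ProgramFiles\Adobe", "${env:ProgramFiles(x86)}\Adobe"),
    [switch]$Disable,            # actually rename; omit to get a dry run
    [string]$Suffix = '.disabled' # assumed suffix; makes the change reversible
)

function Find-AuthPlay {
    # Walk each root and emit one record per authplay.dll found.
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Filter 'authplay.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Path      = $_.FullName
                    Version   = $_.VersionInfo.FileVersion
                    LastWrite = $_.LastWriteTime
                }
            }
    }
}

function Disable-AuthPlay {
    # Rename the DLL in place; Reader then fails to render SWF content in PDFs
    # (the "non-exploitable crash or error message" Adobe describes).
    param([string]$Path, [string]$Suffix, [switch]$Commit)
    $newName = (Split-Path -Leaf $Path) + $Suffix
    if (-not $Commit) { Write-Output "Would rename: $Path -> $newName"; return }
    Rename-Item -LiteralPath $Path -NewName $newName -ErrorAction Stop
    Write-Output "Renamed: $Path -> $newName"
}

$found = @(Find-AuthPlay -Roots $SearchRoots)
if ($found.Count -eq 0) {
    Write-Output "No authplay.dll found under: $($SearchRoots -join ', ')"
    return
}
$found | Format-Table Path, Version, LastWrite -AutoSize
foreach ($f in $found) { Disable-AuthPlay -Path $f.Path -Suffix $Suffix -Commit:$Disable }
```

Run it without `-Disable` first to collect an inventory; to undo the change later, rename each `authplay.dll.disabled` back, or reinstall once a patched Reader ships.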
Re:Zero-day? (Score:3, Insightful)
Am I the only one sick of the "zero day" buzzword?
No, but I'm only annoyed when people misuse it. Zero-day [wikipedia.org] has a specific meaning that is an important distinction when talking about vulnerabilities and exploits. When I hear "Zero-day", my immediate response is: "Oh ^&@#$, who put in strange trouble tickets the last few days?" and "Yay, Overtime for out of cycle Microsoft/Adobe patching."
Re:Look at the credits for Adobe Reader. (Score:5, Insightful)
No, problems like this are common because companies keep cramming more and more unnecessary crap into their software. From the article:
Why do you need "SWF content" in a PDF file? And then there was the story from a couple months ago about the ability to embed executable commands in a PDF file, and it isn't a flaw - it's a feature built into the PDF spec. Sloppy programming combined with more and more crap that doesn't belong guarantees that these problems will keep showing up.
Re:Good thing ... (Score:2, Insightful)
Re:64 bit Linux (Score:3, Insightful)
Does that really surprise you?
PDF files should not "execute" (Score:5, Insightful)
Re:Official Workaround (Score:5, Insightful)
It seems unfortunate that to have secure code you need to use a pre-release version. There is a need for a secure, but not feature-rich document format - I don't need dancing bears.
Only reading documents from "trusted" sources doesn't work - those sources may have been compromised.
Re:Look at the credits for Adobe Reader. (Score:3, Insightful)
One of the first things that I do on my customers' servers (after asking permission, of course) is uninstall Acrobat. They're generally thankful that we're concerned about the security of their systems, and frequently unaware that Acrobat was even on the thing to start with.
Show us the code Adobe (Score:3, Insightful)
Show us the code Adobe. We of the nerd community would have had that problem fixed for you long ago.
Re:64-bit Linux (Score:1, Insightful)
We heard you the first time. Maybe you should *listen* when you read: It's not fixed yet. The 10.1 RC has not been released yet (that's the whole "release candidate" part of it). There is no patch for 10.0.x.x or 9.0.x.x yet so <insert platform & architecture here> is still vulnerable. Mmm-kay?
Flaw in the spec (Score:3, Insightful)
I don't doubt there's sloppy programming involved, but this sounds like a flaw in the spec... who the hell reviews the PDF spec and how much does Adobe pay them to approve of things like allowing code execution when it's supposed to be a secure document spec that is a mandated standard in critical venues like government and legal filings.
Re:Good thing ... (Score:5, Insightful)
Why would you think you are tied to iTunes with an iPhone? You do realize that the music in the iTunes music store is simple AAC (un-encrypted at that). The iPhone/iPod Touch/iPad hardware will play standard MP3 and AAC without issue, which pretty much covers just about any music store out there. There are also a ton of open source alternatives to iTunes. iTunes exposes a standard XML which can be used to maintain the library with any third party software.
Try harder....
"Not if you use an iPod or iPhone."
Re:PDF files should not "execute" (Score:4, Insightful)
Anything fancier than a fill-in-the-blank form has no place in a document format.
That's a slippery slope you're walking there. The second that you open the document up to interaction and editing, you open the platform up to issues like editing capabilities, content type, content validation, and each of those opens up their own can-of-worms.
In my opinion, PDF should do exactly what most people use it for: it should render content in a consistent, platform-independent, and read-only manner. If you need to provide a form to fill out, there are many technologies to solve that problem, but across all of them, Web/HTML stands out as the most appropriate. Web/HTML has numerous different approaches for allowing a user to fill out a form, each richer and more flexible than Adobe's PDF will (er, should) ever be. If you want the fields that are filled out to appear in a read-only document, have the web service generate a PDF document containing your answers when you complete the HTML form.
A perfect example of this is how Google's Spreadsheets [google.com] can present a form view, which is capable of reproducing a significant amount of the capabilities that Adobe's executable content is used for with a concise user interface, and producing a PDF at the end of it.
Re:Current software is fundamentally broken (Score:2, Insightful)
Re:Good thing ... (Score:4, Insightful)
Oh, I see, everyone just took off their Apple hater hats and put on their Flash hater hats.
Re:Film at eleven (Score:2, Insightful)
So true (Score:5, Insightful)
I cannot imagine who on earth would want Flash content in PDFs. I imagine it is still some brainless marketing fuck at Adobe who thinks PDFs will trump PowerPoint for presentation and so they have to cram in just as much useless shit as can be crammed into a pptx/pps file.
What truly fucking bothers me is that the "fix" they offer is not a fix at all. Installing a release candidate Flash player across a company will not be easy in many cases and who the fuck is going to go searching for craptasticadobeshit.dll on all their machines. Sadly, this is such a problem that you have no choice, unless you want to block all Flash content and in many industries, such as media or design, that's simply impossible.
Adobe is so fucking lost it's not funny. Their Flash player is a buggy, insecure piece of shit. Their Acrobat PDF Reader is even worse: slow to start up, full of utterly useless shit that easily 99% of people who need to view a PDF don't need, and regularly an opportunity for malware authors to get at your machine. On top of this, Adobe is so choking on their shit that they coded almost all the dialogs in the new CS5 suite in fucking Flash, leaving previously satisfied customers seething with anger because dialogs that were already pretty nonstandard in the last two versions of the CS ballsup are now, more often than not, simply not working anymore.
For the love of God, please someone, anyone, make a decent alternative to the CS suite so we don't have to put up with Adobe's increasingly bizarre attempt to remain relevant by shovelling ever more shit into what were previously perfectly good apps!
Re:Good thing ... (Score:2, Insightful)
Hey! (Score:3, Insightful)
Thanks Adobe, you help keep the Internet a fun and exciting place for everyone!
Re:Good thing ... (Score:3, Insightful)
I like the webcam broadcast interactivity of Flash.
Then you have the flash cookies and ongoing security issues.
So people enter the debate from different areas and perspectives.