Forgot your password?
typodupeerror
Security Microsoft Software News

Microsoft Helps Adobe Block PDF Zero-Day Exploit 93

Posted by Soulskill
from the damage-control dept.
CWmike writes "Microsoft has urged Windows users to block ongoing attacks against Adobe's popular PDF viewer by deploying one of Microsoft's enterprise tools. Adobe echoed Microsoft's advice, saying the Enhanced Migration Experience Toolkit (EMET) would stymie attacks targeting Reader and Acrobat. Called 'scary' and 'clever,' the in-the-wild exploit went public last week when security researcher Mila Parkour reported it to Adobe after analyzing a rogue PDF document attached to spam. Adobe first warned users Wednesday of the threat, but at the time gave users no advice on how to protect themselves until a patch was ready. Microsoft stepped in on Friday. 'The good news is that if you have EMET enabled ... it blocks this exploit,' said Fermin Serna and Andrew Roths, two engineers with the Microsoft Security Response Center in an entry on the group's blog." A Symantec blog post suggests the people exploiting this vulnerability may be the 'Aurora' group responsible for the attacks on Google late last year.
This discussion has been archived. No new comments can be posted.

Microsoft Helps Adobe Block PDF Zero-Day Exploit

Comments Filter:
  • by mcgrew (92797) * on Monday September 13, 2010 @02:38PM (#33564754) Homepage Journal

    I ununstalled Adobe Reader and installed Foxit. Problem solved!

    • "This."

      Seriously, Foxit is the way to go unless you have a reason. If you can't think of one, then yo don't have one :). There are things Foxit doesn't do or documents it has problems with but for normal users it is exceedingly unlikely you encounter it. The thing is much lighter weight and seems to have few security issues. Maybe it is just because nobody is looking, but regardless.

      I was so glad when I found it for rolling out in our instructional labs. I got sick of having to do an update for Acrobat ever

      • I installed Foxit, and every time I clicked a PDF link in FireFox, the disk would churn for 5 minutes and everything else running in the browser would come to a halt. It made Acrobat Reader fleet-footed by comparison.

    • Re: (Score:3, Insightful)

      by VGPowerlord (621254)

      As long as you don't assume it's a panacea... Foxit has had its own security exploits in the past.

    • Re: (Score:3, Informative)

      by revlayle (964221)
      Foxit insists on installing toolbars and special search engines these days... don't like it one bit.
      • Re: (Score:2, Informative)

        by Eudeyrn (1566735)
        Sumatra [kowalczyk.info] is my PDF reader of choice now. The program consists of a single executable, it's open source and GPL'ed. As long as you all you need to do is load and read PDFs (imagine that, a PDF reader that just reads PDFs), it gets the job done beautifully.
      • Not quite "insists" - more like "asks politely"

        I've always used Foxit and it gives me a very clear option to not install anything extra. If I ended up with a toolbar or anything else unwanted from it it would be my own damn fault.
      • by djh2400 (1362925)
        I said this in the original article on /. for this exploit, but I'll post it again. I use the portable version of Sumatra PDF [portableapps.com] on my Windows installation and have never had any problems while using it. I would certainly recommend it to people who do not like Foxit as a replacement for Acrobat.
      • by arndawg (1468629)
        yeah i'm finished with foxit. Google reader from now on.
    • by antdude (79039)

      So you stalled (froze) Adobe Reader? :P

    • Re: (Score:3, Informative)

      by hairyfeet (841228)

      Well let the old Hairyfeet add some helpful wisdom to those out here that have clueless relatives. Tell them to uninstall Adobe, then send them to Ninite [ninite.com] and tell them which boxes to check. Ninite has fully automated installers for all the popular apps, including FF and Chrome, Songbird and Winamp, and of course Foxit and Sumatra PDF reader. Oh and ZERO toolbars from those companies that give you crap like Oracle Java.

      So trust your old pal Hairyfeet. You got clueless user/relatives, maybe that live many m

    • by mirix (1649853)

      I believe there is a windows port of evince, which is rather nice.

      I usually use okular on linux, though. Something about it I like better, but don't recall what right now.

  • I highly doubt home consumers (i.e. your grandmother) are going to install this enterprise application in order to solve a "0 day" exploit for Adobe. I mean, really? Can a normal person even read the previous sentence I just wrote?

    Maybe they should work harder at patching it then finding workarounds, or just tell us the truth (don't open any PDFs, or use foxit).

    • How would you suggest they patch it and get the patch out to users?

      In my experience:

      1. They patch it and force the patch out using Windows Update: everyone gets mad because MS is forcing an update.
      2. They patch it and recommend the update: everyone gets mad because they aren't forcing users to update, causing various exploits and generally not caring about their customers, etc.
      3. They patch it and don't say anything: everyone is mad because they are obviously trying to hide that they had an exploit.

      Of course, t

  • by IgnacioB (687913)
    Great, so EMET will be downloaded by a few developers and IT experts and their system will work fine. However, develop and deploy this beta application to run on the thousands of end user workstations on a corporate network? I'm sure between the unintended system slow down from YET ANOTHER APPLICATIOn combined with users wondering what this new icon is doing ought to be seemless. Too bad FoxIt and others don't provide a nagware free product that's an enterprise solution. Maybe Adobe will start roping ba
    • Why doesn't Microsoft make EMET part of Windows Defender, and auto-update the settings for various applications/DLLs (like the way they update compatibility-mode settings for websites in IE8)? They could have prevented this exploit on day 1.
  • ASLR (Score:5, Informative)

    by js3 (319268) on Monday September 13, 2010 @03:27PM (#33565354)

    According to the article..

      "Normally Address Space Layout Randomization (ASLR) would help prevent successful exploitation. However, this product ships with a DLL (icucnv36.dll) that doesn’t have ASLR turned on."

    So enable ASLR on the effing DLL and release a patch, problem solved? Nothing would make me work overtime and on the weekend than a highly visible level 1 bug. Adobe developers must have it good!

    • by Anonymous Coward

      ...was called Scatter Loading in AmigaOS 1.0 back in the 80's, and was done to everything loaded into RAM, executables, shared libraries, data, everything. *sigh*

    • by cbhacking (979169)

      Much though I wish this was a complete solution, there are two possible problems with it.

      The first is that ASLR is only available on NT 6.x (Vista, 7, Server 2008). People using XP are out in the cold, which they arguably deserve for using such an outdated OS, but the rest of us don't deserve the collateral damage their rooted boxes will spew (for bonus points, XP has no form of browser sandboxing and the default user has Administrative permissions, making it the most likely to be successfully exploited in

  • the Enhanced Migration Experience Toolkit (EMET) would stymie attacks targeting Reader and Acrobat.

    Just what the world needs: a security automaton [wikipedia.org] which drops dead if you get one letter wrong.

  • Here is a Technet video describing EMET [microsoft.com] and here is the download url. [technet.com]
  • ... saying the Enhanced Migration Experience Toolkit (EMET) would stymie attacks targeting Reader and Acrobat.

    It's the Enhanced Mitigation Experience Toolkit -- no migration required.

    • by erroneus (253617)

      Yeah, that word threw me for a bit. On one hand, I was scared because I didn't want to know what Microsoft wanted to Migrate users to... on the other hand, it could have been a Windows to Linux migration tool... okay, probably not that but I have to pull some optimism from somewhere.

  • anyone know what that might be?
  • My personal system uses PDF Xchange Viewer. But on another that has Acrobat Reader 8.x installed, I'm not able to find the dll in question. I never upgraded to 9.x on that system due to bloat but guess new features will come with bugs/vulnerabilities.
  • ... and release lite & (somewhat) safe release of Acrobat Reader for home users that just reads plain PDF files that have 0 extra "features". and 99% of world would happily use it.
    • by tehcyder (746570)
      I've often wondered why Adobe's Acrobat Reader is such a large install, when it doesn't actually do much more than read .pdf files anyway.
  • Obviously no one here uses Microsoft products, but it is Mitigation not Migration...
  • "'The good news is that if you have EMET enabled ... it blocks this exploit,'"

    You know what else blocks this exploit? Not using Acrobat Reader.

The speed of anything depends on the flow of everything.

Working...