Adobe Warns of Critical Zero Day Vulnerability 236
wiredmikey writes "Adobe issued an advisory today on a zero-day vulnerability (CVE-2011-2462) that has come under attack in the wild. According to Adobe, the issue is a U3D memory corruption vulnerability that can be exploited to cause a crash and permit an attacker to hijack a system. So far, there are reports the vulnerability is being exploited in limited, targeted attacks against Adobe Reader 9.x on Windows. However, the bug also affects Adobe Reader and Acrobat 9.4.6 and earlier 9.x versions for UNIX and Macintosh computers, as well as Adobe Reader X (10.1.1) and Acrobat X (10.1.1) and earlier 10.x versions on Windows and Mac. Patches for Windows and Mac users of Adobe Reader X and Acrobat X will come on the next quarterly update, scheduled for Jan. 10, 2012."
Oh adobe... (Score:4, Informative)
You can pretty well set your watch by adobe exploits. Get it together, guys...
Re:A lack of diversity... (Score:2, Informative)
Not good enough alternatives? FoxIT reader is better imho. Heck, the Ubuntu default document viewer works fine for me. It's a shame that "adobe" has become synonymous with "pdf".
FYI: U3D = Universal 3D (Score:5, Informative)
According to the Wikipedia article on Universal 3D [wikipedia.org]:
The format is natively supported by the PDF format and 3D objects in U3D format can be inserted into PDF documents and interactively visualized by Acrobat Reader (since version 7).
and
There are four editions to date.
The first edition is supported by many/all of the various applications mentioned below. It is capable of storing vertex based geometry, color, textures, lighting, bones, and transform based animation.
The second and third editions correct some errata in the first edition, and the third edition also adds the concept of vendor specified blocks. One such block widely deployed is the RHAdobeMesh block, which provides a more compressed alternative to the mesh blocks defined in the first edition. Deep Exploration and PDF3D-SDK can author this data, and Adobe Acrobat and Reader 8.1 can read this data.
The fourth edition provides definitions for higher order primitives - curved surfaces.
I'm guessing it's the vendor specified blocks from the 3rd edition that are causing the problem.
Re:Listed mitigation: Adobe Reader X Protected Mod (Score:5, Informative)
In my experience it can (or used to) break things when interacting with other programs.
It broke my LaTeX editor. Couldn't compile a document and automatically have it open in Reader. After some fighting, I think I got it to open, but if you make some edits and recompile... it quickly errors out if you don't manually and completely exit out of Reader first. It's really annoying. Spent far too long reading up on how Reader is supposed to interact with other software and setting my editor to try different commands invoking Reader. No dice, and it looked like the documentation wasn't up to date for all the changes in X yet. But turn off protected mode, and it worked just fine.
Granted, they might have fixed that in the mean time, I've not used it in a couple months, and don't even have Reader installed any more...
Re:Patched when? (Score:5, Informative)
If you follow the "exploited to cause a crash ..." link in the initial Slashdot item, you will see that a fix to Acrobat Reader 9 will be available by this coming Monday. You will also see that, unless you disable Protected View in Acrobat Reader 10, you are not vulnerable and thus can wait a month.
Re:Release dates?? (Score:4, Informative)
Yes.
The attack can be stopped using their Protected Mode. Versions that ship with the protected mode will not be addressed to specifically mitigate this attack until later, with Adobe recommending everyone turn on protected mode to protect them in the mean time.
Whether or not that's a reasonable reaction is a whole different question.
Re:A lack of diversity... (Score:5, Informative)
I recall the Adobe loading screens on older Acrobat versions. One time while waiting for Acrobat to load its bloated carcass into memory I actually paid attention to the loading messages and noticed "movie.api" among others being loaded. That was the nail in the coffin.
While switching to non-Adobe PDF software may not be in the power of everyone, you can blacklist the Adobe PDF plugin from running in your web-browser. Apart from improving your internet experience it may also help prevent some drive-by PDF exploits.
Too late (Score:5, Informative)
Comment removed (Score:5, Informative)
Re:Look at the credits for Adobe Reader. (Score:5, Informative)
Why is the parent modded flamebait? S/he's telling the truth. We just discussed this very issue: Does Outsourcing Programming Really Save Money? [slashdot.org].
Somebody please mod the parent up. Sometimes the truth isn't pretty, but it's still the truth. I don't care if feelings get hurt by it. It's still the truth.
Re:What a mess: No patch for 9 and no IFilter for (Score:4, Informative)
OK, the summary omits it, but the article [adobe.com] says "We are in the process of finalizing a fix for the issue and expect to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011" so Reader 9 will be fixed after all.
Re:A lack of diversity... (Score:5, Informative)
If you look under the hood, Linux has the same lack of diversity in PDF viewers that Windows does: almost everything is just a frontend for the Poppler library. If a security hole is found in eg. kpdf, it's a good bet that the hole is also present in epdfview or xpdf.
Re:Mac? (Score:3, Informative)
I was forced to install it recently. Some PDFs from my state government required it. If I tried to open them in Preview, it complained that it needed a newer version of Acrobat Reader. So I installed it, printed what I needed, then removed it.
A lot of less technical folks though would have just kept it. Assuming the figured out that they needed to install it in the first place.
Be careful of "fixes" Adobe sends you by email. (Score:5, Informative)
I and a bunch of others received emails today claiming to be from Adobe (it wasn't, as mail headers showed) that included an attachment, an .exe in a zip file.
Of course, you should never run attachments sent via email, even if the source appears trusted.
Re:Look at the credits for Adobe Reader. (Score:3, Informative)
Re:Look at the credits for Adobe Reader. (Score:4, Informative)
I work for a media company in Los Angeles, and just about all of the developers in our Burbank office working on our flagship media management software are Indian. Our facility in Bangalore is where we send the actual media work if we can (transcoding, editing, etc.). But I think most of the software development stays in the States, but is done by Indians (with a few Chinese and other Asians).
Re:Mac? -- RTF please (Score:4, Informative)
Preview works very well for reading, but Acrobat Pro is currently the best Mac solution for authoring PDFs. Unfortunately. But there you have it. Open a 5mb PDF in word. Edit. Save. Wow, look at that, did you notice, now it's 45mb? It seems that acrobat pro is one of the few editors that recompresses. Now watch the secretary fill out that PDF form in Word and try to email it back to you.
PDF - Portable Document Format. It does a good job at being universally supported, for reading anyway. Do you want that, or maybe something else proprietary like DOC? (or even better, DOCX) You may hate the reader but the format is very good. It's just insanely bloated with features that are neigh impossible to secure. (it's about as good an idea as when MS added auto running macros to their DOC and XLS spec) So you can count on there being a new exploit almost constantly, and as we're seeing here, a critical exploit every quarter or so.
I personally do as much as possible in RTF format. It's fairly well supported, and doesn't have security-undermining features in the standard. On the mac, the bundled TextEdit does a marvelous job with RTF, reads and authors in it, and has very similar functionality to PDF. I just wish clicking on an RTF document on a web page would display it inline instead of downloading the bloddy thing to the desktop.
Re:Listed mitigation: Adobe Reader X Protected Mod (Score:5, Informative)
That is not actually true. Adobe Reader is a "conforming implementation" of the ISO 32000 PDF specification. As such, it must support features that your 8.4 MB reader cannot possibly see (such as the ability to pull from CRL's when encountering a digital signature). I used to work for Adobe and I am not here to defend them but in all fairness, you must distinguish the difference between conforming and non-conforming implementations of PDF before comparing.
Duane
Re:Listed mitigation: Adobe Reader X Protected Mod (Score:5, Informative)
Don't forget the shell extension in windows, that enables those zero-day vulns to take effect by just hovering over the file! And unlike the updater and preloader, you can't turn this off without manually meddling with the registry.
Re:Listed mitigation: Adobe Reader X Protected Mod (Score:3, Informative)
"By default, Adobe Reader 10.0 enables Protected Mode"
http://kb2.adobe.com/cps/860/cpsid_86063.html [adobe.com]