Adobe Warns of Critical Zero Day Vulnerability
wiredmikey writes "Adobe issued an advisory today on a zero-day vulnerability (CVE-2011-2462) that has come under attack in the wild. According to Adobe, the issue is a U3D memory corruption vulnerability that can be exploited to cause a crash and permit an attacker to hijack a system. So far, there are reports the vulnerability is being exploited in limited, targeted attacks against Adobe Reader 9.x on Windows. However, the bug also affects Adobe Reader and Acrobat 9.4.6 and earlier 9.x versions for UNIX and Macintosh computers, as well as Adobe Reader X (10.1.1) and Acrobat X (10.1.1) and earlier 10.x versions on Windows and Mac. Patches for Windows and Mac users of Adobe Reader X and Acrobat X will come on the next quarterly update, scheduled for Jan. 10, 2012."
Listed mitigation: Adobe Reader X Protected Mode (Score:5, Insightful)
Why on earth isn't "Adobe Reader X Protected Mode" the default?
Patched when? (Score:5, Insightful)
A lack of diversity... (Score:5, Insightful)
...leads to increased vulnerability, whether in biology or in software.
Although there are alternatives to Adobe Reader, none of them is good enough to gain significant market share. And Adobe does everything it can to make competing with it more difficult. So a key piece of software used by a large majority of computer users is bloated beyond belief and so riddled with vulnerabilities that it seems there's a new one every day. It sucks, but it's hardly surprising.
On the web, as in politics, we get what we deserve - or, in this case, we get what other web users deserve, because they vastly outnumber us.
Look at the credits for Adobe Reader. (Score:5, Insightful)
If you're wondering "How can this happen?", all you need to do is look at the credits of Acrobat Reader. Notice that many of the names are quite clearly Indian. Then it all makes sense.
Re:Look at the credits for Adobe Reader. (Score:5, Insightful)
Because anytime you single out a creed, religion, race, or other general status, anyone belonging to said group interprets it as a personal attack and employs all possible methods to censor the shit out of said perceived attacker. It's like a biological kill-switch.
Re:FYI: U3D = Universal 3D (Score:5, Insightful)
Re:Listed mitigation: Adobe Reader X Protected Mod (Score:4, Insightful)
Most of our technical manuals come in PDF form now, but thank God for Okular. It has really, really improved. :)
Re:Look at the credits for Adobe Reader. (Score:5, Insightful)
Re:A lack of diversity... (Score:5, Insightful)
Although there are alternatives to Adobe Reader, none of them is good enough to gain significant market share.
Are you kidding me? Acrobat is such a steaming pile of crap that it has bred a completely misplaced hatred of PDF in most Windows users. Ever seen a Slashdot summary with a "(warning, PDF)" note after a link? Only Acrobat can manage to bog down a brand new system opening a 1 page PDF; every other PDF reader in the world will open it instantaneously.
If anything, Acrobat has single handedly painted PDF into the very niche corner that it's in now. PDF is a good format hobbled by a hopelessly lousy reference implementation.
Re:Look at the credits for Adobe Reader. (Score:3, Insightful)
Good God (Score:4, Insightful)
Re:Look at the credits for Adobe Reader. (Score:3, Insightful)
The term you're looking for is "fact", not "assumption".
The industry as a whole has now had 10 to 15 years of experience with Indian software developers. That's actually quite a long time, given the relatively young age of the industry. Yet for every successful project we hear about, there are literally tens of thousands of horror stories. That's clearly not a balanced ratio.
There comes a point when repeated and consistent observations must be accepted as the truth, even if this may be a painful truth to accept. Reoccurring trends start to indicate the norm. In this case, the norm is that Indian-developed software is very typically of an inferior quality, riddled with bugs and security flaws.
You talk about "wild conjecture" and "weak evidence", but every observation and every shred of experience we have show quite the opposite. There's a reason why Indian developers as a whole have a bad reputation; it's because they have fucked up software projects again and again and again and again and again and again and again and again and again and again and again.
Re:Listed mitigation: Adobe Reader X Protected Mod (Score:5, Insightful)
It has a 4.4 MB setup file, compared to Adobe Reader's 40.5 MB, for Windows 7. Installed size is 8.4 MB, whereas Adobe Reader requires 335 MB of available disk space.
Adobe PDF Reader - now with 10-40x the size of what's *really* needed! ***Bonus*** - Includes Critical 0 Day vulnerability, @ no extra charge!!!
What more could you ask for?
Attack surface (Score:5, Insightful)
I wrote it years ago, but it's still quite relevant:
http://www.cert.org/blogs/certcc/2009/06/vulnerabilities_and_software_a.html [cert.org]
Coding quality and exploit mitigations aside, there's something to be said for the size of the software that you're installing. The more code that's there, the more there is to attack. If you're using Reader, you might ask, why is there a 3D rendering engine in my PDF reader? Or maybe even do something about it.
Re:Look at the credits for Adobe Reader. (Score:5, Insightful)
You'd have to be nuts to want Reader unless you simply have no other choice.
Acrobat 10. Production environment. Multiple servers for remote desktop sessions. Have to have it. Receive secure documents all the time for markup and endorsements and Foxit can't even open it. Let's not even talk about 3rd party PDF support for electronic signatures from capture pads.
The NERVE of those fuckers to announce a zero-day exploit in the wild with an expected fix date in a quarterly update.
What the fuck are they smoking? It's the 6th of December you sadistic moronic fucktards. This is the dark side of vendor lock-in. Till that update I have to wonder about the thousands of PDF documents flowing through into the system and from emails. Believe me, there are some workers that will open anything in an email. So it is a real risk already.
Not that I don't normally, but there is a big difference between a possible threat and a known one.
It's just amazing for them to announce that with all the business customers they have. The unmitigated gall of those bastards.
Re:Look at the credits for Adobe Reader. (Score:4, Insightful)
I agree 110%.
It's a blatant and inexcusable display of negligence on Adobe's part to schedule an update over a month after telling us that a REMOTE EXECUTION EXPLOIT is confirmed, and is being exploited in the wild. Again, with confirmation. To add to that, this isn't even something where you can advise everyone to turn off javascript and pray everyone follows your instructions while keeping an eye on traffic. It's nothing short of nightmare to be honest. The fact that this software is installed on everything from a consumer's new laptop or desktop, to a hell of a lot of government agencies doesn't sit well with me either.
Re:Look at the credits for Adobe Reader. (Score:2, Insightful)
I know plenty of Indian programmers who got their H1B visas, live in America, and write shitty code. They are valued because they can churn out products quickly, but for a very costly maintenance value. YMMV - there are plenty of developers of all races that write shitty code.
Re:Look at the credits for Adobe Reader. (Score:5, Insightful)
I'm going to agree mostly, but differentiate a little. I have actually worked with a couple of very talented Indian software engineers - more talented and experienced than myself, sometimes. They weren't working for an outsourcing company, though; they were full-time hires. Good Indian software engineers have a tendency to go the same places good American software engineers do: companies that value their talent and who are willing to pay for it. They just have a marginally harder time doing it due to US immigration law. (Myself, I'd rather have them fully naturalized as soon as reasonable - I can compete with them better when their wages haven't been artificially depressed by the monopsonistic exploitation of their labor associated with the immigration game).
Anyway. It's already a lot easier to find a lousy software developer than to find a good one here in the US. Outsourcing to India as part of a management-driven process? Yeah, I'm going to laugh at the quality of the results in advance, please. As for Adobe employees working on Acrobat... let's just say their product doesn't do too much to promote the idea that they're competent.
I *prefer* non-conforming (Score:5, Insightful)
> you must distinguish the difference between conforming and non-conforming implementations of PDF before comparing
Your point is valid, however, how much of that ISO standard is, itself, "ooooh, shiny"-ness which is one of the reasons why Reader has so many more possible places of failure? Before discovering better alternatives for reading PDFs under Windows, the first thing I would do to Adobe Reader was to disable scripting support inside PDF documents.
In other words, I prefer the non-conforming, because that means that (there is a chance that) the implementers might actually be ignoring stupid things which Adobe pushed into the PDF standard which shouldn't be there.
Re:Listed mitigation: Adobe Reader X Protected Mod (Score:4, Insightful)
It's the old Microsoft syndrome again...
Take software which was designed for a non networked, single user standalone environment...
Throw it onto a hostile network like the Internet...
Then make sure that 95% of systems run exactly the same software...
If there was a more even marketshare of PDF viewers out there, then they would be far less attractive to target.