Adobe swings and misses as PDF abuse worsens

Summary: After more than two weeks (months?) of inexplicable silence on mitigations for a known code execution vulnerability in its Reader and Acrobat product lines, Adobe has finally posted public information on the problem but the company's response falls well short of providing definitive mitigation guidance for end users.

[ For background and a timeline on how *not* to handle incident response, HD Moore's blog post is a great start. ]

Adobe's response simply confirms what we already know and reiterates that turning off JavaScript will NOT eliminate the risk entirely. However, the company does not offer any definitive suggestions or workarounds, instead pointing to a list of anti-malware vendors blocking known attacks.

Here's what we have from Adobe:

  • We have seen reports that disabling JavaScript in Adobe Reader and Acrobat can protect users from this issue. Disabling JavaScript provides protection against currently known attacks. However, the vulnerability is not in the scripting engine and, therefore, disabling JavaScript does not eliminate all risk. Keeping this in mind, should users choose to disable JavaScript, it can be accomplished following the instructions below:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit > Preferences.
  3. Select the JavaScript category.
  4. Uncheck the 'Enable Acrobat JavaScript' option.
  5. Click OK.
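The five steps above flip a single per-user preference, which an administrator will usually want to audit or set for many machines rather than by hand. The script below is an added example, not Adobe's code or the article's; it assumes the checkbox is backed by the DWORD value bEnableJS under HKCU\Software\Adobe\<product>\<version>\JSPrefs (1 = enabled, 0 = disabled, absent = enabled) and treats that mapping as an assumption.

```powershell
# Added example (not Adobe's or the article's): report, and with -Disable turn off,
# the "Enable Acrobat JavaScript" preference for the current user.
# Assumption: the preference is stored as the DWORD bEnableJS under
# HKCU\Software\Adobe\<product>\<version>\JSPrefs; a missing value means "enabled".
param([switch]$Disable)

$products = 'Acrobat Reader', 'Adobe Acrobat'

$report = foreach ($product in $products) {
    $base = "HKCU:\Software\Adobe\$product"
    if (-not (Test-Path $base)) { continue }

    # One subkey per installed major version (for example 8.0 or 9.0)
    foreach ($verKey in Get-ChildItem -Path $base) {
        $jsKey   = Join-Path -Path $verKey.PSPath -ChildPath 'JSPrefs'
        $current = $null
        if (Test-Path $jsKey) {
            $current = (Get-ItemProperty -Path $jsKey -Name bEnableJS `
                        -ErrorAction SilentlyContinue).bEnableJS
        }
        # Absent value or any non-zero value: JavaScript is on
        $enabled = ($null -eq $current) -or ($current -ne 0)

        if ($Disable -and $enabled) {
            # Reader rewrites its preferences when it exits, so run this
            # with Reader/Acrobat closed or the change may be overwritten
            New-Item -Path $jsKey -Force | Out-Null
            Set-ItemProperty -Path $jsKey -Name bEnableJS -Value 0 -Type DWord
            $enabled = $false
        }

        [pscustomobject]@{
            Product           = $product
            Version           = $verKey.PSChildName
            JavaScriptEnabled = $enabled
        }
    }
}

$report | Format-Table -AutoSize
```

As the Adobe text above states, this only removes the vehicle used by the currently known attacks; the underlying bug is outside the scripting engine, so the setting is a stopgap, not a fix.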

While this information is better than the silence we've gotten from Adobe since the attacks became public, it falls well short of providing the protection information that businesses and end users need when in-the-wild malware attacks are occurring.

The company did not offer any details on the actual vulnerability. It did not provide workarounds. It did not provide mitigation guidance. Adobe simply rehashed what we already knew and confirmed that the public mitigation guidance from third parties is/was not definitive.

As my former ZDNet Zero Day blog colleague Nate McFeters points out, the issue is much worse than first imagined.

  • I decided I'd test this out and found that on a fully patched Mac OS X build, Safari 4, Mail.app, Preview.app, and potentially others all crash using the proof of concept exploit provided on milw0rm. The crash is actually in PDFKit, which supports all of those applications and likely much more.

According to Secunia's Carsten Eiram, his company managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users who may think they are safe because JavaScript support has been disabled.

  • All users of Adobe Reader/Acrobat should therefore show extreme caution when deciding which PDF files to open regardless of whether they have disabled JavaScript support or not.

If Secunia can do it based on information that's public, what's to stop malicious hackers with major financial motivation?

So what now, Adobe?

Talkback

50 comments
  • Hey guys, yeah, you three up above. I have a question?

    When are you guys going to post more Windows only exploits? You know
    I can bring in the clicks.
    Intellihence
    • Not to mention the cliques.

      NT
      MGP2
      • And the cliches nt

        nt
        sjbinaz
  • RE: Adobe swings and misses as PDF abuse worsens

    This Acrobat reader bloatware came pre-installed when I bought my DELL XPS H2C. As soon as I bought this computer, I formatted and reinstalled Vista. Now, I can proudly say "no crap wares installed" :)
    shellcodes_coder
  • Even simpler answer to solve issue

    Dump Adobe's crappy and bloated reader and adopt the one from Foxit instead. (Or use the one that came with your Distro in Linux instead of Adobe.)

    http://www.foxitsoftware.com/pdf/rd_intro.php

    Now I wished that Gnash was up to the same capabilities as Flash so I could be 100% Adobe free.
    soonerproud
    • Thanks Soonerproud

      I like it when people post useful responses like yours. Thanks for the link Soonerproud. Yes, we have to realize that Adobe does not own the portable document format and there are other players in this area. Also, who wants to pay in excess of $250 for full blown, and bloated Acrobat when you can get something far more lightweight and just as capable for a fraction of the cost? I see Foxit has that covered too! I myself will start to look for alternatives for my Windows based infrastructure. (and I think I found it here). It is bad enough I have to keep MS in check with vulnerabilities without having to deal with, what are supposed to be simple applications, as an additional attack vector.
      djmik
    • WTF are y'all talking about?

      PDF's work fine on my MAC
      dwatts23@...
      • FYI

        MAC = Media Access Control (ie 01:23:45:67:89:ab)

        Mac = computer made by Apple (ie Macbook, iMac)

        Figured I'd explain it before some rabid ABA fanboy throws in a
        derogatory response :)
        Gritztastic
      • PDF's

        PDF's what works fine on your "MAC?"

        Or perhaps you meant that PDFs work fine on your Mac?

        Yes, I'm sure they do. I'm sure compromising and uncompromising PDFs work fine on your Mac. The question is are you using Acrobat or an alternative to open them? You see, that's the issue here. There is a vulnerability in Adobe's product, irrespective of platform - Mac or not.
        tikigawd
    • Not a real solution in the slightest

      No one is going to 'dump' Adobe's reader (which is NOT bloated once you take into account all the functionality in it).

      We need a real solution, like turning off JavaScript (which is becoming, more and more, a detriment on the web).

      Really, people should STOP WITH THE JAVASCRIPT. There is nothing that you cannot do with regular HTML that you can do with JavaScript. Heck, Mozilla REMOVED JavaScript support from their latest e-mail application, Thunderbird 3 Beta 2.
      If they removed it from that.... there have got to be some BIG problems with it.
      Lerianis
  • Use Foxit for PDF and XPS for new documents

    Adobe programmers are pathetic, they can't lay them off quick enough. Maybe if Adobe spent money on real programmers instead of lawyers, their products wouldn't suck so much. Die Adobe, you fucking suck.
    jackbond
    • Just what I was about to ask ....

      Is Foxit safe or not ?
      Clockwork Computer
      • Yes it is

        Foxit is a legitimate company, not some malware vendor.
        soonerproud
        • Is Foxit Reader safe from the malware?

          I think is what the OP of that question meant. I have been using Foxit Reader for a couple years now, and like it much better than Adobe Reader, so I, at least, would like to know the answer to that question - has anyone tested it for vulnerabilities of this, or any, sort?
          aroc
          • RE: Adobe swings and misses as PDF abuse worsens

            I tried Foxit, and whilst it was better than Adobe, I didn't like it. Eventually, I settled on PDFXchange viewer, which does a great job, with plenty of options. It also is not affected by the Adobe exploit, according to the company, Tracker Software Products.

            Garth
            GarthP*
      • I think it is, but

        It wants to install a toolbar, links to Ebay, and Ask.com as the default search engine when you install. You can opt out, though.

        I've used the Foxit reader for a year or so, and really like it. It's light, fast, and simple. I just updated mine this morning.

        I really wish they'd quit with the toolbars and other stuff. I know it helps keep it free, but I'd sooner pay a little bit, say ten bucks US, for it.
        clfitz
      • Windows version isn't..

        maybe the FOSS solution is, but Secunia PSI flags Foxit as a stripped out earlier version of Reader that is full of holes.

        If it is a false positive, I haven't checked at Secunia.

        I understand you can use OpenOffice to view and convert PDF files, and that MIGHT be safer.

        You can download it at Sun. In windows, you would have to uninstall Java 6 and substitute 11 if you want at least a modicum of security whilst still using Java.
        JCitizen
    • Adobe Programmers

      I think they must have fired all their programmers. I still get a lame message every time I open a website that requires Flash. Didn't anyone tell them that x64 systems have been around for 4 years. How much lead time do they need?
      yagijd
  • Acrobat has been an IT whipping boy...

    for over a decade. I can't remember a time when it wasn't drawing complaints of being a bloated, bug-ridden POS. I've never disliked pdf as a document format, but Acrobat truly sucks. As others have noted, there are plenty of alternatives and many work pretty well.
    jasonp@...
  • Nate Mcfeters

    Thanks for posting the link to Nate's blog. Even though his tenure was short with ZDnet, his contributions were some of the best I've read in a long time.

    Particularly his ability to spank around the ABMer trolls.
    rtk