'High risk' zero-day flaw haunts Adobe Acrobat, Reader

'High risk' zero-day flaw haunts Adobe Acrobat, Reader

Summary: Adobe's ever-present Acrobat/PDF Reader software is prone to a nasty code execution vulnerability that could expose Windows users to PC takeover attacks.

SHARE:

‘High risk’ zero-day haunts Adobe Acrobat, ReaderAdobe's ever-present Acrobat/PDF Reader software is prone to a nasty code execution vulnerability that could expose Windows users to PC takeover attacks.

Details of the flaw, which affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7 are being kept under wraps until Adobe releases a fix.

Petko D. Petkov, the researcher who discovered this issue, is not mincing words about the risk severity:

Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in the core of today’s modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available.

Petkov gave me a peek at a proof-of-concept exploit that worked as advertised. On my Windows XP box with a fully patched version of Adobe Reader, opening a rigged PDF file launched calc.exe without warning.

Unpatched Adobe PDF code execution vulnerability

The exploit did not work during my tests on Windows Vista.

ALSO SEE:

Exploit code posted for critical Adobe Photoshop flaw

Topics: Operating Systems, Enterprise Software, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

23 comments
Log in or register to join the discussion
  • In the meantime

    People can use kpdf -- the 3.5.7 version is pretty slick.
    Yagotta B. Kidding
  • more reasons to switch to Linux!

    only on windoze you can get such an attack.
    Time to switch to Linux.
    Linux Geek
    • Or Vista!

      NT
      itpro_z
      • Nope, can't do it because ...

        ... some of my client's most critical business programs STILL don't run well on Vista. Gotta keep using XP SP2 so this flaw is awesomely critical.
        OButterball
      • LMAO

        hey,

        how about not installing that crap "IE7" instead of $300 - $400 for even bigger problems with vista.


        try reading the article, before thinking to give advice.
        not of this world
    • Riight!

      Let's see.. drop Windows, switch to Linux. Great. Oh.. Wait.. My mission critical apps don't run on Linux and there's NO Linux alternative... Damn. Gonna have to port them over. WHAT?!?!?! It's gonna cost me HOW MUCH to port them over?!?!?

      <sounds of someone hitting the ground with a healthy THUD>

      Sorry pal, but you've got to start thinking with your feet firmly planted in REALITY...
      Wolfie2K3
      • Or...

        It's going to cost me how much to recover from these ongoing malware attacks for my windows installation. [insert screaming and wailing]

        Sometimes it might be useful to think about cost/benefit analysis, rather than presume that what you are doing you cannot change.
        zkiwi
        • or . . .

          learn the system and stop playing around with it.

          if you want to screw around with software get a 2nd
          or 3rd pc for the internet


          this is what everyone else does. . . . . .

          reinstalling windows xp takes 50 min ,
          then another 20 for drivers and reboots

          ------ no big deal, nothing like a fresh windows install
          so get used to it and be a happy pc user.
          not of this world
          • Pardon me, but...

            Do you comprehend the term "cost/benefit analysis?"

            How does "learning the system" guarantee that you're doing the right thing? Why should "screwing around with software" be a valid approach to anything you are getting paid to do? And why should reinstalling a complete system be no big deal?
            zkiwi
    • Please

      Im develop for linux as a living and truely love this OS. If you must stick in the nose of the windows user, could you please do it more with highlighting the true coolness of this system such as many really different look and feel of the interface and the possiblity of gluing different parts together and have something your very own. Or have it on a cd and boot it on any computer. And even be allowed to give it to people without ?money being involved. Such things.

      Large group of people would never go to linux just to avoid it having bugs. Most use computer to be social and have fun so fuck the bugs.
      Also, when you say switch to linux, you should also ( and bye bye to directx games) to be fair.

      Only reason I have an xp installation.

      anyway, none of this was to correct or fight you. Simply asking for the benefit of a litte fat penguin. :)
      MetaVoid
  • Think-Ahead Progamming Isn't Cheap

    I named a price to Raytheon. $100k a month or I won't play ball. I'm not playing ball. I'm instead out of the industry, and just doing my company as a hobby on the side of something else now.

    Don't want to pay the price for a developer who thinks this stuff through? Then prepare to pay the price of your software having faults from being sloppy. Either I get paid $100k a month or I won't do the quality work $100k a month buys.

    Vulnerabilities are in many, many products. Acrobat Reader is just one. Second-rate programmers abound.
    bcroner
    • Isn't outsourcing wonderful?

      I think you are both right and wrong. You are so right about the total garbage quality of todays software! Where I disagree (to a lesser degree)is your position (I was going to use attitude but felt that a bit too strong)on "give me what I want or else" stand: This is totally your choice without reserve. However, consider why they don't pay you what you want... Neither the competition pressure or ROI for your services can be sustained! Their position wont change, I think, even to the point of enterprise collapse.

      The current American world business philosophy is suicidal. We have decided (American psuedo governmental leadership) to compete with global communism (slave labor), and supplant American industry and entreprenuerilism with their subsidized (economic enslavement) garbage! I think Carl Marx was right: "We will sell them the rope we will use to hang them". So much for the infantile wisdom of Americas leaders. And what did ISAIAH say about Gods children being led by children in the latter days?

      "Skrew-em" is self destructive, bitter. (Wormwood)
      RS9
      • Marx...

        [b] think Carl Marx was right: "We will sell them the rope we will use to hang them".[/b]

        I believe the quote in question goes something like this:

        "We will hang the last capitalists with rope of their own manufacture."
        Wolfie2K3
  • This is the HTML control again!

    From a comment on the announcement page: <i>I would take a wild
    guess and think that you are using Object Codebase to launch the
    calculator and notepad.

    http://www.greymagic.com/secur...../gm001-ie/ has a nice example
    of this that requires no scripting, but does require you to render the
    HTML inside the My Computer zone.</i>

    The Microsoft HTML control is inherently insecure. No application that
    uses it in any way should be used to view untrusted documents. Ever.

    Until Microsoft fixes this, by making the API that calls the HTML
    control operate in a way that is by default absolutely sandboxed, with
    no way for the document being displayed or any page opened by it to
    do anything but render HTML directly or using plugins specifically
    installed for use with untrusted documents, it should not be used by
    anything but internal Microsoft applications that completely control
    the content.

    I've been saying this for 10 years now. It's still true. It'll still be true 10
    years from now if Microsoft doesn't bite the bullet and fix the API.
    Resuna
    • Can you read?

      The flaw is in Acrobat Reader; a malicious PDF document can cause arbitrary code execution. Simply double-clicking a PDF (which opens it in Reader) runs the exploit. It has nothing to do with MSHTML or any other part of IE or Windows.

      And how many times have you posted this incomprehendible drivel about the "HTML control"? I assume you're talking about the ability for apps to embed MSHTML or the WebBrowser control, but it's hard to tell...
      PB_z
      • The strange thing...

        I've tested pdp's proof-of-concept. It *only* works if IE7 is installed on the machine. What does that mean?

        _r
        Ryan Naraine
        • IE7's impact

          IE7 is MUCH more than a simple browser upgrade. It makes other changes to the OS (someone here probably knows much more about the details than I do).

          I do know that VB apps we run started popping up security warnings after IE7 was installed on workstations. The VB apps have nothing to do with a web browser in this case, and yet the OS reacted differently to them when they were launched.
          ejhonda
        • Merely installed?

          Or does it have to be the browser used to open the "bad" pdf?
          zkiwi
  • Don't use IE7

    You can easily avoid this exploit by using a different browser. I use Firefox, so I've got no worries about this; use whatever you prefer, as long as it's not IE7.
    Greenknight_z
  • RE: 'High risk' zero-day flaw haunts Adobe Acrobat, Reader

    Hi, I DON'T HAVE A REAL IMPORTANT REPL BUT A ? HOW DOES ANYONE GET THE ADOBE 7.0 OFF THEIR MACHINE OR WILL IT MAKE IT WORSE. I OPEN THE WORDPAD QUITE A BIT AND I USE IE7. ALSO I HAVE BEEN HAVING THIS ONGOING PROBLEM WITH THE ADOBE READER FOR ABOUT A YEAR DIDN'T KNOW WHAT TO DO ABOUT IT. I AM NOT REAL GOOD WITH THE PC YET BUT DID THINK IT POSSIBLE THAT IT WAS A HACKER.
    THANKS
    manie3844