Rigged PDFs exploiting just-patched Adobe Reader flaw
Just three days after Adobe shipped a patch with fixes for a critical Adobe Reader vulnerability, hackers are using booby-trapped PDF files to fire exploits against Windows users.
[ SEE: Heads up: Patch your Adobe Reader now ]
The in-the-wild attacks, first spotted by the SANS Internet Storm Center, follow the public release of proof-of-concept exploits at Milw0rm.com and underscore the importance of quickly patching third-party desktop applications.
I have seen a sample of one of the rigged PDF files in circulation and can confirm it is indeed exploiting the CVE-2008-2992 vulnerability, which is a stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier. It allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument.
From the SANS ISC alert:
The payload is in a JavaScript object embedded in the PDF document. Once extracted, it just contains first level obfuscation with a simple eval(unescape()) call.
Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts.
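The two observations above (JavaScript carried in a PDF object, wrapped in a single eval(unescape()) layer, with a util.printf call underneath) are enough to build a triage check. The script below is an added example, not code from this article, from SANS ISC or from Adobe: it pulls script text out of a PDF (inline /JS literals and FlateDecode streams), peels the eval(unescape("...")) wrapper, and flags util.printf format strings whose width or precision field is implausibly large. The 1024 threshold, the minimal PDF builder and both sample scripts are assumptions made for illustration; the "%5000f" placeholder is not the in-the-wild payload, and the width heuristic is a detection rule of mine rather than Adobe's description of the bug.

```python
import re
import zlib

WIDTH_THRESHOLD = 1024  # assumption: no legitimate form script pads a field this wide

def _pdf_literal(data: bytes, start: int) -> bytes:
    """Body of the PDF literal string whose '(' is at data[start]; a backslash keeps only the next char."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b'\\':
            out += data[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b'(') - (c == b')')
        if depth == 0:
            break
        if i > start:  # skip the opening parenthesis itself
            out += c
        i += 1
    return bytes(out)

def extract_scripts(pdf: bytes) -> list:
    """Candidate script text: inline /JS (...) literals plus every stream, inflated when /FlateDecode is declared."""
    found = [_pdf_literal(pdf, m.end() - 1) for m in re.finditer(rb'/JS\s*\(', pdf)]
    for m in re.finditer(rb'<<([^>]*)>>\s*stream\r?\n', pdf):  # flat dictionaries only
        length = re.search(rb'/Length\s+(\d+)(?![\s\d]*R)', m.group(1))  # direct /Length only
        if not length:
            continue  # indirect or missing /Length: resolving it is out of scope for this pass
        body = pdf[m.end():m.end() + int(length.group(1))]
        if b'/FlateDecode' in m.group(1):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # not a deflate stream we can read; skip it
        found.append(body)
    return [b.decode('latin-1') for b in found]

_EVAL_UNESCAPE = re.compile(r'eval\s*\(\s*unescape\s*\(\s*(["\'])(.*?)\1\s*\)\s*\)', re.DOTALL)
_PRINTF_CALL = re.compile(r'util\.printf\s*\(\s*(["\'])(.*?)\1', re.DOTALL)
_CONVERSION = re.compile(r'%[-+ #0]*(\d*)(?:\.(\d+))?[diouxXeEfFgGcs]')  # %[flags][width][.prec]conv

def js_unescape(s: str) -> str:
    """JavaScript's legacy unescape(): %uXXXX first, then %XX."""
    s = re.sub(r'%u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'%([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)

def peel_eval_unescape(js: str, max_layers: int = 8):
    """Swap each eval(unescape("...")) for its decoded body; returns (decoded_script, layers_removed)."""
    layers = 0
    while layers < max_layers:
        peeled = _EVAL_UNESCAPE.sub(lambda m: js_unescape(m.group(2)), js)
        if peeled == js:
            break
        js, layers = peeled, layers + 1
    return js, layers

def suspicious_formats(js: str, threshold: int = WIDTH_THRESHOLD) -> list:
    """Format strings handed to util.printf whose width or precision reaches the threshold."""
    hits = []
    for call in _PRINTF_CALL.finditer(js):
        fmt = call.group(2)
        for conv in _CONVERSION.finditer(fmt):
            if max(int(conv.group(1) or 0), int(conv.group(2) or 0)) >= threshold:
                hits.append(fmt)
                break
    return hits

def scan_pdf(pdf: bytes) -> dict:
    """Layers of eval(unescape) removed plus the util.printf formats that look like overflow attempts."""
    layers, hits = 0, []
    for script in extract_scripts(pdf):
        decoded, n = peel_eval_unescape(script)
        layers += n
        hits.extend(suspicious_formats(decoded))
    return {'obfuscation_layers': layers, 'suspicious_printf': hits}

def wrap_eval_unescape(script: str) -> str:
    """Constructed sample: first-level obfuscation as ISC describes it, percent-encoded for eval(unescape())."""
    return 'eval(unescape("%s"));' % ''.join('%%%02X' % b for b in script.encode('latin-1'))

def build_sample_pdf(script: str, compress: bool = True) -> bytes:
    """Constructed sample: minimal PDF whose OpenAction runs `script`, inline or as a FlateDecode stream."""
    if compress:
        body = zlib.compress(script.encode('latin-1'))
        action = b'<< /S /JavaScript /JS 4 0 R >>'
        stream_obj = (b'4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(body)
                      + body + b'\nendstream\nendobj\n')
    else:
        action = b'<< /S /JavaScript /JS (' + script.encode('latin-1') + b') >>'
        stream_obj = b''
    return (b'%PDF-1.4\n'
            b'1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n'
            b'2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n'
            b'3 0 obj\n' + action + b'\nendobj\n' + stream_obj +
            b'trailer\n<< /Root 1 0 R >>\n%%EOF\n')

PAYLOAD_JS = 'var n = 1.0; util.printf("%5000f", n);'  # placeholder width, not the real payload
MALICIOUS_PDF = build_sample_pdf(wrap_eval_unescape(PAYLOAD_JS), compress=True)
BENIGN_PDF = build_sample_pdf('app.alert("Form loaded"); util.printf("%.2f", 3.14159);', compress=False)
```

Run scan_pdf() over a file's bytes: the constructed MALICIOUS_PDF reports one obfuscation layer and the "%5000f" format, while BENIGN_PDF, which also calls util.printf, reports nothing. The script is deliberately scan-grade: it does not resolve indirect /Length references, nested dictionaries, other stream filters or cross-reference streams, and it unwraps only eval(unescape()), so anything ISC called "modified parts" beyond that first layer still needs a hand look at the decoded script.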
Adobe Reader is one of the most widely distributed pieces of software in the Windows ecosystem, so applying this patch should be an absolute priority.
The updates are available at: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4084 (Windows), http://www.adobe.com/support/downloads/detail.jsp?ftpID=4093 (Mac), http://www.adobe.com/support/downloads/detail.jsp?ftpID=4094 (Linux/Solaris).
Talkback
Another reader?
It's time for Adobe to look at themselves in the mirror and decide to embrace quality programming and go on a diet, for their survival and to avoid gaining the ire of the worldwide user community.
Another reader?
It's Not Going to Happen
Adobe documents now contain audio-clips, animation, streaming video, 3D; and users of the technology are taking immediate advantage of all these features.
But the earlier Adobe Readers are still out there. If someone doesn't want the ability to read current Adobe documents, he or she should be able to find an Adobe Reader 4 out there, which is a small file and takes little headroom. And, who knows, there might actually be one or two things out there it can still read.
Bollocks
Wrong.
The Adobe Reader is a free tool that enables the user to read PDF files, produced by MANY DIFFERENT PRODUCTS.
Adobe has championed PDF as a format, not just a product, for years. Suddenly deciding now that PDF is an Adobe-only format is stupid.
"Adobe documents now contain audio-clips, animation, streaming video, 3D;"
A very very tiny fraction of PDFs contain this utterly useless garbage. The VAST majority do not.
"and users of the technology of taking immediate advantage of all these features."
Anyone who thinks this cruft is an essential part of a typical PDF document is clueless.
"If someone doesn't want the ability to read current Adobe documents, he or she should be able to find an Adobe Reader 4 out there, which is a small file and takes little headroom. And, who knows, there might actually be one or two things out there it can still read."
In other words, you propose a solution that you KNOW is absolutely worthless. Thanks so very much.
Duh
knows not to use IE/Adobe reader/etc.
Find a more luddite-based forum and give this info there, where it's needed.
Wow!
All kidding aside ...
I am curious as to what universal format that AzuMao and friends would suggest we all use to share documents. Proprietary M$ DOC or XML format-de-jour maybe? Or maybe multi-gigabyte TIF files? Or maybe some obscure format that only penguins speak? How about a picture-based language like Chinese? Instead of 256 characters (essentially), perhaps you would prefer the 6000-7000 picture "characters" that a well-educated Chinaman recognizes?
Adobe may be well on their way to screwing up a good thing but it is still ... much like the USA ... the best thing going.
Perhaps you don't understand Luddites. I'm guessing that no Luddite in his right mind goes anywhere near PDF files. They actually like to file good old paper in drawers.
Another reader... not only!
standard as odf. This makes things more secure due to the fact that millions of developers control the programs you use.
Hit the nail on the head
I advise my users to avoid Adobe 8.0 Reader like the plague as it has had obvious memory leaks since it was released and is quite bloated. Doesn't seem to play well with others.
I've tried using Foxit, crap. Dig out your old Adobe 5.0 and enjoy.
I don't use Adobe Reader.
Thank you, kozmcrae,
http://kpdf.kde.org/
http://en.wikipedia.org/wiki/KPDF
http://www.kde.org/
http://en.wikipedia.org/wiki/K_Desktop_Environment
kpdf
standard for documents is even better.
So change to another reader, don't pay even for the related writers and use an affirmed open document format. It will cost you nothing and you'll be sure to have millions of developers controlling the security and quality of the applications you use, for nothing.
RE: Rigged PDFs exploiting just-patched Adobe Reader flaw
let's live in the real world, shall we?
Acrobat. If you've gone to Reader 9 after it was offered months ago, you have no problem it appears.
- The real issue is probably those of us who may have Reader 9, but also have Acrobat 8, from a suite or other purchase. So, Adobe is being responsible, giving a proper term of support.
I really wonder what those writing here want sometimes. A highly organized criminal network employs talent to attack anything which can give them a return, and perhaps publicity. You think any software producer they choose to look at is going to be invulnerable? This is not good sense if so.
Regards,
Narr Vi
Reader 9 is a pig
Look at the increasing bloat per version
Adobe Reader 7.1.0 system requirements - Windows - 2005
* Intel Pentium or equivalent processor
* 128MB of RAM (256MB recommended for complex forms or large documents)
* Up to 90MB of available hard-disk space
Adobe Reader 8.1.3 system requirements - Windows - 2006
* Intel Pentium® III or equivalent processor
* 128MB of RAM (256MB recommended for complex forms or large documents)
* 170MB of available hard-disk space
Adobe Reader 9 system requirements - Windows - 2008
* Intel® 1.3 GHz processor
* 128MB of RAM (256MB recommended)
* 335MB of available hard disk space
Look at the progression of processor power and disk space needed. The only thing that has remained stable is the memory requirement. The available hard disk space almost doubled between each release. With all these extra lines of code, who knows how many more potential security holes were introduced.
Adobe, give users a simple reader
RE: Rigged PDFs exploiting just-patched Adobe Reader flaw
acrobat reader is just way too bloated and sluggish. foxit reader is lighter and does the job. and there are many more open source alternatives out there.
same problem?
Apps Like This May Always be Attack Vectors
There are many security tools, many freeware, that prevent such attacks without relying on signatures, which are losing the war to malware-makers that alter their signatures as frequently as every 10 minutes. Check these blog posts out for more on that:
http://www.securitynowblog.com/endpoint_security/signature-based-antivirus-and-hips-technologies-poor-endpoint-protection
http://www.securitynowblog.com/endpoint_security/secunia_report_signature-based_antivirus_misses_most_unknown_malware
If you haven't tried any of these freeware tools before, check out simple one to get a sense for what you can do:
http://www.blueridgenetworks.com/solutions/edgeguardsolo/
Adobe isn't really helping.