Slashdot: News for Nerds

Rogue PDFs Behind 80% of Exploits In Q4 '09

CmdrTaco posted more than 4 years ago | from the imagine-if-pdf-was-an-open-format dept.

Security 189

CWmike writes "Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, ScanSafe announced that by its counting, malicious Adobe Reader documents made up 80% of all exploits at the end of 2009. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. Mary Landesman, a ScanSafe senior security researcher, said, 'Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits.' Exactly why hackers choose Adobe as their prime target is tougher to divine, however. 'Perhaps they are more successful,' she said. 'Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"

189 comments

How about (0)

Anonymous Coward | more than 4 years ago | (#31168746)

How about "Adobe Reader is the only relevant PDF reader on the market"? Is it really that hard to understand?

Re:How about (4, Informative)

God'sDuck (837829) | more than 4 years ago | (#31168802)

The article does not say "80% of PDF exploits," it says "80% of ALL SOFTWARE exploits."

Or more likely (5, Insightful)

FreeUser (11483) | more than 4 years ago | (#31168958)

> How about "Adobe Reader is the only relevant PDF reader on the market"? Is it really that hard to understand?

Or how about:

"Adobe Reader is shit. Zero day exploits are like shooting ducks in a barrel." Or maybe "It's the platform, and Adobe is just the vector du jour. IE was last month's, Office the month before that, and Flash (or something equally widespread, complex, superfluous and buggy) is next month's ..."

Microsoft Windows users are known as the road-kill of the Information Superhighway for a reason, and Adobe can only take some small credit for their contribution to that.

Re:Or more likely (1)

kyuubiunl (1747574) | more than 4 years ago | (#31169244)

Um.............follow the bouncing ball FreeUser ADOBE Flash

Re:Or more likely (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31169298)

shut it mac user

Re:Or more likely (1, Insightful)

sopssa (1498795) | more than 4 years ago | (#31170428)

Ah, the old "Windows is insecure" rant.

Drive-by installs via exploit vulnerability can happen on any OS. Only thing that might currently mitigate that is SELinux, but it's a pain in the ass generally and no casual user would put up with it. Most of the vulnerabilities nowadays are in 3rd-party software like Flash or PDF Reader. They are exactly as vulnerable on any system.

It pretty much all happens on Windows currently only because it's so popular (and the users are generally dumber than those geeks running for example Linux on desktop).

Fact is, no OS is secure unless it's completely locked down, and even then there are probably vulnerabilities in the OS. And please, I don't want my desktop computer to be an iPhone.

Re:Or more likely (0)

Anonymous Coward | more than 4 years ago | (#31170600)

So, in spite of the fact that different OS platforms have different development, different code, different security levels, they're all exactly the same???

Riiiiight.

It still mainly happens on Windows because the OS, development and security models are the most attractive to exploits. Far above the proportion that Windows has in the marketplace.

Re:Or more likely (2, Insightful)

ThaReetLad (538112) | more than 4 years ago | (#31171090)

No, it's because very few linux users are computer illiterate, while a great many windows users are. Targeting windows users (and with attacks like this, it is the users that make the attack possible, not the platform) is going for the low hanging fruit.

Re:Or more likely (2, Insightful)

devent (1627873) | more than 4 years ago | (#31171140)

> It pretty much all happens on Windows currently only because it's so popular (and the users are generally dumber than those geeks running for example Linux on desktop).

Apache is the most popular web server and it is open source. Shouldn't it have more security problems than IIS? Where is the Code Red for Apache, that infected over 250.000 servers?

Windows is targeted because of the poor security choices from Microsoft. To name a few: patch Tuesday, cannot delete opened file, No distinction between administrator and normal user, backward compatibility back to DOS, GUI in server and for administration tasks, no distinction between executables and normal files, whole hard drive is writable, complex database for configuration, and the list goes on.

Re:Or more likely (1, Informative)

sopssa (1498795) | more than 4 years ago | (#31171494)

Whoa, you're bringing up ten year old worms to the table. Do you even understand how many old worms there have been with Linux/UNIX in all of its history, most of them not even requiring a web server?

Any of those things you list as "poor security choices from Microsoft" aren't even such.

> patch Tuesday

Patch Tuesday streamlines the update process in large companies. It would be a really bad solution from MS to force the update randomly, possibly breaking things. Linux doesn't even have automated update at all - you have to run your update tool when it's convenient for you, or go and compile the new kernel. Is that really a better security choice? Would you want Windows to be the same way?

> cannot delete opened file

This has nothing to do with security choice for Windows. And you can force-delete a file, at your own risk.

> No distinction between administrator and normal user

You're still running Windows 95 or what?

> backward compatibility back to DOS

There's no such really anymore, hasn't been since XP. It's an emulated layer, and also breaks most of the old viruses because of that.

> GUI in server and for administration tasks

How does this lower security again?

> no distinction between executables and normal files

Just like Linux doesn't have either. You can set executable bit on any file and it happily runs.

> complex database for configuration

Specifically for what? MySQL also has pretty complex database (inside itself) for its settings and users.

Re:How about (0)

Anonymous Coward | more than 4 years ago | (#31169116)

How about "We don't need a stinkin' Adobe Reader on non-Windows platforms"? Is it really that hard to understand?

Re:How about (1)

sopssa (1498795) | more than 4 years ago | (#31170468)

Uh, no one needs Adobe Reader on any platform. There are plenty of alternatives and Foxit is probably the best one (and isn't as bloated as Adobe's).

Re:How about (1)

Bert64 (520050) | more than 4 years ago | (#31170870)

The difference is that windows is the only platform which doesn't come with a PDF reader by default...

And to make matters worse, many users aren't aware that alternative pdf readers exist at all, how many mac users do you think install adobe's viewer because they don't realise preview.app can handle PDF files very well. Users have the mindset that file formats are proprietary and belong to specific programs.

Re:How about (0)

sopssa (1498795) | more than 4 years ago | (#31171262)

To be honest I'd be more worried if Windows did come with a default PDF reader. The format is overly complex with scripting capabilities and everything else under the sun and bugs are going to slip in, and the install base would be even more widespread than now with Adobe PDF Reader (or are you suggesting we should pre-install Adobe's PDF Reader on every Windows?)

I also doubt that all of the different Linux distros come with a pdf reader..

Re:How about (1)

BrokenHalo (565198) | more than 4 years ago | (#31171576)

> There are plenty of alternatives...

This is true. It is also true that most of them load a lot more quickly than the Adobe product. However (sometimes depending on how the PDF is created), most of them don't actually render the PDF as well as the Adobe reader.

Re:How about (0)

Anonymous Coward | more than 4 years ago | (#31170816)

who cares, non-windows desktop platforms are just as relevant as non-adobe pdf readers. aka not at all. you can use your inferior readers all you want on your openbsd boxes.

Re:How about (0)

Anonymous Coward | more than 4 years ago | (#31169262)

I beg to differ.
Foxit Software's Reader [foxitsoftware.com] is pretty well known now, and has been mentioned on Slashdot numerous times over the past year or so, when there's been articles involving PDF's.

Re:How about (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31169750)

Yeah it's known to a bunch of nerds but in the real world everyone uses Adobe reader.

Re:How about (0)

Anonymous Coward | more than 4 years ago | (#31170484)

And in the Mac world nobody uses Adobe Reader because Mac OS X can open PDFs and "print" to PDF natively.

Re:How about (1)

Bert64 (520050) | more than 4 years ago | (#31171026)

A disturbing number of mac users actually install adobe reader and let it set itself as their default pdf viewer, despite that OSX already comes with a much better PDF viewer, people are conditioned to think that PDF files require adobe acrobat.

Re:How about (0)

Anonymous Coward | more than 4 years ago | (#31170752)

Why should I even consider using reader when my mac comes with a perfectly good postscript/PDF tool out of the box. Your statement is only true in the windows environment where Ghostscript is the only alternative and Ghostscript is a major PITA

Re:How about (0)

Anonymous Coward | more than 4 years ago | (#31170252)

Foxit is a buggy piece of crap.

Re:How about (1)

sneaker98 (1545049) | more than 4 years ago | (#31170832)

Don't defend them. Adobe is one of the worst bloatware software companies on the planet. They deserve this flak. Frankly, when my browser locks up, guess what program is almost always to blame? Adobe Reader. What a piece of crap.

Re:How about (1)

cusco (717999) | more than 4 years ago | (#31171410)

What no one, especially Adobe, talks about is the possibility that some of these crackers are former programmers for Adobe with access to source code. I'm sure the fact that Adobe rarely fixes holes in its software, preferring to make customers upgrade instead, makes them an even more tempting target. Probably 3/4 of our customers are running Acrobat Reader 7 or earlier because no one wants to go to the trouble of upgrading reader software, and Adobe's filthy habit of forcing customers to install garbage that they vehemently don't want (like their stinking download manager) doesn't help matters.

For that matter I don't know the situation now, but previously security at Adobe's facilities was almost nonexistent. I once had a co-irker who, in the days before WiFi everywhere, would drop by Adobe's offices, tailgate someone into the building and sit down at a random cubicle when he needed Internet access.

Two solutions. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31168788)

1.) Spend millions of dollars on R&D for a new pdf analyzer and redistribute it.
2.) Turn off javascript and any other dynamic content.

We all know option 2 is way too easy, so we'll just go with the first one.

JavaScript just needs to go, wherever it is used. (0)

Anonymous Coward | more than 4 years ago | (#31169008)

JavaScript was designed as a simple hack more than 15 years ago. Unfortunately, it has been blown WAY out of proportion, and into something that a lot of people take seriously.

There's no need for JavaScript support in a PDF reader, for fuck sakes! And if they do need to embed a language, they should have used one that's sensible and not as easily exploitable. There are numerous embeddable Scheme interpreters available, for instance. Hell, even Python, Ruby or Perl would be a better idea than JavaScript. At least their implementations aren't full of holes and exploits like just about every JavaScript implementation is.

Re:JavaScript just needs to go, wherever it is use (1)

ThinkingInBinary (899485) | more than 4 years ago | (#31169276)

> they should have used one that's sensible and not as easily exploitable.

Why is JavaScript so easily exploitable? It's probably the APIs available to the JavaScript, and not the language (or interpreter) itself that's exploitable.

Re:JavaScript just needs to go, wherever it is use (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31169602)

It's a very inconsistent language, full of convolution and idiosyncrasies due to it being a hack from the very beginning.

Just take a look at the wtfjs [wtfjs.com] blog to see some examples of JavaScript's outright stupidity. Keep in mind that those are virtually all language flaws, not problems with the DOM or an API.

This inconsistency makes it very difficult to implement properly, let alone with good performance, and lets security issues slip in that just wouldn't happen when implementing more sensible languages like C, Python, Ruby or Scheme.

The problem is with the language itself, not with the DOM or any APIs. That's why the language itself needs to go.

Re:JavaScript just needs to go, wherever it is use (1)

DeadCatX2 (950953) | more than 4 years ago | (#31170048)

> Why is JavaScript so easily exploitable?

Probably because it's a weakly typed language and therefore programmers are sloppy when they use it.

Re:JavaScript just needs to go, wherever it is use (3, Insightful)

Anonymous Coward | more than 4 years ago | (#31169330)

I agree with this analysis of Javascript. It was never designed with security in mind, much like the original versions of Windows.

That said, it's sort of silly anyway. How do these PDFs arrive? By email or downloaded from the internet. And what do we NOT do with email attachments we don't recognise? We DON'T open them. What do we do with something we downloaded from the internet? Scan it for viruses.

We all know the defense. It's getting people to use their brains instead of happily clicking on everything that doesn't dodge their mouse pointer.

The weakest link in security is the user. Ya, it isn't ALL the user's fault, but you can only take secure programming so far before you start trying to protect people from themselves. And, as we all know, trying to protect people from themselves is a good way to piss them off.

Re:Two solutions. (1)

obarthelemy (160321) | more than 4 years ago | (#31169254)

or use foxit reader ?

yes, but... (0)

Anonymous Coward | more than 4 years ago | (#31168834)

..do they run on evince?

Re:yes, but... (0)

Anonymous Coward | more than 4 years ago | (#31169004)

Hackers know that people running evince have nothing worth exploiting, no credit card numbers to steal, no banking logins, no friends in their address book. Not even any bandwidth to use for spamming or DoSing, since that will all be being used to download porn, probably from the same site serving up the maliciously crafted pdf.

Also, evince is a steaming pile of horseshit.

Should PDFs be dangerous? (2)

TubeSteak (669689) | more than 4 years ago | (#31168848)

How much danger am I in once javascript is turned off for Adobe's pdf reader?

Re:Should PDFs be dangerous? (4, Informative)

toleraen (831634) | more than 4 years ago | (#31169162)

That and disabling browser integration generally mitigates the issue. That is until they figure out a way to force Reader to use javascript regardless of your setting...

Re:Should PDFs be dangerous? (1)

Skuld-Chan (302449) | more than 4 years ago | (#31170864)

Disabling browser integration will not disable javascript in Reader... (in fact many of these exploits will operate normally in the stand-alone product).

The only real risk of disabling javascript in Reader/Acrobat is that if you try to use any form that has any logic in it - it will of course not work.

Re:Should PDFs be dangerous? (0)

Anonymous Coward | more than 4 years ago | (#31169430)

Use an alternative viewer.

Then turn off javascript.

Re:Should PDFs be dangerous? (0)

Anonymous Coward | more than 4 years ago | (#31170412)

Don't turn it off! I spent a whole day making the charts in my PDF rearrange themselves with some nifty javascript. If you turn javascript off and you encounter my document on the web you won't get the full experience!!

Re:Should PDFs be dangerous? (1)

Krneki (1192201) | more than 4 years ago | (#31171518)

Never, ever install the PDF plug-in, for any browser. They are slow as hell and open up security issues. Always open PDF files with a stand alone program and for added security make sure it ain't Adobe.

Browser only? (0)

Anonymous Coward | more than 4 years ago | (#31168894)

From what I'm seeing, it looks like it's just a problem if you're looking at Adobe documents in a browser; then the browser gets hijacked. So, if you're just looking at a PDF in standalone Reader, there shouldn't be anything to worry about.

What about alternate readers? (2, Informative)

Monoman (8745) | more than 4 years ago | (#31168966)

Is the problem with the Adobe Reader program itself or the file format? Do third party PDF readers have the same security issues?

Re:What about alternate readers? (1)

Antiocheian (859870) | more than 4 years ago | (#31169284)

Of course not, but disabling Javascript and firewalling Foxit as well isn't a bad idea.

Re:What about alternate readers? (2, Interesting)

Anonymous Coward | more than 4 years ago | (#31169338)

The official PDF spec includes scripting and DRM and all kinds of other crap that 99.99% of pdfs don't use. Many 3rd party readers limit themselves to just displaying documents, so the third party readers have a much smaller surface area of attack.
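A byte-level triage for the scripting features the comment above refers to, added here as an example (it is not part of the thread and not any reader's own logic): it counts the PDF names that trigger script or automatic actions, undoing the `#xx` hex escapes the PDF name syntax allows before comparing. The watched-name list, function names and sample documents are constructed assumptions, and a hit is a reason to inspect the file, not proof of an exploit.

```python
import re

# Names that make a viewer run script or act without being asked (assumed list).
ACTIVE_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch")
# Containers a byte scan cannot see into: compressed object streams, encryption.
OPAQUE_NAMES = ("ObjStm", "Encrypt")

# A PDF name is "/" plus regular characters; "#xx" encodes one byte in hex.
# Binary stream data can contain a matching byte run by chance, so counts
# are an upper bound on what the document really declares.
NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count watched names and record which ones appeared in escaped form."""
    counts = {name: 0 for name in ACTIVE_NAMES + OPAQUE_NAMES}
    escaped = set()
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:
                escaped.add(name)
    return {"counts": counts, "escaped": sorted(escaped)}


def verdict(data: bytes) -> str:
    """Classify as not-pdf, active, undetermined (opaque containers) or static."""
    if b"%PDF-" not in data[:1024]:
        return "not-pdf"
    counts = scan_pdf(data)["counts"]
    if any(counts[n] for n in ACTIVE_NAMES):
        return "active"
    if any(counts[n] for n in OPAQUE_NAMES):
        # Objects inside a compressed stream are invisible to this scan.
        return "undetermined"
    return "static"


# Constructed sample documents (minimal, not valid for rendering).
STATIC_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n%%EOF\n")
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
                b"3 0 obj\n<< /S /JavaScript /JS (app.alert\\('constructed'\\);) >>\n"
                b"endobj\n%%EOF\n")
ESCAPED_PDF = (SCRIPTED_PDF.replace(b"/JavaScript", b"/J#61vaScript")
               .replace(b"/JS ", b"/#4AS "))
PACKED_PDF = (b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length 8 >>\n"
              b"stream\n\x78\x9c\x03\x00\x00\x00\x00\x01\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in [("static", STATIC_PDF), ("scripted", SCRIPTED_PDF),
                       ("escaped", ESCAPED_PDF), ("packed", PACKED_PDF)]:
        report = scan_pdf(doc)
        hits = {k: v for k, v in report["counts"].items() if v}
        print(f"{label:9} {verdict(doc):13} {hits} escaped={report['escaped']}")
```

An "undetermined" result means the file uses object streams or encryption, so the names that matter may sit where a plain byte scan cannot read them.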

Re:What about alternate readers? (0)

Anonymous Coward | more than 4 years ago | (#31170748)

Good to know. I've long suggested other readers anyway, since many "print" to PDF and don't have the same heavy-handed DRM aspects.

Re:What about alternate readers? (2, Interesting)

Skuld-Chan (302449) | more than 4 years ago | (#31171060)

Yes Foxit actually has security issues as well. I personally don't think there are as many because Foxit isn't in as much wide use (Foxit isn't bundled with new PC's for instance). [foxitsoftware.com]

The plain and simple fact is that it is hard to make secure software. Couple that with the fact that the PDF format is well over 20 years old (as you can imagine there's a lot of legacy code in the viewer) and you have a recipe for the perfect security nightmare.

The other problem is - once one researcher/hacker finds a big exploit the blood is in the water and suddenly you have a bunch of people looking into it for obvious reasons.

Me too? NOT (4, Interesting)

ratboy666 (104074) | more than 4 years ago | (#31168994)

The reason for the PDF preference is not "me too". It is, simply, the best current trojan delivery vehicle. I send my CV in PDF format, most of the documents that I deal with are in PDF format.

And I have no way of telling if opening a particular PDF in a particular reader will cause an exploit.

Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed. Microsoft Word has been "hardened". The exploits are going for the weakest part -- output that is in a universal format and is commonly shared. That just happens to have one reader that has most of the market share.

Which means that I will continue to use "Evince" and hope that it won't be targeted soon.

Re:Me too? NOT (4, Funny)

Trepidity (597) | more than 4 years ago | (#31169050)

> It is, simply, the best current trojan delivery vehicle. I send my CV in PDF format

That is also my reason for choosing this fine document format for my CV.

Re:Me too? NOT (4, Insightful)

gad_zuki! (70830) | more than 4 years ago | (#31169170)

Adobe reader's web plugin simply opens PDFs without any warning. Nor does it warn if there is javascript running on the PDF. It's a cracker's dream. Most other applications give some kind of warning, especially if there's something scripted in the document. Adobe does none of this. Heck, you can disable Javascript but it will helpfully remind you that it's disabled and offer to unblock it if you attempt to open a pdf with javascript. It's really an incredibly terrible way to handle security.

This thing should at least be shipping with js disabled and the only way to enable it is by going into Preferences. The web plugin should be retired and just force the pdf to open in the full reader. One can dream, right?

Re:Me too? NOT (3, Insightful)

LenE (29922) | more than 4 years ago | (#31170486)

Worse yet, instead of warning you that a PDF is about to execute JavaScript code, Adobe Reader actively and repeatedly harasses you if you turn off JavaScript, telling you that it won't work properly. This, even if the PDF you are viewing contains no JavaScript whatsoever.

Instead of bothering you when you do something dangerous, it bothers and encourages you to let it behave insecurely. Adobe has become the new Microsoft, with respect to hindering user security.

-- Len

Re:Me too? NOT (1)

maxume (22995) | more than 4 years ago | (#31170554)

Reader does not throw any javascript prompts for documents that do not contain javascript.

Re:Me too? NOT (3, Informative)

Skuld-Chan (302449) | more than 4 years ago | (#31171268)

> Worse yet, instead of warning you that a PDF is about to execute JavaScript code, Adobe Reader actively and repeatedly harasses you if you turn off JavaScript, telling you that it won't work properly. This, even if the PDF you are viewing contains no JavaScript whatsoever.

Hrm tested this in 9 - it only complains with Javascript disabled that the PDF contains some elements that might not be displayed properly because of the preference, and ONLY IF you open a PDF with Javascript in it.

Static PDF files it does not display any warning if JS is off.

Re:Me too? NOT (1)

jonadab (583620) | more than 4 years ago | (#31170774)

> The web plugin should be retired and just force the
> pdf to open in the full reader. One can dream, right?

You can actually do this, in the Firefox prefs, under the Applications tab. (Doing this is on my standard deployment checklist, mainly because it's less confusing for the users. With the embedded reader plugin, the user doesn't realize they've left the web and doesn't understand why browser features, such as the Print and Print Preview commands, don't work. When Adobe Reader opens in a separate window, it's somewhat more evident to the untrained eye what's going on.)

However, if you ever upgrade or reinstall Adobe Reader, it changes the pref back, and you have to fix it again.

IMO, opening the Reader in a separate window *ought* to be the default setting. But apparently Adobe feels differently.

Re:Me too? NOT (1)

Skuld-Chan (302449) | more than 4 years ago | (#31171214)

Interestingly enough - in my days at Adobe doing Tier 3 support - the exploit PDF's I'd get from various sources internally were hard to move around the network because virus scanners would delete or clean them up.

I found this rather surprising many times because these scanners would do this to files that were zero day exploits and files that weren't yet disclosed to the public.

Also if you're installing reader to your enterprise you can disable browser integration, javascript and a myriad of other features out of the box.

Acrobat/Reader does have a trust manager - but that is only invoked when the viewer goes to an external service to the PC (like the net).

Re:Me too? NOT (1)

SnuffySmith (780790) | more than 4 years ago | (#31169314)

I was one of the ones, many years ago, that was frustrated that PDFs didn't do more. Now I only want to use PDFs to deliver documents that have content that can't be altered, and print out like I well expect them to. I repent of my former desire that PDFs do stuff.

Unless of course, ooh cool, Adobe came up with a killer app by combining PDF and Flash in to one thing. Have they already done this? Have I missed the boat?

Re:Me too? NOT (4, Insightful)

nine-times (778537) | more than 4 years ago | (#31169640)

> Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed.

And IMO this is exactly why everyone should be wary of putting scripting languages into documents. We have a well-established convention of distinguishing "documents" from "applications"; "documents" are passive collections of information, whereas "applications" do stuff.

We block applications and scripts because they do stuff and we can't easily know what it is that they do, but we don't block documents because, in theory, they can't do anything. Loading a document in its proper viewer application shouldn't do anything that the viewer wasn't explicitly designed to do. If you throw scripting applications and macros into the documents, then suddenly the "documents" do stuff too. This, in my opinion, is bad.

Re:Me too? NOT (1)

Skuld-Chan (302449) | more than 4 years ago | (#31171298)

If you write a script for Word to do something that would normally take a thousand mouse clicks to do - why is that bad?

If you have a browser form that has a script to submit to a server and validate the form fields while doing so - why is that bad?

Re:Me too? NOT (2, Insightful)

JasterBobaMereel (1102861) | more than 4 years ago | (#31170854)

Why does a document viewer need to run code (javascript or whatever)

99.99% of people use it to display and/or print static documents .... it's only that Adobe keep extending it to do things outside this ....

The core view a PDF is fairly bug free and exploit free it is the extensions that are buggy and vulnerable ....

Why does anyone use Adobe reader anymore? (0, Redundant)

vlm (69642) | more than 4 years ago | (#31169018)

Why does anyone use adobe reader anymore?

On Winderz I use foxit, on linux I mostly use kpdf.

Other than endless exploits, and it seems subjectively to be a bit slower, would I gain anything by using adobe reader?

Re:Why does anyone use Adobe reader anymore? (1)

Noughmad (1044096) | more than 4 years ago | (#31169136)

It also can't override the evil^H^H^H^H printing protection bit.

Re:Why does anyone use Adobe reader anymore? (0)

bradley13 (1118935) | more than 4 years ago | (#31169164)

Because it works? Adobe reader may be bloated, but Foxit is primitive. KPDF has issues when printing.

Re:Why does anyone use Adobe reader anymore? (1)

memnock (466995) | more than 4 years ago | (#31169354)

i just read PDFs, i don't design or write docs in them. Foxit works just as well for that purpose as Adobe. i can open multiple window/copies of a PDF with Foxit. i don't know if i can do that with Adobe.

Re:Why does anyone use Adobe reader anymore? (3, Insightful)

Dishevel (1105119) | more than 4 years ago | (#31169484)

Primitive how. I use it all the time. I put it on all the computers in the company. It is small, fast and secure. I have never had a problem opening, reading or printing a PDF file. When doing those things it is in fact superior to Adobe reader every time.

Re:Why does anyone use Adobe reader anymore? (0)

Anonymous Coward | more than 4 years ago | (#31169724)

I'm a contract manufacturer. My customers like to email blue prints in PDF format. I've tried printing these in 1:1 scale using different PDF viewers and as a result I did return to Adobe.

Re:Why does anyone use Adobe reader anymore? (3, Interesting)

Skuld-Chan (302449) | more than 4 years ago | (#31171558)

> Primitive how. I use it all the time.

You cannot use Foxit on Livecycle forms and other kinds of interactive forms. Foxit doesn't support online commenting and reviewing, Foxit doesn't support 3d annotations (Reader even supports PMI extensions). Yeah Reader is big, but it has a ton of customer requirements.

Foxit does have security advisories - google it, and it's not even a major target.

Re:Why does anyone use Adobe reader anymore? (2, Interesting)

asvravi (1236558) | more than 4 years ago | (#31171162)

I had problems viewing documents with complex formatting and embedded Chinese fonts on Foxit. Returned to Adobe. It is easy to miss some information in the document without even realizing it, if the reader sacrifices functionality in favor of being lightweight. I would any day prefer fidelity to the PDF spec over being lightweight.

Wider target audience (2, Insightful)

nstrom (152310) | more than 4 years ago | (#31169046)

Attacking Adobe Reader means that people who use Firefox are also at risk. For a long while, the popular security paradigm on Windows was that if you used IE you were at risk, but if you kept up with Windows Update and used only Firefox to browse the web you were pretty much safe from the majority of the exploits in the wild. Now that malicious PDFs are out there in force, users of Firefox are vulnerable once again.

Re:Wider target audience (0)

Anonymous Coward | more than 4 years ago | (#31169394)

> For a long while, the popular security paradigm on Windows was that if you used IE you were at risk,

Just because it was popular doesn't mean it was correct. There have been plugin exploits that have worked in Firefox, this isn't a new technique.

This will kill pdf (2, Funny)

dee.cz (1160027) | more than 4 years ago | (#31169048)

one already can't send pdf attachments or even links to pdf to customers without risk of mail being deleted or lost in spam folder.

Two simple safeguards that help (3, Informative)

BlueParrot (965239) | more than 4 years ago | (#31169058)

a) Configure your web browser so it asks you to download pdf files instead of opening them automatically.

b) Use an alternative PDF reader/viewer.

Why? (1)

msauve (701917) | more than 4 years ago | (#31169102)

Probably because, based on UI, speed, size, sheer awkwardness and oddball behavior (does it still act like you're doing a reinstall when you change a config option?), Acrobat consists mostly of unmaintainable spaghetti code - leaving it full of potential exploits.

80% of exploit code or incidents? (2, Insightful)

SnuffySmith (780790) | more than 4 years ago | (#31169168)

So, as I understand it, this article (and the referenced report) refer to code, not the total number of infections/attacks. It would be useful to know (1) how many computers are affected by PDF attacks, and (2) how many PDFs out there are compromised.

But does it run in Linux? (3, Funny)

mspohr (589790) | more than 4 years ago | (#31169248)

I run Linux and Mac and people keep telling me that I am missing out on all this great software... so I want to know if I can run these neat new "Rogue PDFs".

Re:But does it run in Linux? (0)

Anonymous Coward | more than 4 years ago | (#31169412)

> I run Linux and Mac and people keep telling me that I am missing out on all this great software... so I want to know if I can run these neat new "Rogue PDFs".

Why yes, you can!

Later today, Adobe plans to patch several critical vulnerabilities in Reader and Acrobat for Windows, Mac and Linux.

Re:But does it run in Linux? (2, Interesting)

Yvan256 (722131) | more than 4 years ago | (#31170510)

Since Mac OS X has built-in support to read and write PDFs, who installs Adobe Reader on a Mac?!

Re:But does it run in Linux? (1)

NatasRevol (731260) | more than 4 years ago | (#31170682)

As far as I've ever seen, only Windows converts who don't know any better.

Adobe is a security nightmare (5, Interesting)

Coopjust (872796) | more than 4 years ago | (#31169318)

(Note: Trying not to slashvertise, just sharing some info about a program that's helped me stay secure. I have no affiliation with Secunia, I just like the tool a lot.)

I scan with Secunia's (a Danish computer security company) freeware tool [secunia.com] to check if I have insecure applications.

3 times out of 4, when something has a category 4 or category 5 exploit (e.g. click2own), it's Adobe Flash Player, Shockwave, AIR, Reader/Acrobat, etc.

It's also interesting because it tells you if your browsers are insecure (due to plugins or the browser itself). Both IE8 and Chrome are insecure in current versions with all patches.

It was pretty eye opening for me, because I thought that I kept secure, but I had 20 insecure applications when I first got the scanner. I'm always skeptical about getting stuff for free, but I imagine that Secunia uses the data to improve the accuracy of their business software.

To return to the story topic... when possible, use Adobe alternatives (e.g. Sumatra instead of Adobe Reader) and check your flash player and shockwave player versions at least once a week.

Firefox users can use Mozilla's plugin check [mozilla.com].

One more thing in my diatribe...recent versions of the Shockwave Player don't update correctly. I installed the latest version to fix a couple critical vulnerabilities only to find out that it wouldn't remove the vulnerable files from my system directory. I had to download the Shockwave uninstaller, reboot my PC, reinstall shockwave, and reboot again. I felt like I was back on Windows 9x again.

Re:Adobe is a security nightmare (3, Informative)

fishbulb- (81857) | more than 4 years ago | (#31170394)

I opened the Advanced interface of Secunia PSI, the program overview says:
'Cannot display graph, as Adobe Flash Player does not appear to be installed in Internet Explorer on your computer...' then provides a link to install it.

I feel betrayed.

Re:Adobe is a security nightmare (1)

Coopjust (872796) | more than 4 years ago | (#31170476)

I wasn't even aware that the PSI used the Trident rendering engine. I thought for sure they'd use Gecko or WebKit.
The more you know, I suppose.
The tool works very well though- it warns me about having insecure versions of GTK, for instance.

Re:Adobe is a security nightmare (1)

Sporkinum (655143) | more than 4 years ago | (#31170710)

That irritated the hell out of me too! Especially since flash is a pain in the ass to update. You may install a new one, but old cruft is left behind that can be difficult to remove sometimes. Other than the flash issue, Secunia PSI is excellent.

Re:Adobe is a security nightmare (0)

Anonymous Coward | more than 4 years ago | (#31170740)

(Note: Trying not to slashvertise, just sharing some info about a program that's helped me stay secure. I have no affiliation with Secunia, I just like the tool a lot.)

Nonsense, I have no affiliation with Microsoft, but in my experience they make the most secure software on the planet. Their programs are all stellar and don't need your Secunia.

*throws chair*

It isn't "I want some of that too" (3, Interesting)

asdf7890 (1518587) | more than 4 years ago | (#31169386)

In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.

It isn't that. It is the fact that some of the holes took so long to have patches released, so people who don't read techie news (so didn't know to turn Javascript off in the case of those holes in that area) were vulnerable for some time even once the flaw was "publicly" known. This gave crackers time to throw together a "me too!" exploit for the same bug, and encouraged them to keep looking at the platform (if a hole, once found, stays open for some time then the effort is more worth it than looking for a hole on a platform where security patches are released in a more timely fashion).

The other advantage of attacking Adobe's PDF reader is, as with Flash and other cross-browser plug-ins, one of target audience size. A successful attack may affect users of multiple browsers rather than, for example, just those who run a particular version of IE.

Not just Adobe (3, Interesting)

bjackson1 (953136) | more than 4 years ago | (#31169550)

I just got a trojan yesterday through a PDF, while using Foxit and running Windows 7 x64 in Firefox. I didn't think anything of allowing a website to execute a PDF file (I was not aware at the time that you could execute code through a PDF).

The trojan downloaded quite a bit of malware onto my system that I spent last night cleaning from the registry. This is the first time I've gotten malware on my computer in years.

Re:Not just Adobe (0)

Anonymous Coward | more than 4 years ago | (#31170072)

Using an alternative reader is not the ultimate solution. It also helps to disable Javascript actions in the reader. Jscript is mostly seen in PDF's that use forms where user input is done. For the most part you can disable JS and enable it only when needed and you know the true source of the PDF.

Re:Not just Adobe (1)

Inda (580031) | more than 4 years ago | (#31170814)

I'm not calling you a shill, Mr bjackson1, but we all know they lurk on Slashdot.

Can anyone else confirm that Foxit has known security problems?

Re:Not just Adobe (1)

Paradigm_Complex (968558) | more than 4 years ago | (#31171652)

Can anyone else confirm that Foxit has known security problems?

Sadly, yes [coresecurity.com]. Foxit isn't happy with just doing basic rendering on PDF's, but wants to be a more complete alternative to Adobe's Reader. This includes things like running PDF's scripting, and makes it harder to implement securely.

I'm not saying a secure, full-featured PDF reader can't be made, so much as that you're a lot safer using a program that only does the basic rendering. Foxit doesn't fit the bill. It's also closed source >.>

Re:Not just Adobe (1)

caluml (551744) | more than 4 years ago | (#31170836)

running Windows 7 x64 in Firefox

Wow, that's quite impressive! What OS was Firefox running on? Bonus points if it was Linux or Mac.

Hard month for Adobe. (1)

quadelirus (694946) | more than 4 years ago | (#31169660)

First flash is blamed for most application crashes on the Mac. Now PDFs are the number one vector for malicious code in Q4 '09. Hard month for Adobe?

Re:Hard month for Adobe. (2, Informative)

mambodog (1399313) | more than 4 years ago | (#31170078)

Don't forget the controversy of Adobe allegedly trying to sabotage the HTML5 spec. [google.com]

Re:Hard month for Adobe. (1)

beakerMeep (716990) | more than 4 years ago | (#31170788)

If you read the emails by the W3C WG, they dismissed that as utter nonsense and normal procedure and rightly criticized those accusing Adobe as being extremely unprofessional.

Because of JavaScript support in Adobe Reader! (3, Informative)

JakFrost (139885) | more than 4 years ago | (#31169676)

I have noticed that while web browsing and even when using the currently latest Mozilla Firefox 3.5.7 or 3.6 with Ad-Block Plus and PDF Download add-ons installed I still would get hit with a web page that would automatically push an Adobe Reader PDF file to me and I would have it open automatically. That PDF would be just a page full of random words but when inspected in Adobe Acrobat in depth when you go into the Advanced \ Document Processing \ Edit All JavaScript... menu you immediately see a script inside the PDF that is launched upon opening that PDF. When I analyzed the script I saw strange calls to the execution functions and methods along with calls to write out encoded data from an array holding hexadecimal values to files.

With the known exploits in Adobe Reader 9.0 versions and earlier it was easy for me to see why this product was used as a popular attack vector in the last few months for viruses to spread on the Internet.

Luckily, because I use my computer as an ordinary user and use Run As with User Account Control requesting a password for any administrative work and program installation, I avoided being infected with these Trojan horse PDFs.

Some of you might recommend using the Mozilla No Script add-in to block all scripts but the reality is that there is so much JavaScript code out there on the web that turning scripting off makes many web sites unusable since they've all been designed with this reliance on scripting for navigation.
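The check described in the comment above (a script inside the PDF that launches when the document opens) can be approximated without opening the file in a reader. This is an added example, not part of the original comment: a Python triage scan of the raw bytes for the PDF name tokens that mark scripts and automatic actions. The function names and both sample documents are constructed for illustration.

```python
import re

# PDF name tokens that mark active content (scripts, auto-run and launch actions).
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

# A name runs from "/" up to the next whitespace or PDF delimiter character.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky name tokens in raw PDF bytes and flag script-on-open."""
    counts = {name: 0 for name in RISKY_NAMES}
    obfuscated = 0
    for match in NAME_RE.finditer(data):
        raw = match.group(0)
        name = normalize_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:  # a risky name written with hex escapes
                obfuscated += 1
    has_script = counts["/JavaScript"] > 0 or counts["/JS"] > 0
    auto_run = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    return {
        "counts": counts,
        "obfuscated_names": obfuscated,
        "script_on_open": has_script and auto_run,
        "launch_action": counts["/Launch"] > 0,
    }


# Constructed sample: catalog with an open action pointing at a script object.
SAMPLE_SCRIPTED = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert\\('constructed sample'\\);) >>\n"
    b"endobj\n%%EOF\n"
)
# Constructed sample: the same catalog with no actions at all.
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_SCRIPTED))
    print(triage_pdf(SAMPLE_PLAIN))
```

The scan reads only the uncompressed bytes, so names stored inside compressed object streams are not seen; a clean result narrows the risk but does not clear the file.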

Re:Because of JavaScript support in Adobe Reader! (2, Informative)

maxume (22995) | more than 4 years ago | (#31170642)

Uncheck "Preferences->Internet->Display in browser" and Acrobat will prompt you to save those files rather than automatically loading them (this will probably also render your downloading extension redundant).

Which PDF viewer? (1)

pseudofengshui (1432581) | more than 4 years ago | (#31169842)

I'm using Foxit Reader right now, but after hearing about vulnerabilities similar to Adobe I'm reviewing my options.

Anyone have some suggestions for a more secure PDF reader?

Re:Which PDF viewer? (1, Funny)

Anonymous Coward | more than 4 years ago | (#31170194)

I have found the best solution is to contact the site owner and request they print out the PDF and snail mail it to you.

Re:Which PDF viewer? (2, Interesting)

hitnrunrambler (1401521) | more than 4 years ago | (#31170380)

I'm wondering the same thing myself. I use Sumatra instead which is a far more stripped down reader. My instincts tell me that I'm safer because it doesn't have all of the integration (java etc) but I'd love to see some comparisons.

Re:Which PDF viewer? (0)

Anonymous Coward | more than 4 years ago | (#31170684)

Preview.app :)

Re:Which PDF viewer? (1)

jonadab (583620) | more than 4 years ago | (#31170936)

> Anyone have some suggestions for a more secure PDF reader?

Sure. First use pdf2ps to convert it to PostScript, then use other software (e.g., PStill) to convert it to eps, then use Inkscape to convert that to SVG, use Gimp or ImageMagick to rasterize it (e.g., to PNG) and open the result in IrfanView for viewing and printing. Each step of this operation can be done in a separate virtual machine...

Duh. (0)

castironpigeon (1056188) | more than 4 years ago | (#31170084)

It's not difficult to figure out why PDFs are targeted.
  1. Most big corporations and academia use PDFs for everything from forms to memos to sending photos of last week's retreat.
  2. Most big corporations and academia hire super-specialists that can, for example, diagnose a medical issue that occurs in 1 in 10,000,000 people within 5 minutes, but these people cannot function in the larger world and have no time, patience, or idea of what to do with these things you call "files."
  3. Most of these aforementioned corporations and academia will have ridiculously oversized bureaucracies that can agree to standards once every 15 years, are easily swayed by easy solutions, such as those advertised by Adobe, and don't really know or care about whether anything gets done so long as the policies they set 15 years ago are followed to the letter.
  4. And yes, Adobe makes awful, bloated software that's full of security holes and doesn't get patched for weeks or months after those holes are made public.

In other words, the issue is roughly 25% bad software and 75% PEBKAC.

Javascript in PDFs? How dumb is Adobe? (2, Insightful)

bradley13 (1118935) | more than 4 years ago | (#31170694)

As another poster pointed out: including scripting capabilities in "static" documents is just dumb. We've already been through this a few years ago, with people sending around Microsoft Office documents.

Microsoft "fixed" this, in the sense that Office now warns you if a document contains scripting. Better, of course, is that many people have learned not to send or accept such documents in the first place. This was part of what made PDFs popular: a format to send documents that (a) cannot easily be changed and (b) is not a security risk. Millions of business documents are sent as PDFs just for these reasons.

How stupid must Adobe be, to open themselves to this kind of attack. There should be no scripting in PDF documents. Alternatively - second best - scripting should be disabled by default, unless the user specifically authorizes it (as with Microsoft Office documents).

Bad Adobe, no donut.

Ubiquity... (1)

Bert64 (520050) | more than 4 years ago | (#31170794)

They target Adobe's PDF reader because it is extremely widespread, most users don't even realise PDF is a standard and that other readers exist... They think it's a proprietary format only supported by a single program.
As a consequence, virtually every potential victim will be running exactly the same code, or a small subset of possible versions making them a very easy target.
Also Adobe's software hasn't been attacked much before, and therefore is likely to have many more undiscovered bugs.

This is also the reason IE is generally targeted less, now that other browsers are taking significant market share away, except in corporate deployments (where the recent attacks on google proved that targeting IE is still an effective strategy).

Also, most malware filters permit PDF files through..
