Slashdot: News for Nerds

Microsoft Helps Adobe Block PDF Zero-Day Exploit

Soulskill posted more than 3 years ago | from the damage-control dept.

Security 93

CWmike writes "Microsoft has urged Windows users to block ongoing attacks against Adobe's popular PDF viewer by deploying one of Microsoft's enterprise tools. Adobe echoed Microsoft's advice, saying the Enhanced Mitigation Experience Toolkit (EMET) would stymie attacks targeting Reader and Acrobat. Called 'scary' and 'clever,' the in-the-wild exploit went public last week when security researcher Mila Parkour reported it to Adobe after analyzing a rogue PDF document attached to spam. Adobe first warned users Wednesday of the threat, but at the time gave users no advice on how to protect themselves until a patch was ready. Microsoft stepped in on Friday. 'The good news is that if you have EMET enabled ... it blocks this exploit,' said Fermin Serna and Andrew Roths, two engineers with the Microsoft Security Response Center in an entry on the group's blog." A Symantec blog post suggests the people exploiting this vulnerability may be the 'Aurora' group responsible for the attacks on Google late last year.


93 comments

Dear Microcock (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33564724)

I'm fucking your dead great grandmother right up the ass!

What does it say about your company... (-1, Troll)

Locke2005 (849178) | more than 3 years ago | (#33564738)

When Microsoft does something that isn't evil, it's considered news?

Re:What does it say about your company... (1)

vlm (69642) | more than 3 years ago | (#33565052)

When Microsoft does something that isn't evil, it's considered news?

MS, Adobe, and a new virus walk into a bar ... and the punchline is the word 'scary' isn't applied to using MS products. Although it scares the hell out of me, being a strictly Linux/Mac guy.

Re:What does it say about your company... (0, Troll)

Anonymous Coward | more than 3 years ago | (#33565194)

MS, Adobe, and a new virus walk into a bar ... and the punchline is the word 'scary' isn't applied to using MS products. Although it scares the hell out of me, being a strictly homosexual guy.

Re:What does it say about your company... (0)

Anonymous Coward | more than 3 years ago | (#33566198)

Project much, gayboy?

Re:What does it say about your company... (0)

Anonymous Coward | more than 3 years ago | (#33567248)

You ever noticed some people like Jerry Falwell and the poster of the above spend entirely too much time thinking about homosexuals, far more than would be considered "normal" for a straight male? Methinks the lady doth protest too much...

Adobe's perspective (4, Insightful)

alvinrod (889928) | more than 3 years ago | (#33565092)

What does it say about your company when another company has to clean up your mess while you stand around, thumb up ass, not appearing to be doing anything meaningful?

This has nothing to do about MS being good or evil. They've got a solution to the problem and it's much welcomed. Hopefully Adobe gets this fixed shortly so that people who can't make use of Microsoft's solution don't have to worry about the vulnerability either.

Re:Adobe's perspective (0)

mcgrew (92797) | more than 3 years ago | (#33565444)

This has nothing to do about MS being good or evil. They've got a solution to the problem and it's much welcomed.

Solving it helps them, too. Note MS didn't suggest simply replacing Adobe with some other company's PDF reader instead of MS software. It makes MS look like they're good at security.

Microsoft -- the DHS of software. "It's all about the look and feel."

Re:Adobe's perspective (0)

Anonymous Coward | more than 3 years ago | (#33566362)

Microsoft's easy-to-break Windows security model is partly at fault. A broken application really shouldn't compromise the whole system.

Re:Adobe's perspective (0)

Anonymous Coward | more than 3 years ago | (#33571260)

Microsoft's easy-to-break Windows security model is partly at fault. A broken application really shouldn't compromise the whole system.

It shouldn't but it does. It is virtually impossible to DEFINITIVELY do what you're suggesting; they try, DEP, hypervisors, limited accounts; unfortunately, when you have possible buffer overflows etc you just can't say that one insecure program won't compromise the rest of the system. Note this is true of Mac and Linux too.

Re:Adobe's perspective (1)

beakerMeep (716990) | more than 3 years ago | (#33568248)

It's called cooperation. I don't get this kind of reaction; how do you "appear" to be doing "anything meaningful"? Is it not better to actually be working on a fix, than to appear to be working on a fix?

I don't see how this turns into "someone else cleaning up your mess while you stand around, thumb up ass." Any security fix takes time -- the question is how fast should the response be? If your argument is that 3 weeks is too long, that would certainly be a valid opinion. (Adobe's bulletin notes they are planning the update for October 4th). But since you don't mention that you think they are taking too long, the comment just reads as flippant, immature anti-Adobe hate. Like you're just judging them on some impossible appearance criteria. You can hate on them for taking too long, or hate on them for creating the bug, but WTF has slashdot come to where we hate on them for not being good at PR?

Re:Adobe's perspective (1)

hesaigo999ca (786966) | more than 3 years ago | (#33600518)

I wonder if this was M$ who thought up another way to exclude all non legit copies to NOT get the much needed fix.
Sure, just pay money to get a legit copy, or move to Linux to avoid paying for an OS...I am sure there are many out there who would appreciate M$ offering free updates EVEN FOR NON-LEGIT copies, as this would definitely make me rethink my M$ is evil methodology; however, it would also lend a much needed hand at securing more of the internet that is still vulnerable and responsible for most spam today.

Re:What does it say about your company... (4, Insightful)

just_another_sean (919159) | more than 3 years ago | (#33565120)

This is /. Anything related to computer security is news. Especially when it effectively targets most, if not all, the users/customers we have to help all day (and night, and weekends!).

Not every story about Microsoft is posted just because it's about Microsoft.

Re:What does it say about your company... (0)

Anonymous Coward | more than 3 years ago | (#33566280)

Especially when it effectively targets most, if not all, the users/customers we have to help all day (and night, and weekends!).

Not everyone here works in tech support. I had always assumed, based on the comments, that most people here are engineers of some flavor.

Re:What does it say about your company... (1)

rrohbeck (944847) | more than 3 years ago | (#33570224)

We're a Linux shop, you insensitive clod!

It's not zero day ... (-1, Troll)

BitZtream (692029) | more than 3 years ago | (#33564740)

unless it's the day it was found. It can't be a 0 day exploit for more than 24 hours. The next day ends that naming convention.

Stop freaking calling every exploit 0 day.

When you're well past a week old, why the fuck do you keep calling it 0 day?

Re:It's not zero day ... (4, Informative)

mcgrew (92797) | more than 3 years ago | (#33564848)

When you're well past a week old, why the fuck do you keep calling it 0 day?

Because it was exploitable on day zero. It's a week old zero day exploit.

Re:It's not zero day ... (1, Funny)

Anonymous Coward | more than 3 years ago | (#33564864)

Look, naming conventions change over time and I'm not so sure it ever meant what you seem to think it meant anyway. In this context "0 day" means there are no known fixes for the problem. In other words it has been 0 days since a fix was released.

Re:It's not zero day ... (1)

_Sprocket_ (42527) | more than 3 years ago | (#33565108)

Look, naming conventions change over time and I'm not so sure it ever meant what you seem to think it meant anyway. In this context "0 day" means there are no known fixes for the problem. In other words it has been 0 days since a fix was released.

It did mean that, at one time. Zero-day meant that it was still unpublished... still secret. You had an exploit that was going to work because "nobody" knew about it. That is, nobody but you and others who had elite access to the BBS' filez. Now the industry has shifted the term to mean that the vulnerability is unpatched. Which, I suppose, has a lot of the same general meaning. Although I think it's lost a lot of the edge; big difference between unpatched and (relatively) unknown.

But then - this is all just semantics. You kids get off my lawn. Back in my day, we had to push bits through MODEMs - both ways. We used KERMIT and we LIKED IT (unless we had ZMODEM). Etc, etc.

Re:It's not zero day ... (1)

Statecraftsman (718862) | more than 3 years ago | (#33564886)

Maybe it's out of endearment...0 day, look at you. You're all grown up but don't forget you'll always be MY 0 day. (hugs)

Re:It's not zero day ... (1)

TheRealMindChild (743925) | more than 3 years ago | (#33564916)

Well, just like standard language, words become twisted and used wrongly enough that they become common use, then over x time, standard use. How many people have you heard use the word "ignorant" to mean "asshole"? Or "ironic" to mean "coincidental"?

I mean hell, in the IT world, a couple of examples are "megabyte" which somehow now means 1000^2 bytes now, instead of the 1024^2 that it has meant forever (or as long as I have been alive). "Alpha" software used to be "still in design phase" and Beta used to mean "We have everything we want done... we just have some bugs to work out". Now "Beta" has taken on the old "Alpha" meaning and "Release Candidate" has taken the meaning of "Beta".

You can't fight it. It is pointless. Just facepalm quietly at your desk and hope "bacon" doesn't come to mean something else. That is one of the signs of the end of days.

Re:It's not zero day ... (2, Funny)

Culture20 (968837) | more than 3 years ago | (#33564974)

hope "bacon" doesn't come to mean something else

Do you mean regular bacon or Canadian (which is really ham)?

Re:It's not zero day ... (1)

BlackSnake112 (912158) | more than 3 years ago | (#33565062)

hope "bacon" doesn't come to mean something else

Do you mean regular bacon or Canadian (which is really ham)?

Or turkey bacon. Which still makes me think for a second or two whenever I hear or see it.

Re:It's not zero day ... (1)

mcgrew (92797) | more than 3 years ago | (#33565544)

Do you mean regular bacon or Canadian (which is really ham)?

Kevin Bacon [wikipedia.org] is Canadian? I thought he was American?

Re:It's not zero day ... (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33565132)

Sliced cheese now means pasteurized prepackaged cheese product...

Also, your megabyte example is more of a 'coming back' if you ask me, as Mega- is the standard prefix for 1000^2x. It was only in computers where it meant any other multiplier.

Re:It's not zero day ... (1)

grouchyDude (322842) | more than 3 years ago | (#33569384)

Only in the USA. Everywhere else (even Canada) it means real cheese sliced into ... slices.

Re:It's not zero day ... (1)

KiloByte (825081) | more than 3 years ago | (#33565426)

I mean hell, in the IT world, a couple of examples are "megabyte" which somehow now means 1000^2 bytes now, instead of the 1024^2 that it has meant forever (or as long as I have been alive).

It still means what it used to mean, unless you're a drive maker. They did get a committee to muddle the water in order to avoid lawsuits, but that doesn't change the meaning of a term that's been well-established for sixty years.

The few places that do use it do have bad effects. In fact, "MiB" for most IT professionals who haven't heard of that committee's revelations sounds like "millions of bytes", bringing confusion. Plain old "MB" doesn't have that flaw as long as drive labelling is not concerned.

Re:It's not zero day ... (1)

zn0k (1082797) | more than 3 years ago | (#33567090)

> I mean hell, in the IT world, a couple of examples are "megabyte" which somehow now means 1000^2 bytes now, instead of the 1024^2 that it has meant forever (or as long as I have been alive).

Which is kind of funny given how the prefix mega had meant 10^6 for a really long time before that, including the telco world and the bits it moved around.

Re:It's not zero day ... (1)

fatphil (181876) | more than 3 years ago | (#33579316)

The _telco_ world was never one of the 1024 users. Telecomms is all based around the old bitrates of the telephone systems, which were always multiples of 1000 bits per second:

Historically, audio telephony had a sampling frequency 8 kHz.

As we went digital, G711 audio channels and ISDN B channels were 64000 b/s for 8-bit audio. Other codecs shrank that to 32000 b/s, 16000 b/s, etc. ISDN D channels were 16000 b/s. ISDN PRI channels were variously 1544000 b/s or 2048000 b/s. All the fat pipes carrying data around, be that SONET (PDH) or SDH use variously
8448000 b/s, 34368000 b/s, 139264000 b/s, etc., etc.

All those numbers are multiples of the original 8 kHz.

So don't blame telephony for the 1024s - they're the least guilty. (Telephony would even include multipliers like 30 or 31, as you'd do the old power-of-2 thing, then reserve space for control or stuffing, or...)

Re:It's not zero day ... (1)

fatphil (181876) | more than 3 years ago | (#33579626)

Doh - that's what you're saying. Tedious facts intended for your parent poster.

Re:It's not zero day ... (0)

Anonymous Coward | more than 3 years ago | (#33568406)

http://technet.microsoft.com/en-us/magazine/2008.03.windowsconfidential.aspx

Re:It's not zero day ... (1)

dieth (951868) | more than 3 years ago | (#33565196)

I'm still waiting for the upgraded version, the powerful -1 day exploit.

Re:It's not zero day ... (2, Funny)

toadlife (301863) | more than 3 years ago | (#33565748)

-1 day exploit.

You mean the user?

Re:It's not zero day ... (0)

Anonymous Coward | more than 3 years ago | (#33570212)

No he means the FFFFFFFF -ing user.

Re:It's not zero day ... (1)

Moridineas (213502) | more than 3 years ago | (#33565252)

I'm not sure that's correct? I thought it was a Zero Day attack if on the day the attack occurred, the problem was not yet known.

Zero Day:

1) People start receiving emails with engineered PDFs that take advantage of the flaw.
2) Adobe discovers the flaw.

Not Zero Day:

1) Adobe discovers (and typically announces) a potential vulnerability
2) The next day, people start receiving emails with engineered PDFs that take advantage of the flaw.

Re:It's not zero day ... (1)

ekhben (628371) | more than 3 years ago | (#33568102)

From TFSummary:

... security researcher Mila Parkour reported it to Adobe after analyzing a rogue PDF document attached to spam.

Reads like Parkour reported an exploit being used actively in the wild to Adobe, to me. Which would make the sequence of events (1), (2), and this a zero day exploit. Silly term in any case, the relevant terms are, imo, "fixed" and "ongoing."

I already fixed mine (4, Insightful)

mcgrew (92797) | more than 3 years ago | (#33564754)

I ununstalled Adobe Reader and installed Foxit. Problem solved!

Re:I already fixed mine (0)

LordBullGod (1602191) | more than 3 years ago | (#33565122)

I ununstalled Adobe Reader and installed Foxit. Problem solved!

Now that will help the rest of the world........

'I'm smug and condescending just to be an asshat!' (2, Informative)

rts008 (812749) | more than 3 years ago | (#33566146)

What's your point?

At least 'mcgrew' offered a possible solution...so, where's your 'help the rest of the world' solution?

Put up, or shut up, you hypocrite.
You are actively working against your implied cause.

I also use Foxit, and learned about it years ago right here on /., from someone like 'mcgrew', making a similar comment.

The only benefit I got from your comment is you are an asshat, just for the sake of being an asshat.

Re:'I'm smug and condescending just to be an assha (0)

Anonymous Coward | more than 3 years ago | (#33566220)

You sir, deserve my vote.

To quote Fark (1)

Sycraft-fu (314770) | more than 3 years ago | (#33565152)

"This."

Seriously, Foxit is the way to go unless you have a reason. If you can't think of one, then you don't have one :). There are things Foxit doesn't do or documents it has problems with, but for normal users it is exceedingly unlikely you'll encounter them. The thing is much lighter weight and seems to have few security issues. Maybe it is just because nobody is looking, but regardless.

I was so glad when I found it for rolling out in our instructional labs. I got sick of having to do an update for Acrobat every other week.

Re:To quote Fark (0)

Anonymous Coward | more than 3 years ago | (#33565416)

I installed Foxit once and I found it to be a buggy and ugly mess, hardly better than Reader itself. I think it even installed the same unnecessary system services that Reader does. It even crashed when I went to update it. Now I use Chrome PDF viewer or Google Docs, and a VMed Windows image with Acrobat installed, for when I require its functionality.

Re:To quote Fark (0)

Anonymous Coward | more than 3 years ago | (#33565620)

I do prefer foxit, but it isn't exactly perfect either [threatpost.com] . In that particular case, Reader was actually safer.

Re:To quote Fark (1)

darth dickinson (169021) | more than 3 years ago | (#33566098)

I installed Foxit, and every time I clicked a PDF link in FireFox, the disk would churn for 5 minutes and everything else running in the browser would come to a halt. It made Acrobat Reader fleet-footed by comparison.

Re:I already fixed mine (3, Insightful)

VGPowerlord (621254) | more than 3 years ago | (#33565206)

As long as you don't assume it's a panacea... Foxit has had its own security exploits in the past.

Re:I already fixed mine (3, Informative)

revlayle (964221) | more than 3 years ago | (#33565260)

Foxit insists on installing toolbars and special search engines these days... don't like it one bit.

Re:I already fixed mine (2, Informative)

Eudeyrn (1566735) | more than 3 years ago | (#33565684)

Sumatra [kowalczyk.info] is my PDF reader of choice now. The program consists of a single executable, it's open source and GPL'ed. As long as all you need to do is load and read PDFs (imagine that, a PDF reader that just reads PDFs), it gets the job done beautifully.

Re:I already fixed mine (0)

Anonymous Coward | more than 3 years ago | (#33565828)

Toolbars? Search engines? Are we talking about the same program here?

I just downloaded the most recent zipped version for Windows last night, and it didn't even need an installer. Past versions that I've used the installer for had a rather obvious checkbox that you could use to opt out of installing a toolbar.

Re:I already fixed mine (3, Insightful)

vux984 (928602) | more than 3 years ago | (#33566152)

Toolbars? Search engines? Are we talking about the same program here?

Yes.
It wants to install the Foxit Search Bar powered by Ask (opt-out)
It wants to set ask.com as your home page (also opt-out)

I just downloaded the most recent zipped version for Windows last night, and it didn't even need an installer.

Right. That's hardly how most people install the software.

Past versions that I've used the installer version of, had a rather obvious checkbox that you could use to opt out of installing a toolbar.

Oh, so you know all about the toolbar crap, and you are just being disingenuous. Classy.

Bottom line, this sort of behaviour is skirting the border of being malware. What percentage of users appreciate another toolbar being crammed into their browser? What percentage of users appreciate their home page being changed? When both are pretty close to zero, you don't make it OPT-OUT in your installation wizard. It's especially obnoxious when users have to keep opting out each time they install an update.

Having an opt out toolbar or home page change as part of the default install is obnoxious enough for me to avoid recommending foxit. Too many people will end up with them and none of them will appreciate it.

Re:I already fixed mine (1)

Halifax Samuels (1124719) | more than 3 years ago | (#33566010)

Not quite "insists" - more like "asks politely"

I've always used Foxit and it gives me a very clear option to not install anything extra. If I ended up with a toolbar or anything else unwanted from it, it would be my own damn fault.

Re:I already fixed mine (1)

djh2400 (1362925) | more than 3 years ago | (#33566648)

I said this in the original article on /. for this exploit, but I'll post it again. I use the portable version of Sumatra PDF [portableapps.com] on my Windows installation and have never had any problems while using it. I would certainly recommend it to people who do not like Foxit as a replacement for Acrobat.

Re:I already fixed mine (1)

arndawg (1468629) | more than 3 years ago | (#33567026)

Yeah, I'm finished with Foxit. Google reader from now on.

Re:I already fixed mine (0)

Anonymous Coward | more than 3 years ago | (#33565286)

They really need a mod type "+1 Smug". Also, "-1 Smug".

Re:I already fixed mine (1)

antdude (79039) | more than 3 years ago | (#33565524)

So you stalled (froze) Adobe Reader? :P

Re:I already fixed mine (0)

Anonymous Coward | more than 3 years ago | (#33565732)

or maybe SumatraPDF? Unless it suffers from the same or other exploits...

Re:I already fixed mine (2, Informative)

hairyfeet (841228) | more than 3 years ago | (#33566320)

Well let the old Hairyfeet add some helpful wisdom to those out here that have clueless relatives. Tell them to uninstall Adobe, then send them to Ninite [ninite.com] and tell them which boxes to check. Ninite has fully automated installers for all the popular apps, including FF and Chrome, Songbird and Winamp, and of course Foxit and Sumatra PDF reader. Oh and ZERO toolbars from those companies that give you crap like Oracle Java.

So trust your old pal Hairyfeet. You got clueless user/relatives, maybe that live many miles away? One phone call and Ninite can make a lot of those problems go away. Hell getting folks away from Adobe and IE seems to have cut down repeat infections by a good 80%. Thanks Ninite!

Re:I already fixed mine (0)

Anonymous Coward | more than 3 years ago | (#33566700)

I ununstalled Adobe Reader and installed Foxit. Problem solved!

Your suggestion sounded interesting until I read about Foxit [wikipedia.org] . From the source:

Foxit Reader is available in .exe, .msi and .zip packages. The installer version of Foxit Reader is bundled with potentially unwanted applications, and may make changes to the user system without his/her approval. Thus, PC Advisor recommends to be "diligent when installing Foxit Reader to ensure the program doesn't install unwanted software." They found that Foxit Reader "attempted to install a Firefox plug-in, made Ask [their] default search engine and created desktop, quick launch and Start Menu icons for eBay."[4] Some of these features can be disabled during the setup process and are not present in the .zip version of the package.

Re:I already fixed mine (1)

mirix (1649853) | more than 3 years ago | (#33567020)

I believe there is a windows port of evince, which is rather nice.

I usually use okular on linux, though. Something about it I like better, but don't recall what right now.

Re:I already fixed mine (0)

Anonymous Coward | more than 3 years ago | (#33567340)

Text rendering is still terrible. Problem remains unsolved.

See example:

http://forums.foxitsoftware.com/showthread.php?t=18048

Windows? Adobe? (0)

Anonymous Coward | more than 3 years ago | (#33564812)

Don't use either.

How is this a real solution? (1)

iONiUM (530420) | more than 3 years ago | (#33564890)

I highly doubt home consumers (i.e. your grandmother) are going to install this enterprise application in order to solve a "0 day" exploit for Adobe. I mean, really? Can a normal person even read the previous sentence I just wrote?

Maybe they should work harder at patching it than finding workarounds, or just tell us the truth (don't open any PDFs, or use Foxit).

Re:How is this a real solution? (1)

CannonballHead (842625) | more than 3 years ago | (#33564956)

How would you suggest they patch it and get the patch out to users?

In my experience:

  1. They patch it and force the patch out using Windows Update: everyone gets mad because MS is forcing an update.
  2. They patch it and recommend the update: everyone gets mad because they aren't forcing users to update, causing various exploits and generally not caring about their customers, etc.
  3. They patch it and don't say anything: everyone is mad because they are obviously trying to hide that they had an exploit.

Of course, this appears to be more of Adobe's issue, so it's a bit of a moot point in this case, but it's a valid point in cases where MS is at fault ...

Re:How is this a real solution? (0)

Anonymous Coward | more than 3 years ago | (#33564980)

Ideally, Windows would bundle a lightweight PDF reader that strips out all "executable" PDF functionality (javascript, launching executables, embedding flash), and then people would download Adobe Reader to view "interactive" PDFs.
Now, unlike Apple, Microsoft probably couldn't do this due to antitrust issues.

Re:How is this a real solution? (1)

Spad (470073) | more than 3 years ago | (#33565068)

Fuck it, maybe *Adobe* could ship a lightweight PDF reader that strips out all "executable" PDF functionality (javascript, launching executables, embedding flash).

At this point, Adobe Reader is so stupidly bloated that I'll frankly be disappointed if Reader 10 doesn't launch a virtualised instance of Windows inside which another copy of Reader is used to actually render the PDF.

Re:How is this a real solution? (0)

Anonymous Coward | more than 3 years ago | (#33565146)

You forgot to put it in the cloud!
It runs a Windows VM which runs a client which sends the PDF to Adobe's servers to be rendered and then comes back. Any interaction obviously also does the round trip to Adobe's servers.

Re:How is this a real solution? (1)

AvitarX (172628) | more than 3 years ago | (#33565278)

Worse are the "Adobe Dialogues" in their design software.

What a waste, the OS dialogue does a great job of letting me save to a network share, the Adobe one is slow and sucks.

It is complete wasted effort that appears to go solely into making the application less usable.

Re:Publicity is publicity (3, Interesting)

b4dc0d3r (1268512) | more than 3 years ago | (#33565280)

Every time a news article says there's a flaw in Acrobat Reader and that everyone is vulnerable, it reinforces the idea that everyone uses Acrobat and there is no other option.

No such thing as bad publicity, bandwagon propaganda, and all that. They might as well put flaws in on purpose for the free monthly advertising. All it takes is a tiny portion of flaws to appear in Foxit, which does happen sometimes, and Adobe gets to claim that no reader is flaw-free.

Re:How is this a real solution? (2, Informative)

gad_zuki! (70830) | more than 3 years ago | (#33566216)

You know, Foxit does this. It enables 'secure reading mode' when you open a PDF from the browser. Adobe should copy this feature, but instead they keep talking about a complex sandboxing scheme for their app.

I'd rather they put in a mode like this, but they won't. Why? Because all those features it disables have been engineered by Adobe and as such they have performed a de facto extension of the PDF spec. Disabling this feature is an admission that Adobe is incompetent and that people can live without js/flash embedding and mailable forms.

So Adobe's management is all about promoting their features and they don't care much about security. They figure the update process will take care of it, but it doesn't. Heck, Reader doesn't even auto-update itself. You need to manually run the updater once and then it lives in your tray asking you to do the update. End users don't update typically. MS learned that the only way to get them to do it is to enable auto-update by default and they've been doing this since XP SP2.

So now everything is hinged on this sandbox mode that lets them have their cake and eat it too. They want all sorts of insecure features and security. They think they can continue business as usual and the sandboxing will protect everyone. Dunno, this seems to be a pretty big gamble to me. Instead of a simple secure reading mode and setting auto-update to default, they're going the sandbox route. I suspect this really won't help and malware writers will find ways outside the sandbox.

Re:How is this a real solution? (0)

Anonymous Coward | more than 3 years ago | (#33568200)

> they have performed a defacto extension of the PDF spec

PDF was invented by Adobe. This is not like where Microsoft took HTML and tried to bolt on ActiveX and Silverlight and other such rubbish.

Re:How is this a real solution? (0)

Anonymous Coward | more than 3 years ago | (#33565080)

Or Acrobat Reader could just ship with Javascript turned off by default.
Does anyone have any idea at all why this isn't the case?
The minuscule fraction of users who will ever need Javascript in a PDF can turn it on when the need arises.
Are the black hats paying off Acrobat or something?

Re:How is this a real solution? (0)

Anonymous Coward | more than 3 years ago | (#33565292)

Obviously I meant, "Are the black hats paying off Adobe?"
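Several comments in this thread (the lightweight reader that strips "executable" PDF functionality, Foxit's secure reading mode, and shipping Reader with JavaScript off) come down to one triage question a mail gateway or help desk can ask before a file ever reaches a full-featured reader: does this PDF carry any active content at all? The script below is an added example, not code from the article, Adobe or Foxit. It decodes the #xx escapes the PDF specification allows in name tokens and then counts the names that introduce scripting, launch, automatic-action and embedded-media behaviour. The two sample documents are constructed inline for the demonstration; they are not the attachments the article refers to.

```python
import re

# The PDF spec lets any byte in a name be written as #xx, so "/JavaScript"
# may legitimately appear as "/Java#53cript"; decode before matching.
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name token runs from "/" up to the next whitespace or delimiter.
NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()%]+")

# Names that give a PDF behaviour beyond displaying pages.
ACTIVE_CONTENT = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
    b"/Launch": "launch action (runs an external program)",
    b"/OpenAction": "action triggered when the document opens",
    b"/AA": "additional (automatic) actions",
    b"/RichMedia": "embedded Flash / rich media",
    b"/EmbeddedFile": "embedded file attachment",
    b"/AcroForm": "interactive form",
}


def normalise_names(data):
    """Replace #xx escapes with the byte they encode."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data):
    """Count active-content names in raw PDF bytes; {} means none found.
    Keys are the names as text, e.g. {"/JS": 1}."""
    counts = {}
    for tok in NAME_TOKEN.findall(normalise_names(data)):
        if tok in ACTIVE_CONTENT:
            key = tok.decode("ascii")
            counts[key] = counts.get(key, 0) + 1
    return counts


def report(data):
    """One line per finding, suitable for a gateway log."""
    return ["%s x%d: %s" % (name, n, ACTIVE_CONTENT[name.encode()])
            for name, n in sorted(scan_pdf(data).items())]


# Constructed samples for the demonstration (not documents from the article).
SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same skeleton, plus an /OpenAction that runs a harmless JavaScript alert.
SAMPLE_WITH_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert("hello")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# The same action with the names written using #xx escapes; a scanner that
# matches raw bytes without normalising would miss these.
SAMPLE_ESCAPED = (SAMPLE_WITH_JS
                  .replace(b"/JavaScript", b"/Java#53cript")
                  .replace(b"/JS ", b"/J#53 "))

if __name__ == "__main__":
    for label, doc in (("plain", SAMPLE_PLAIN), ("js", SAMPLE_WITH_JS),
                       ("escaped", SAMPLE_ESCAPED)):
        print(label, report(doc) or ["no active content"])
```

This is a first-pass filter, not a parser: names inside compressed object streams (/ObjStm with /FlateDecode) are invisible to it until the streams are inflated, so a document that reports clean here still deserves the reader's own JavaScript-off or secure-reading setting as the second layer.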

or just use foxit (0)

Anonymous Coward | more than 3 years ago | (#33565178)

to hell with adobe

Re:or just use foxit (1)

froggymana (1896008) | more than 3 years ago | (#33565842)

I like the document reader that comes with Gnome/Ubuntu.

Re:or just use foxit (1)

icebraining (1313345) | more than 3 years ago | (#33566126)

You mean Evince. Personally, I prefer zathura [pwmt.org] - it's nice for those like me, who like programs that comply with the KISS principle and have a keyboard driven UI.

Re:or just use foxit (0)

Anonymous Coward | more than 3 years ago | (#33569828)

> comply with the KISS principle
>have a keyboard driven UI

derp

Re:or just use foxit (1)

miknix (1047580) | more than 3 years ago | (#33566350)

I like the document reader that comes with Gnome/Ubuntu.

Yeah, it's getting better every time. The other day I opened a PDF used for service inscription, and I was amazed to see that evince displayed embedded form widgets like input boxes, dropdown menus etc. It was slick!

TBH I prefer to be lagging in functionality and have security than the other way around - but that is just me!

EMET (1)

IgnacioB (687913) | more than 3 years ago | (#33565240)

Great, so EMET will be downloaded by a few developers and IT experts and their systems will work fine. However, develop and deploy this beta application to run on the thousands of end user workstations on a corporate network? I'm sure the unintended system slowdown from YET ANOTHER APPLICATION, combined with users wondering what this new icon is doing, ought to be seamless. Too bad Foxit and others don't provide a nagware-free product that's an enterprise solution. Maybe Adobe will start roping back in all their bloat from the last decade and really tighten up their app?

Raises the question... (1)

KumquatOfSolace (1412203) | more than 3 years ago | (#33565326)

Why doesn't Microsoft make EMET part of Windows Defender, and auto-update the settings for various applications/DLLs (like the way they update compatibility-mode settings for websites in IE8)? They could have prevented this exploit on day 1.

ASLR (4, Informative)

js3 (319268) | more than 3 years ago | (#33565354)

According to the article..

  "Normally Address Space Layout Randomization (ASLR) would help prevent successful exploitation. However, this product ships with a DLL (icucnv36.dll) that doesn’t have ASLR turned on."

So enable ASLR on the effing DLL and release a patch, problem solved? Nothing would make me work overtime and on the weekend more than a highly visible level 1 bug. Adobe developers must have it good!

Address Space Layout Randomization... (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33567050)

...was called Scatter Loading in AmigaOS 1.0 back in the 80s, and was done to everything loaded into RAM: executables, shared libraries, data, everything. *sigh*

Re:ASLR (0)

Anonymous Coward | more than 3 years ago | (#33567740)

Not quite [metasploit.com]

# Vulnerability Type: Stack Buffer Overflow
# Bypasses DEP: Yes
# Bypasses ASLR: Yes
# Exploit Requires JS: Yes
# Vulnerability Requires JS: No

Re:ASLR (1)

cbhacking (979169) | more than 3 years ago | (#33567918)

Much though I wish this was a complete solution, there are two possible problems with it.

The first is that ASLR is only available on NT 6.x (Vista, 7, Server 2008). People using XP are out in the cold, which they arguably deserve for using such an outdated OS, but the rest of us don't deserve the collateral damage their rooted boxes will spew (for bonus points, XP has no form of browser sandboxing and the default user has Administrative permissions, making it the most likely to be successfully exploited in any case.)

The second is that, retarded though it seems, people do occasionally write DLLs that assume they are loaded to their specified base address and will break if they end up elsewhere (presumably due to the use of hardcoded memory addresses). This is incredibly stupid behavior, and probably very uncommon, but it's not unheard of. At least a little regression testing is required. Worse, the fact that icucnv36.dll doesn't already specify that it is relocatable may mean that Adobe *knows* it will break (arguably, is already broken). The fix shouldn't be too hard but would still require substantial testing.
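The two comments above (js3 quoting the article about icucnv36.dll shipping without ASLR, and cbhacking on DLLs that are not marked relocatable) both come down to two bits in the PE header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in the optional header's DllCharacteristics field, which is what /DYNAMICBASE sets, and IMAGE_FILE_RELOCS_STRIPPED in the COFF file header, which means the loader could not relocate the image even if it wanted to. The following is an added example, not code from the article, from Adobe or from Microsoft: a small PE header parser that reports whether a module is eligible for ASLR, run over header-only PE images constructed in memory. The constructed images are placeholders for illustration only and do not reproduce the real icucnv36.dll; pass a real file path to check_file() to inspect an actual module.

```python
import struct
from pathlib import Path

# COFF file header Characteristics bits (PE/COFF specification)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # no .reloc section: image cannot be rebased
IMAGE_FILE_DLL = 0x2000

# Optional header DllCharacteristics bits
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # opt in to ASLR (link /DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # opt in to DEP (link /NXCOMPAT)


def pe_aslr_status(data):
    """Parse the DOS, PE, COFF and optional headers of a PE image held in
    memory and report the flags that decide whether the loader will randomize
    its base address. Works for PE32 and PE32+: DllCharacteristics sits at
    offset 70 of the optional header in both formats."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _timestamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "is_dll": bool(file_chars & IMAGE_FILE_DLL),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # The loader only randomizes a module that asked for it AND still
        # carries relocations; a stripped image is pinned to its ImageBase.
        "aslr_eligible": dynamic_base and not relocs_stripped,
    }


def check_file(path):
    """Read a real module from disk and report its ASLR/DEP flags."""
    return pe_aslr_status(Path(path).read_bytes())


def build_minimal_pe(dll_chars, file_chars, pe32plus=False):
    """Constructed sample for this example: a header-only PE image with the
    given flag words, just enough for pe_aslr_status() to parse. It is not a
    loadable module and is not derived from any Adobe binary."""
    magic = 0x20B if pe32plus else 0x10B
    opt_size = 0xF0 if pe32plus else 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A DLL linked without /DYNAMICBASE, the situation the thread describes:
    legacy = build_minimal_pe(0x0000, IMAGE_FILE_DLL)
    # The same DLL relinked with /DYNAMICBASE /NXCOMPAT:
    hardened = build_minimal_pe(
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
        IMAGE_FILE_DLL)
    for name, img in (("legacy", legacy), ("hardened", hardened)):
        print(name, pe_aslr_status(img))
```

A module that reports dynamic_base False is exactly the kind of fixed-address target the Metasploit notes above refer to: its code sits at the same virtual address on every machine, so it can be used as the ROP source regardless of what the rest of the process does. Note that the flag is honoured only on Vista and later, which is cbhacking's first point; on XP the check is moot because the loader never randomizes anything.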

Re:ASLR (0)

Anonymous Coward | more than 3 years ago | (#33568878)

Given that the file is named "icucnv36.dll", it seems plausible that this is some sort of thing derived from ICU [icu-project.org] version 3.6 - which would have been released in 2006 (2 months before Vista).

The one project I know that intentionally requires things being loaded at a specific base address is Cygwin / MSYS (the latter being a fork), due to the need to emulate fork() on a platform that only supports CreateProcess() (i.e. the child has no guarantees memory will be mapped to the same addresses). Sometimes this will fail, especially if you run things in an automated fashion such as continuous integration systems...

Leave it to Microsoft (1)

overshoot (39700) | more than 3 years ago | (#33565382)

the Enhanced Migration Experience Toolkit (EMET) would stymie attacks targeting Reader and Acrobat.

Just what the world needs: a security automaton [wikipedia.org] which drops dead if you get one letter wrong.

EMET Video (1)

gbrayut (715117) | more than 3 years ago | (#33565418)

Here is a Technet video describing EMET [microsoft.com] and here is the download url. [technet.com]

Mitigation, not Migration (1)

richg74 (650636) | more than 3 years ago | (#33565508)

... saying the Enhanced Migration Experience Toolkit (EMET) would stymie attacks targeting Reader and Acrobat.

It's the Enhanced Mitigation Experience Toolkit -- no migration required.

Re:Mitigation, not Migration (1)

erroneus (253617) | more than 3 years ago | (#33565690)

Yeah, that word threw me for a bit. On one hand, I was scared because I didn't want to know what Microsoft wanted to Migrate users to... on the other hand, it could have been a Windows to Linux migration tool... okay, probably not that but I have to pull some optimism from somewhere.

A different tactic is needed to protect Windows XP (1)

si3n4 (540106) | more than 3 years ago | (#33565790)

anyone know what that might be?

icucnv36.dll (1)

klui (457783) | more than 3 years ago | (#33565856)

My personal system uses PDF Xchange Viewer. But on another that has Acrobat Reader 8.x installed, I'm not able to find the dll in question. I never upgraded to 9.x on that system due to bloat but guess new features will come with bugs/vulnerabilities.

It is time for Adobe to cut down Acrobat features (1)

postmortem (906676) | more than 3 years ago | (#33567334)

... and release a lite and (somewhat) safe version of Acrobat Reader for home users that just reads plain PDF files and has 0 extra "features". And 99% of the world would happily use it.

Re:It is time for Adobe to cut down Acrobat featur (1)

tehcyder (746570) | more than 3 years ago | (#33571624)

I've often wondered why Adobe's Acrobat Reader is such a large install, when it doesn't actually do much more than read .pdf files anyway.

Enhanced Mitigation Experience Toolkit (1)

caekys (1845106) | more than 3 years ago | (#33568038)

Obviously no one here uses Microsoft products, but it is Mitigation not Migration...

Subject (1)

Legion303 (97901) | more than 3 years ago | (#33599750)

"'The good news is that if you have EMET enabled ... it blocks this exploit,'"

You know what else blocks this exploit? Not using Acrobat Reader.
