
Google Employees Find 60 Security Holes In Adobe Reader

Soulskill posted about a year and a half ago | from the is-that-all dept.

sl4shd0rk writes "Upon examining the PDF Engine behind Google Chrome, Google employees Mateusz Jurczyk and Gynvael Coldwind discovered numerous holes. This led them to also test Adobe Reader, which turned up around 60 holes which could crash the PDF reader, 40 of them being potential attack vectors. The duo notified Adobe, who promised fixes, but as of the latest updates (Tuesday of this week) for Windows and Macintosh, 16 of the reported flaws are still present (the Linux version has been ignored). To prove it, Mateusz and Gynvael obfuscated the info and released it, saying the unpatched holes could easily be found. The Google employees therefore recommend that users refrain from opening any PDF documents from external sources in Adobe Reader."

164 comments

PDFs (5, Insightful)

girlintraining (1395911) | about a year and a half ago | (#41027857)

PDFs have been a security headache for decades now. It originally started as an evolution of PostScript, but has since morphed into a "document solution". Adobe, like so many tech businesses, can't simply create a tool and then be finished. They always have to add more features, more code, more bloat. And surprise surprise, problems arise.

When I go to work on my car, I know my ratchets will work on any bolt on it; I just need to figure out what size it is and maybe an extender and I'm in business. My tools just work; they rarely break, and they don't stop working with next year's model... or the next decade's. Or the last. My ratchets will work on 1950s model cars, and I'm sure they'll still be useful on a 2050 model car.

Linux is more like my ratcheting set. Sed, awk, bash scripts... they don't change. They were there 5 years ago. They'll be there 5 years from now. They're simple, dependable, and "just work". What the fuck is so hard about making a read-only flat document that does the job of being easily readable and printable well? Stop adding features. Make the product do one thing well, and then use the profits to make a completely different product if you need something else done well.

Be like the ratchet.

Re:PDFs (5, Insightful)

Eponymous Hero (2090636) | about a year and a half ago | (#41027917)

imho it got out of control when they added executable javascript.

Re:PDFs (5, Informative)

Jeremiah Cornelius (137) | about a year and a half ago | (#41028291)

Postscript - integral to PDF internals - is itself a Turing-complete language, derived from Forth.

It will always be a problem.

Re:PDFs (2, Informative)

Anonymous Coward | about a year and a half ago | (#41029191)

That's true, but PDF is a subset of Postscript rather than a generalized programming language. For example, the control structures are removed (if, loops, etc.) It should have been possible to put many more limitations on it. Instead, they added back even more ways to shoot yourself in the foot (e.g., Javascript). That's just nuts, and explains why Adobe Reader has been a bloated, ever-expanding program since... well, forever.

What they need is a "Lean PDF" that is strictly limited to describing the page content, with no internal programmability. It would make for simpler parsers that can be checked more easily for security flaws. The "kitchen sink" approach of the current PDF standard makes it fiendishly difficult to support without leaving opportunities for all sorts of mischief.

Re:PDFs (1)

Anonymous Coward | about a year and a half ago | (#41029257)

Postscript is much less of a problem than javascript. The interpreter is simple and it only handles a "small" number of well defined graphics primitives. It doesn't interface with any other stuff but the document itself, not with just about anything on the internet via arbitrary URLs.

Aside from that, as far as I understand, PDF just handles a subset of PostScript to make it easier to implement.

Except That (1)

Anonymous Coward | about a year and a half ago | (#41029653)

...all PS interpreters seem to be as buggy as hell. One exploit is enough to own your printer.

Which javascript? (3)

bigtrike (904535) | about a year and a half ago | (#41029199)

The javascript you can add to the PDF through a GUI or the javascript that you can embed into hex strings when writing a PDF file? The files are a hacky mix of text and binary. Some data types define their length, others have insane rules for end markers and escaping. Hex strings were originally pretty easy, but then they decided that they'd add javascript support into the parsing so you can have constants that vary conditionally on the PDF version number. On top of that, you practically have to build a run time to render the PDF because of the complexity of its nested viewport stacks and viewport modifications that can be executed at any time in the PDF.

If that wasn't enough, they made it way more complicated when they hacked in support for JetForms (now known as LiveCycle), which is an XML language with poorly thought out data types and full of rendering hints that would be really useful if the documentation said more than "ignore these if you're not Adobe". If you want to save a PDF created with LiveCycle that a reader other than Acrobat can read, it's saved in both forms, resulting in a file that's 3x the size of a PDF.
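The two posts above complain that PDF mixes length-prefixed and delimiter-terminated data with awkward escaping rules. The following is an added example (mine, not code from any poster, from Adobe or from the Google researchers) that parses the two PDF string syntaxes and cross-checks a stream's declared /Length against the position of its endstream keyword, the kind of consistency check a robust reader should make before trusting either value. All sample fragments are constructed; the stream check assumes a direct integer /Length rather than an indirect reference.

```python
import re

# Constructed sample fragments, not taken from any real document.
# Literal string: nested parens, escaped parens, \t, an octal escape, a line continuation.
SAMPLE_LITERAL = b'(Hello (nested) \\(paren\\) tab\\there oct\\101 cont\\\ninued)'
# Hex string: embedded whitespace and an odd number of digits (trailing digit padded with 0).
SAMPLE_HEX = b'<48656C 6C6F\n2>'
# Streams: one whose /Length matches the data, one whose /Length is wrong.
GOOD_STREAM = b'4 0 obj\n<< /Length 5 >>\nstream\nBT ET\nendstream\nendobj\n'
BAD_STREAM = b'4 0 obj\n<< /Length 5 >>\nstream\nBT /F1 12 Tf ET\nendstream\nendobj\n'

_SIMPLE_ESCAPES = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b', b'f': b'\f',
                   b'(': b'(', b')': b')', b'\\': b'\\'}


def parse_literal_string(data: bytes, pos: int) -> tuple:
    """Parse a PDF literal string '(...)' starting at data[pos] == b'('.

    Balanced parentheses nest without escaping; a backslash introduces one of the
    simple escapes, up to three octal digits, or a line continuation. Returns
    (decoded bytes, index just past the closing ')'). Raises if unterminated.
    """
    if data[pos:pos + 1] != b'(':
        raise ValueError("literal string must start with '('")
    pos += 1
    depth = 1
    out = bytearray()
    while pos < len(data):
        c = data[pos:pos + 1]
        if c == b'\\':
            nxt = data[pos + 1:pos + 2]
            if nxt in _SIMPLE_ESCAPES:
                out += _SIMPLE_ESCAPES[nxt]
                pos += 2
            elif len(nxt) == 1 and nxt in b'01234567':
                m = re.match(rb'[0-7]{1,3}', data[pos + 1:pos + 4])
                out.append(int(m.group(0).decode('ascii'), 8) & 0xFF)
                pos += 1 + len(m.group(0))
            elif nxt in (b'\n', b'\r'):
                pos += 2                      # backslash-EOL: line continuation
                if nxt == b'\r' and data[pos:pos + 1] == b'\n':
                    pos += 1
            else:
                pos += 1                      # unknown escape: backslash dropped
        elif c == b'(':
            depth += 1
            out += c
            pos += 1
        elif c == b')':
            depth -= 1
            pos += 1
            if depth == 0:
                return bytes(out), pos
            out += c
        else:
            out += c
            pos += 1
    raise ValueError("unterminated literal string")


def parse_hex_string(data: bytes, pos: int) -> tuple:
    """Parse a PDF hex string '<...>': whitespace is ignored, an odd trailing
    digit is treated as if followed by 0. Returns (decoded bytes, index past '>')."""
    if data[pos:pos + 1] != b'<':
        raise ValueError("hex string must start with '<'")
    end = data.index(b'>', pos + 1)           # raises ValueError if unterminated
    digits = re.sub(rb'\s+', b'', data[pos + 1:end])
    if re.search(rb'[^0-9A-Fa-f]', digits):
        raise ValueError("non-hex character in hex string")
    if len(digits) % 2:
        digits += b'0'
    return bytes.fromhex(digits.decode('ascii')), end + 1


_STREAM_RE = re.compile(rb'/Length\s+(\d+)\b.*?>>\s*stream\r?\n', re.S)


def check_stream(data: bytes) -> dict:
    """Find the first stream with a direct integer /Length and compare that value
    with the byte count up to the 'endstream' keyword (minus the single EOL that
    precedes it). A mismatch means the two redundant descriptions of the stream
    disagree, and a careful reader should reject the object rather than pick one."""
    m = _STREAM_RE.search(data)
    if not m:
        raise ValueError("no stream with a direct /Length found")
    declared = int(m.group(1))
    start = m.end()
    body = data[start:data.index(b'endstream', start)]
    if body.endswith(b'\r\n'):
        body = body[:-2]
    elif body.endswith((b'\n', b'\r')):
        body = body[:-1]
    return {"declared": declared, "actual": len(body), "consistent": declared == len(body)}


if __name__ == "__main__":
    print(parse_literal_string(SAMPLE_LITERAL, 0))
    print(parse_hex_string(SAMPLE_HEX, 0))
    print(check_stream(GOOD_STREAM), check_stream(BAD_STREAM))
```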

Re:PDFs (5, Insightful)

Meshach (578918) | about a year and a half ago | (#41028019)

Stop adding features. Make the product do one thing well, and then use the profits to make a completely different product if you need something else done well.

Be like the ratchet.

That works for an open source project where the ultimate goal is to provide a usable product. If the project is already usable then do not add more features. Adobe though is a commercial product. They have to constantly change things and add new features so that their customers will need to upgrade to the latest version. This constant upgrading inevitably introduces instability.

Re:PDFs (0)

Anonymous Coward | about a year and a half ago | (#41028839)

Adobe Reader is freeware.
Why would Adobe want their "customers" (who pay nothing for the software) to constantly upgrade to new versions?

Re:PDFs (5, Insightful)

JDG1980 (2438906) | about a year and a half ago | (#41029239)

Adobe Reader is freeware. Why would Adobe want their "customers" (who pay nothing for the software) to constantly upgrade to new versions?

Adobe Reader is a marketing tool used to sell upgrades to Acrobat. They want to be able to ship new features in new versions of Acrobat, and to do this, they consider it helpful to be able to assure buyers that "everyone" will be able to use their new whiz-bang documents/forms/whatever.

Re:PDFs (0)

Anonymous Coward | about a year and a half ago | (#41029783)

Because by adding PDF features to Reader, they can also add those features to Acrobat Pro (the authoring/editing program) which is an expensive product they sell.

Re:PDFs (0)

Anonymous Coward | about a year and a half ago | (#41029645)

When they have perfected one product, they could create a new one, instead of pursuing diminishing returns and bloat.

Re:PDFs (1)

Anonymous Coward | about a year and a half ago | (#41028245)

Adobe has a long long history of a "fuck you" approach to fixing bugs and making their products work nicely for customers. This disregard for everything except their insatiable greed is why there are sites like Dear Adobe [dearadobe.com] and why many message forums are littered with posts from disappointed and disgruntled Adobe users.

At my work, we're stuck with Adobe Acrobat 9 as Adobe's site license upgrade pricing to Acrobat X is just so terribly expensive. Adobe doesn't make much of an effort to fix security issues with Acrobat 9 as they want to force their customers to upgrade to Acrobat X. We don't need or use any of the "features" Adobe has added to Acrobat for the last 4-5 years. Because Adobe has what is effectively a monopoly on PDF creation/viewing on Windows, we're stuck with their expensive insecure software. And upgrading every other version of Acrobat due to cost. There are alternatives to Adobe, but in an enterprise setting, they seem to create more problems than they solve.

Re:PDFs (5, Insightful)

fm6 (162816) | about a year and a half ago | (#41028273)

Lots of products get "improvements" that are anything but. The point of making stuff is to sell it, and you can't sell new stuff unless you can convince folks that their old stuff is obsolete. You can see that any time you visit a car dealer.

Ratchet design isn't static because their makers woke up one day and said, "It's perfect! Let's stop trying to improve it!" They just don't have any design improvements that will convince you to throw out your old ratchets and buy new ones. If they could, they would.

Re:PDFs (2)

Burning1 (204959) | about a year and a half ago | (#41029509)

Ratchet design isn't static because their makers woke up one day and said, "It's perfect! Let's stop trying to improve it!" They just don't have any design improvements that will convince you to throw out your old ratchets and buy new ones. If they could, they would.

Not to be pedantic, but they have made many improvements to ratchets over the last 50 years.

- Ergonomic handle shapes
- Fine tooth ratcheting mechanisms (helps work in small spaces)
- Low profile designs
- Flex heads
- Different reversing mechanisms
- Different release mechanisms

Even now, you can go to hardware stores and see new and improved designs being marketed.

There are a couple keys with ratchet sets... The ratchet to socket interface is standardized; ball placement, shape, diameter, etc. This is much like API design in software. Because the interface between ratchet and socket is standardized, any attempts to introduce an incompatible ratchet will more or less fail, because no one wants to throw out perfectly good sockets. (To be fair there are a few specialty ratchets that are useful in situations where a deep socket isn't deep enough.)

Because the interfaces are all standardized, ratchet manufacturers have no way of creating compatibility issues that would force users happy with their existing ratchets to throw out all their ratchets and upgrade. Compare and contrast to Microsoft Office, where you pretty much have to upgrade with every new release, or you will be unable to open documents created by newer software.

Re:PDFs (0)

Anonymous Coward | about a year and a half ago | (#41028333)

Ratchets?? Sockets! You need more training, girl.

Re:PDFs (1)

EvilBudMan (588716) | about a year and a half ago | (#41028427)

This reply is about your ratchets. Believe me the same thing is happening with mechanical stuff. Just look at the number of times Apple has changed fasteners on their iPhone so you can't open it without buying another tool. It's all part of the plan to keep you in the fold.

Re:PDFs (1)

Trepidity (597) | about a year and a half ago | (#41028607)

On cars, too, for that matter. Anything 1980s or earlier can generally be worked on with classic mechanics' tools, but 1990s and later stuff has an increasing amount of custom and electronic parts that need specialized tools.

Re:PDFs (1)

cusco (717999) | about a year and a half ago | (#41029163)

Most American cars now have covers over areas of the engine that need a custom tool, normally only available through the dealer, to get off. There are some models where you can't even get to the bloody spark plugs without a custom 7-sided Allen wrench. So far VW and Toyota seem to have avoided that particular bit of stupidity, don't know about the other non-US manufacturers.

Re:PDFs (2, Funny)

ColdWetDog (752185) | about a year and a half ago | (#41029273)

Oh this has been going on for years. Even before the 1980's - SAAB, Volvo - I'm looking at you with your weird little engine tools. British stuff didn't need anything special (other than Whitworth wrenches) - a hammer and a screwdriver would disassemble pretty much any Triumph, Spitfire or Land Rover engine ever made. Of course, they couldn't hold a quart of oil for more than 48 hours, but you never had to actually change the oil, you just replaced it.

Re:PDFs (2)

Alex Zepeda (10955) | about a year and a half ago | (#41029589)

What, you mean metric spanners and sockets (and before that SAE)? Seriously Volvo put perhaps more thought in how things come apart than most other manufacturers. With 80s Volvos if you've got a bolt and a nut, they're typically different sizes (ex 17mm + 18mm instead of 2x 17mm). The bonus here is you can use one set of tools.

Whitworth... now that's weird (unless you're Australian).

Re:PDFs (2)

cant_get_a_good_nick (172131) | about a year and a half ago | (#41028485)

I'm in a devil's advocate mood today... I don't particularly like Adobe (nor do I hate them particularly), and I think Reader is a bloated piece of crap.

But Reader changed not because Adobe has a PDF agenda to rule the world, but because Adobe economically needed it to change. To make money, gain market share, whatever.

A ratchet is a simple tool, one whose expectations won't change. But software (and cars) are much more fluid. Your ratchets may work on your 1950's car, but you won't like driving it. Engines are better now, tires are better, handling is better. You'll hate the boaty-ness of your 50's era driving, the gallons-per-mile you pay for driving it, the lack of safety features, the lack of a DVD player dropping from the roofline for your kid in the back seat. I simply wonder how many safety regulations would prohibit a "new" 50's tech car from being sold. Adobe finds it difficult to get money out of a non-bloated Reader, the same as any car company would go out of business if it sold nothing but 50's tech in cars.

What Adobe should have done is let some group without a profit motive - or a need to bloat it to hell - take over development. Such groups do exist - Apache being the best example. Adobe wants PDF to both be a universal utility, and a tool to bind you exclusively to Adobe. Those goals conflict.

Re:PDFs (1)

Alex Zepeda (10955) | about a year and a half ago | (#41029677)

Mmm. Wrong. Modern ratchets (at least the higher end stuff) often have many more teeth than older ratchets. This allows them to be useful in more confined spaces. Both tools and expectations have indeed evolved. Someone who's used to the flexibility a new SnapOn Dual 80 ratchet affords probably wouldn't be super happy with an old 30 tooth model.

False! (0)

Anonymous Coward | about a year and a half ago | (#41028489)

PDFs have been a security headache for decades now.

PDFs have been no problem. PDF readers that can execute scripts and code are the issue.

Re:PDFs (1)

Anonymous Coward | about a year and a half ago | (#41028545)

Seriously? I've been working on my vehicles for 38 years... I didn't have very many 'special service tools' back then but, while there are still a few bolts on vehicles, I would say the typical modern vehicle requires a lot more specialized tools to do basic things. I wouldn't be at all surprised to find that your ratchets aren't useful on your 2050 model vehicle. The head bolts on my 1993 Toyota diesel can't be removed with a traditional 6 point hex socket; I need a 12 point socket. You need a micrometer to determine whether you can re-use the head bolts or need to replace them. There are now hose clamps buried so deep inside the engine compartment you need a cable-actuated clamping tool to remove/install them.

Bringing us back to "Linux", used to be that Unix tools were primarily single-purpose until Linux came along and people started adding "-R" and "-r" options to commands like 'grep', or 'chown' or 'chmod'... Back in my day, we would use 'find'. 'ls' never used to have colors. So your Unix tools may never have changed, but mine did.

Re:PDFs (1)

ColdWetDog (752185) | about a year and a half ago | (#41029303)

Seriously? I've been working on my vehicles for 38 years... I didn't have very many 'special service tools' back then but, while there are still a few bolts on vehicles, I would say the typical modern vehicle requires a lot more specialized tools to do basic things. I wouldn't be at all surprised to find that your ratchets aren't useful on your 2050 model vehicle. The head bolts on my 1993 Toyota diesel can't be removed with a traditional 6 point hex socket; I need a 12 point socket. You need a micrometer to determine whether you can re-use the head bolts or need to replace them. There are now hose clamps buried so deep inside the engine compartment you need a cable-actuated clamping tool to remove/install them.

Bringing us back to "Linux", used to be that Unix tools were primarily single-purpose until Linux came along and people started adding "-R" and "-r" options to commands like 'grep', or 'chown' or 'chmod'... Back in my day, we would use 'find'. 'ls' never used to have colors. So your Unix tools may never have changed, but mine did.

I wonder what the automobile equivalent of the Single Sided 360K floppy disk is ....

Re:PDFs (0)

smooth wombat (796938) | about a year and a half ago | (#41028633)

Adobe, like so many tech businesses, can't simply create a tool and then be finished. They always have to add more features, more code, more bloat. And surprise surprise, problems arise.

So you're saying they've adopted the Mozilla team's programming philosophy?

Re:PDFs (1)

RDW (41497) | about a year and a half ago | (#41028877)

Linux is more like my ratcheting set. Sed, awk, bash scripts... they don't change. They were there 5 years ago. They'll be there 5 years from now. They're simple, dependable, and "just work"... Stop adding features. Make the product do one thing well, and then use the profits to make a completely different product if you need something else done well.

So you're not an emacs user then?

Re:PDFs (1)

onyxruby (118189) | about a year and a half ago | (#41029341)

Be like the ratchet.

Point well made - something I wish more utilities would do. I would rather have a stable and secure PDF tool than a feature-rich one that constantly needs to be updated and patched.

Re:PDFs (1)

Alex Zepeda (10955) | about a year and a half ago | (#41029621)

My ratchets will work on 1950s model cars, and I'm sure they'll still be useful on a 2050 model car.

Your ratchets, sure. Your sockets, not so much. Plenty of new types of fasteners have been introduced since the 1950s (TORX/E-TORX/TORX Plus, Pozidrive, metric hex stuff, etc).

Alternative readers? (1)

SQLGuru (980662) | about a year and a half ago | (#41027861)

I'd like to see them include some of the alternative readers (Foxit, etc.) included in their testing since they are somewhat popular among people who have thought that Adobe Reader was bloated and slow for quite a while.

Re:Alternative readers? (1)

denis-The-menace (471988) | about a year and a half ago | (#41028021)

I tried Foxit

My Quickbooks has Adobe PDF writer built-in (only good for QB use!)
Somehow, that has made Adobe Reader get called in FF instead of Foxit.

It reminds me of the file association wars between Quicktime, WinAmp and WMP.

Re:Alternative readers? (0)

Anonymous Coward | about a year and a half ago | (#41028199)

And then there's the Apple reader too.

Re:Alternative readers? (3, Informative)

gmuslera (3436) | about a year and a half ago | (#41028239)

In Ubuntu (and probably other distributions and GNOME based desktops) the default viewer is Evince, in KDE ones it is Okular, and you have embedded viewers in other apps, like in Google Chrome. There is no need to install Adobe's unless you need some special added feature. A list of software that works with PDF can be found in Wikipedia [wikipedia.org]

Re:Alternative readers? (1)

SQLGuru (980662) | about a year and a half ago | (#41028611)

I know about the alternatives.....but what I want to know is if any of them have the same security holes (or conversely, which PDF viewer is the most secure).

Re:Alternative readers? (1)

gmuslera (3436) | about a year and a half ago | (#41028961)

It is implicit in the announcement that at the very least the Chrome embedded viewer should be safer. Anyway, the other viewers are probably based on the PDF specification, not on Acrobat Reader code, so they shouldn't share some if not all of those vulnerabilities (but could have different ones).

And in other news... (5, Interesting)

kootsoop (809311) | about a year and a half ago | (#41027899)

Google announces a new initiative: Google Document Format, for all your document sharing needs.

Re:And in other news... (0)

Anonymous Coward | about a year and a half ago | (#41028025)

Well, they do already have their own formats that they use for Google Docs. They just don't tell you what they are. However the Google Docs tools (which I admittedly use a lot for sharing, etc.) are amazingly useful at deleting things from documents that they import. For example text boxes in Excel get dropped completely when you convert to Google Spreadsheet. No warnings. Just dropped. The same things happen to some Word document elements when you import to Google formats. However, if you have a very basic document or spreadsheet to share Google Docs works well for it.

Re:And in other news... (1)

Anonymous Coward | about a year and a half ago | (#41028463)

Google doesn't need to create a new document format. As Google did with the Chrome browser, all they need to do is create a better client:

-- open source
-- free
-- secure
-- fast
-- lightweight
-- works nicely, i.e. updates without rebooting your computer, etc.
-- offers high fidelity "print to PDF" functionality

Do this and much of Adobe's low end Acrobat revenue disappears. And perhaps even more than with Chrome, Google becomes the hero of the enterprise. There is an awful lot of unhappiness out there [dearadobe.com] for the crappy Acrobat software that Adobe forces on people.

And also insecure (0)

Anonymous Coward | about a year and a half ago | (#41029399)

You forgot to add:

-- insecure (like Adobe Reader, uses Javascript)

Any system that sends arbitrary 3rd party code to be executed on users' machines is a security nightmare by definition. We've known and taught that principle to youngsters for 30 years ... but the current generation of clueless webbies has forgotten it.

Re:And in other news... (1)

Bert64 (520050) | about a year and a half ago | (#41029703)

There are already numerous better tools for viewing, creating and editing pdf files than acrobat... And yet many people still think pdf is a proprietary format that requires acrobat, and there are many websites carrying pdf files which even try to advertise this false information.

I have even seen mac and linux users, who generally have a far superior pdf viewer installed by default, using acrobat... Never understood why.

It's not better tools we need, it's better awareness that these tools exist.

Also even if these viewers are just as insecure, simply having diversity will improve things massively.

Easy enough (-1)

FlynnMP3 (33498) | about a year and a half ago | (#41027933)

Don't use Adobe Acrobat Reader.

Everybody in my small office uses PDF XChange Viewer. http://www.tracker-software.com/product/pdf-xchange-viewer/ [tracker-software.com]

Re:Easy enough (5, Insightful)

itsme1234 (199680) | about a year and a half ago | (#41028047)

30 EUR for a single license for "PDF-XChange Viewer" and you get only "1 year of product maintenance" (which probably means after one year you need to pay for security patches).
For a freaking pdf reader? And with no real assurance that this one isn't again full of security holes. Get real.

Re:Easy enough (2, Informative)

Anonymous Coward | about a year and a half ago | (#41028169)

30 EUR for a single license for "PDF-XChange Viewer" and you get only "1 year of product maintenance" (which probably means after one year you need to pay for security patches).
For a freaking pdf reader? And with no real assurance that this one isn't again full of security holes. Get real.

The 30EUR product is their Pro version (more like Adobe Acrobat Standard), they also have a free version which does everything Adobe Reader does and more.

Re:Easy enough (3, Informative)

Anonymous Coward | about a year and a half ago | (#41028185)

Ahem

The FREE PDF viewer download of the PDF-XChange Viewer may be used without limitation for Private, Commercial, Government and all uses, provided it is not -: incorporated or distributed for profit/commercial gain with other software or media distribution of any type - without first gaining permission.

It's got commenting features without watermarking and even does OCR which I have been very impressed by.

Re:Easy enough (0)

Anonymous Coward | about a year and a half ago | (#41028295)

Got 5000 employees? 30*5000 is 150k every year. Or 1.5 million dollars over 10 years. Or the salary of 3 employees. Brilliant!

Re:Easy enough (1)

h4rr4r (612664) | about a year and a half ago | (#41028121)

Why not just use a free one?

$30 for a pdf reader is pretty steep.

Re:Easy enough (0)

Anonymous Coward | about a year and a half ago | (#41029551)

The reader is free at PDF Xchange and it does much much more than Adobe Reader.

Re:Easy enough (1)

Anonymous Coward | about a year and a half ago | (#41028183)

Don't use Adobe Acrobat Reader.

Unfortunately, some PDF documents can only be opened with Adobe Acrobat. See http://www.quickpdflibrary.com/faq/if-this-message-is-not-eventually-replaced-by-the-proper-contents-of-the-document.php [quickpdflibrary.com]

Re:Easy enough (0)

Anonymous Coward | about a year and a half ago | (#41028551)

PDF-XChange Viewer opens those PDFs without any problems (the free version at least).

Re:Easy enough (1)

Joce640k (829181) | about a year and a half ago | (#41028365)

Don't use Adobe Acrobat Reader.

Everybody in my small office uses PDF XChange Viewer.

Or just use Google Chrome. It reads PDF with no plugin. It still lacks a few features but I assume they're working on that in between fixing the holes for Adobe.

Bad business (0)

Anonymous Coward | about a year and a half ago | (#41027941)

Adobe essentially has the userbase by the balls here, and would much rather focus on making more money than paying some self-righteous developers for a few weeks to fix 'security flaws.'

I can imagine a management meeting at Adobe now:
"Those damn programmers put more flaws in Reader!"

Irresponsible disclosure (3, Funny)

Hatta (162192) | about a year and a half ago | (#41027967)

Google was irresponsible in not publishing these holes immediately so affected users could take steps to mitigate their vulnerability while Adobe put together a patch.

Re:Irresponsible disclosure (0)

Anonymous Coward | about a year and a half ago | (#41028005)

maybe they were busy exploiting these holes by sending their competitors PDFs?

Re:Irresponsible disclosure (2, Funny)

bill_mcgonigle (4333) | about a year and a half ago | (#41028067)


maybe they were busy exploiting these holes by sending their competitors PDFs?

Nah, they just used them to bypass Safari tracking protections.

Re:Irresponsible disclosure (0)

Anonymous Coward | about a year and a half ago | (#41029431)

Yup, there is literally NO thing Google won't do, no law they wont break, no privacy they will not violate, to get all the tracking details on that oh so important 1 or 2 percent of web users who use Safari! I personally know (knew!) about 10 people who were murdered because they got in the way of Google tracking ONE SAFARI user's browser! They are just that serious.

Re:Irresponsible disclosure (1)

silas_moeckel (234313) | about a year and a half ago | (#41028133)

You really think nobody else knew about these already? Per your sig, censorship is obscene; is this any different? What's the downside? Either the vulnerabilities are not there and thus not an issue, or people can be informed and mitigate them. You can only guess that nobody else has discovered an issue; it's better to assume somebody has and fix it than to sweep it under the rug.

Informed disclosure? (3, Insightful)

bill_mcgonigle (4333) | about a year and a half ago | (#41028259)

Google was irresponsible in not publishing these holes immediately so affected users could take steps to mitigate their vulnerability while Adobe put together a patch.

The Full Disclosure folks say that vulnerabilities should be disclosed immediately. Their arguments have some merits. The Responsible Disclosure folks say that the vendor should have n number of weeks to get a patch out, then it goes to Full Disclosure. That has some merits as well, but the trouble is the public doesn't know there's a problem during the n weeks. The calculation is a balance of how many people will be protected vs. how many people will be harmed.

It occurs to me that a third way, call it 'Informed Disclosure' for now, would be to:

1. Make an announcement that x number of vulnerabilities have been discovered in the foo function of bar
2. Wait the n number of weeks
3. Move to Full Disclosure

as a way to avoid the problem with Responsible Disclosure but still give the vendor reasonable time to react. e.g. 'Informed Disclosure' may say:

ISSUE-001: Acrobat Reader has a vulnerability with JavaScript objects embedded in documents that can cause a smashed stack. Disable JavaScript in Acrobat Reader to avoid this problem.

and then send Adobe the exploit code, which will be published in 45 days. This also removes the illusion of potential blackmail from security researchers, because the public has on-record information that the disclosure will be published, regardless of the action or inaction by the vendor.

Surely others have taken this approach, but I can't find a name attached to it -- anybody?

Re:Informed disclosure? (1)

dutchwhizzman (817898) | about a year and a half ago | (#41029001)

You can get a CVE number reserved for your vulnerability I believe? I guess you could give a description at that moment and publicly open the CVE later on?

Re:Irresponsible disclosure (0)

Anonymous Coward | about a year and a half ago | (#41028307)

The big software companies (Apple, Microsoft, Adobe, etc.) have worked really hard to punish people who publish security vulnerabilities. Google did a good thing. Not the best thing they could do, but as much as they could do without having to deal with Adobe's legal department.

Fucking Slackers! (4, Funny)

Anonymous Coward | about a year and a half ago | (#41027981)

Those fucking slackers could only find 60 holes in that Swiss cheese? And, they couldn't even bother looking at Flash!

Oops, I have to go. My PC needs to reboot after the third Flash and Reader update today.

Google. (0)

Anonymous Coward | about a year and a half ago | (#41027989)

I can't tell if the news is that there are security holes, or that these people are Google employees. Why does this article emphasize that point so much? Why is it so important that they are Google employees? And why do we all capitalize Google like we capitalize God?

How hard is it to find security holes in Adobe? (2, Insightful)

Anonymous Coward | about a year and a half ago | (#41028023)

I guess they just Googled it...

Best part of the article for me... (1)

sstamps (39313) | about a year and a half ago | (#41028033)

The name of the researcher "Gynvael Coldwind".

Too cool, in more ways than one. :D

Thankful for Firefox 15 beta pdf.js (0)

Anonymous Coward | about a year and a half ago | (#41028035)

I've never had the Adobe plugin and avoided plugins by Foxit and SumatraPDF in favour of just opening them in the standalone viewers.
Now I hope the same security audit of pdf.js in Firefox is done before it's released.

Re:Thankful for Firefox 15 beta pdf.js (1)

93 Escort Wagon (326346) | about a year and a half ago | (#41028383)

PDF.js is so mind-numbingly slow when rendering large PDF files, it's just ridiculous. It's simply not a useful solution in a work environment.

Bad Adobe. Bad! (0)

Anonymous Coward | about a year and a half ago | (#41028041)

Has Adobe ever released anything that wasn't total sh*t? Ever? Seriously.

Re:Bad Adobe. Bad! (1)

bn-7bc (909819) | about a year and a half ago | (#41029209)

Well, IMHO Premiere Pro is quite good. Disclaimer: I'm new to video editing, so I may be way off here.

Re:Bad Adobe. Bad! (0)

Anonymous Coward | about a year and a half ago | (#41029611)

Adobe After Effects.

The Acrobat Plug-In Is Garbage (2)

damn_registrars (1103043) | about a year and a half ago | (#41028081)

I just removed it from my browser a while ago after I finally got sick of it crashing. I now use Okular to read PDFs and life is much better that way. I don't know why anyone would tolerate such a miserable plug-in.

Re:The Acrobat Plug-In Is Garbage (0)

Anonymous Coward | about a year and a half ago | (#41029205)

I really like Okular. I even use it on Windows via the Windows KDE port.

*Very* Sloppy Summary (5, Insightful)

fm6 (162816) | about a year and a half ago | (#41028093)

The summary muddles two distinct PDF readers, the PDF reader built into the current version of Chrome (purely Google) and the PDF reader from Adobe that's completely separate. The Google reader is relevant only because the vulnerabilities in the Adobe reader were discovered using the tools developed to find vulnerabilities in Chrome.

Re:*Very* Sloppy Summary (1)

Trepidity (597) | about a year and a half ago | (#41028667)

The PDF reader in Chrome doesn't seem to be purely Google. On this page [google.com] comparing Chrome to the open-source Chromium distribution, they mention that they can't open-source the Chrome PDF reader because:

The Chrome PDF plugin uses 3rd-party non-free code; no Free Software PDF plugin exists that supports all the PDF features we'd like (such as filling in forms). :(

Whose third-party code? Adobe's? Someone else's?

Re:*Very* Sloppy Summary (1)

fm6 (162816) | about a year and a half ago | (#41028819)

Chromium seems to have diverged a bit from Chrome. The Google PDF reader I was describing is built into Chrome. It's not a plugin. I can't say for sure that it contains no 3rd party software, but I doubt it. It's pretty feature-limited.

Re:*Very* Sloppy Summary (1)

Justin_Schuh (322319) | about a year and a half ago | (#41029081)

That's incorrect. There's never been a PDF reader built into Chromium. The Chrome PDF reader (added in Chrome 8) has always been licensed third-party code in a plugin that ships with Chrome. It's fully sandboxed using PPAPI and has been aggressively audited and fuzzed (this latest round of fuzzing just used a more advanced toolset, so it found new things).

Re:*Very* Sloppy Summary (0)

Anonymous Coward | about a year and a half ago | (#41029461)

I was under the impression Chrome's PDF reader was built on foxit.

http://googlesystem.blogspot.com/2010/08/google-chromes-pdf-plugin-uses-foxit.html

Re:*Very* Sloppy Summary (1)

jhol13 (1087781) | about a year and a half ago | (#41028899)

Besides, had they used a tenth of the time on Linux, Windows, iMacos, or whatnot, they would have found at least twice the amount.

I am extremely disappointed in Linux "security" (I give a shit about W or i). I get several updates every day. This has gotten worse since -90, and is getting much worse extremely fast.

We FUCKING need an ABI! We FUCKING need design (and I do not mean the kernel alone).

Re:*Very* Sloppy Summary (0)

Anonymous Coward | about a year and a half ago | (#41029193)

So you're one of the type 2 Linux users: the cheapskates. You're not ethically opposed to proprietary software--indeed your ABI comment suggests you seek to sell it--but you won't use an OS you have to pay for.

Common Factor? (0)

Anonymous Coward | about a year and a half ago | (#41028189)

of vulnerability? Wouldn't that be Adobe? Two products of theirs, Flash and Reader, and they don't fix them.
I smell capitulation with the enemy.

Is there a tool that does *all* reader functions? (1)

cant_get_a_good_nick (172131) | about a year and a half ago | (#41028233)

I had Reader on my Mac because I had to cryptographically sign something. Is there something out there that does both forms and cryptographic signing?

Also, I forgot about Reader until something asked me to update it. I promptly deleted it, but where did the updater spawn from? I'd love to remove all Adobe code from my machine.

Re:Is there a tool that does *all* reader function (1)

93 Escort Wagon (326346) | about a year and a half ago | (#41028511)

Fortunately, most Mac users don't need Reader at all. Preview handles PDF viewing very well and is amazingly fast.

I have Acrobat Pro installed out of necessity (for work), but all of its auto stuff is turned off - I really only need it once or twice a year. But still... I consider Acrobat a malignant tumor on my hard drive. I may have it walled off, but it's still there, patiently waiting for a chance to spread its poison...

Really, the world would be a better place if people used alternatives to Adobe software whenever possible.

Re:Is there a tool that does *all* reader function (1)

cant_get_a_good_nick (172131) | about a year and a half ago | (#41028537)

I'm aware of Preview; it doesn't do cryptographic signing. I'm asking if something does everything. Preview doesn't cut it.

Hopefully, Google checks the .pdf's (0)

Anonymous Coward | about a year and a half ago | (#41028361)

that they provide links to against these attack vectors?

Adobe Management Failure! (0)

Anonymous Coward | about a year and a half ago | (#41028425)

Adobe management should have attacked these issues for PDF and Flash like Microsoft did for many years. It takes time, but Microsoft actually has gotten much better.

Adobe management has not learned. They've basically ignored security in all their programs for years. Back in 2008, many started calling on us all to avoid Adobe for our own safety. They were right. I was late in calling for this boycott - it was 2010.

Nobody should be using Adobe products unless they make a living using them. For everyone else, there are alternatives - alternatives to flash, alternatives to PDF and alternatives to all those other Adobe video and image tools. Only the extreme hard-core users of Adobe should continue.

Adobe management has not shown that they understand the issues still. They don't care about security and if the last 4 yrs hasn't gotten them to change, they never will.

Adobe response: For a hefty fee, we might fix it (1)

Anonymous Coward | about a year and a half ago | (#41028515)

Adobe has a well documented lack of interest in fixing its bugs without charging its customers. For years now, Photoshop has ignored its placebo settings panel and attached itself to storage volumes despite the wishes of users (After three years, I can only assume the purpose is nefarious, and probably related to terrorism and/or a desire to harm small animals). A spokesman claims the company has finally fixed the bug in CS6, but has told users they must pony up $800+ for the antidote: http://feedback.photoshop.com/photoshop_family/topics/disk_could_not_be_ejected_because_photoshop_is_using_it [photoshop.com]. Most of us will never know whether it's fixed or not.

Welcome to the 90s (-1)

Anonymous Coward | about a year and a half ago | (#41028725)

Big deal, I wrote protocol and file fuzzer tools more than a decade ago.

No app is safe from them; that is why you should run them.

Nothing to see here, news at 11, easy to find crashing bugs, NULL pointer exceptions or memory access violations ... yawn.

Hardly an awesome discovery.
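The kind of mutation-based file fuzzing the comment above dismisses (and that Justin_Schuh's reply says the Chrome PDF plugin is run through) is shown here as an added example; it is not code from the thread, from the article, or from Jurczyk and Coldwind's toolset. The seed document and the toy parser are constructed for the example, and the parser is deliberately fragile (it sizes a table from /Count and then trusts that value) so the loop finds a crash offline. The run_external() function shows how the same loop would drive a real reader binary instead; the acroread command line it mentions is an assumption, not something the page states.

```python
"""Minimal mutation fuzzer: mutate a seed, feed it to a target, bucket
the crashes.  Added example; the seed, the toy parser and the command
line in run_external() are all constructed or assumed, not from the page."""
import random
import re
import signal
import subprocess
import tempfile

# Constructed seed: a minimal, well-formed document to mutate from.
SEED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Count 1 /Kids [3 0 R] >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 4 >>\n%%EOF\n"
)

# Boundary values that commonly trip length and count handling.
INTERESTING = [b"0", b"-1", b"255", b"65535"]


def mutate(data: bytes, rng: random.Random, max_muts: int = 4) -> bytes:
    """Apply 1..max_muts random edits: bit flip, byte overwrite,
    interesting-integer splice, or duplication of a short chunk."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_muts)):
        i = rng.randrange(len(buf))
        op = rng.choice(("flip", "byte", "int", "dup"))
        if op == "flip":
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "byte":
            buf[i] = rng.randrange(256)
        elif op == "int":
            buf[i:i + 1] = rng.choice(INTERESTING)
        else:
            j = min(len(buf), i + rng.randint(1, 16))
            buf[i:i] = buf[i:j]
    return bytes(buf)


def toy_parse(doc: bytes) -> int:
    """Stand-in for a reader's page-tree parser (constructed, deliberately
    fragile): it bounds /Count against an absolute limit but never checks
    it against the number of references it actually found."""
    if not doc.startswith(b"%PDF-"):
        raise ValueError("not a PDF")            # clean rejection, not a bug
    m = re.search(rb"/Count\s+(-?\d+)", doc)
    count = int(m.group(1)) if m else 0
    if count > 1 << 20:
        raise ValueError("absurd /Count")        # size sanity check only
    refs = re.findall(rb"(\d+) 0 R", doc[m.end():]) if m else []
    table = [None] * max(count, 0)
    for k in range(count):
        table[k] = refs[k]                       # IndexError once /Count > len(refs)
    return len(table)


def bucket(exc: BaseException) -> str:
    """Crash-dedup key: exception type plus innermost frame, the script
    analogue of hashing the top of a native stack trace."""
    tb = exc.__traceback__
    while tb.tb_next is not None:
        tb = tb.tb_next
    return f"{type(exc).__name__}@{tb.tb_frame.f_code.co_name}:{tb.tb_lineno}"


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Run the loop; return one reproducer per distinct crash bucket."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                             # parser rejected it cleanly
        except Exception as exc:                 # anything else is a finding
            crashes.setdefault(bucket(exc), case)
    return crashes


def run_external(cmd: list, case: bytes, timeout: float = 5.0) -> str:
    """Same loop body against a real binary: write the case to a file, run
    the reader on it, treat death by signal as a crash.  cmd is assumed,
    e.g. ["acroread", "-toPostScript"] on Linux.  Returns "ok", "timeout",
    or the signal name (on POSIX a negative return code is the signal)."""
    with tempfile.NamedTemporaryFile(suffix=".pdf", delete=False) as f:
        f.write(case)
        path = f.name
    try:
        rc = subprocess.run(cmd + [path], timeout=timeout,
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL).returncode
    except subprocess.TimeoutExpired:
        return "timeout"
    return signal.Signals(-rc).name if rc < 0 else "ok"


if __name__ == "__main__":
    for key, case in fuzz(toy_parse, SEED_PDF, iterations=8000).items():
        print(key, case[:80])
```

The toy parser only ever fails one way, so the loop reports a single bucket; against a real reader the same bucketing is what turns "60 crashes" into a much shorter list of distinct bugs, and the ValueError branch is the equivalent of ignoring inputs the target rejects on purpose.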

Solution: Setup Chrome As Default PDF Reader (1)

idealego (32141) | about a year and a half ago | (#41029115)

Setting up Google Chrome as the default PDF reader is more secure, and it's one less program to update. To do so in Windows 7, just right-click on a PDF file, click "Open with", click "Choose default program", click Browse, and browse to the following file:
C:\Users\\AppData\Local\Google\Chrome\Application\Chrome.exe

Adobe Reader does have some features that Chrome lacks, but 95% of users will be perfectly fine with just Chrome.

Re:Solution: Setup Chrome As Default PDF Reader (1)

idealego (32141) | about a year and a half ago | (#41029135)

Slashdot messed up the path name. Where you see the double slashes is obviously the user name.

Giving an advertising company complete access? (0)

Anonymous Coward | about a year and a half ago | (#41029751)

Are you serious? Chrome? NO-WAY! Don't run it.

The only thing worse than Adobe management's complete failure at handling this is how Google will take advantage of all that data they've been collecting from Chrome users. It might not happen this year, but we are learning more and more about google collecting data and keeping it for sometimes-creepy things. They have the data, you can't get it back.

Best to use Chromium if you like that sort of browser. Chromium is the F/LOSS project on which the Chrome browser is based.

Oooh oooh, can we do Flash next? Please! (nt) (0)

Anonymous Coward | about a year and a half ago | (#41029583)

nt

Hypocrites.. (1)

SuperDre (982372) | about a year and a half ago | (#41029633)

They act like Adobe is bad, while knowing well that big companies work with structured development where everything has to be planned. It's been only about 1.5 months AFTER they notified Adobe about the problems and they're already bitching at Adobe. It's not like all the reported (security) bugs about Chrome are fixed within one month. So I find it very irresponsible of them to publish the information so soon; to me it seems more like they're trying to blackball Adobe...