Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hacker Finds Multiple PDF Backdoors

Zonk posted more than 7 years ago | from the watch-where-you-put-that dept.

147

Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are least seven different ways to backdoor a PDF."

cancel ×

147 comments

Sorry! There are no comments related to the filter you selected.

Non Adobe? (4, Insightful)

BiggyP (466507) | more than 7 years ago | (#16117767)

Ok, i don't have the Adobe reader installed but rather Evince and gPDF, since these lack support for a lot of the additional features of PDF am i any safer?

Evince, etc. (4, Interesting)

Noksagt (69097) | more than 7 years ago | (#16117818)

I also mostly use evince. Neither test worked. They triggered this message:
"** (evince:18185): WARNING **: Unimplemented action: POPPLER_ACTION_UNKNOWN, please post a bug report with a testcase."

Note that a different implementation only gives you DIFFERENT bugs and holes, as anyone who has followed exploits in xpdf knows.

Re:Evince, etc. (5, Funny)

Anonymous Coward | more than 7 years ago | (#16117988)

Did you file a bug to let them know they didn't support the exploit? This is free software, they should get right on it.

Popplers?!? (1)

bunions (970377) | more than 7 years ago | (#16118020)

Oh lord, we're doomed!

http://en.wikipedia.org/wiki/Omicron_Persei_VIII [wikipedia.org]

Re:Popplers?!? (1, Informative)

Anonymous Coward | more than 7 years ago | (#16118159)

FYI, the pdf rendering engine is named after the futurama popplers: http://en.wikipedia.org/wiki/Poppler_(software) [wikipedia.org]

AH, ZONK, YOU AND YOUR BACKDOOR PENETRATION STORYS (1, Funny)

CmdrTaco (troll) (578383) | more than 7 years ago | (#16117833)

You sure have a thing for them.

Re:Non Adobe? (0)

Anonymous Coward | more than 7 years ago | (#16117879)

Foxit reader for teh win!

http://www.foxitsoftware.com/ [foxitsoftware.com]

As bloated and intrusive adobe software is, I can't believe problems like this don't happen more often.

Re:Non Adobe? (1)

FudRucker (866063) | more than 7 years ago | (#16117976)

it probably happens more often then what is reported, websites and their databases get compramized often and users info gets ripped is what you hear about - the method used to gain access is not reported (could be innocent looking PDF files opening the holes...

--firefox-does-not-have-a-spell-checker-extension( yet)

Re:Non Adobe? (Off-topic) (2)

itsari (703841) | more than 7 years ago | (#16118302)

I am using Slashdot's Discussion2 and I accidentally modded you redundant. Just posting this reply to cancel the mod.

I find it very odd that there is no confirmation before a selected mod is applied. I think I'll submit that as a UI bug. Sorry for the inconvenience.

BTW, I meant to mod the parent as Interesting, because he raises a great question: Are these flaws of the PDF format? Or just Adobe's implementation (or extensions)?

Re:Non Adobe? (2, Informative)

dextromulous (627459) | more than 7 years ago | (#16118364)

Not necessarily.

Some gPDF [securityfocus.com] vulnerabilities.

I didn't find any Evince vulnerabilities in my limited search, but that doesn't mean there will not be one. You will most likely remain safe from 'sploits targeted towards Adobe users by not using the Adobe PDF reader, but that should be obvious.

Windoze and IE implicated, again. (4, Interesting)

twitter (104583) | more than 7 years ago | (#16118578)

Evince and gPDF, since these lack support for a lot of the additional features of PDF am i any safer?

From the Fine Article:

the target's browser is automatically launched and loads the embedded link. "At this point, it is obvious that any malicious code [can] be launched," Kierznowski said.

That looks like a lot of auto magic nonsense that most free software would not do. The only thing that's obvious to me is that any malicious w32 code is going to bounce off my browser. My pdf reader, kpdf, did not take the first step of automatically launching a browser and my browser would not take any of the dozens of brain dead and spam friendly automatic steps that makes IE a dissaster. A computer that's not internet safe but is connected to a network is always at risk.

Note that it's not a "lack of features" that makes kpdf work right. Kpdf has links that work when you press them, table of content browsing, keyword searches, text and image cut and paste, and prints flawless copy. Those are the features you want in a pdf viewer. Automatically popping up a browser is a feature you don't want.

Re:Windoze and IE implicated, again. (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16118959)

twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.

  • As a representative of the Linux community, participate in mailing list and newsgroup discussions in a professional manner. Refrain from name-calling and use of vulgar language. Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer. Your words will either enhance or degrade the image the reader has of the Linux community.
  • Avoid hyperbole and unsubstantiated claims at all costs. It's unprofessional and will result in unproductive discussions.
  • A thoughtful, well-reasoned response to a posting will not only provide insight for your readers, but will also increase their respect for your knowledge and abilities.
  • Always remember that if you insult or are disrespectful to someone, their negative experience may be shared with many others. If you do offend someone, please try to make amends.
  • Focus on what Linux has to offer. There is no need to bash the competition. Linux is a good, solid product that stands on its own.
  • Respect the use of other operating systems. While Linux is a wonderful platform, it does not meet everyone's needs.
  • Refer to another product by its proper name. There's nothing to be gained by attempting to ridicule a company or its products by using "creative spelling". If we expect respect for Linux, we must respect other products.
  • Give credit where credit is due. Linux is just the kernel. Without the efforts of people involved with the GNU project , MIT, Berkeley and others too numerous to mention, the Linux kernel would not be very useful to most people.
  • Don't insist that Linux is the only answer for a particular application. Just as the Linux community cherishes the freedom that Linux provides them, Linux only solutions would deprive others of their freedom.
  • There will be cases where Linux is not the answer. Be the first to recognize this and offer another solution.

From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advoca cy [ibiblio.org]

Re:Windoze and IE implicated, again. (1)

BeeBeard (999187) | more than 7 years ago | (#16119002)

Hey, great post. You pointed out that this is probably yet another Windows-centric exploit, and also how utterly great the new kpdf is (seriously--the new version is the best pdf reader I've used! Get it--get it NOW! :) The one thing we shouldn't forget, though, is that even when you're running free software, you can still accidentally pass the infected file(s) along to people who aren't.

P.S. I do the uber-paranoid thing. On the rare occasion that I boot into XP for games, the Windows I'm booting into hasn't even had any internet drivers installed. Since I'm only using the OS for one specific thing, and a net connection isn't necessary, I find it more convenient than pulling out a cat-5 cable or two, or messing around with the router so it blocks all traffic.

Re:Windoze and IE implicated, again. (1)

TheoMurpse (729043) | more than 7 years ago | (#16119016)

I clicked on the links with Opera in Windows XP, it launched Adobe Acrobat Reader as it should have, and then...nothing. Neither of the exploit demos were successful on my setup (Opera-XP-Acrobat Reader). Does this mean it's an IE-only exploit? (Note: my default browser is Opera as well)

Re:Windoze and IE implicated, again. (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16119125)

http://slashdot.org/comments.pl?sid=88413&cid=7656 803 [slashdot.org]
http://slashdot.org/comments.pl?sid=77588&cid=6896 690 [slashdot.org]
http://slashdot.org/comments.pl?sid=73226&cid=6595 921 [slashdot.org]
http://slashdot.org/comments.pl?sid=71864&cid=6492 229 [slashdot.org]
http://slashdot.org/comments.pl?sid=69025&cid=6312 196 [slashdot.org]
http://slashdot.org/comments.pl?sid=49657&cid=5011 656 [slashdot.org]
http://slashdot.org/comments.pl?sid=180946&thresho ld=1&cid=14972959 [slashdot.org]
http://slashdot.org/comments.pl?sid=129735&thresho ld=5&cid=10823036 [slashdot.org]
http://slashdot.org/comments.pl?sid=112229&cid=952 1025&threshold=5 [slashdot.org]
http://slashdot.org/comments.pl?sid=137420&cid=114 89094&threshold=5 [slashdot.org]
http://slashdot.org/comments.pl?sid=155076&cid=130 11391&threshold=5 [slashdot.org]
http://slashdot.org/comments.pl?sid=113493&thresho ld=5&cid=9614809 [slashdot.org]
http://slashdot.org/comments.pl?sid=164775&cid=137 51004 [slashdot.org]
http://slashdot.org/comments.pl?sid=126301&thresho ld=5&cid=10572437 [slashdot.org]
http://slashdot.org/comments.pl?sid=119108&thresho ld=5&cid=10056927 [slashdot.org]
http://slashdot.org/comments.pl?sid=135403&cid=112 99129&threshold=5 [slashdot.org]
http://slashdot.org/comments.pl?sid=136181&thresho ld=5&cid=11374447 [slashdot.org]
http://slashdot.org/comments.pl?sid=134005&thresho ld=5&cid=11203454 [slashdot.org]
http://slashdot.org/comments.pl?sid=159878&thresho ld=0&cid=13384602 [slashdot.org]
http://slashdot.org/comments.pl?sid=166661&cid=138 99128&threshold=2 [slashdot.org]
http://slashdot.org/comments.pl?sid=168164&cid=140 19967 [slashdot.org]
http://slashdot.org/comments.pl?sid=168163&cid=140 20030&threshold=5 [slashdot.org]
http://slashdot.org/comments.pl?sid=172399&thresho ld=1&cid=14355804 [slashdot.org]
http://slashdot.org/comments.pl?sid=172869&cid=143 89115&threshold=5 [slashdot.org]
http://slashdot.org/comments.pl?sid=175800&cid=146 12128&threshold=5 [slashdot.org]
http://slashdot.org/comments.pl?sid=153489&thresho ld=-1&cid=12876883 [slashdot.org]
http://slashdot.org/comments.pl?sid=118246&cid=999 7235&threshold=5 [slashdot.org]
http://slashdot.org/comments.pl?sid=100963&cid=863 3073&threshold=5 [slashdot.org]
http://slashdot.org/comments.pl?sid=182119&cid=150 55046 [slashdot.org]
http://slashdot.org/comments.pl?sid=112831&thresho ld=5&cid=9567128 [slashdot.org]
http://slashdot.org/comments.pl?sid=108477&cid=922 6590&threshold=5 [slashdot.org]
http://slashdot.org/comments.pl?sid=93270&cid=8010 985&threshold=4 [slashdot.org]
http://slashdot.org/comments.pl?sid=94140&cid=8079 321 [slashdot.org]
http://slashdot.org/comments.pl?sid=88645&cid=7676 279&threshold=5 [slashdot.org]
http://slashdot.org/comments.pl?sid=116521&thresho ld=5&cid=9861962 [slashdot.org]

Core PDF freature and not a bug anyway (2, Informative)

Craig Ringer (302899) | more than 7 years ago | (#16119198)

The first "vulnerability" is the ability to have clickable web links in a pdf. It's a standard feature of the PDF document language, and all conforming viewers should support it. I'd be surprised if evince doesn't, but most of the other free viewers are too primitive.

In my view this claim is idiotic anyway. I just found a giant security hole in HTML where if they view my page or email with a link and if they click on it, it might take them to a malicious site.

*yawn*

Re:Core PDF feature (2, Insightful)

Craig Ringer (302899) | more than 7 years ago | (#16119201)

My mistake - that post is not correct. It appears to actually be using JavaScript as supported by Adobe reader to automatically launch a link. Still, in my view, not a big deal (and my Adobe Reader asks for confirmation anway) but somewhat more valid.

GhostView (1)

RareButSeriousSideEf (968810) | more than 7 years ago | (#16118796)

The nearly featureless PostScript viewer GhostView ( http://www.cs.wisc.edu/~ghost/ [wisc.edu] ) does me fine for most PDF viewing chores. If a document needs more attention than can be read on screen in a few minutes, I'm just going to send it to a printer anyway.

If it's full of "interactive content," then, well, you shouldn't have made it a PDF, since I'm pretty unlikely to jump through hoops to discover what you're trying to say. Use HTML or PowerPoint or what have you if you really need interactivity. My distrust of active content is high when it's not running in a sandbox like a well-configured browser. Simple hyperlinks are a possible exception, as long as there's no attempt to obfuscate the URI and action.

Heh (4, Funny)

Shawn is an Asshole (845769) | more than 7 years ago | (#16117774)

<beavis_and_butthead>
Huh huh, penetration.
</beavis_and_butthead>

Who started giving this title?

Re:Heh (3, Funny)

SanityInAnarchy (655584) | more than 7 years ago | (#16117820)

Speaking of buttheads, probably the same person who decided to call it a "backdoor".

Re:Heh (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16118019)

Or to call it PDF! hahaha

(Penetrate Da Females)

Re:Heh (0)

Anonymous Coward | more than 7 years ago | (#16118228)

Penetration?? Backdoor??

It's not a vulnerability, it's an exploit... (4, Insightful)

crazyjeremy (857410) | more than 7 years ago | (#16117779)

"I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this," Kierznowski said in an e-mail interview with eWEEK.
Isn't that what a vulnerability is? Exploiting a "feature" in a way not originally intended?

Re:It's not a vulnerability, it's an exploit... (4, Insightful)

JustNilt (984644) | more than 7 years ago | (#16117808)

It seems a fine line but I think many would consider this an exploit. A vulnerability would be a non-feature that can be exploited in some manner. I could be wrong (as far as speaking for others) but this is my take on it. Again, it seems a little like semantics but it's a line that can be defines quite well.

Re:It's not a vulnerability, it's an exploit... (1)

Shimmer (3036) | more than 7 years ago | (#16117930)

I think the terms are pretty easy to understand:

      Exploit : Vulnerability :: Key : Lock

So what this guy has done is develop exploits for pre-existing vulnerabilities in PDF. No?

Re:It's not a vulnerability, it's an exploit... (1)

Ph33r th3 g(O)at (592622) | more than 7 years ago | (#16118505)

s/Key/Pick

Re:It's not a vulnerability, it's an exploit... (1)

Shimmer (3036) | more than 7 years ago | (#16119058)

Granted.

Re:It's not a vulnerability, it's an exploit... (2, Informative)

cgenman (325138) | more than 7 years ago | (#16117968)

I think he's defining a vulnerability to be a piece of poorly written code, like an input buffer that's vulnerable to an overflow. Or a URL parser that's vulnerable to a carefully formatted string. The code in that case is not behaving as intended.

An exploit would be more along the lines of the old outlook viruses. Outlook used to allow arbitrary scripts to be run on mail loading, and messages to be sent to an entire address book. Combine these two, and you have an exploit. It's behaving completely as intended, but they never expected someone to use the features like that.

The PDF reader is behaving as intended, though nobody expected the intended behavior to add up to that.

Re:It's not a vulnerability, it's an exploit... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#16118017)

Whether or not a given piece of software is behaving as intended is not really relevant when considering whether or not the software in question has a security hole. For instance, I can write an app that listens on port 24126 and executes the commands received locally. The software is behaving exactly as intended. It also has a huge security hole - it allows anyone to connect to my computer and run basically any code they want. It may not be a bug in the code, but it is still a security hole. Just as in this case, there might not be a bug in Adobe reader's code, but there appears to be a bug in their design that amounts to a security hole.
Now, you can certainly define an exploit to only include unitended consequences, but if you do that and companies start claiming that the behavior is intentional, your definition becomes not very relevant from a security point of view.

Re:It's not a vulnerability, it's an exploit... (1)

cgenman (325138) | more than 7 years ago | (#16118771)

From a security point of view, they're the same problem. But from a *fixing* point of view, exploits are a lot more problematic. If the functionality if the application is causing the problem, then by definition fixing the security flaw will entail altering the functionality. Suddenly, your PDF-based form scripts won't work any more. A simple buffer overflow will cause headaches to the developer, but an exploit will cause headaches to the developer and a portion of your most devoted users.

Confused (3, Insightful)

ndansmith (582590) | more than 7 years ago | (#16117783)

After reading the article I am not sure if this is an Adobe Reader problem or a PDF problem. Every example cites an Adobe product, but the "hacker" said, "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this." Translation?

Re:Confused (4, Informative)

MarkCollette (459340) | more than 7 years ago | (#16117874)

Basically, the PDF standard [adobe.com] allows for a lot of ways to access data on your local machine, in databases, and through your web browser. It also has mechanisms for running JavaScript, and even executing arbitrary local programs. Some of these things require a user to click on a link in a PDF, and some require just openning the PDF or visiting a specific page in the PDF.

Many of these features are quite helpful for corporate clients, but maybe shouldn't be allowed by default.

In retrospect, some of the other free 3rd part PDF viewers, that don't support those fancy features, might be better for people to use:

http://www.icesoft.com/products/icepdf.html [icesoft.com]

Re:Confused (1)

TubeSteak (669689) | more than 7 years ago | (#16118721)

So, just to boil this issue down to the essentials:

Will turning off javascript within Acrobat prevent the exploit?

(I run IE w/javascript enabled, but not Acrobat. Go Figure)

Re:Confused (2, Informative)

Kesch (943326) | more than 7 years ago | (#16117886)

Really, it's using pdf supported code to undertake malicious actions. The code may or may not work in other readers depending on wether the specific feature has been implemented, however it is at least known for sure that Adobe Reader has the advanced support in place for the exploitable features.

Re:Confused (1)

coleopterana (932651) | more than 7 years ago | (#16117894)

I'd have to agree with you and suggest that instead the article and commentary title here are slightly mislieading...if that were all a typical user read, s/he'd have the impression that merely opening a PDF file would make the computer vulnerable to exploitation in some fashion. The two methods described in this eWeek article don't appear to be anything of the sort. I think the majority of people now on any platform and likely the vast majority of more highly literate (in a computer sense) users don't allow any program to open web pages without the user expressly consenting or manually clicking. The second 'vulnerability' applies to people using Adobe Professional, if I'm not mistaken. That implies to me you have to be using Adobe Professional to BE vulnerable, though I suppose I could be wrong. It looks like there's something potentially improper or loose in some sense about the way that Adobe (maybe just the professional version) is connecting to the web or specific servers? Either way, this definitely feels a tad more alarmist then it should be. I guess it'll depend on what the general news media do when they cover the story.

oops..... (1)

coleopterana (932651) | more than 7 years ago | (#16117915)

(My apologies for the above formatting, I was editing and the cat walked on the laptop, which normally doesn't result in a permanent mistake!)

Re:Confused (1)

HatchedEggs (1002127) | more than 7 years ago | (#16118191)

Its not a bug, its a FEATURE!

Dear God. (1)

O'Laochdha (962474) | more than 7 years ago | (#16117793)

How badly do you have to screw up to make it possible to hack through a virtual document?

Re:Dear God. (2, Insightful)

samurphy21 (193736) | more than 7 years ago | (#16118694)

You mean like email, word documents and such? God.. who knows?

Linux version of acroread seems fine (4, Interesting)

Noksagt (69097) | more than 7 years ago | (#16117798)

The article has two testcases. The second uses Windows ODBC so, unsurprisingly, fails. The first is supposed to open a web page automatically, but I'm presented with a dialogue asking me if I really want to open it (and the URL is identified in the dialogue). This seems to be good behavior. Did Adobe get things right on Linux & not on Windows? That's got to be a first.

Re:Linux version of acroread seems fine (1)

JustNilt (984644) | more than 7 years ago | (#16117869)

Neither test document worked for me on a Windows XP box all patched up and using Acrobat Reader 7.0.8. What I get is a Security Warning stating the document is trying to connect to the domain. I'm not totally convinced this is an Adobe warning as it looks a lot like IE's warnings and I haven't yet tested exhaustively.

Either way, it's time to start letting clients know that PDFs have been added to the list of "potentially risky" file types.

Re:Linux version of acroread seems fine (1)

JCCyC (179760) | more than 7 years ago | (#16117877)

The article has two testcases. The second uses Windows ODBC so, unsurprisingly, fails. The first is supposed to open a web page automatically, but I'm presented with a dialogue asking me if I really want to open it (and the URL is identified in the dialogue). This seems to be good behavior. Did Adobe get things right on Linux & not on Windows? That's got to be a first.

Same here (RPM version 7.0.1-1), except the dialog box does NOT say what URL is going to be opened. And it refuses to save any browser preferences.

Of course, my default viewer is GGV.

Re:Linux version of acroread seems fine (1)

sjwest (948274) | more than 7 years ago | (#16118092)

Simple answer hacking microsoft windows is more productive, and validates the issue so it gets reported here.

Re:Linux version of acroread seems fine (1)

Kesch (943326) | more than 7 years ago | (#16117932)

Looking at some of the comments in his blog, the presence or absence of a warning box is kind of random. However, it might be linked to wether you open the pdf from your browser(no warning) or from your machine.

I got an interesting result on mine (under Linux) in that it asked me if I wanted to config my browser settings. I answered 'yes' and was then directed to a config page where I could input which browser command I wanted to use to launch my browser. It looks like this could easily be set to an intermediate script which could pop up a dialogue with the URL to confirm that you really want to open a link.

pr0n (5, Funny)

User 956 (568564) | more than 7 years ago | (#16117839)

He claims there are least seven different ways to backdoor a PDF.

I've seen quite a bit of pr0n. There's way more than seven ways.

clarification (2, Funny)

User 956 (568564) | more than 7 years ago | (#16117867)

that's assuming that by "PDF", he means "Pretty Drunk Female"....

PDF? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16117943)

I thought PDF was for penis-deprived fag.

Re:pr0n (1)

Dacmot (266348) | more than 7 years ago | (#16118380)

I sure would love to have his job:

David Kierznowski, a penetration testing expert

Re:pr0n (0)

Anonymous Coward | more than 7 years ago | (#16118524)

Pregnant Dutch Female? Didn't realize the industry had gotten so specialized.

Sources claim... (5, Funny)

Mikachu (972457) | more than 7 years ago | (#16117842)

Sources claim the exploits would have been found sooner if any other hackers had the patience to wait for PDFs to load.

LOL. (0)

Anonymous Coward | more than 7 years ago | (#16117871)

Make sure you mod parent up, very funny.

Load PDFs with Acrobat in seconds (5, Informative)

dw604 (900995) | more than 7 years ago | (#16118175)

Re:Load PDFs with Acrobat in seconds (1)

Carthag (643047) | more than 7 years ago | (#16119131)

Or you could just you know use a third party reader...

Load PDFs in milliseconds (2, Funny)

this great guy (922511) | more than 7 years ago | (#16119190)

Even faster ! [informationweek.com]

Yippee Skippee (3, Interesting)

Mozleron (944945) | more than 7 years ago | (#16117846)

Just when i thought i didn't like PDFs, up comes this neat little "Feature" to try and make me like them all the more...

Wait, this isn't a good thing, is it... And i'm willing to bet Adobe is not really all that happy about it either...

Maybe this will prod them into getting back to their roots of a simpler system that did not take 30+ seconds to start up and did not bring a browser to its knees when it decided to act up... Or maybe i could just be dreaming.

Mac OS X Drawing Subsystem? (3, Interesting)

akheron01 (637033) | more than 7 years ago | (#16117857)

As a concerned Mac user I enjoy my very securely built operating system very much, and since the OS X drawing system is based heavily around PDF I was wondering if these could possibly create vulnerabilities in the operating system for mac users.

Re:Mac OS X Drawing Subsystem? (2, Informative)

agent dero (680753) | more than 7 years ago | (#16118099)

The vulnerabilities aren't in the format per se, but more in Adobe's implementation of their Acrobat products.

Apple, along with Preview, has its own implementation of rendering and viewing PDFs

Re:Mac OS X Drawing Subsystem? (1)

Strolls (641018) | more than 7 years ago | (#16118129)

As a concerned Mac user ... I was wondering if these could possibly create vulnerabilities ... for mac users.
Well, if you tried downloading the sample PDF [michaeldaw.org] in 10.4 you'd see that opening it in Preview shows an apparently-live webpage. So it would seem fairly safe to say the answer may be "yes".

Stroller.

Re:Mac OS X Drawing Subsystem? (0)

Anonymous Coward | more than 7 years ago | (#16118217)

Thankfully the Mac OS X drawing subsystem isn't built on top of ACROREAD.EXE, so no.

Though that could explain why the Intel chips are so much faster for Mac OS X...

Re:Mac OS X Drawing Subsystem? (1)

Petrushka (815171) | more than 7 years ago | (#16118289)

Fear not: the title (replicated from TFA) is glaringly inaccurate in an attempt to sensationalise and induce general panic.

As even the blurb above states quite clearly, these are not vulnerabilities in PDF, a file format, they're vulnerabilities in Adobe Reader, an application (and one which most OS X users have no need for, thanks to Preview).

In fact, TFA seems to indicate moreover that the attacks are specific to Windows.

Nothing to see here .... unless you use Adobe Reader in Windows.

Re:Mac OS X Drawing Subsystem? (1)

laffer1 (701823) | more than 7 years ago | (#16118351)

Actually I have it installed on my Mac. There are a few features Preview does not support.

Re:Mac OS X Drawing Subsystem? (0)

Anonymous Coward | more than 7 years ago | (#16118346)

If you have to ask whether this will compromise the security of OS X, how do you feel qualified to name it a "very securely built operating system"? Is that just what the guy in the turtleneck at the "Genius Bar" told you? I mean, it seems like if you were qualified to analyze a system's security you wouldn't need to ask that question. And if you're not qualified, well, you probably shouldn't be making that claim to begin with.

Re:Mac OS X Drawing Subsystem? (1)

maop (309499) | more than 7 years ago | (#16119210)

He read it in MacWorld I guess.

Penetration (3, Funny)

SauroNlord (707570) | more than 7 years ago | (#16117873)

David Kierznowski, a penetration testing expert I wish I was a penetration test expert!

thar is only one way to penetrate a mac user (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16117900)

IN THA ASS

Of course (2, Insightful)

Anonymous Coward | more than 7 years ago | (#16117924)

As if postscript is not dangerous enough, Adobes PDF attack vector executes javascript. When you're done disabling javascript in the Adobe PDF reader, you should disable it in your browser.

Has everyone downloaded the new version of firefox because 5 out of 7 of the vulns it fixes are javascript related. Why do we have to keep going through this, are people in denial or something? We all know what the problem is. There's only one security advisory I'd like to see for javascript problems, the mother of all advisories:

MSFA 20XX-00 Enabling javascript allows remote code execution

Solution: Disable javascript, on a permanent basis.

Javascript (1)

sowth (748135) | more than 7 years ago | (#16118489)

Well the first order of business would be to hunt down an kill all the "web developers" who insist on using javascript for essential parts of their site. If it wasn't for them, I could just use dillo like I want to and not worry about javascript crap...

Re:Of course (1)

pclminion (145572) | more than 7 years ago | (#16118539)

PDF does not contain PostScript. The outward appearance of PDF's high-level data types (like dictionaries), and the PDF graphics language were inspired by PostScript, but it is NOT a stack based language. You can't, for instance, write a PDF which computes Mandelbrot's fractal and displays it (as you could with a PostScript program).

Get the facts straight. Just because a PDF looks "kinda like" a PostScript file in a binary editor doesn't mean it's PostScript.

Easy (4, Informative)

OpenSourced (323149) | more than 7 years ago | (#16117942)

Use FoxitReader (http://www.foxitsoftware.com), much lighter and faster than Adobe Reader, and probably with its own set of vulnerabilities, but unlikely to be much targeted.

Free (2, Informative)

mrchaotica (681592) | more than 7 years ago | (#16118116)

Better yet, use Ghostscript [wisc.edu] . It's also much lighter and faster than Acrobat Reader, and -- more importantly, and unlike Foxit Reader -- is Free Software.

Re:Free (1)

gatzke (2977) | more than 7 years ago | (#16118199)


Yes, but the default version has an annoying splash screen registration screen to click through every time you open gv or gsview.

As a result, I stopped using their reader. Free and Annoying.

Re:Free (1)

duguk (589689) | more than 7 years ago | (#16118485)


> Yes, but the default version has an annoying splash screen registration screen to click through every time you open gv or gsview.

Nope, it doesn't have an annoying splash screen, but does have a small unobtrusive advert in the top right - which doesnt need internet access, only advertises FoxIts own products AND can be turned off through the menus.

> As a result, I stopped using their reader. Free and Annoying.

Definately free, but easy to use for idiots. At least it doesn't crash Firefox :)

Dug

Re:Free (1)

Ctrl-Z (28806) | more than 7 years ago | (#16118625)

I believe the comment was that ghostscript is free and annoying, not foxit.

"Hacker"?! (4, Interesting)

coyote-san (38515) | more than 7 years ago | (#16117995)

Since when is a respected security researcher a "HACKER"?!

Seriously. I know the old definition of "hacker" and have been proud to be called one (in that sense) in the past, but the headline clearly refers to the malicious definition of hacker. This headline seems to serve no purpose other than deliberately blurring the line between legitimate researchers and the jerks who exploit weaknesses.

Re:"Hacker"?! (0)

Anonymous Coward | more than 7 years ago | (#16118315)

hacker, noun. one who implements mad hax

XXX.pdf (-1, Offtopic)

f4hy (998452) | more than 7 years ago | (#16118034)

How long until someone posts a link to a pdf file of... "backdoors"

must....quote....Wargames... (1)

not a cylon (1003138) | more than 7 years ago | (#16118041)

Malvin: I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?
Jim Sting: [yelling] Mister Potato Head! Mister Potato Head! Back doors are not secrets!
Malvin: Yeah, but Jim, you're giving away all our best tricks!
Jim Sting: They're not tricks.

Only on the Windows version (1, Informative)

Anonymous Coward | more than 7 years ago | (#16118108)

The Mac version of Acrobat reader is actually not affected by these vulnerabilities; they only occur on the Windows platform.

Easy Fix: Disable those plugins! (2, Informative)

imaginaryelf (862886) | more than 7 years ago | (#16118109)

Create a parallel directory to installdir/adobe/acrobat 7.0/acrobat/plug-ins/ directory, call it plug-not, and move all non essential plug-ins into that directory.

I just want a reader, not a full fledged pseudo-browser app with tons of security exploits - there's already one called Internet Explorer on my PC!

So I've moved away: Accessibility, Acroform, ADBC, EScript, Multimedia, weblink, webpdf, etc.

Now when you open those "exploit" links, you get an pop-up saying, "The plug-in required by this 'URI' action is not available."

You get another benefit from this. Your acrobat reader will load sooo much faster too!

Re:Easy Fix: Disable those plugins! (1)

Lehk228 (705449) | more than 7 years ago | (#16118332)

try out foxit, it's, by far faster than acrobat reader and aside from any technical security improvements, it has the benefit of being a tiny target compared to acrobat

yes even much faster than the stripped down version of acrobat reader

Back Door Demo #2 - Link Wrong (4, Informative)

md17 (68506) | more than 7 years ago | (#16118110)

In the article the second "back door demo (PDF)" link just points to the same PDF as the first link. The correct link is:
http://michaeldaw.org/projects/backdoored2.pdf [michaeldaw.org]

Malicious links are a PDF problem? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16118113)

The first back door (PDF), which eWEEK confirmed on a fully patched version of Adobe Reader, involves adding a malicious link to a PDF file. Once the document is opened, the target's browser is automatically launched and loads the embedded link.

Just about anything can automatically open a link. If there is something malicious on the page it is loading, that's a browser problem.

Doesn't work on Linux (3, Informative)

md17 (68506) | more than 7 years ago | (#16118126)

I've tried both exploits on Linux (acroread & Gnome Document Viewer). Neither work. The first asks if I want to connect to the web site and I have to explicitly click "Allow" (in acroread). The second of-course doesn't work because I don't have any ODBC junk on my Linux box. But that doesn't mean that it can't talk to other unsecured ports on my computer. That would be interesting to find out.

Re:Doesn't work on Linux (5, Funny)

flyingfsck (986395) | more than 7 years ago | (#16118240)

Hmm, Linux just isn't ready for the desktop yet.

mod Up (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16118173)

told reporters, what we've 4nown

PENETRATING BACKDOORS (0)

Anonymous Coward | more than 7 years ago | (#16118206)

HOT ANAL! FUCK MY BACKDOOR! Yea baby, penetrate my backdoor hard! FUCK ME IN MY PDF!!!!!

I LOVE PDFS!! YEA!!!! YES!!! OH YEA!!!!

Does anyone else think this is good news? (0)

Zorque (894011) | more than 7 years ago | (#16118251)

Personally, I've hated PDF files from the day I encountered one. The format is bloated, wasteful, and for the most part, unnecessary. In my opinion, a standardized HTML archive format would be much more useful (smaller and faster, too) than a largely proprietary format. With news like this, maybe PDF will finally die and leave me alone.

Re:Does anyone else think this is good news? (2, Insightful)

Anonymous Coward | more than 7 years ago | (#16118320)

Respectfully disagree.

PDF is incredibly useful...to people other than yourself. The bloat that annoys you so much guarantees layout and color fidelity to people who care about those things. Do you find PostScript printers bloated and wasteful?

Re:Does anyone else think this is good news? (0, Troll)

Waffle Iron (339739) | more than 7 years ago | (#16118671)

PDF is incredibly useful...to people other than yourself. The bloat that annoys you so much guarantees layout and color fidelity to people who care about those things.

So it's incredibly useful to the people who work at a printing company. For the 99% of the rest of us, it's not very useful at all. Of all the text PDF documents that I've been subjected to downloading, I can't think of a single one wouldn't have rendered better on my screen and been more convenient to navigate as an HTML page. Some could argue that PDF is good for graphics like large maps, but the ones I've used have been so bloated and slow that I'm sure a plain old 4000x3000 pixel .PNG would have been quicker, easier and more compact.

I really don't care what the original looked like in the author's word processor. I rarely print things out anymore, and with 1600x1200 LCD monitors available for around $300, there's going to be less and less need for anyone to print hard copies as time goes by. The whole PDF concept is a vestige of dead tree technology, and it should be relegated those those people who work mainly with physical paper. It doesn't really have business being used as a document format on any general-purpose web server.

Re:Does anyone else think this is good news? (2, Insightful)

Anonymous Coward | more than 7 years ago | (#16118406)

HTML and similar document formats do not retain character sets, pagination, and other presentation-related pieces of data. Create a webpage, and view it in different browsers on different OSes with different font sets. The page is not guaranteed to look the same, and most likely will render different on each different browser. PDF, on the other hand, will render the same with every PDF reader.

PDF is designed to be a read-only document presentation format. Sort of a globally understood "print to file" format with some added features. It does this very, very well. It is often abused, however, by people who don't understand the purpose behind the PDF format.

Don't confuse Adobe's somewhat bloated PDF reader's sluggish speed with the format being "slow." Try any of the third-party document readers (xpdf, etc). They are blazingly fast.

Re:Does anyone else think this is good news? (4, Insightful)

alain94040 (785132) | more than 7 years ago | (#16118591)

Sorry, I got to disagree with this. If you are looking for print quality (as in book), PDF is way ahead of any standard HTML I have ever seen.

Yes, AcroRead takes longer and longer to load, defeating the purpose of being this ubiquitous reader Adobe is pitching. Yes it's not open.

But still, it's the saftest way I have found so far to send someone a document so I could be sure that when they open it, it looks exactly like I intended it to look. That to me is key: I care about the looks of what I do.

Alain.

Re:Does anyone else think this is good news? (0)

Anonymous Coward | more than 7 years ago | (#16118791)

PDF is for print. [headscape.co.uk] It may be a Godsend for hard copy, but IMNSHO should never leave the computer connected to said intended printer without first being translated into a sane standard computer format. Reading a PDF onscreen feels about as natural as eating dinner while gripping the fork with your feet.

Gnaa have been using this for a while (0)

Anonymous Coward | more than 7 years ago | (#16118256)

Gnaa have been using this for a while in the lastmeasure shock site.. I wont link here.

da ladies... (2, Funny)

ScottyMcScott (1003155) | more than 7 years ago | (#16118463)

future mother-in-law: so, what do you do?
guy: i'm a penetration tester.
....fill in rest.....

Acrobat Reader is awful (1)

oohshiny (998054) | more than 7 years ago | (#16118481)

Apart from its (known) security problems, Acrobat Reader has a number of other problems, foremost that it's slow and that it fails to comply with Gnome, KDE, and Macintosh desktop UI standards.

There are more usable, faster, and safer alternatives.

Adobe screwed up PDF (0)

Anonymous Coward | more than 7 years ago | (#16118497)

PDF was a great idea; a WYSIWYG document format.

But Adobe screwed it terribly by fitting features like JavaScript, turning an inert secure format into an active insecure one. What's more, they don't like you turning JavaScript off. When you run Adobe Reader 7 with JavaScript off, it keeps asking you if you'd like to turn it off.

Then we have the screwed up user interface, lacking even the simple basics like setting bookmarks, putting their help in PDF to prove a point, but coming up with an unusable help format in the process. And that preferences menu with 20 odd bizarrely named entries that make finding anything let alone changing it a pain in the ass. Adobe Reader has the worst designed user interface of any mainstream software product.

I'd love to see someone come up with something that can replace PDF once and for all. GhostScript/GhostView can do it, but their interface isn't up to much either.

For scanned documents we do have an alternative; DJVU. Supposedly it compresses better than PDF, and certainly one of the GUIs (it's open) WinDjView-0.4.2.exe is much better than Adobe Reader. A Document Reader doesn't need do much. WinDjView succeeds where Adobe fails so miserably.

So: Advice to Adobe: Fire your GUI designers/JavaScript boffins. They've screwed PDF badly. Add to that your ridiculous prosecution of that Russian who told the world how crap your security was, and you're a company on the nose. PostScript was nice, but everything after that was downhill.

Advice to GhostView: Give us a decent PDF alternative; Your GUI needs work.

WinDjView: Nice job. Can you do PDF too?

Microsoft: Surely you can annihiliate Adobe? How hard could it be to make a decent reader. (Yeah, MS suck, but Adobe suck too.)

Alternatives already exist (1)

KillerBob (217953) | more than 7 years ago | (#16118682)

Even for Windows. I tested the proof of concept PDFs in FoxIt PDF reader (http://foxitsoftware.com/), and none of them worked. The flaws aren't in the PDF format itself, they're in Adobe's implementation of it.

Only 7? (1)

makillik (995095) | more than 7 years ago | (#16118784)

"He claims there are least seven different ways to backdoor a PDF."

But remember there must be 50 ways to leave your lover

PDF version (1)

mclaincausey (777353) | more than 7 years ago | (#16118799)

Get your PDF version of the story here [slashdot.org]

This isn't the first PDF virus out there, either. (0)

Anonymous Coward | more than 7 years ago | (#16118921)

It's not like they shouldn't have seen this coming [slashdot.org] and I couldn't wrap my head around just what the fuck a Javascript parser was ever doing in Adobe Acrobat in the first place. I still can't: it's there to present documents as you intended them to be presented and you don't need anything dynamic coded in there to do that and code seems to necessarily defeat the point of the thing (showing documents just as you intended).
Unless there's a project manager over at Adobe with an unhealthy sense of humor who's trying to prove jwz's "applications will grow until they can read e-mail" right.
And, uh. What's with the discoverer's equivocations? Is the vulnerability really in the internets or something? Because I'm lost.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>