Adobe Systems may make changes to its widely used PDF programs to prevent attackers from using them to mount attacks that hijack users' computers. The attack was first demonstrated last week by researcher Didier Stevens. By misusing a feature contained in the PDF specification, his proof-of-concept attack showed how hackers …
Adobe don't seem to be able to make a sandwich without it containing cartoon-sized security vulnerabilities.
How they have come to be so ubiquitous with their software remains a mystery.
Same old story.
"While Adobe applications warn users they are about to execute a potentially dangerous program, Stevens showed it was possible to modify the wording, increasing the attacker's chances of successfully socially engineering his victim."
So, once more, a cool idea that does have some real usefulness (i.e, being able to automatically tie a PDF to a non-PDF document) is ruined by a poor implementation (WTF can they modify the wording of the security alert!?) and the naivete of users (Oh, it wants to run IM_NOT_MALWARE_HONESTLY_GUV.EXE? Okay!)
This is why we can't have nice things.
Adobe Reader is a bloated and secuirty-hole-ridden piece of crapware. I've been trying in vain to get my workplace to switch to an alternative such as foxit for some time.
Adobe used to offer a 'lite' version with cut-down functionality (crazily it only allowed viewing PDF files, imagine!) But I see this has disappeared.
The best and easiest fix is to just ship with the option TURNED OFF. dah. If some one really needs this they can turn it on.
Paris because she knows how to turn things on.....
Not an Adobe only problem
Since this is exploiting a feature of the pdf spec it isn't an Adobe Reader only problem. In fact it's worse in Foxit because it doesn't give you any warning.
I'm assuming that, at the moment, this only affects Windows boxen?
If so, I'm quite glad I've been moving my machines over to linux.
Penguin...... WAAAARK and stuff . . .
Re: Windows only?
I dunno. Does the Linux version have the "run moody payload automagically" option?
Of course, you can bet your bum that any moody payloads you actually get to see in the wild will be issuing Win specific commands, but if you're relying on "security through obscurity" to protect you, you're asking for it as much as the Win-loving arsehat that clicks on the "pwn me nows" button in that popup telling him that his machine's got a virus.
Re: Windows only?
Don't bother with Adobe Reader on Linux !
Okular and others seem OK - at least as reported in various places and in my own test.
The wonderful world of "powerful apps"
Also implies "powerful exploits", the funny thing is that almost nobody I know uses those power features.
Most of my customers use either pdfcreator or Adobe Distiler to create pdfs, only very few know that you can use Acrobat pro to modify PDF's, and almost no one would ever generate or have to handle anything like an executable attachment inside a pdf.
In fact I have a customer's office (about 10 seats) all using version 5.01 of Acrobat Reader because it is blazing fast compared to 6/7/8/9, and there is no way I can convince them to update.
However I had been wondering for a while why acrobat got so huge and slow compared to the old days' Acrobat 5.x, I think I found the answer, it comes bundled with a DIY exploit construction kit.
Perhaps if it would be better for them
to give up trying to reinvent the square wheel when there are working round ones out there.
Under the circumstances...
... could the folk at Adobe mull a bit faster????
I wasn't paying attention when this was first publicised
but it transpires that this attack will also work on Mac OS X – provided that you're using Acrobat, when it changes the document itself (look for the black dot in the close box) and then borks while attempting to launch stuff which isn't installed on OS X. Obviously it would be trivial to change this behaviour to try and do something actually nasty, but the PoC borked my Acrobat CS3 installation badly enough that I just had to do a repair reinstall, which I'd rather not do again.
Preview doesn't even cough, let alone try to do anything nasty, which once again proves the sense in not letting the Acrobat plug-in anywhere near my browser.
Edit > Preferences Menu
"I've been trying in vain to get my workplace to switch to an alternative such as foxit for some time."
Apparently, you didn't actually READ the article:
The attack was first demonstrated last week by researcher Didier Stevens. By misusing a feature contained in the PDF specification, his proof-of-concept attack showed how hackers could embed a malicious payload in a document and trick Adobe's Reader and Acrobat applications - as well as the competing FoxIT Reader - into executing it.
Did you see that last bit? Foxit Reader is (was) vulnerable, too. The problem lies in the PDF specification, not in the reader. Last week, Foxit Software implemented a security fix in their reader to head off the problem.
"Adobe used to offer a 'lite' version with cut-down functionality (crazily it only allowed viewing PDF files, imagine!) But I see this has disappeared."
The Lite version has disappeared because is was third-party (unauthorized) repackaging of Adobe Reader, minus some features.
1. WTF do they mean "Adobe Systems *may* make changes"? MAY? MAY??
2. I find I keep asking this... Exactly when and why did the PORTABLE *DOCUMENT* FORMAT (emphasis on the acronym) turn into a bit of everything else? Adobe should, at the very least, supply a feature-locked version that "does stuff for screen and printer" and, quite frankly, f**k the rest of it. I mean, what's all this 3D gibberish about? Something about my Brother DCP-165C that wasn't mentioned in the manual?! And oooh, hey, how would I print a video?
EPIC FAIL for "Allow opening of non-PDF file attachments with external applications", that somebody could actually add that (under "Trust manager" no less) and not think "ahhh, this could be a potential problem". Or maybe that's the point? It is really a sophisticated metajoke?
After the security debacle that was ActiveX, who could be so stupid to include a feature that... Oh, Adobe. Right.
ten years and more ago
Many years ago, Adobe turned Acrobat reader into sluggish bloatware for no discernible reason. Ever since OSX 10.1, preview.app has shown what a simple, responsive joy reading pdf's can be. When updating other apps, Adobe, having no shame, defaults to "repairing" the installation by blatting acrobat reader and plugin over the top of Apple's superior implementation. Oh no you don't, Adobe.
Adobe - another fine company ruined by arrogant and greedy management. P/E 52? I don't think so. But I still need Acrobat Pro.
A.N.Other's Tale of Nero Fiddling while Rome Burns?
"Anything that has write access can perform an incremental update," said Conway, who is a program manager for New Hampshire-based Nitrosecurity. "It stops the attack vector of using the launch command, but it doesn't fix the incremental update issue."
And whilst you are busy pottering away in the proverbial garden shed tinkering around document formats and in operating systems, does the attack force consolidate its stranglehold on human perception levers and overwhelmingly reinforce and strengthen its IT Networking Command and Control Superiority with Shared zerodDaily updated Words with Advanced Information of Novel and Noble IntelAIgent Abilities, floated from Layered Strata of Cloud to Cover the Internet with Enlightened Knowledge and Swamp Ignorance and Arrogance with Colossal AIResearch Waves.
Hi, Wanna Play with Real and Virtual NEUKlearer HyperRadioProActive Global Operating Devices and not just some Puppet and Pretend Idols? With Quantum Communications Control is IT Easy.
First they Ignore you, then they Ridicule you, then they Fight to Hate you, then they Lose against Win Win. ........ Can you Spot who's the Real Fool?
@I wasn't paying attention when this was first publicised
Why install Acrobat Reader on OS X? It already comes with a PDF viewer, although for this exploit I hope it doesn't Just Work.
In the old days
Programs would expand until they could read email. Now they expand until they can form a botnet.
Intrepidus Group has released a working PoC for this flaw
Hello folks. We (Intrepidus Group) released a working PoC for this flaw today. Check it out on our blog :) http://bit.ly/cR47tg