Researchers have uncovered sophisticated attack code circulating on the net that exploits a critical vulnerability in the most recent version of Adobe Reader. The click-and-get-hacked exploit spreads through email that contains a booby-trapped PDF file that remains virtually undetected by most anti-virus programs, according to …
"In the meantime, there are no mitigations users can take other than to exercise due care in opening PDF documents. It may also make sense to use an alternate PDF viewer such as FoxIT, but it's not yet been confirmed that that other programs aren't vulnerable."
Seems like Adobe don't know the meaning of the word security. It's every other bloody day with their software that another security hole gets discovered. If there was another PDF viewer out there that could render all PDF's correctly then i'd be all over it for work. As insecure, slow and bloated a piece of crap adobe reader is, it renders PDFs correctly.
As to home, I use Sumatra on windows and OSX's native PDF display for viewing PDF's.
@Mark C Casey
Have you tried PDF-XChange PDF Viewer? I ditched Adobe and Foxit for the usual reasons and have found it to be pretty good, though I don't get a lot of .pdfs.
Hmm...why not run a Linux distro as a host OS and have it fire up a VM on power on? The VM can be Windows, and hold Adobe Reader etc, with all files held on shared folders (either managed by the host Linux OS or up on a server). End users won't notice any difference (the only clue to them might be a change in what they see during boot) and "machines" can be easily reverted to a clean base-state should they become infected.
Interesting that all OSs seem to be vulnerable - why the hell does a PDF need JS anyway?
just found PDF-XChange Viewer a few days ago (when looking for a way to save an A3 scanned drawing out of a PDF) and it looks the nuts.
Will be trialing it for a while before sticking it out for everyone to play with at work.
sandbox the damn thing externally
Now would be a good time to experiment with your anti-malware package's sandbox support.
Because these Adobe exploits aren't likely to stop in my lifetime... ;)
Or install your own...
Or install your own sandbox using something like Sandboxie (http://www.sandboxie.com) or a similar product. I don't know why Adobe has taken so long to get a clue. Sheesh!
I've uninstalled all the Adobe Crap(sorry. Soft)Ware from my computer now.
Cheers for the heads up.
Don't want to start a dispute here but
Reading through the analysis, I noticed the malware is designed to infect Windows computers but according to the article, Adobe confirmed that Windows MacOS and Unix are all affected. Is this a CYA declaration from Adobe or they analyzed and discovered there are specific mechanisms targeting non-Windows OS. I'm not trying to argue here about which OS is more secure, since this is not a OS problem and Windows OS has nothing to do with it. What I'm trying to find is if the time has finally come for me to get rid of Acrobat Reader in Windows as well as in Linux. I know, it's certainly not Adobe who will give me the answer.
Re : Don't want to start a dispute here but
Don't use Adobe on Linux - much of the likely problem solved.
there are going to be more and more of these narrowly distributed exploits
In future, I predict there are going to be more and more of these narrowly distributed exploits used to penetrate companies and joint working groups for social, corporate and international espionage.
Keeping them narrowly distributed means they can be used for weeks, months or even years before they are discovered and forwarded to anti-virus companies.
In the future, I expect such exploits to be even more discrete and to affect a wider range of poorly tested (unchallenged) software.
Halo effect makes all Adobe products seem bad.
Adobe Reader isn't an operating system. It isn't doing anything horrendously complex.
So why does it have so many vulnerabilities?
The "halo effect" makes all Adobe products look bad in the eyes of corporate consumers, because shoddy quality control is not typically something isolated to just one department, but an enterprise wide issue.
Not the Halo effect this time
The problem is Adobe has extended what was once a simple program to the complexity of an OS without doing the associated security work. If all the program did was open a file to display fixed formatted type, none of these vulnerabilities would work. It is the addition of things like active URLs, forms completion, embedded sound, embedded movies, etc. that makes the program vulnerable to exploit. Some of those items are logical extensions to the basic program (URLS, forms) but even though they are obvious and logical, they require deeper thinking about security issues.
Adobe software bricks
are made more sh_t than mud. I guess the decision to outsource most of their development to lowest bidder spaghetti coders in India will be paying dividends for years to come for their naive customers.
Have they not thought of stuff like bounds checking before using a sledgehammer to crack a nut?
Is it just me....?
Or would Adobe be doing themselves a favor by producing a version of their "Reader" which just "read" the PDF rather than executed code in it?
Then the current "Reader" can be renamed to Adobe Executor ?
"...would Adobe be doing themselves a favor by producing a version of their "Reader" which just "read" the PDF rather than executed code in it?
Then the current "Reader" can be renamed to Adobe Executor?"
Adobe Executioner, more like.
Why all the talk of Linux? If it only affects Windows, OS X and UNIX, then Linux is in the clear, right?
the vulnerability affects
> the vulnerability affects Reader 9.3.4 and earlier versions for Windows, Mac OS X, and Unix ..
What effect does the vulnerability have on Unix systems. Is there a working demo online anywhere that I can click on ?
The sandbox mentioned in the article is based on integrity control - like Protected Mode in Internet Explorer 7/8. It will be included in Adobe Reader 10.
Isn't it about time that someone started asking why *none* of the mainstream AV vendors are catching this?
Look at the facts. We have a piece of software that has been used as a Trojan horse in new ways almost monthly for the past year or more. If it weren't from a "proper" vendor it would have been classified as a Trojan and quarantined ages ago. I shall give Adobe the benefit of the doubt and accept that they don't intend it to be used as a vector, but that's the reality and any AV vendor who just waves it through because it has "Adobe" written on the side is surely guilty of negligence.
could we please get some clarification on "UNIX vulnerable"?
From the link (contagio), it crashes / opens a decoy file ... downloads files, connects to academyhouse.us ... Here's a list of the files:
golf clinic.pdf (in \Application Data)
iso88591 (same location as original)
wincrng.exe + winhelp32.exe (downloaded from academyhouse.us)
Could someone (maybe editor? journalist?) please find out some more information? How are UNIX (and presumably Linux) systems vulnerable?
Here it is
The exploit code was written to install malware on Windows machines. The vulnerability itself is present in Reader for Unix and Mac OS X as well. Hence, they are vulnerable to attacks, but not the specific attack posted on the Contagio website.
"Then the current "Reader" can be renamed to Adobe Executor ?"
"Adobe Hangman" might give a stronger warning.
What is it with Adobe?
Even Microsloth managed to get something resembling a clue about buffer overruns and other basic security flaws over the last two iterations of internet Exploder and it may be my imagination but Flash seems to be increasingly subject to security flaws ever since they bought Macromedia. It's time for them to return to basic functionality, much as Windows should have done already, with modular, provably correct software engineering but I won't hold my breath that any one of the large firms will do something sensible rather than focus like a laser on current profitability.
PDF browser viewer alternative (gpdf)
For browsers other than IE there is an alternative for what opens a PDF file in the browser, especially if you use Microsoft Window. It is called gpdf. Here is the URL for it in Firefox where it is a seamless add-on:
You are getting this tip courtesy of Stephen Northcutt at SANS. I have no idea who he got it from. All of us security people have been searching for this for quite a while. It is starting to resemble a search for the Holy Grail. I am still crossing my fingers hoping it will work because Foxit and the other alternatives I have looked at have all bombed. Here is the home for gpdf:
As you can see, it also plugs into Chrome and also has support for both Opera and Safari as a GreaseMonkey script. I have not installed it yet but I will and will eventually (by 2010-09-18 - I am swamped right now) have a short write up on the install experience at my blog:
TWO (nix systems):
You people asking a journalist for clarification on how it works on 'nix systems are asking the wrong person. You need to ask a security professional. See the write up on it here:
As you can see, it is the lack of sandboxing that allows it to start and that is about all. Thereafter it is Windows all the way. It really poses no threat to Unix type systems. Most people using Linux are using Evince (evince) for their PDF viewer. Mac owners have a similar non-Adobe PDF viewer. Be careful on both Linux and Macintosh - you will need to reassociate what handles a PDF file manually. Normally you do not need Acrobat on these systems except to edit PDF form files so it will only be a problem if you install Acrobat and supplant the PDF viewer that is provided. Evince can be found by typing "which evince" in a terminal. Usually it is at /usr/bin/evince.
THREE (block PDF files?):
I actually have a rule in my PAC (Proxy Auto Configuration) filter that if enabled would stop the browser or anything else that uses Internet settings to prevent the loading of PDF files for a short time:
// BadURL_WordEnds[i++] = "\.pdf";
That is rather drastic if you ask me. That is why it is commented out along with the exe rule. You defeat the rules by white-listing who you will allow to be excluded from the rules. I think you need the gpdf route and while you are at it, for Firefox add Better Privacy to contain the Flash cookie LSO threat. There are even three companies being sued over the abuse of using Flash cookies to track you. Actually, I would install Firefox just to get that support of Better Privacy to remove those Flash Cookies. It really is that good: