Feeds

back to article Adobe Reader 0day under active attack

Researchers have uncovered sophisticated attack code circulating on the net that exploits a critical vulnerability in the most recent version of Adobe Reader. The click-and-get-hacked exploit spreads through email that contains a booby-trapped PDF file that remains virtually undetected by most anti-virus programs, according to …

COMMENTS

This topic is closed for new posts.

Disable javascript?

"In the meantime, there are no mitigations users can take other than to exercise due care in opening PDF documents. It may also make sense to use an alternate PDF viewer such as FoxIT, but it's not yet been confirmed that that other programs aren't vulnerable."

Not even disabling Javascript works? I work at a printers so adobe reader is a requirement here.

By the way, as slim in comparison foxit is in memory usage it has two glaring problems.. 1. it comes with spyware/adware 2. about 5% of pdf's opened using foxit have problems.. (remember, I work at a printers so we receive LOTS of PDFs) adobe reader renders them all 100% fine but that 5% problem of foxit is a pain in the arse for support.. I actually tried rolling out foxit a while back in replacement of adobe reader but the damn near constant support because somebody opened another pdf that wasn't displaying correctly in foxit was too much. We're back on adobe reader with javascript disabled. (thankfully we very, very rarely get a PDF that needs js)

Seems like Adobe don't know the meaning of the word security. It's every other bloody day with their software that another security hole gets discovered. If there was another PDF viewer out there that could render all PDF's correctly then i'd be all over it for work. As insecure, slow and bloated a piece of crap adobe reader is, it renders PDFs correctly.

As to home, I use Sumatra on windows and OSX's native PDF display for viewing PDF's.

2
0
Anonymous Coward

@Mark C Casey

Have you tried PDF-XChange PDF Viewer? I ditched Adobe and Foxit for the usual reasons and have found it to be pretty good, though I don't get a lot of .pdfs.

0
0
Silver badge

Simple answer

Hmm...why not run a Linux distro as a host OS and have it fire up a VM on power on? The VM can be Windows, and hold Adobe Reader etc, with all files held on shared folders (either managed by the host Linux OS or up on a server). End users won't notice any difference (the only clue to them might be a change in what they see during boot) and "machines" can be easily reverted to a clean base-state should they become infected.

Interesting that all OSs seem to be vulnerable - why the hell does a PDF need JS anyway?

0
0
Silver badge

@ground rush

Good call,

just found PDF-XChange Viewer a few days ago (when looking for a way to save an A3 scanned drawing out of a PDF) and it looks the nuts.

Will be trialing it for a while before sticking it out for everyone to play with at work.

0
0
Silver badge
Flame

sandbox the damn thing externally

Now would be a good time to experiment with your anti-malware package's sandbox support.

Because these Adobe exploits aren't likely to stop in my lifetime... ;)

1
0
Bronze badge
FAIL

Or install your own...

Or install your own sandbox using something like Sandboxie (http://www.sandboxie.com) or a similar product. I don't know why Adobe has taken so long to get a clue. Sheesh!

0
0
Flame

Ta Dan

I've uninstalled all the Adobe Crap(sorry. Soft)Ware from my computer now.

Cheers for the heads up.

0
0
Anonymous Coward

Don't want to start a dispute here but

Reading through the analysis, I noticed the malware is designed to infect Windows computers but according to the article, Adobe confirmed that Windows MacOS and Unix are all affected. Is this a CYA declaration from Adobe or they analyzed and discovered there are specific mechanisms targeting non-Windows OS. I'm not trying to argue here about which OS is more secure, since this is not a OS problem and Windows OS has nothing to do with it. What I'm trying to find is if the time has finally come for me to get rid of Acrobat Reader in Windows as well as in Linux. I know, it's certainly not Adobe who will give me the answer.

0
0
Anonymous Coward

Re : Don't want to start a dispute here but

Don't use Adobe on Linux - much of the likely problem solved.

1
0
Alert

there are going to be more and more of these narrowly distributed exploits

In future, I predict there are going to be more and more of these narrowly distributed exploits used to penetrate companies and joint working groups for social, corporate and international espionage.

Keeping them narrowly distributed means they can be used for weeks, months or even years before they are discovered and forwarded to anti-virus companies.

In the future, I expect such exploits to be even more discrete and to affect a wider range of poorly tested (unchallenged) software.

0
0
Unhappy

Halo effect makes all Adobe products seem bad.

Adobe Reader isn't an operating system. It isn't doing anything horrendously complex.

So why does it have so many vulnerabilities?

The "halo effect" makes all Adobe products look bad in the eyes of corporate consumers, because shoddy quality control is not typically something isolated to just one department, but an enterprise wide issue.

4
0
Silver badge

Not the Halo effect this time

The problem is Adobe has extended what was once a simple program to the complexity of an OS without doing the associated security work. If all the program did was open a file to display fixed formatted type, none of these vulnerabilities would work. It is the addition of things like active URLs, forms completion, embedded sound, embedded movies, etc. that makes the program vulnerable to exploit. Some of those items are logical extensions to the basic program (URLS, forms) but even though they are obvious and logical, they require deeper thinking about security issues.

0
0
Silver badge
Flame

Adobe software bricks

are made more sh_t than mud. I guess the decision to outsource most of their development to lowest bidder spaghetti coders in India will be paying dividends for years to come for their naive customers.

0
0
Silver badge
WTF?

Sandboxes?

Have they not thought of stuff like bounds checking before using a sledgehammer to crack a nut?

0
0
FAIL

Is it just me....?

Or would Adobe be doing themselves a favor by producing a version of their "Reader" which just "read" the PDF rather than executed code in it?

Then the current "Reader" can be renamed to Adobe Executor ?

1
0
Bronze badge
Coat

Adobe "Executor"?

"...would Adobe be doing themselves a favor by producing a version of their "Reader" which just "read" the PDF rather than executed code in it?

Then the current "Reader" can be renamed to Adobe Executor?"

Adobe Executioner, more like.

0
0
Grenade

re: ACs

Why all the talk of Linux? If it only affects Windows, OS X and UNIX, then Linux is in the clear, right?

0
0
Linux

the vulnerability affects

> the vulnerability affects Reader 9.3.4 and earlier versions for Windows, Mac OS X, and Unix ..

What effect does the vulnerability have on Unix systems. Is there a working demo online anywhere that I can click on ?

0
0
Black Helicopters

The "sandbox"

The sandbox mentioned in the article is based on integrity control - like Protected Mode in Internet Explorer 7/8. It will be included in Adobe Reader 10.

0
0
Gold badge

Trojan/AcroReader

Isn't it about time that someone started asking why *none* of the mainstream AV vendors are catching this?

Look at the facts. We have a piece of software that has been used as a Trojan horse in new ways almost monthly for the past year or more. If it weren't from a "proper" vendor it would have been classified as a Trojan and quarantined ages ago. I shall give Adobe the benefit of the doubt and accept that they don't intend it to be used as a vector, but that's the reality and any AV vendor who just waves it through because it has "Adobe" written on the side is surely guilty of negligence.

0
0
Linux

could we please get some clarification on "UNIX vulnerable"?

From the link (contagio), it crashes / opens a decoy file ... downloads files, connects to academyhouse.us ... Here's a list of the files:

golf clinic.pdf (in \Application Data)

iso88591 (same location as original)

wincrng.exe + winhelp32.exe (downloaded from academyhouse.us)

igfxver.exe (%tmp%)

Could someone (maybe editor? journalist?) please find out some more information? How are UNIX (and presumably Linux) systems vulnerable?

0
0
(Written by Reg staff)

Here it is

Reallydo,

The exploit code was written to install malware on Windows machines. The vulnerability itself is present in Reader for Unix and Mac OS X as well. Hence, they are vulnerable to attacks, but not the specific attack posted on the Contagio website.

Regards,

Dan Goodin

0
0

"Then the current "Reader" can be renamed to Adobe Executor ?"

"Adobe Hangman" might give a stronger warning.

0
0
FAIL

What is it with Adobe?

Even Microsloth managed to get something resembling a clue about buffer overruns and other basic security flaws over the last two iterations of internet Exploder and it may be my imagination but Flash seems to be increasingly subject to security flaws ever since they bought Macromedia. It's time for them to return to basic functionality, much as Windows should have done already, with modular, provably correct software engineering but I won't hold my breath that any one of the large firms will do something sensible rather than focus like a laser on current profitability.

0
0
Go

PDF browser viewer alternative (gpdf)

ONE (alternative):

For browsers other than IE there is an alternative for what opens a PDF file in the browser, especially if you use Microsoft Window. It is called gpdf. Here is the URL for it in Firefox where it is a seamless add-on:

https://addons.mozilla.org/en-US/firefox/addon/14814/

You are getting this tip courtesy of Stephen Northcutt at SANS. I have no idea who he got it from. All of us security people have been searching for this for quite a while. It is starting to resemble a search for the Holy Grail. I am still crossing my fingers hoping it will work because Foxit and the other alternatives I have looked at have all bombed. Here is the home for gpdf:

http://blog.arpitnext.com/gpdf

As you can see, it also plugs into Chrome and also has support for both Opera and Safari as a GreaseMonkey script. I have not installed it yet but I will and will eventually (by 2010-09-18 - I am swamped right now) have a short write up on the install experience at my blog:

http://SecureMecca.BlogSpot.com

In the blog I will point to a file that will also be included with the filters I provide for people under GPLv2 license. The reason why is because this has been a critical problem for over a year now. I was going to add rules for this exploit but it is obviously just a trial run before the onslaught begins. So for now steer clear of PDF files until you have this fix put in place. I would also advise turning JavaScript off in Acrobat until you really need it. gpdf doesn't necessarily replace Acrobat. It just replaces it being used by the browser for PDF files. IOW, the install order is Acrobat first, then gpdf.

TWO (nix systems):

You people asking a journalist for clarification on how it works on 'nix systems are asking the wrong person. You need to ask a security professional. See the write up on it here:

http://preview.tinyurl.com/33l5haj

As you can see, it is the lack of sandboxing that allows it to start and that is about all. Thereafter it is Windows all the way. It really poses no threat to Unix type systems. Most people using Linux are using Evince (evince) for their PDF viewer. Mac owners have a similar non-Adobe PDF viewer. Be careful on both Linux and Macintosh - you will need to reassociate what handles a PDF file manually. Normally you do not need Acrobat on these systems except to edit PDF form files so it will only be a problem if you install Acrobat and supplant the PDF viewer that is provided. Evince can be found by typing "which evince" in a terminal. Usually it is at /usr/bin/evince.

THREE (block PDF files?):

I actually have a rule in my PAC (Proxy Auto Configuration) filter that if enabled would stop the browser or anything else that uses Internet settings to prevent the loading of PDF files for a short time:

// BadURL_WordEnds[i++] = "\.pdf";

That is rather drastic if you ask me. That is why it is commented out along with the exe rule. You defeat the rules by white-listing who you will allow to be excluded from the rules. I think you need the gpdf route and while you are at it, for Firefox add Better Privacy to contain the Flash cookie LSO threat. There are even three companies being sued over the abuse of using Flash cookies to track you. Actually, I would install Firefox just to get that support of Better Privacy to remove those Flash Cookies. It really is that good:

https://addons.mozilla.org/en-US/firefox/addon/6623

1
0
This topic is closed for new posts.