User topics

Article topics

Log in Sign up

Adobe confirms remote code-execution flaw in Reader (again)

A security researcher has uncovered yet another vulnerability in Adobe Reader that allows hackers to execute malicious code on computers by tricking their users into opening booby-trapped files. Charlie Miller, principal security analyst at Independent Security Evaluators, disclosed the critical flaw at last week's Black Hat …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Wednesday 4th August 2010 01:17 GMT Deadly_NZ

Again?????

When oh when are they going to learn to write fuckin code?? What with this and Flash forever fucking up systems... Thank god for Foxit. But when is someone going to write a replacement for flash so we can tell Adobe to fuckin shove it once and for all..

Paris cos she good at fu^75ing...

8 1
1. Wednesday 4th August 2010 05:21 GMT Anonymous Coward
  
  Adobe what?
  
  Haven't use the Adobe bloatware reader in years. I find that PDF-XChange Viewer to be better than Adobe or Foxit. Especially when scrolling through magazine pages.
  
  2 0
2. Wednesday 4th August 2010 05:21 GMT Anonymous Coward
  
  Replacement flash
  
  There's one.
  
  It's called Gnash.
  
  http://www.gnu.org/software/gnash/
  
  It's not as compatible as the official Adobe Flash (and the latest version is a nightly snapshot), but then if you're boycotting official Adobe products, you don't really have much of a choice.
  
  2 1
3. Wednesday 4th August 2010 08:48 GMT Phillip Webster
  
  Yep, again.
  
  Adobe's track record for bugs recently is reminiscent of MS a decade ago with the 9x/ME debacles.
  
  Plenty of other PDF viewers around, as mentioned by others, Foxit probably being one of the most popular although I found recent versions a little too ad-ridden so I've switched to one called Sumatra.
  
  Making PDFs? Use Open Office or again, one of the other many free formats.
  
  As to Flash, I think it has a variety of patents attached so Adobe may sit down hard on any competitive player in the US. May be wrong on that though. I do know they're extremely hostile to the idea of a 3rd party player.
  
  Easiest method of stopping Flash buggering your system is to use a flashblock extension of some sort with your favourite browser (I know both FF and Chrome support it).
  
  1 0
  1. Wednesday 4th August 2010 11:45 GMT Anonymous Coward
    
    #Yep Again
    
    >As to Flash, I think it has a variety of patents attached so Adobe may sit down hard on any competitive player in the US. May be wrong on that though. I do know they're extremely hostile to the idea of a 3rd party player.
    
    Yeah...really hostile that's why they open-sourced it via Tamarin, provide the Flex SDK as open-source and just gifted a load of stuff for native rendering to Webkit. Muppet.
    
    0 2
This post has been deleted by its author
Wednesday 4th August 2010 01:20 GMT Anomalous Cowturd

Yawn. Another one?

No surprise there then! I just hope Evince is not vulnerable too. But I'm sure if it is, it will be patched first...

The vulnerabilities in OO I'm not too happy about, but I generally send them, (documents, not vulnerabilities), not receive them, so fingers crossed.

Why can't they all just play nicely like grown ups?

Grrr.....

^_^ <<< Low budget Penguin.

0 0
Wednesday 4th August 2010 05:20 GMT JaitcH

Apple has yet to acknowledge the vulnerabilities.

This falls into the same category as 'Until Hell Freezes Over' or 'When Pigs Will Fly'.

In a word ... NEVER!

1 1
1. Wednesday 4th August 2010 08:51 GMT LPF
  
  @JaitcH
  
  What does this have to do with apple is it their software?
  
  and maybe its a good thing flash is not running on iPhones maybe jobs has the right fecking idea!
  
  0 0
  1. Wednesday 4th August 2010 11:43 GMT JaitcH
    
    LPF: Re-read the article
    
    Paragraph 4
    
    0 0
Wednesday 4th August 2010 05:20 GMT Keith T

Someone should nail Charlie Miller's car

Someone should nail (aka key) Charlie Miller's car door, to give publicity to the fact that Ford still does not make hacker proof car doors.

0 6
Wednesday 4th August 2010 08:48 GMT Daniel 1

It's a pitty it wasn't written to do something other than display PDFs, really

Consider this: if it was called as "Adobe Remote Systems Administration Client" it would be a great product.

Unfortunately, it's supposed to display PDFs.

4 1
Wednesday 4th August 2010 08:50 GMT JP19

Old news

Reader 9.3.3 was released to fix a security hole. The DAY AFTER, it was well known that the fix in 9.3.3 could be bypassed by simply using quote marks on the original exploit, rendering the changes in 9.3.3 useless. That was over a month ago and they never fixed it.

2 0
This post has been deleted by its author
Wednesday 4th August 2010 09:40 GMT Anonymous Coward

@Deadly_NZ

Seriously? If you reckon that spending half the time laying there motionless makes a girl "good at it", then I'll be making a mental note to keep you away from mortuaries!

2 0
1. This post has been deleted by its author
Wednesday 4th August 2010 10:05 GMT Doug Glass

BFD

Foxit reader.

0 0
Wednesday 4th August 2010 10:12 GMT Anonymous Coward

Why?

Why do people still use acrobat reader? There are better alternatives.

0 0
Wednesday 4th August 2010 11:02 GMT Robert Carnegie

I think Foxit had the last vulnerability too.

And Apple's problem is Apple's problem.

Note also that OpenOffice.org is said in the article to be holed. I wonder if that includes the beta or pre-beta version 3.3. Personally I don't exchange OpenOffice.org documents anyway. But it goes to show - again - that open source software isn't immune to this.

0 0
1. Wednesday 4th August 2010 13:18 GMT Anonymous Coward
  
  Foxit
  
  The vulnerability you mention was in effect a vulnerability in the PDF format rather than the reader. Virtually every acrobat reader suffered from that one.
  
  If you want some amusing reading check out the history of vulnerabilities in Adobe Acrobat Reader and Foxit Reader over the last few years. It looks really bad for Adobe if you take away the ones that are common to both it look een worse for Adobe.
  
  And Foxit isn't the only alternative Acrobat reader you know.
  
  0 1
Wednesday 4th August 2010 11:49 GMT andy gibson

For a free writer

I recommend CutePDF. No programs, just a virtual printer that writes your PDF document.

0 0
1. Wednesday 4th August 2010 12:49 GMT Anonymous Coward
  
  Why?
  
  I fail to see why a PDF writer is a good idea. Distributing PDF documents effectively encourages people to use Adobe Acrobat Reader and given it's history that is not a good thing.
  
  0 0
  1. Wednesday 4th August 2010 15:34 GMT Mike Moyle
    
    It must be nice...
    
    ...to be able to afford every program and font in existence.
    
    For those of us that have to send complex documents created in InDesign or Quark XPress for approvals by people who don't have them, or who get, say, ArcView maps in from people when we don't own ArcView, PDF writers/readers fulfill a vital need.
    
    0 0
Wednesday 4th August 2010 13:25 GMT Conor

Integer vulns are hard to spot

Sumatra is a nice PDF reader. Small and fast.

I read a document a few years ago describing integer overflow and the possible vulnerabilities it induces. I'd always been cautious in my coding with integers but to be fair to Adobe programmers, there were some subtle little things that could trip up anyone.

I mean fair's fair - hands up anyone who has never multiplied a char by something else without considering that the char, when converted to int, would sign extend to a negative number. Nobody? You're s0 gr8.

Belabouring the bleeding obvious, the answer is security in the OS such that when an app is owned, your computer is not owned too. That means not running as admin and forgoing apps that MAKE you run as admin. Bring em back to the shop. Sandboxing, such as is easily possible under Windows 7 is nice too.

0 0
Wednesday 4th August 2010 14:20 GMT Ross 7

Love that line

"There are no reports of the flaw being targeted for malicious purposes"

3...2...1...

Whilst the info is not fully disclosed yet knowing that there is *definitely* an exploit in there and it's an integer overflow makes it worthwhile hunting for it and lets you know (roughly) where to focus your attention.

I don't see it being more than a week or two before it's weaponised and actively exploited by someone like the Zeus team (not the httpd one). I hope Adobe et al are working hard!

Re: Connor - if you're paid to code production quality software, esp. software that is going to be a large target for blackhats you really ought to read the compiler notes. Being paid £30k+ comes with certain responsiblities. Not being a lazy bugger is probably in there somewhere. I agree with your points which are well made, but many security flaws are the result of stupid or lazy coding. Relying on implicit type conversion in C++ without reading the compiler notes is risky at best. Doing anything in C++ is risky tbh but hoping the complier does what you want it to do without checking first?..

0 0
This post has been deleted by its author
1. This post has been deleted by its author
  1. Thursday 5th August 2010 10:30 GMT Tom 7
    
    AC Colour Separation
    
    Only of use when you have to print something. Only required when you have a Pointless Document Format cos ist not HTML and you cant read it on the screen.
    
    If you have to force users to print your information 20 years after the WWW appeared you may as well throw your computer away - its too clever for you.
    
    And if you think when I print a PDF it looks anything like it does on your printer you're hopelessly mistaken. Pointless Document Format - does what it says on the tin - fuck all.
    
    1 0
    1. This post has been deleted by its author
2. Wednesday 4th August 2010 18:06 GMT Mike Moyle
  
  See my comment above: "It must be nice..."
  
  True enough, in the sense that it is conceivably possible that I could create screen-caps of a 100+-page, highly-formatted document and create a web site where clients could look it over for approvals.
  
  It would be a pretty moronic use of my time, but it WOULD be possible.
  
  Of course, to make sure that the images were sufficiently high-rez, I'd probably have to zoom in and take screen caps of PARTS of each page and stitch those together -- and likely have to color-correct them, as well...
  
  Then, of course, once the job was approved, the printer would have to print off of those screen-caps, or I would have to send him all of the raw files and hope that he's not running older versions of the publishing software that I used.
  
  Or I could just send PDFs to all parties concerned and get back to billable work.
  
  Guess which one gets my vote.
  
  1 1
Wednesday 4th August 2010 16:48 GMT David Eddleman

I guess...

...that iPhones are vulnerable to Flash exploits too.

Oh wait...

0 0
Wednesday 4th August 2010 18:22 GMT Trevor_Pott

Die, Adobe, die!

You make my life miserable. Please sell Photoshop to someone that doesn't suck and just fade into oblivion.

1 0
Wednesday 4th August 2010 21:01 GMT Willy Messerschmitt

All Future Acrobat Reader Patches In One Package

This procedure wil make sure:

1.) Uninstall Acrobat Reader

2.) Download the Develper's version of Chrom

3.) Enable the built-in PDF plugin

4.) Right-click on a PDF document and set Chrome as the default viewer

The result is secure and very, very fast. No difference to viewing html at all.

To all those who don't like PDF I suggest to differentiate between Adobe Acrobat Reader (clearly a pile of poo) and the PDF format itself. It is well-documented and in my opinion one of the few formats computers will be able to render correctly in 50 years time.

1 1
1. Thursday 5th August 2010 11:10 GMT Tom 7
  
  Render Properly in 50 years time?
  
  Having spent 5 years in the printing industry I can say that if you think your document is going to look the same on my printer as it does on yours you are sadly deluded.
  
  A printed document will, if your very very lucky, look the same if its printed on the same printer, just after calibration, at the same temperature and humidity, same batch of inks and paper and all other parameters identical.
  
  I have taken a large wad of cash from someone who was stupid enough to think otherwise.and by putting a single sheet of a different kind of paper into a print run was able to get the whole meaning of a contract changed as on carefully chosen word (not) was not visible in the second copy as the paper didn't take show the word.
  
  Pointless Document Format doesn't render correctly now - it certainly wont in 50 years time.
  
  0 0
  1. Friday 6th August 2010 09:02 GMT Willy Messerschmitt
    
    For me, it is Ok
    
    I am not in the printing or graphics business and PDF is totally OK with me. There is a PDF standard explicitly chosen for long-term preservation of documents (think of aircraft manuals, building documentation etc). As far as I know this is the major standard for this kind of application.
    
    I don't care if it is not 100%, pixel-by-pixel the same on different PDF renderers, I care that my brain thinks it is the same. And I also don't care about the kind of criminal abuse you describe.
    
    What would be the alternative ? GIF ? TIFF ? JPEG ? Rather memory-intensive, I would say.
    
    0 0
2. Thursday 5th August 2010 15:53 GMT Anonymous Coward
  
  So, essentially...
  
  You're trading out one evil corp (Adobe) for another Chrome (Google)?
  
  0 0
Wednesday 4th August 2010 22:13 GMT Anonymous Coward

Now we know...

Now we know why Jobs doesn't want Flash on the iPhone. It's associated with scripting - not something we associate with PDFs. If Acrobat documents have got such an obvious vulnerability, how bad can Flash ones get?

0 0
Thursday 5th August 2010 09:02 GMT Georgie's Girl

fool me once

Let's see, details on vulnerability in Adobe pdf reader posted in multiple pdf files. Is this an IQ test?

1 0
Thursday 5th August 2010 14:48 GMT Eddie Johnson

The Larger Lesson Here Is...

The evils of feature creep. If PDF had been kept to its original purpose, we'd be fine. But Adobe couldn't leave it alone and wanted to start making their static documents dynamic. IMO that change from static to dynamic is what destroyed the web, made it perform like shit, and opened up tons of security holes. Geniuses that they are, Adobe copied this static to dynamic change in the web to their Portable Document Format, forgetting that the very nature of a document is STATIC. It is to *document* the state of something at a point in time. There is no reason for links, Javascript, dancing GIF animations or whatever crap the markettards want to introduce to try and sell me their overpriced, unexciting crap. Adobe has simply made the exact same mistake that pretty much the entire web has made, so as utter failures go they aren't even original, they are just copycat failures.

Adobe adopted the idea that PDF was a container for offline web information so they wanted to be able to bundle up all the features of the web (viruses included but not intended) into a compact portable format. Knowing all the investment they had in dynamic content from stuff like Macromedia it was obvious they wanted to be able to deliver animated flash presentations and shit like that in a PDF, they probably saw it as a PowerPoint killer. Well, they succeeded at bundling up all the (destructive) power of the web into an easily portable format for exchange. They succeeded so well they have now become one of the primary conduits for malware.

Kudos Adobe!

1 0
Friday 6th August 2010 12:44 GMT Willy Messerschmitt

Not Entirely True

Buffer overflows can happen even in C-type programming languages even if you have a program which is only supposed to be a "viewer". Even vi, less and more could theoretically have buffer overflows.

http://en.wikipedia.org/wiki/Buffer_overflow

On the other hand, it IS possible to run untrusted executable code securely, IF you have a proper sandbox around that. Javascript, Java and .Net prove that (through user-level software mechanisms). In addition to that, mechanisms like SE Linux, AppArmor, BSD Jails or the Google Chrome Security Architecture intercept and validate system calls using the Memory Management Unit and the Operating System. IE8 is doing something similar.

One could also argue that proper Operating Systems like Unix, the WNT Kernel and things like VMware or Xen have proven that secure execution of untrusted code is indeed possible.

The problem of numerous buffer and integer overflows will persist, though. That means sandboxes are exactly the right thing to do.

0 0

This topic is closed for new posts.

Other stories you might like

Academics probe Apple's privacy settings and get lost and confused

Just disabling Siri requires visits to five submenus

Security 5 Apr 2024 | 30

Apple iPhone AI to be powered by Baidu in China, maybe

Of course it's called ERNIE seeing as Google has BERT

Personal Tech 23 Mar 2024 | 13

Apple cuts hundreds of jobs after ditching the car project and more

Self-driving to the nearest job center

Personal Tech 5 Apr 2024 | 12

Apple's GoFetch silicon security fail was down to an obsession with speed

Opinion Ye cannae change the laws of physics, but you can change your mind

Security 2 Apr 2024 | 23

Apple fans deluged with phony password reset requests

Beware support calls offering a fix

Security 27 Mar 2024 | 18

No joke: FTC boss goes on the Daily Show and is told Apple tried to block her

Comment Land of the Free has lost its way in quest for profits

Offbeat 2 Apr 2024 | 76

Microsoft squashes SmartScreen security bypass bug exploited in the wild

Patch Tuesday Plus: Adobe, SAP, Fortinet, VMware, Cisco issue pressing updates

Security 10 Apr 2024 | 22

TSMC's 3nm node powers up, setting stage for tech giants' next-gen chips

AMD, Apple, Intel throw weight – and cash – behind process technology

Systems 27 Mar 2024 | 3

Canva acquires Affinity, further wounding a regulator-bruised Adobe

Yet another reason to reconsider that overpriced Creative Cloud subscription

Applications 26 Mar 2024 | 29

Uncle Sam, 15 US states launch antitrust war on Apple

Lawsuit alleges iGiant rips off fans, stifles dev innovation, makes it tough to dump iOS for rivals

OSes 21 Mar 2024 | 40

Woz calls out US lawmakers for TikTok ban: 'I don’t like the hypocrisy'

Go look at Facebook and Google, says Mac man

Personal Tech 25 Mar 2024 | 66

GoFetch security exploit can't be disabled on M1 and M2 Apple chips

For now, cryptographic work should be run on slower Icestorm cores

Research 25 Mar 2024 | 14

The Register Biting the hand that feeds IT

About Us

Our Websites

Your Privacy

Situation Publishing

Copyright. All rights reserved © 1998–2024