Adobe Reader browse-and-get-pwned 0day under attack

Adobe has confirmed reports that yet another unpatched vulnerability in the latest versions of its ubiquitous software is being actively exploited to infect end users with data-stealing malware. The vulnerability exists in Adobe's Reader document viewer and Flash Media Player for Windows, OS X and Unix operating systems, Adobe …

COMMENTS

This topic is closed for new posts.
  1. gorgehead
    Thumb Up

    more bloat, more bugs..

    These guys issue more updates than Microsoft these days, I can't keep up with them. No wonder Apple wishes Flash banished. No doubt when the sandbox technology makes its appearance the download will probably double in size.

    1. Anonymous Coward
      Pint

      Way to go, Adobe!

      With one coding error you manage to make vulnerable two applications on a Windows PC simultaneously. I'm impressed or shall I say I'm moved... to an alternate PDF viewer.

  2. Andrew Stevenson

    Who will provide the sandbox...

    Who will provide the sandbox?

    I hope it's from a reputable third party, because Adobe doesn't seem to be on the cutting edge of securing software.

    1. Anonymous Coward
      FAIL

      Microsoft

      There was some information that MS were helping them develop it.

      Instead of trying another incremental solution just rewrite the damn thing from the ground up with security in mind - that's got a far greater chance of "fixing" it than just trying to plug holes.

      1. asdf
        FAIL

        sad but true

        When M$ is having to help you with security because you are making their platform look insecure you know you have problems. Seriously though M$ unlike Adobe has come a long way in taking security seriously and though still fairly bad it has actually improved somewhat. Nice how the short term gain of moving development to India to boost executives' bonuses is now biting them hard in the butt. Get mine right now and screw everyone else attitude why western civ is starting to decline.

      2. Tom 13

        Or they could just re-write without using Active X.

        Oh wait, that COULD be taken to mean "security in mind" ...

  3. Matt Black

    Bad Couple of Years for the Adobe Security Team?

    Working in a security team is usually a depressing experience - under-resourced and fixing crap mistakes made by people who should have known better; not being allowed in to the design and review cycle early; etc.

    And now you report it as if they are the ones to blame.... look higher up the tree and earlier in the process!

    1. AndrueC Silver badge
      FAIL

      Not just security

      Have you ever tried to get time and budget to refactor old code? Or offer management two solutions:

      Quick 'n' dirty.

      Slow but well implemented.

      Guess which they go for every time? Try and point out that the slower solution will be more future-proof and what's their response? "Doesn't matter - we can just factor the issues into development time for the next project".

      The only projects I've worked on where the team was allowed to make quality and future-proofing a priority are those where the engineers ran the team. That's happened twice in the last 25 years.

  4. Steve 72

    PDF Xchange Viewer

    ...from Tracker is another alternative.

    Susceptible to this? Can't say, but I've used it for a long time now after Adobe bloated their reader out of contention and never had a problem.

  5. Alastair Dodd 1

    Adobe reader

    is terrible these days, it's a huge install and full of problems.

    I'd avoid it totally and use an alternative like Foxit

  6. John F***ing Stepp

    Should take a page from Microsoft.

    Microsoft gives away a product called document viewer that does not have VBA capability and is a fairly safe way of looking at a possibly compromised DOC file.

    Perhaps Adobe should do the same and make a product for looking at PDFs; I don't know what they would call it though, any suggestions?

    1. Anonymous Coward
      Anonymous Coward

      I've got a name suggestion

      "PD File".

  7. semprance

    Ttir,amcla/od

    I honestly wasn't aware that anyone even used it anymore...

    I've been using Foxit Reader for ages, amongst others. It's not even much smaller than Adobe but it does the job fine.

  8. demo
    Go

    Yet another...

    ...reason to use HTML5.

  9. Darryl
    Pint

    (untitled)

    It wouldn't be so bad if Adobe would make these things updateable using WSUS or something, but their whole world vision seems to be that every user is the admin on their PC and they can do these things by themselves, making us poor sysadmins either push them out using pstools or run around from workstation to workstation every week. This increases the consumption of beer. Maybe Adobe is in cahoots with the major breweries?

  10. batfastad
    Jobs Horns

    must contain letters and/or digits

    Foxit is great. Starting to get a bit bloated these days but still loads very very quickly.

    Another good one is Sumatra PDF but that's a bit more basic.

    Cannot wait until Adobe ceases to exist!

  11. Tony Paulazzo
    Unhappy

    liability

    Shouldn't Adobe be held responsible for systems getting compromised?

    1. Anonymous Coward
      Anonymous Coward

      Yes they should, as should Microsoft

      and Oracle (now that they own Java)

  12. Maty

    isn't it annoying ....

    .... how often Steve Jobs is right? Keeping this bug-ridden pile of insecure turds off the iPad is looking like a highly prescient decision.

  13. Boris the Cockroach Silver badge
    Grenade

    Having

    been recently pwned by the ramnit virus, if only m$ had designed the damned operating system so that users couldn't alter core system files without using a password.

    Oh and the code that ate my system was a VBscript consisting of

    Check for SVChost (windows only thing I guess)

    Load data into memory

    exec svchost linked to the data

    How ****ing stupid is that ?

    Any software designers that allow that sort of thing to happen ought to be taken out and shot.

    I won't mention what should be done with the virus creators, but it does involve the hand grenade

    1. Ray Simard

      @Having (FYI)

      svchost.exe is a generic application used as a host for DLLs (Windows shared libraries). DLLs can't be run directly from Windows; they have to be loaded and executed from some other executable. svchost.exe is an executable designed for that purpose.

      At any time there will be a pretty long list of instances of svchost.exe, each of which is running one or more services from their respective DLLs. This virus was set up to run this way. It looks like from your description the data loaded into memory was the image of a DLL and svchost.exe was then induced to run it as such.

      1. AndrueC Silver badge
        Boffin

        Could've been better though

        I understand the need for svchost but the reporting leaves a lot to be desired. TaskManager should be able to do better than just say 'svchost'. It ought to be able to list the DLLs it's hosting as a minimum. Ideally there should be a utility (maybe svchost itself) that can display the DLLs along with a meaningful description.

        1. TeeCee Gold badge
          Happy

          @ AndrueC

          You mean like the Task Manager on Se7en does if you ask it nicely what that particular "svchost" is doing?

          XP types can swap the XP Task Manager for the Sysinternals (now MS TechNet) Process Explorer to get the same functionality, showing the tasks hosted and allowing you to drill down and view the individual threads that it's fired off.

          The one being developed on the freshly-Borged other.

          1. AndrueC Silver badge
            Thumb Up

            Interesting

            I didn't know about Se7en (thanks for that) but I did know about SysInternals. Unfortunately I gave up on that because it takes sooooo long to open up. Half the time it took so long that the application I wanted to kill off had already died.

  14. Mr Young
    WTF?

    Total total rubbish

    According to popular myth even a bunch (sorry, troop) of monkeys with typewriters can get it right now and again! I don't even know if I can be bothered installing another Adobe update - what is it going to do next? Jeez, my PC needs more attention than my freaking kids nowadays! Pity I can't use 2 WTF Icons at the same time?

  15. TimeMaster T
    Linux

    Pardon my smug grin

    I use Linux and KPDF, so this doesn't affect me.

    1. AndrueC Silver badge
      Stop

      Don't count your chickens

      If/when Linux ever becomes a massively popular OS (i.e. gains market share at least vaguely close to Windows) then bugs in Flash will matter more. It's a shame Linux hasn't achieved that kind of adoption really. It'd be very interesting to see how it would withstand the onslaught from hordes of Bad People(TM) once they thought enough people were using it to make it a worthwhile target.

  16. Tom 35
    FAIL

    Upgrade treadmill

    PDF was a Portable Document Format. But Adobe want more money, so they want to sell upgrades, so they need new features that the marketing department can stick on the box.

    They ran out of useful new features years ago and now keep sticking more crap that has nothing to do with documents into Acrobat. Who asked for Flash, video, sound in PDF files?

    1. Framitz
      Boffin

      Adobe trivia

      If I remember correctly PDF originally stood for Page Description File. Those were simpler times.

  17. Anonymous Coward
    Stop

    ...ubiquitous - so a nice target

    sorry but Adobe flash and Adobe reader are pretty ubiquitous in the online world - to view flash video and read PDFs - as such, a vast majority of systems on the web have such tools installed to make the web useful - and thus are prime targets for hackers.

    okay...so you remove them - and their replacements are targeted instead - and that will be FoxIt too if it was worth it. and if not flash, then it'll be the browser itself - mark my words, the video components of new browsers will be seriously tested with HTML 5 and MP4 codecs being probed and attacked. the old MacOSX security myth is also slowly being eroded. Safari and Quicktime having quite a few updates in the past year already

    1. Paul Crawford Silver badge
      FAIL

      @...ubiquitous

      Your theory is only partly right - of course virus writers go for the biggest return (i.e. maximum number of users and/or biggest value targets to hack open).

      But it also fails to weigh up the relative underlying quality of code in different cases. If product A had hundreds of exploitable bugs, but product F only a few, even if they were of equal popularity you can work out which is going to be getting pw0ned more often.

      Adobe's problem is they have so much dumb stuff in Acrobat (as already pointed out, who actually wants scripting and application running in a document reader?) and it appears to be written by incompetent monkeys, a combination guaranteed to FAIL.

  18. Morpho Devilpepper
    Jobs Horns

    Quite compelling

    This supports my theory that most of the computer viruses in existence were created by Mac users.

    OK...maybe not. Makes you wonder, though...

  19. Bilgepipe
    FAIL

    How many more times...

    ...does this have to happen? Dump Flash, dump Adobe, and dump Windows at the same time, for good measure. Security problem solved.

    1. NumptyScrub

      Time limited protection

      RE: "How many more times... ...does this have to happen? Dump Flash, dump Adobe, and dump Windows at the same time, for good measure. Security problem solved."

      For 6 months, until the guys writing the exploits stop aiming at Windows and instead start aiming at supposedly secure operating systems. Firefox on non-windows operating systems was shown to be vulnerable to the same 0-day that some script kiddie went after a few days ago.

      The only difference was his malware was windows only. When malware starts becoming cross platform and includes Linux, then you're going to start needing to install proper AV on Linux :(

  20. AndrueC Silver badge
    Thumb Down

    Hit the delete button

    And their installer will no doubt still drop a useless program icon on my desktop.

  21. Tom 7

    Dump PDF

    it really doesn't do anything it says on the tin.

  22. Chris Robinson 1

    use Sumatra

    I use Sumatra for reading .pdf's. Fast free and open source.

  23. Anonymous Coward
    Anonymous Coward

    "Dump PDF"

    Why? Is it PDF that's broken, or is it Adobe's recent readers?

    I still use Acrobat 5. It does what it says on the tin. It loads quickly and then it reads documents, and that's about all it does. Until it stops working (and it still works with pretty much every PDF I ever needed to read) then I stick with it. There's a lot of PDF out there and it's not going away anytime soon, even if Adobe Reader is.

  24. Tom 38
    Go

    I use evince

    Builds for windows here:

    http://live.gnome.org/Evince/Downloads.

    Adobe stopped adding useful things at around version 3 or 4 of reader. Since then, they have simply been 'embracing and extending' their own open format, in order to ensure that only Adobe Reader is able to process them (think gov.uk 'secure pdf' forms).

    They are like Microsoft 10 years ago, except seemingly without any competent code monkeys.

  25. rob hindle

    Spam promo of 3rd party pdf alternative

    I got several like this yesterday (2 versions with different download addresses but both resolving to the same URL). Sender name given as Adobe Support or Adobe News

    "Adobe is pleased to announce new version upgrades for Adobe Acrobat 2010.

    To upgrade and enhance your work productivity today, go to: http://www.adobe-acrobat-new-download.com"

    (the other address: http://www.official-adobe-software.com)

    Adobe don't publish any email addresses on their website so can't advise them of the spam.

    While I'm not "a friend of Adobe" (with particular reference to their policy of translating already high USD price to GBP price by changing the currency symbol) nor do I have any time for a spam-promoted alternative. And who knows what malware it may include... At least the official product only contains bugs and vulnerabilities! And at least we get to hear about them and Adobe will probably release patches.

  26. Anonymous Coward
    Grenade

    Abandon ship!

    Abandon ship! the Adobe boat is sinking and has too many holes to be fixed. Time to build a new boat of better stuff with NO HOLES.

  27. Pink Duck
    FAIL

    Grr, I've had enough

    I've uninstalled Flash entirely (and disabled Chrome's built-in Flash too). Roll on Firefox 4 and WebM HTML5 codec support.
