New Adobe Acrobat Flaw Resembles Old

By Scott M. Fulton, III | Published January 4, 2007, 3:17 PM

Last September, the French Security Incident Response Team (FrSIRT) discovered an exploit made feasible by intentionally malformed arguments passed to certain methods in Adobe’s Acrobat Web reader control. Adobe advised its customers of the flaw in November, and issued a patch for Acrobat 7 in early December.

But just before Christmas, a pair of Italian security engineers demonstrated a new way to exploit the same flaw, in a presentation before a hackers’ convention in Berlin that at one time was supposed to have been entitled “Hijacking AJAX for Fun and Profit.” FrSIRT picked up on the news as though it were a new discovery, issuing a fresh security bulletin.

The second alert, not the first, caught the attention of Symantec, which yesterday posted a blog entry with the gripping headline, “When PDFs Attack!” And it’s Symantec’s response to the second alert, complete with Symantec’s advice for how Firefox users can immediately protect themselves against the danger of URLs sending malformed parameters to Acrobat, that has press sources today sounding their own alarm bells, some of which are actually touting the potential exploit as a “Firefox flaw.”

The Italian team of Stefano Di Paola and Giorgio Fedon discovered that the already-published malformed address problem (the one which FrSIRT found first, but whose existence the same FrSIRT learned about from Di Paola and Fedon later) could be exploited by means of an Acrobat feature called OpenParameters, which enables parameters and attributes to be sent to Acrobat’s embedded Web browser control by attaching them to the end of the URL. The original FrSIRT advisory omitted any mention of OpenParameters, although, like a police press conference that intentionally omits certain details of the crime, the original advisory may have intentionally left out any description of what is probably the exploit’s only attack vector anyway.

As the team’s documentation clearly states, a URL can be intentionally malformed within Internet Explorer and Opera as well as Firefox browsers, although Firefox 2.0 appears to have been the browser used in the Berlin demo. Using information from the Symantec advisory, the Associated Press reported this morning that users could protect themselves against the flaw by changing Firefox settings for handling PDF and related filename extensions, although the advice could easily apply to other browsers.

Furthermore, the flaw has nothing whatsoever to do with AJAX, purportedly the original topic of the Berlin demo.

The US Dept. of Homeland Security’s US-CERT team has been following the Acrobat flaw since the Italian team first revealed it to the public last October. Its own advisory acknowledges three of the team’s discoveries, one of which is that a URL is allowed to trigger JavaScript code to run. This is a classic “cross-site scripting vulnerability,” meaning if one site is capable of loading another site’s page in a separate window, the first site can execute JavaScript code from the second site without warning or verification. Indeed, this does open up a world of vulnerabilities.

But US-CERT also acknowledges that Adobe has addressed the problem and may have already completely solved it, not with a simple patch but with a complete solution: Adobe Acrobat 8.0, released last September...just before all the brouhaha over Acrobat 7 started. US-CERT also says it has performed limited testing on Acrobat 8, and sees no evidence of the OpenParameters flaw in that version.

So once again, users may find themselves asking which is the more dangerous exploit: the original flaw, or the subsequent headlines?
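For a site or gateway that relays user-submitted links, one defensive check against the OpenParameters mechanism described above is to strip every parameter that does not match a strict allowlist. This is an added example, not code from the article, Adobe, or Symantec. It assumes the parameters travel in the URL fragment as `name=value` pairs, and the function name `sanitizePdfLink`, the allowlist, and its value patterns are hypothetical site policy.

```javascript
// Added example, not from the article. Policy: assumed allowlist of open
// parameter names with strict value patterns; everything else is dropped.
const ALLOWED = new Map([
  ['page', /^[1-9]\d{0,5}$/],
  ['zoom', /^\d{1,4}(,\d{1,5},\d{1,5})?$/],
  ['nameddest', /^[A-Za-z0-9_.-]{1,64}$/],
  ['pagemode', /^(none|thumbs|bookmarks)$/],
  ['toolbar', /^[01]$/],
  ['scrollbar', /^[01]$/],
]);

// Returns { url, dropped }. url is null when the link is rejected outright.
function sanitizePdfLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { url: null, dropped: ['unparseable'] };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { url: null, dropped: ['scheme'] };
  }
  // Only links whose path ends in .pdf are treated as PDF links here; a PDF
  // served from another path (e.g. a download script) is out of scope.
  if (!/\.pdf$/i.test(url.pathname)) {
    return { url: url.href, dropped: [] };
  }
  const kept = [];
  const dropped = [];
  for (const pair of url.hash.slice(1).split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = (eq === -1 ? pair : pair.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    // Values are matched undecoded, so percent-encoded input never passes.
    const rule = ALLOWED.get(name);
    if (rule && rule.test(value)) kept.push(`${name}=${value}`);
    else dropped.push(name);
  }
  url.hash = kept.join('&');
  return { url: url.href, dropped };
}
```

The `dropped` list is worth logging: a relayed PDF link that loses parameters is a useful signal for review.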

Comments

IE7 is immune
The flaw appears to target IE6 and Mozilla Firefox 2.0.0.1 browsers.

They recommended that users protect themselves by upgrading Internet Explorer or changing Firefox's user options so the browser does not use the Acrobat plug-in.

Score: 0


http://www.adobe.com/sup...ulletins/apsb06-20.html
At least it's a workaround for earlier versions...

Score: 0


Foxit.

Score: 0


Perfect. The solution: pay to buy the upgrade to fix THEIR mistake. Sounds like Adobe is falling behind Microsoft, who practically invented that scenario.

Score: 0


At least Microsoft supports their products AT LEAST 5 years after a new version comes out! Heck, Windows 2000 will be 7 years old in February, and extended support (for NEW security hotfixes and updates) will last until at least 2009 according to Microsoft.

Windows 98/98SE had hotfix support through June of last year, that's frikin 6 years after the next version of Windows had "replaced" Windows 98, yet you compare Adobe to Microsoft here?

Adobe needs to have a serious shakeup like Intel has had, because I'm no longer confident in using Flash Player these days either...

Score: 0


Most users use Acrobat Reader and not the full Acrobat program. Reader is, of course, a free download.

I'm not sure if it's possible, but I would imagine it would be best to use Reader 8 as the embedded PDF reader for browsers and use Acrobat 7 for only offline PDF editing.

Score: 0


You can't use Acrobat 8 and earlier versions (reader or writer) on the same machine. Lots of people complaining on the Adobe forums about this.

Basically, Adobe should not be trusted to provide enterprises with secure apps. I'm not migrating to 8 just because you tell me to. We'll just replace the entire suite if we're going to be hardballed.

Score: 0


Exactly. And I bet there is not going to be a patch for Acrobat Pro 7. They will make you pay for the upgrade to AP8.

EDIT: In fact, that irks me so much that I am torrenting AP8 right now. FU Adobe for pullin' that kinda sh*t. That is something Microsoft would pull...

Score: 0


Word.

Score: 0


No surprise here. Adobe sucks as a software company. Not trying to bash them, but you would be pressed to find an IT manager or a Network Admin in the world that has kind words to say about Adobe. I wish they weren't so popular so we wouldn't have to use them.

Score: 0


To me, *IF* Microsoft is illegal by including IE in windows 98, ADOBE should be illegal for paying every major pc manufacturer to include their software, as well as Real Media, Apple Quicktime, the infamous AOL, Symantec, McAfee, ETrust CA antivirus--the list goes on. Why is it the same people who claim MS is so evil use the same tactics that Microsoft uses and they more or less get away with it? Why does success = illegal in capitalism?

Okay, sorry for that rabbit trail...

Score: 0


They don't pay us to put it on OEM machines. We just do it because customers expect it to be there.

Score: 0


bour: I agree with your first point; PCs need to be bundled with A browser in order to access the WWW anyway, and MS in essence just simplifies the process for manufacturers by bundling their own.

One could argue bundling MORE browsers would give the user a wider array of choices... but most people don't need 3-4 different web browsers wasting space on their hard drives unless they are doing web design.

However, for your main point, I disagree. You cannot blame the software companies, at least not completely, because ultimately it is the computer manufacturer that chooses what software goes on the machines it sells.

Admittedly, I'm sure it's a slight bit more complex than that. Do manufacturers sell new computer pre-installed program slots like advertisement spaces? I find it hard to come up with a GOOD reason why they'd pre-install stuff like that, other than money.

Score: 0


If you're saying Microsoft is a success, then you haven't owned their stock in the last seven years. Microsoft wouldn't have any legal problems if they didn't try to sell their software to every government on earth. And if you knew the history of Microsoft, what they couldn't buy, they stole, thus all their problems are self-made. Maybe you don't remember that the illegality wasn't having IE built-in to the OS on the desktop; it was forcing vendors to remove all other installed browsers shipped on Windows PCs. (Check the facts, Jacque!)

Like Microsoft, however, Adobe is taking on the same water. No one can quite match the quality of some of their key apps, so people keep throwing good money after bad. And don't forget, Adobe is the same company who rushed to sue Microsoft if they included PDF document export in Office 2007, even though it's free to every other vendor on the planet.

Score: 0


Unfortunately for enterprises and other companies, migrating to 8 isn't as easy as flipping a switch. Many companies have incompatibilities, training, migration, support to deal with.

For shame on Adobe for abandoning their own platform so quickly. They should be releasing a patch for those of us that cannot migrate on a moment's notice. I haven't even mentioned how there are many many third party tools that rely on Acrobat 7.x and cannot be easily adapted to 8.

Score: 0


Amen. For God knows what reason we decided to stay with Adobe 6 over here, and still use it. AAARRRGGGHHH!!!

Score: 0
