back to article Adobe mulls changes to close hole in PDF apps

Adobe Systems may make changes to its widely used PDF programs to prevent attackers from using them to mount attacks that hijack users' computers. The attack was first demonstrated last week by researcher Didier Stevens. By misusing a feature contained in the PDF specification, his proof-of-concept attack showed how hackers …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward


    Adobe don't seem to be able to make a sandwich without it containing cartoon-sized security vulnerabilities.

    How they have come to be so ubiquitous with their software remains a mystery.

  2. Steven Knox

    Same old story.

    "While Adobe applications warn users they are about to execute a potentially dangerous program, Stevens showed it was possible to modify the wording, increasing the attacker's chances of successfully socially engineering his victim."

    So, once more, a cool idea that does have some real usefulness (i.e, being able to automatically tie a PDF to a non-PDF document) is ruined by a poor implementation (WTF can they modify the wording of the security alert!?) and the naivete of users (Oh, it wants to run IM_NOT_MALWARE_HONESTLY_GUV.EXE? Okay!)

    This is why we can't have nice things.

  3. A. Lewis


    Adobe Reader is a bloated and secuirty-hole-ridden piece of crapware. I've been trying in vain to get my workplace to switch to an alternative such as foxit for some time.

    Adobe used to offer a 'lite' version with cut-down functionality (crazily it only allowed viewing PDF files, imagine!) But I see this has disappeared.

    1. James Loughner
      Paris Hilton

      Easy Fix

      The best and easiest fix is to just ship with the option TURNED OFF. dah. If some one really needs this they can turn it on.

      Paris because she knows how to turn things on.....

    2. Dave Murray

      Not an Adobe only problem

      Since this is exploiting a feature of the pdf spec it isn't an Adobe Reader only problem. In fact it's worse in Foxit because it doesn't give you any warning.

  4. Ceiling Cat

    Windows only?

    I'm assuming that, at the moment, this only affects Windows boxen?

    If so, I'm quite glad I've been moving my machines over to linux.

    Penguin...... WAAAARK and stuff . . .

    1. TeeCee Gold badge

      Re: Windows only?

      I dunno. Does the Linux version have the "run moody payload automagically" option?

      Of course, you can bet your bum that any moody payloads you actually get to see in the wild will be issuing Win specific commands, but if you're relying on "security through obscurity" to protect you, you're asking for it as much as the Win-loving arsehat that clicks on the "pwn me nows" button in that popup telling him that his machine's got a virus.

      1. Chemist

        Re: Windows only?

        Don't bother with Adobe Reader on Linux !

        Okular and others seem OK - at least as reported in various places and in my own test.

  5. John Sanders

    The wonderful world of "powerful apps"

    Also implies "powerful exploits", the funny thing is that almost nobody I know uses those power features.

    Most of my customers use either pdfcreator or Adobe Distiler to create pdfs, only very few know that you can use Acrobat pro to modify PDF's, and almost no one would ever generate or have to handle anything like an executable attachment inside a pdf.

    In fact I have a customer's office (about 10 seats) all using version 5.01 of Acrobat Reader because it is blazing fast compared to 6/7/8/9, and there is no way I can convince them to update.

    However I had been wondering for a while why acrobat got so huge and slow compared to the old days' Acrobat 5.x, I think I found the answer, it comes bundled with a DIY exploit construction kit.

  6. Tom 7

    Perhaps if it would be better for them

    to give up trying to reinvent the square wheel when there are working round ones out there.

  7. Anonymous Coward
    Anonymous Coward

    Under the circumstances...

    ... could the folk at Adobe mull a bit faster????

  8. Anonymous Coward
    Anonymous Coward

    I wasn't paying attention when this was first publicised

    but it transpires that this attack will also work on Mac OS X – provided that you're using Acrobat, when it changes the document itself (look for the black dot in the close box) and then borks while attempting to launch stuff which isn't installed on OS X. Obviously it would be trivial to change this behaviour to try and do something actually nasty, but the PoC borked my Acrobat CS3 installation badly enough that I just had to do a repair reinstall, which I'd rather not do again.

    Preview doesn't even cough, let alone try to do anything nasty, which once again proves the sense in not letting the Acrobat plug-in anywhere near my browser.

  9. Martin Smith 2

    Edit > Preferences Menu

    Just disabled the non PDF file attachments and what on earth is all that other nonsense in that menu. I just want to read PDFs not track RSS feeds, run Javascript or do any geospatial calculations!

  10. Joe User

    @A. Lewis

    "I've been trying in vain to get my workplace to switch to an alternative such as foxit for some time."

    Apparently, you didn't actually READ the article:

    The attack was first demonstrated last week by researcher Didier Stevens. By misusing a feature contained in the PDF specification, his proof-of-concept attack showed how hackers could embed a malicious payload in a document and trick Adobe's Reader and Acrobat applications - as well as the competing FoxIT Reader - into executing it.

    Did you see that last bit? Foxit Reader is (was) vulnerable, too. The problem lies in the PDF specification, not in the reader. Last week, Foxit Software implemented a security fix in their reader to head off the problem.

    "Adobe used to offer a 'lite' version with cut-down functionality (crazily it only allowed viewing PDF files, imagine!) But I see this has disappeared."

    The Lite version has disappeared because is was third-party (unauthorized) repackaging of Adobe Reader, minus some features.

  11. heyrick Silver badge

    Two thoughts...

    1. WTF do they mean "Adobe Systems *may* make changes"? MAY? MAY??

    2. I find I keep asking this... Exactly when and why did the PORTABLE *DOCUMENT* FORMAT (emphasis on the acronym) turn into a bit of everything else? Adobe should, at the very least, supply a feature-locked version that "does stuff for screen and printer" and, quite frankly, f**k the rest of it. I mean, what's all this 3D gibberish about? Something about my Brother DCP-165C that wasn't mentioned in the manual?! And oooh, hey, how would I print a video?

    EPIC FAIL for "Allow opening of non-PDF file attachments with external applications", that somebody could actually add that (under "Trust manager" no less) and not think "ahhh, this could be a potential problem". Or maybe that's the point? It is really a sophisticated metajoke?

  12. Circadian


    After the security debacle that was ActiveX, who could be so stupid to include a feature that... Oh, Adobe. Right.

  13. sleepy

    ten years and more ago

    Many years ago, Adobe turned Acrobat reader into sluggish bloatware for no discernible reason. Ever since OSX 10.1, has shown what a simple, responsive joy reading pdf's can be. When updating other apps, Adobe, having no shame, defaults to "repairing" the installation by blatting acrobat reader and plugin over the top of Apple's superior implementation. Oh no you don't, Adobe.

    Adobe - another fine company ruined by arrogant and greedy management. P/E 52? I don't think so. But I still need Acrobat Pro.

  14. amanfromMars 1 Silver badge
    Thumb Up

    A.N.Other's Tale of Nero Fiddling while Rome Burns?

    "Anything that has write access can perform an incremental update," said Conway, who is a program manager for New Hampshire-based Nitrosecurity. "It stops the attack vector of using the launch command, but it doesn't fix the incremental update issue."

    And whilst you are busy pottering away in the proverbial garden shed tinkering around document formats and in operating systems, does the attack force consolidate its stranglehold on human perception levers and overwhelmingly reinforce and strengthen its IT Networking Command and Control Superiority with Shared zerodDaily updated Words with Advanced Information of Novel and Noble IntelAIgent Abilities, floated from Layered Strata of Cloud to Cover the Internet with Enlightened Knowledge and Swamp Ignorance and Arrogance with Colossal AIResearch Waves.

    Hi, Wanna Play with Real and Virtual NEUKlearer HyperRadioProActive Global Operating Devices and not just some Puppet and Pretend Idols? With Quantum Communications Control is IT Easy.

    First they Ignore you, then they Ridicule you, then they Fight to Hate you, then they Lose against Win Win. ........ Can you Spot who's the Real Fool?

  15. Dan 55 Silver badge
    Jobs Halo

    @I wasn't paying attention when this was first publicised

    Why install Acrobat Reader on OS X? It already comes with a PDF viewer, although for this exploit I hope it doesn't Just Work.

  16. Natalie Gritpants

    In the old days

    Programs would expand until they could read email. Now they expand until they can form a botnet.

  17. jallen0002
    Thumb Up

    Intrepidus Group has released a working PoC for this flaw

    Hello folks. We (Intrepidus Group) released a working PoC for this flaw today. Check it out on our blog :)

This topic is closed for new posts.