[arachne] Adobe swings and misses as PDF abuse worsens | Zero Day | ZDNet.com
- From: "L.D. Best" <l.d.best@xxxxxxxxxxxxxxx>
- To: LifeRaft <survpc@xxxxxxxxxxx>, arachne@xxxxxxxxxxxxx
- Date: Thu, 26 Feb 2009 04:39:06 -0500
Arachne at FreeLists---The Arachne Fan Club!
Suddenly the "safe" small footprint way to transmit documents is no
longer safe. Is anyone really surprised that PDF finally became a target
for abuse?
http://blogs.zdnet.com/security/?p=2690&tag=nl.e589
After more than two weeks (months?) of inexplicable silence on
mitigations for a known code execution vulnerability in its Reader and
Acrobat product lines, Adobe has finally posted public information on
the problem but the company’s response falls well short of providing
definitive mitigation guidance for end users.
[ For background and a timeline on how *not* to handle incident
response, HD Moore's blog post is a great start:
http://blog.metasploit.com/2009/02/best-defense-is-information.html ]
Adobe’s response simply confirms what we already know and reiterates
that turning off JavaScript will NOT eliminate the risk entirely.
However, the company does not offer any definitive suggestions or
workarounds, instead pointing to a list of anti-malware vendors blocking
known attacks.
Here’s what we have from Adobe
(http://blogs.adobe.com/psirt/2009/02/adobe_reader_and_acrobat_issue_1.html):
* We have seen reports that disabling JavaScript in Adobe Reader and
Acrobat can protect users from this issue. Disabling JavaScript
provides protection against currently known attacks. However, the
vulnerability is not in the scripting engine and, therefore,
disabling JavaScript does not eliminate all risk. Keeping this in
mind, should users choose to disable JavaScript, it can be
accomplished following the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK
While this information is better than the silence we’ve gotten from
Adobe since the attacks became public, it falls well short of providing
the protection information that businesses and end users need when
in-the-wild malware attacks are occurring.
The company did not offer any details on the actual vulnerability. It
did not provide workarounds. It did not provide mitigation guidance.
Adobe simply rehashed what we already knew and confirmed that the public
mitigation guidance from third parties is/was not definitive.
As my former ZDNet Zero Day blog colleague Nate McFeters points out
(http://natemcfeters.blogspot.com/2009/02/pdf-abuse-gets-worse.html),
the issue is much worse than first imagined.
* I decided I’d test this out and found that on a fully patched Mac
OS X build, Safari 4, Mail.app, Preview.app, and potentially
others all crash using the proof of concept exploit
(http://milw0rm.com/exploits/8099) provided on milw0rm. The crash
is actually in PDFKit, which supports all of those applications
and likely much more.
According to Secunia’s Carsten Eiram (http://secunia.com/blog/44/),
his company managed to create a reliable, fully working exploit which
does not use JavaScript and can therefore successfully compromise users
who may think they are safe because JavaScript support has been disabled.
* All users of Adobe Reader/Acrobat should therefore show extreme
caution when deciding which PDF files to open regardless of
whether they have disabled JavaScript support or not.
If Secunia can do it based on information that’s public, what’s to stop
malicious hackers with major financial motivation?
So what now Adobe?
Ryan Naraine is a security evangelist at Kaspersky Lab
(http://www.kaspersky.com), an anti-malware company with operations
around the world. See his full profile
(http://blogs.zdnet.com/bio.php?id=naraine) and disclosure
(http://blogs.zdnet.com/security/?page_id=324) of his industry
affiliations.
l.d.
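As an added example, not part of the forwarded ZDNet article or of the message above: a small Python triage script of the kind a mail gateway or helpdesk might run over incoming PDFs. It flags the entries a JavaScript-based PDF attack needs (/JavaScript, /JS, and the /OpenAction, /AA and /Launch actions that fire without a click) after undoing the #xx hex escapes that the PDF format allows inside name objects, which is how a naive grep for "/JavaScript" gets dodged. The three sample PDFs are constructed inline for the demonstration. In line with the article's point, a clean result is reported as "no JS triggers found", never as "safe", because the exploit Secunia describes needs no JavaScript at all.

```python
import re

# PDF name objects may spell any byte as #xx (a feature of the format), so
# /J#61vaScript is the same name as /JavaScript.  Undo the escapes inside
# name tokens only, so binary stream data is left alone.
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    def unescape(match):
        return _HEX_ESCAPE.sub(
            lambda h: bytes([int(h.group(1), 16)]), match.group(0)
        )
    return _NAME_TOKEN.sub(unescape, data)


# Keys of interest: script carriers and the actions that run automatically.
TRIGGERS = {
    b"/JavaScript": "JavaScript action",
    b"/JS":         "inline JavaScript string or stream",
    b"/OpenAction": "action run when the document is opened",
    b"/AA":         "additional (automatic) actions",
    b"/Launch":     "launch an external program",
}


def scan_pdf(data: bytes) -> dict:
    """Count trigger keys in a PDF after name normalisation."""
    norm = normalise_names(data)
    hits = {}
    for key in TRIGGERS:
        # Negative lookahead keeps /JS from matching a longer name like /JSX.
        count = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9_])", norm))
        if count:
            hits[key.decode()] = count
    return {
        "hits": hits,
        "has_javascript": "/JavaScript" in hits or "/JS" in hits,
        "obfuscated_names": norm != data,  # somebody used #xx escapes
    }


def triage(data: bytes) -> str:
    """Return a one-word disposition: block, inspect or no-js-triggers."""
    result = scan_pdf(data)
    if result["has_javascript"]:
        return "block"
    if result["hits"]:
        return "inspect"
    # Not "safe": the parser itself can be the target, with no script at all.
    return "no-js-triggers"


# Constructed sample documents (minimal, hand-written PDFs for the demo).
PDF_BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
PDF_WITH_JS = PDF_BENIGN.replace(
    b"/Pages 2 0 R >>",
    b"/Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>",
)
# Same payload, with the names hex-escaped to dodge a plain keyword search.
PDF_OBFUSCATED = PDF_BENIGN.replace(
    b"/Pages 2 0 R >>",
    b"/Pages 2 0 R /O#70enAction << /S /J#61vaScript /J#53 (app.alert(1)) >> >>",
)

if __name__ == "__main__":
    for label, doc in (("benign", PDF_BENIGN), ("js", PDF_WITH_JS),
                       ("obfuscated", PDF_OBFUSCATED)):
        print(label, triage(doc), scan_pdf(doc))
```

The script looks only at uncompressed object text; a real deployment would first inflate FlateDecode streams and unpack object streams, since the same keys can sit inside them. Treat it as a way to sort incoming files for attention, not as a safety check: a "no-js-triggers" result only means the JavaScript-disabling advice would not have mattered for that file.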