Zero-Day vulnerability in Adobe Reader (h-online.com)
54 points by nkhumphreys on Feb 13, 2013 | 26 comments

Use Chrome (PDF reader built in) and turn on Click-To-Play for all plugins (e.g. Flash, Java) then add YouTube to your white-list.

Settings->Show Advanced Settings->Content Settings->Plug-Ins->Click to play


Settings->Show Advanced Settings->Content Settings->Plug-Ins->Manage Exceptions->[*.]youtube.com->Allow->Ok

You're now fairly safe from MOST drive-by attacks. Except those that impact Chrome directly.

After years of consistent security flaws in Flash and Reader, why does anyone allow Adobe software to accept untrusted input from the Internet?

Because the unwashed masses don't care about security; the push for security comes from various institutions trying to make fewer PCs botnet-controlled.

The masses would have moved off Windows and IE already in the days of the ActiveX holes if they cared, but instead Microsoft kept customers happy by keeping it on for years and years.

Because most alternative PDF renderers have been worse? Charlie Miller did an analysis once, fuzzing various engines, and Adobe's actually came out on top. (Combine this then with personal experience tangentially gained during JailbreakMe 2.0 and 3.0, and I now refuse to allow Apple's PDF renderer to ever open a file on my system, and always make certain to have Adobe Reader installed on my Macs.)

There's a difference between theoretical and practical security, though. On Windows everyone targets Adobe's products, because everyone uses them, thus they present the biggest attack surface. So while e.g. Acrobat may be more secure in theory, in practice it's the least secure of all.

If OS X ships with a built-in PDF viewer then it probably presents the bigger attack surface, thus could be less secure than Adobe's products in that case. But as an individual (non-enterprise) user, statistically you'd still be better off with some niche third-party offering.

Most of the "niche" renderers use the same codebase (or at best only rely on large common libraries like FreeType); the JailbreakMe 2/3 exploits, for example, were able to affect almost all of them (its payload simply assumed it was trapped in MobileSafari and wanted root on an iPhone, but on systems without codesign I believe it could have affected just about everyone fairly generally). The thing that Adobe has going for it is that when there is a bug, they tend to fix it, they fix it correctly (JailbreakMe 3 shouldn't have been possible), and the fix is pushed quickly to users via automatic update prompts.

> Charlie Miller did an analysis once, fuzzing various engines, and Adobe's actually came out on top

The CanSecWest slides I found had him fuzzing standalone "PDF applications". This whole problem is because of handing random stuff from the internet to third party native code! Nowadays the browsers are in a class of their own wrt security.

So use the PDF readers built into browsers: Chrome has one tended to by their security ninjas, and Firefox has one running in their battle-hardened JavaScript sandbox.

Because most content is from untrusted sources? ;)

Anyway, on my Windows computer I uninstalled it last week and installed Foxit. Too bad so many websites still need Flash.

Damn... So either I stick with an even less common reader or I go back to Acrobat; they are able to fix faster. On the other hand, I didn't install the Foxit Reader plugin. I got into the habit of not installing PDF reader plugins because they make the browser freeze and crash even without vulnerabilities...

If you're just reading, use Chrome's built-in PDF reader or PDFjs for Firefox [1].

[1] https://addons.mozilla.org/en-US/firefox/addon/pdfjs/

I like Foxit too, but people should be aware that you have to opt out of some shitty crap-ware toolbar during installation.

Times change, IIRC Chrome suffers the same problem.

Because they are masters of lock-in.

I just tried out every single open source or Adobe Reader alternative for my wife to read university-issued material in PDF.

The only one that could render the documents correctly was Adobe Reader. So, that's what she is using, with all the vulnerabilities.

Every hour Adobe Acrobat will add some garbage or do something different with the files it outputs, so that you can only read them in Adobe Reader.

Only printers should have to read PDFs. If even...

If you were an enterprising hacker with a lot of time on his/her hands, I imagine Adobe Reader and Flash Player would be a great place to focus on for selling software exploits to the US Government. I hear they are paying nicely these days for verifiable not-yet-released in the wild exploits.

The US government would have to pay each independent discoverer of the not-yet-released exploit, no? If they said 'no thanks, we've already got that one,' the second discoverer could just turn around and disclose it, making the original purchase a lot less valuable.

What, besides their own sense of ethics, stops the original exploit discoverer from selling the exploit to someone else, who will then resell it back to the US government? That seems like a lot easier way to get more money from your exploit than, say, developing contacts with a second government.

The only way I can think of for the US government to effectively prevent you from reselling your exploits is to monitor your communications and finances for anything shady - whenever the exploit is independently discovered, they would have to do some research into your behavior to make sure it was actually independently discovered. Hell, why wouldn't they do this monitoring all along to make sure you're not trying to sell it to a foreign government?

I'm probably just paranoid, but being one of the few people who know something the US government would like to keep a secret doesn't sound like a good position to be in. I'd want to be rather well paid.

In the U.S., the National Security Agency and other branches of the U.S. military, law enforcement and intelligence agencies are among the biggest buyers of vulnerabilities. But there are other buyers, including any party with an interest in being able to penetrate an adversary's computer network.


How exactly do you sell a vulnerability to the US Federal Government?

You don't (for the most part). You'd actually sell it to one of about a dozen small firms around the beltway who purchase vulnerabilities (who in turn either license "exploit-packs" to the government, or who work on specific tactical campaigns using said exploits).

I've always wondered how one would find a contact within such a community. I know there's an old joke about looking for a job at the NSA: "The NSA offers exciting and interesting work for recent college graduates in mathematics and computer science. Pick up the phone, call your mom, and ask for an application."

I imagine it's easier than you think ;)

They have a contact page these days: http://www.nsa.gov/public_info/contacts/index.shtml.

I recently switched to Evince - so far so good.


I am pretty happy with SumatraPDF on Windows. Orders of magnitude faster than Reader too.



This is an attempt at dry humor. Or more accurately in this case, dark humor.

I wonder if there are more Pokemon, or zero-day vulnerabilities for Adobe products... "Gotta catch 'em all!"
