First Things First

First let’s learn more about this vulnerability.

References:

• Vulnerability announcement on SecurityFocus
• Adobe PSIRT: Update on Adobe Reader Issue
• Adobe: Security bulletins and advisories

This vulnerability is especially nasty due to the following:

• Adobe Acrobat and Adobe Reader can be found installed on almost any computer. It is difficult to conceive of any Internet user who hasn’t had the need to read PDF files. This makes the software a very attractive attack vector.
• Apparently, there is very little that one needs to do in order to be attacked. While I’m not sure whether this vulnerability can be exploited by opening a PDF, I was able to test the JavaScript proof-of-concept by printing, saving, and closing PDF files.
• Search engines widely report results that link to PDF files. The attacker can literally be just a click away.
• The proof-of-concept code has already been posted online. It is now much easier for criminal hackers to come up with exploits that can result in access to your system.
• This vulnerability goes back many versions of the product. While it has recently been discovered and published by some, can we guarantee that this problem hasn’t been successfully exploited for years by others?

Disable JavaScript

To protect yourself you need to disable JavaScript. Here are the instructions from Adobe:

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Screenshot: How To Disable Javascript in Adobe Reader

Try It Out Yourself

Those with modest technical skills and access to a Linux system will be able to reproduce this problem. The proof-of-concept code can be found on securityfocus.com. You will also need knowledge of how to attach JavaScript to a PDF and we can thank Adobe for this wonderful tutorial: Perk up PDF documents with JavaScript. The proof-of-concept code will not work on Windows without modification.

Why does one need JavaScript inside PDF anyway? Or why is it enabled by default?

Getting infected by a virus or being exploited by crackers may now be as simple as interacting with a specially-crafted PDF file. Yet again we are reminded that extra software features come at the expense of security. In software development, the greater the complexity the higher the likelihood of flaws. There are many techniques to improve software quality. While good software design and testing is essential in order to mitigate the problem, we are constantly faced with example after example that even the best software companies are not able to cope with this problem.

Exchanging image, PDF, and word-processor documents are some of the most common tasks by a computer user. We should not expect basic functionality like this to have as many serious problems as we have seen. For the month of April 2009 alone I was able to find at least 10 Adobe Reader “remote” vulnerabilities on SecurityFocus. (29420, 30035, 32100, 32105, 33751, 34229, 34169, 34736, 34740, and 34768).

While I think Adobe deserves its due criticism, they are not alone. We can all recall similar issues with other software vendors. One of my least favorite ways to get hacked would be by opening JPG files.

As a custom software development consultancy, we always inform our clients that extra features and extra code comes at an extra cost that will grow non-linearly compared with functionality.

So what is a good balance between useful and robust features vs. stability and security in this case? I don’t know, but I am now seeking out alternatives for Adobe PDF. I know others are too.

Technorati Profile