Comments for A New Twist to the Adobe Vulnerability

A New Twist to the Adobe Vulnerability

2009-03-08T23:14:18Z

If you think it is safe to download PDF documents and view them once Adobe finally releases its patch next week, think again. Didier Stevens, an IT security consultant last week demonstrated that simply viewing the folder containing compromised PDF documents within Microsoft's Windows Explorer is enough to launch the exploit.

It appears that this is due to Adobe's shell extension for Windows Explorer which allows the malicious code to be invoked in three ways; when hovering over a PDF document, single clicking on a PDF document, or viewing the thumbnail.

]]> Adobe Acrobat Reader installs a shell extension, which is code that is executed by Explorer to retrieve metadata (from a PDF file in this instance). The Adobe shell extension adds this extra data so that users can see details about a file at a glance in Windows Explorer. Details such as Title, Author, Subject, Size and thumbnail image; details that typically occur in tooltips.

Stevens created a PDF which exploits the vulnerability not within the main document information, but rather, its metadata. Using this technique, he was able to crash Windows Explorer by doing the following:

Selecting a vulnerable PDF document within the folder
Viewing thumbnails of a folder containing a vulnerable PDF document.
Hovering the mouse over a vulnerable PDF document

"Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability. Just like it would when you would explicitly open the document," Stevens explained.

Stevens proof of concept caused Explorer to crash, however, someone with dubious intentions can exploit the vulnerability to potentially do anything they like on your system.

Adobe acknowledged this vulnerability in all versions of Adobe Reader on February 19, 2009 and categorized it as a critical issue. An update is expected next week for Reader 9 and Acrobat 9.

Unfortunately, Adobe's advice to disable JavaScript is useless when it comes to this new twist and therefore we recommend you take John Paczkowski's advice from a few weeks ago: Adobe\Acrobat\Uninstall.exe

Note: Stevens has produced a short video showing how these vulnerabilities can be triggered; we've embedded it below.

Comment from Srikanth Manda on 2009-03-08

2009-03-09T01:20:48Z

Wouldn't using Foxit PDF reader be a more sensible solution!?

I've been using it for long now. More over, it uses far less memory than Adobe Reader.

Comment from store your Windows Mobile applications on 2009-03-08

2009-03-09T06:56:26Z

According to Adobe, the update addresses five different CVE vulnerability reports. Effects of a possible exploit range from privilege exploitation to clickjacking and remote code execution.

Comment from 花蓮民宿 on 2009-03-09

2009-03-09T07:26:00Z

The update addresses five different CVE vulnerability reports. Effects of a possible exploit range from privilege exploitation to clickjacking and remote code execution.

Comment from venkat on 2009-03-09

2009-03-09T07:48:30Z

It will be much better to use Foxit reader than resources eater and vulnarability holder Adobe reader.Adobe reader always have the vulnarabilites.

Comment from Andrew on 2009-03-09

2009-03-09T07:58:51Z

Have been using Adobe all the while. May consider Foxit for a better alternative.

Comment from Orlandus on 2009-03-09

2009-03-09T16:47:56Z

Yet another reason to get off the Windows platform, with its stability and security headaches, as soon as possible.

Better still, never to have gotten on it.

Comment from Serena from Docstoc on 2009-03-09

2009-03-09T18:32:30Z

This is not a surprise. The best way to share documents is going to be to upload them is not to save them as a PDF but to put them on an open platform like Docstoc.com. In fact, all you have to do is upload your document and email out the URL. Then folks can read your document, and you can use the measurement tool to track the stats. So much safer and so easy to use.

Comment from John Davis on 2009-03-10

2009-03-10T21:13:56Z

Wow, scary stuff dude!

RT
www.privacy.at.tc

Comment from A. Z. on 2009-03-10

2009-03-10T21:23:07Z

Foxit is usually faster than Adobe but it has its own exploits. I have been using a firefox plugin from a Lifehacker tip: http://tinyurl.com/bdxxkm

Comment from Online TeleVision on 2009-03-10

2009-03-10T21:31:25Z

Fox it is great, I really recommend it!

Comment from Yonah on 2009-03-10

2009-03-10T21:44:27Z

The Adobe PDF explorer extension, as well as any other 3rd party extensions can be disabled with a great program called "ShellExView". Google should help you find it with little trouble.

Comment from Jeunium on 2009-03-10

2009-03-10T22:33:33Z

One can disable the "PDF Shell Extension" using "ShellExView".

A completely free tool from http://www.nirsoft.net/utils/shexview.html

Beware, you might be scared by what you see and start disabling stuff you have no idea how important to the system it is...

But one can learn alot with this tool using an incrementaly documented and backed up approach :-)

Enjoy

Comment from mantolama on 2009-03-31

2009-04-01T06:24:23Z

Fox it is great, I really recommend it!

Comment from YouNoobs on 2009-04-03

2009-04-03T15:04:40Z

You Noob! FoxIt was affected too!

Comment from Simon Heaps on 2009-07-07

2009-07-08T06:35:44Z

Another great alternative to Adobe that uses less resources and offers even more in the way of free features is the PDF-XChange Viewer and the look and feel is way superior to both.

Comment from Simon Heaps on 2009-07-07

2009-07-08T06:37:12Z

And PDF-XChange was NOT affected by the JBIG vulnerability !

Comment from Hiphop on 2009-07-20

2009-07-20T18:01:07Z

Wouldn't using Foxit PDF reader be a more sensible solution!?

I've been using it for long now. More over, it uses far less memory than Adobe Reader.

Comment from Rap on 2009-07-20

2009-07-20T18:02:33Z

Another great alternative to Adobe that uses less resources and offers even more in the way of free features is the PDF-XChange Viewer and the look and feel is way superior to both.