A New Twist to the Adobe Vulnerability
If you think it is safe to download PDF documents and view them once Adobe finally releases its patch next week, think again. Didier Stevens, an IT security consultant last week demonstrated that simply viewing the folder containing compromised PDF documents within Microsoft's Windows Explorer is enough to launch the exploit.
It appears that this is due to Adobe's shell extension for Windows Explorer which allows the malicious code to be invoked in three ways; when hovering over a PDF document, single clicking on a PDF document, or viewing the thumbnail.
Adobe Acrobat Reader installs a shell extension, which is code that is executed by Explorer to retrieve metadata (from a PDF file in this instance). The Adobe shell extension adds this extra data so that users can see details about a file at a glance in Windows Explorer. Details such as Title, Author, Subject, Size and thumbnail image; details that typically occur in tooltips.
Stevens created a PDF which exploits the vulnerability not within the main document information, but rather, its metadata. Using this technique, he was able to crash Windows Explorer by doing the following:
- Selecting a vulnerable PDF document within the folder
- Viewing thumbnails of a folder containing a vulnerable PDF document.
- Hovering the mouse over a vulnerable PDF document
"Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability. Just like it would when you would explicitly open the document," Stevens explained.
Stevens proof of concept caused Explorer to crash, however, someone with dubious intentions can exploit the vulnerability to potentially do anything they like on your system.
Adobe acknowledged this vulnerability in all versions of Adobe Reader on February 19, 2009 and categorized it as a critical issue. An update is expected next week for Reader 9 and Acrobat 9.
Unfortunately, Adobe's advice to disable JavaScript is useless when it comes to this new twist and therefore we recommend you take John Paczkowski's advice from a few weeks ago: Adobe\Acrobat\Uninstall.exe
Note: Stevens has produced a short video showing how these vulnerabilities can be triggered; we've embedded it below.
Facebook
Comments
Subscribe to comments for this post OR Subscribe to comments for all ReadWriteWeb posts
Wouldn't using Foxit PDF reader be a more sensible solution!?
I've been using it for long now. More over, it uses far less memory than Adobe Reader.
According to Adobe, the update addresses five different CVE vulnerability reports. Effects of a possible exploit range from privilege exploitation to clickjacking and remote code execution.
The update addresses five different CVE vulnerability reports. Effects of a possible exploit range from privilege exploitation to clickjacking and remote code execution.
It will be much better to use Foxit reader than resources eater and vulnarability holder Adobe reader.Adobe reader always have the vulnarabilites.
Have been using Adobe all the while. May consider Foxit for a better alternative.
Yet another reason to get off the Windows platform, with its stability and security headaches, as soon as possible.
Better still, never to have gotten on it.
This is not a surprise. The best way to share documents is going to be to upload them is not to save them as a PDF but to put them on an open platform like Docstoc.com. In fact, all you have to do is upload your document and email out the URL. Then folks can read your document, and you can use the measurement tool to track the stats. So much safer and so easy to use.
Wow, scary stuff dude!
RT
www.privacy.at.tc
Foxit is usually faster than Adobe but it has its own exploits. I have been using a firefox plugin from a Lifehacker tip: http://tinyurl.com/bdxxkm
Fox it is great, I really recommend it!
The Adobe PDF explorer extension, as well as any other 3rd party extensions can be disabled with a great program called "ShellExView". Google should help you find it with little trouble.
One can disable the "PDF Shell Extension" using "ShellExView".
A completely free tool from http://www.nirsoft.net/utils/shexview.html
Beware, you might be scared by what you see and start disabling stuff you have no idea how important to the system it is...
But one can learn alot with this tool using an incrementaly documented and backed up approach :-)
Enjoy
Fox it is great, I really recommend it!
You Noob! FoxIt was affected too!
Another great alternative to Adobe that uses less resources and offers even more in the way of free features is the PDF-XChange Viewer and the look and feel is way superior to both.
And PDF-XChange was NOT affected by the JBIG vulnerability !
Wouldn't using Foxit PDF reader be a more sensible solution!?
I've been using it for long now. More over, it uses far less memory than Adobe Reader.
Another great alternative to Adobe that uses less resources and offers even more in the way of free features is the PDF-XChange Viewer and the look and feel is way superior to both.