Network News

X My Profile
View More Activity

Take Me to Your (Adobe) Reader

It seems like almost every week now we learn about a security threat that is linked to ill-conceived "features" built into widely used software applications. Most recently, it was a design flaw in the Apple QuickTime player that powered the hugely successful QuickSpace worm (a flaw, by the way, that remains unpatched and for which exploit code is now posted online).

The latest example of this trend is a flaw revealed late last month in most versions of Adobe Reader -- the ubiquitous program useful for viewing PDF documents -- that can be used to further phishing scams or to steal sensitive and personal information from users.

The trouble, once again, is with Javascript, a powerful programming language that works exceptionally well with Web sites to do all kinds of things that make the online experience much smoother, such as dynamically loading Web page content, forms, etc.

The problem with that kind of power is that it can be a tempting target for attackers. The Adobe flaw is with a Javascript "feature" in Reader and the Adobe plug-ins that render PDFs in Microsoft's Internet Explorer and Mozilla's Firefox Web browsers. It turns out that this feature introduces the possibility of so-called "cross-site-scripting" attacks, which involve tricking a Web site (or a user's Web browser) into displaying content from a site other than the one that's listed in the browser's address bar. (Yes, I'm aware of the irony of referring readers to a PDF document for further reading on cross-site-scripting attacks in Adobe's software...).

Let's say you're reading some comments on a random blog about online banking and someone leaves a comment that includes a link to a PDF document that's hosted on BankofAmerica.com. Maybe the document is about how great Bank of America's Web site security is, and how much the company has done to protect users from Javascript attacks that criminals can use to make their online scams seem more legitimate. So you click on this link, and indeed are taken to Bank of America's actual Web site and are presented with a legitimate PDF document.

But here's where it gets dangerous: Because Adobe Reader will silently relay pretty much any Javascript commands, the person who posted that comment could include Javascript commands in the link that tell your browser to launch a pop-up prompt or new Web page pulled from a separate site set up by the attacker. In a such an attack, the page that pops up (in all likelihood on top of the bank's PDF file) would be designed to look exactly like Bank of America's site but would actually be hosted on a site controlled by the bad guys. This fake page could be a login prompt or a bogus warning saying you need to "update" your account information.

"The scary thing is that regardless of how secure a bank makes its site, that bank now has a cross-site-scripting vulnerability due to this feature," said Billy Hoffman, an expert on cross-site-scripting attacks and lead security researcher at Atlanta-based SPI Dynamics.

If you're curious how this type of attack looks (or if my hypothetical left you befuddled), these guys have a harmless proof-of-concept example that displays a PDF from Google's site and then launches another page on top of that. (In case you're wondering, it's merely the HTML source code for that Google landing page, but it could have just as easily been a fake Gmail login page.) Websense also has a cool screenshot that makes this a little easier to wrap your brain around.

Let's take this attack one step further: Say you're a Bank of America customer and you logged into your online bank account just prior to clicking on the malicious blog link.

According to Hoffman, the Javascript commands included in the blog link could just as easily be written to select an option to transfer funds from your account to another account, even to click "yes" to any confirmation message that pops up asking if you really want to transfer all of your savings out of your account. And all of this could be done through Javascript without ever tipping off the user. Scary, right?

That particular attack would be fairly complicated and would most likely occur only on a very targeted basis. But it illustrates just how dangerous this kind of vulnerability can be. If that example didn't scare you, check out the aforementioned Security Fix blog post on some of the more dastardly things crooks can do to you with unrestricted Javascript access.

Fortunately, there are some mitigating circumstances here, and of course there are always alternatives to Adobe.

Adobe apparently removed this unfortunate feature in Acrobat/Reader version 8. If you're using an older version, then shame on you for not updating when I wrote about the patch a month ago.

Versions 7.x on IE6 (Windows XP with Service Pack 2) and IE7 are not vulnerable to this kind of attack. Mozilla's Firefox with Adobe Acrobat/Reader version 8.x is not vulnerable, but Adobe Acrobat/Reader versions 7.x and older for are vulnerable on Firefox.

For a variety of reasons (not all security-related), Adobe is almost certainly going to end up on my personal list of Software You Can and Probably Should Learn to Do Without in 2007. I'm currently in the process of transferring over my various Windows machines to use Foxit Reader, which is free, lightweight, super-fast, and near as I can tell more secure.

But even if you uninstall Adobe Reader, the browser plug-in for Adobe will still be left behind if you're using Firefox (uninstalling Adobe from the Windows Add/Remove Programs list removed the Reader plug-in from Internet Explorer, but not from Firefox).

Unfortunately, removing the plug-in from Firefox is a bit of a pain: To do this, type "about:plugins" (without the quotes) into the address bar, and then find the name of the file listed as the plug-in for Adobe (mine was called "nppdf32.dll") and then use Windows Explorer to browse to C:\Program Files\Mozilla Firefox\plugins and delete that file. Oh, and I had to close out of Firefox completely before being able to delete it. The next time you go to open up a PDF file with Foxit, you'll need to tell Firefox where to find the program (C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe) and check the box that tells Firefox to always open PDF files with Foxit.

To further integrate Foxit into Firefox, check out this handy tutorial.

By Brian Krebs  |  January 4, 2007; 8:35 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Internet Explorer Unsafe for 284 Days in 2006
Next: Microsoft's Achilles' Heel: Office

Comments

Hi Brian, I'm sorry it took us 36 hours to get this up into the Adobe Security Center, but best info is available here, now:
http://www.adobe.com/support/security/advisories/apsa07-01.html

This supercedes my interim coverage of the story:
http://weblogs.macromedia.com/jd/archives/2007/01/reader_javascri.cfm

Summary: It's always good to be careful when clicking on unclear links in strange sites, particularly if you don't regularly update your internet software.

tx, jd/adobe

Posted by: John Dowdell | January 5, 2007 12:42 AM | Report abuse

Thank you very much, Brian.

I didn't know that about Firefox. I very much like the look of Foxit. I've got a copy of it on a little USB thumb drive. It's so light and uninstrusive, it'll even run off one of those. But I've never installed it on my machine. Perhaps I should.

I'm afraid Adobe is one of these companies whose software just seems to bigger and bigger with time, as it adds "features" few of us want or need. Nor do they seem to have much respect for the host machine. Years ago Bloatbusters fingered Adobe eBook reader - it was adding no fewer than 49 (forty-nine) keys to the Registry:

http://radsoft.net/bloatbusters/ebook2.html

I can also recall that people used to put up instructions on the web for partially neutering Acrobat Reader (Reader) because it took so long to load and had so many web-related functions in it.

I'm more of a Mac guy, and there we have an excellent lightweight program for reading PDFs pre-installed - Preview (3MB). However, a year or so back I bought a Windows laptop from Sony, and that was fairly choked with third-party software and "trial-offer" programs I didn't want. (That included the egregious Norton Internet Security, of course: I now run the lightweight NOD32 from Eset instead). It's a Sony Vaio - perhaps I should call it a Sony Vile, because it took me - literally - hours to stop things loading on startup, to uninstall unwanted software and to clean off everything the Windows "uninstallers" left behind. Sony treat new machines like electronic trashcans: opportunities for upselling third-party trial software. The hardware is OK, but I'd never buy another from them for this very reason.

Anyway, on this machine I found Adobe actually put something in _Services_. I found searching on the web that if you uncheck this on XP the Reader will not "print" to a PDF. Well, too bad: the Mac will do that without complaint and doesn't need to load Preview on startup to do it.

I think some of the larger companies like Microsoft, Sony, Symantec, McAfee, and Adobe have lost sight of what light, tight, safe, efficient software means. This may be partly because the public has come to expect more "features" - and has been mistaught by comparative "reviews" in computer magazines to use features lists as a basis for choosing one product over another - but it's a darn good reason for casting a sceptical eye at some of the software around. There's also the facts that hard disk space is now cheap and never a problem, and that most people have plenty of bandwidth for downloads. This means people are less likely to notice when software is bloated - but they're still getting something that is likely more unstable and more unsafe because of the extra features they probably don't want.

Posted by: Mike | January 5, 2007 3:48 AM | Report abuse

I had high hopes for Foxit, but it crashed on first attempt to print...

Posted by: Bart | January 5, 2007 8:06 AM | Report abuse

Hi Brian, love the column. I would also love to see your actual "Software You Can and Probably Should Learn to Do Without in 2007" list if you have one!

Thanks!

Posted by: Zach | January 5, 2007 9:11 AM | Report abuse

Hi Brian, love the column. I would also love to see your actual "Software You Can and Probably Should Learn to Do Without in 2007" list if you have one!

Thanks!

Posted by: Zach | January 5, 2007 9:13 AM | Report abuse

Simple answer - Firefox & FoxIt PDF Reader. Even if you MUST use IE (and god knows why you would in this day and age) then FoxIt will still safely bypass this security risk.

Try it, you'll like it! ;o)

http://www.foxitsoftware.com

Posted by: Matt | January 5, 2007 9:58 AM | Report abuse

From the blog: "Unfortunately Foxit sometimes does not print a document as good as it shows it on screen, so i have to keep Adobe's hog."

Unfortunately, that is true. I have had problems with graphics - such as a map - and could not print it out. I partially solved the problem by keeping Acrobat version 4.

Posted by: Anonymous | January 5, 2007 10:44 AM | Report abuse

After reading this article, I went to the web site listed by Mr. John Dowdell (please see the first commentator) and downloaded the Acrobat Reader 8. Such a mistake!!! After installation of this software, it became apparent that all the other users/administrators settings (on our computer) has been erased. Even the contents of My Documents, My Pictures, even our Outlook set up and all its files, (Inbox, address book) have been eliminated. We cant access these data. We went to Windows Explorer, we can't find them either(the previous content of My Documents, etc.). We don't have a virus... It happened this AM after installing the Acrobat Reader 8 and uninstalling Acrobat Reader 7... Any suggestions?? I went to Adobe web site - waste of time!

Desperate and very unhappy (with Adobe product) ,

Eva

Posted by: Eva | January 5, 2007 10:59 AM | Report abuse

A couple of notes about removing the Adobe Reader plug-in from Firefox:

-- Digging through the 'about:config' listing is probably a little intimidating for an inexperienced user. You can find the name of the plug-in library by typing 'about:plugins' into the address (URL) box. (You need not be online to do this.) Scroll down the resulting screen until you find the entry for the Adobe plug-in. The library name, which (in Windows) will have a '.dll' extension, will be listed there. (On the XP machine we have here, it's 'nppdf32.dll', as Brian found.)

-- As Brian correctly notes, you must shut down Firefox to remove the plug-in. If you are worried about deleting the file, you can just rename it (I always rename ABC.DLL to ABC.YZZ so I can recognize it), and it will be effectively disabled when you restart Firefox.

Posted by: Rich Gibbs | January 5, 2007 11:12 AM | Report abuse

Rich -- You are so right. A thousand pardons. I meant to put "About:plugins" instead of "about:config" in the article. I have now changed that. Thanks for catching that and pointing it out.

Posted by: Bk | January 5, 2007 11:16 AM | Report abuse

"Eva", I'm sorry you seem to have lost all your administrator and user settings... that's certainly an unusual and alarming symptom, and I'm also not sure what might be going on there.

Losing your Microsoft Outlook inbox is definitely serious, and it would be good to get you back up and running. But I don't recall seeing such a symptom from other people yet:
http://www.adobe.com/support/techdocs/333218.html
http://www.adobe.com/support/products/acrreader.html

Let me check with my partners in Adobe Customer Service once I get into the office today, see if we can find a way to contact you and learn more about what might be happening during that installation.

tx, jd/adobe


PS: For other posters here, if you're just looking for on-screen reading of PDF, rather than the full printing and collaboration features of the free Adobe Reader, then there's currently a public beta of the free Adobe Digital Editions, a tiny downnload with a significantly attractive reading experience.
http://labs.adobe.com/technologies/digitaleditions/

Posted by: John Dowdell | January 5, 2007 12:14 PM | Report abuse

"Shame on me" !

I don't recall you offering to buy me a new computer so that I could upgrade to MS-WinXP so that I could upgrade to Acrobat Reader 8.

Posted by: Anonymous | January 5, 2007 1:42 PM | Report abuse

The Check for Updates function of Adobe Reader 7.0.8 still doesn't mention the existence of Adobe Reader 8. (I use IE7 anyway, so it's not an issue.)

Posted by: JohnJ | January 5, 2007 1:48 PM | Report abuse

Just another firm hogging attention and jumping onto the "Update Me" bandwagon. High probability that this is intentional by Adobe.

Posted by: k | January 5, 2007 4:57 PM | Report abuse

This is an issue only on the Windows platform.

Posted by: Charlie | January 6, 2007 2:20 AM | Report abuse

Wow, Foxit rocks! Instantaneous response.

It's easier to me to have used the Foxit integration tutorial that Brian mentions.

Posted by: David | January 6, 2007 3:08 PM | Report abuse

Ouch! How about The Month of Apple Bugs (MoAB) bug #6?

This one is a PDF vulnerability. While it appears in MoAB it is not platform-specific. MoAB say: "The current [PDF] specification is affected by a design flaw."

http://projects.info-pull.com/moab/MOAB-06-01-2007.html

http://groups-beta.google.com/group/moabfixes/browse_thread/thread/94ba9e19601341c7

Apparently, Adobe Reader 8 fixes this problem. But previous versions are vulnerable, and it looks as if other PDF readers besides Adobe's may be vulnerable to this one, since the fault is in the spec.

Posted by: Mike | January 7, 2007 11:22 AM | Report abuse

Just added Adobe Reader to my list of do without software (Windows Vista is on the cusp too).

What's with this bloated software? IMHO, great advances in hardware in NO way give software makers the right to create bloated software!

These bloat ware makers need to take a lesson from the likes of Foxit Reader! Great little progam! Remember K.I.S.S. (Keep It Simple Stupid)

Posted by: TJ | January 7, 2007 12:16 PM | Report abuse

Foxit is certainly smaller than Adobe Reader 8; it presents PDF documents on-screen, just as it says on the tin. But on the other hand, Adobe does respect the author's choice of styles.

I popped a fairly standard Word document (twelve pages, three hierarchical heading levels, a Normal body-text style and a handful of variants (e.g., l-r indent bold). Fonts are only Garamond and Arial, as per house style.

Adobe printed faithfully: Foxit managed the Garamond (body-text), but failed miserably on the Arial (chiefly headings). All heading levels came out identical (not so smart for visual discrimination) and a couple of paragraphs explicitly set in Arial failed to respect sizing and boldfacing correctly.

I may not be the world's greatest typographer, but it is not for Foxit to impose.

Oh, and Adobe's display looks much more like paper than does Foxit's.

Posted by: Iain | January 9, 2007 1:41 AM | Report abuse

FYI, for Adobe Reader users who have not updated to version 8, version 7.0.9 is now available via Adobe's Check for Updates.

Posted by: JohnJ | January 11, 2007 12:02 PM | Report abuse

I waited for eons for Adobe to fix a permissions vulnerability in the OSX version of reader. Perhaps the publicity on this one will make them act a little more quickly.

Posted by: Frank | January 11, 2007 3:11 PM | Report abuse

Not sure why others' Adobe FireFox plugins weren't removed when Acrobat is uninstalled - I had to get rid of Adobe 8 because it just wouldn't work on my XPsp2 system, couldn't find Adobe 7 to revert to that, luckily found FoxIt, and am living happily ever after. Reading this blog, I just checked FireFox "about:plugins" and see no sign of the Adobe so apparently it was deleted. My one beef about reading PDF is "none of the above" - that I invested my big $9.95 for the PDF995 suite and it doesn't include a plain vanilla Reader like Foxit.

Posted by: Forone | January 15, 2007 4:16 PM | Report abuse

great site

Posted by: [3!]conos | January 17, 2007 1:48 PM | Report abuse

great site

Posted by: [3!]conos | January 17, 2007 1:48 PM | Report abuse

Very interesting.

Posted by: [3!]scere | January 18, 2007 3:00 AM | Report abuse

If you are using Adobe Reader 7.0.8, bypass the 7.0.9 update, and go to 8.0, of you could be one of many that will end up with a computer that will not run anything higher than version 6.0.1.

Posted by: Mark | January 18, 2007 5:13 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company