
$50,000 Zero-Day Exploit Evades Adobe's Sandbox, Say Russian Analysts

timothy posted about 2 years ago | from the kicking-sand-in-your-face dept.

Security 56

tsu doh nimh writes with this excerpt from Krebs on Security: "Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground. The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they've discovered that a new exploit capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X — Adobe introduced a 'sandbox' feature aimed at blocking the exploitation of previously unidentified security holes in its software, and until now that protection has held its ground. Adobe, meanwhile, says it has not yet been able to verify the zero-day claims."


Translating Roman Numerals... srsly??? (2)

Anonymous Coward | about 2 years ago | (#41918069)

Has the average IQ of /. readers dropped so low recently that it became necessary to translate Roman numerals??

Re:Translating Roman Numerals... srsly??? (5, Funny)

MightyYar (622222) | about 2 years ago | (#41918129)

If you ask me, this site has been going downhill ever since they dropped Latin and started posting in English.

Re:Translating Roman Numerals... srsly??? (4, Funny)

FatdogHaiku (978357) | about 2 years ago | (#41918693)

O tempora, o mores!

Re:Translating Roman Numerals... srsly??? (0)

Anonymous Coward | about 2 years ago | (#41920291)

Oh Tempura, Oh S'mores!

Re:Translating Roman Numerals... srsly??? (5, Funny)

MadChicken (36468) | about 2 years ago | (#41918145)

They would have kept one numbering system for the whole article, but "Zero-day" would have been really tough.

Re:Translating Roman Numerals... srsly??? (0)

Anonymous Coward | about 2 years ago | (#41918195)

That would be a " -day" exploit.

Re:Translating Roman Numerals... srsly??? (1)

bobthesungeek76036 (2697689) | about 2 years ago | (#41918227)

Haven't you read the memo? And from now on, everyone must translate OSX (OS-10) when posting its name...

Re:Translating Roman Numerals... srsly??? (0)

Anonymous Coward | about 2 years ago | (#41918715)

Nope. Some theorize that OSX would translate to 11-7-10

Re:Translating Roman Numerals... srsly??? (1)

arglebargle_xiv (2212710) | about 2 years ago | (#41925243)

Some theorize that OSX would translate to 11-7-10

You're looking at it all wrong, it's actually a smiley for a dipsomaniac cyclops.

Re:Translating Roman Numerals... srsly??? (0)

Anonymous Coward | about 2 years ago | (#41921677)

no no no.

The X is a variable.

Re:Translating Roman Numerals... srsly??? (3, Informative)

guruevi (827432) | about 2 years ago | (#41918257)

Adobe themselves do it. They have Acrobat X/XI on the marketing side but installation and license call it Acrobat 10/11.

Re:Translating Roman Numerals... srsly??? (0)

Anonymous Coward | about 2 years ago | (#41921527)

Acrobat 10/11. Hmm, you mean Acrobat 0.909?

Re:Translating Roman Numerals... srsly??? (1)

OhSoLaMeow (2536022) | about 2 years ago | (#41923421)

Except for on certain Pentium systems where it would be Acrobat 0.98964

Re:Translating Roman Numerals... srsly??? (1)

Anonymous Coward | about 2 years ago | (#41918471)

Reminds me of one of the direct to DVD/TV Revenge of the Nerds sequels, where the nerds' black fraternity leader wears his Malcolm the 10th hat.

not yet been able to verify the zero-day claims (5, Funny)

fustakrakich (1673220) | about 2 years ago | (#41918119)

They can if they cough up 50 grand for a copy. By the way, is anybody getting sued for uploading a free torrent?

Re:not yet been able to verify the zero-day claims (1)

Anonymous Coward | about 2 years ago | (#41918247)

these are folks that will break a kneecap instead of a lawsuit. That may be more effective.

Re:not yet been able to verify the zero-day claims (2)

Terrasque (796014) | about 2 years ago | (#41918355)

In that case, I also have one of those thingymajigs, and I'll sell it for only 48 grand! I'll even throw in a small bridge in the bargain, for free!

Re:not yet been able to verify the zero-day claims (1)

ifrag (984323) | about 2 years ago | (#41918873)

Those purchasing it (assuming that anyone actually has) are probably interested in getting some use out of it. Anyone looking to preserve value in their investment will want as few eyes looking at this as possible.

Can't verify. (5, Funny)

Anonymous Coward | about 2 years ago | (#41918121)

Sorry, we cannot verify this zero-day exploit, the computer we tested it on isn't working right for some reason.

first? (-1)

Anonymous Coward | about 2 years ago | (#41918149)

First?

Re:first? (-1, Offtopic)

bobthesungeek76036 (2697689) | about 2 years ago | (#41918199)

Nice try. Fail!!!

This is Actually an Interesting Trend... (5, Insightful)

InvisibleClergy (1430277) | about 2 years ago | (#41918219)

If I remember correctly, Flame was first identified by Kaspersky, a Russian company. In this age wherein the US Government has a cyber-warfare division, it seems as though a large amount of the interesting, practical work in Computer Security is moving to Russia.

Re:This is Actually an Interesting Trend... (4, Insightful)

Anonymous Coward | about 2 years ago | (#41918299)

Well since most of the interesting, practical work in Computer Insecurity is there as well, it makes sense.

Re:This is Actually an Interesting Trend... (1)

Anonymous Coward | about 2 years ago | (#41918547)

Most interesting, practical work in Computer Insecurity... Do you mean Stuxnet, Flame, Duqu?

Re:This is Actually an Interesting Trend... (2)

h0oam1 (533917) | about 2 years ago | (#41918633)

Maybe the US cyber-warfare division CREATED flame, stuxnet, etc. That would probably make it undesirable to be the one to first 'identify' it.

Re:This is Actually an Interesting Trend... (1)

InvisibleClergy (1430277) | about 2 years ago | (#41919057)

Yes, that's what I was implying. This also means it is important to have American antivirus companies around too, because there is a lot of cybercrime in Russia.

Re:This is Actually an Interesting Trend... (1)

EdIII (1114411) | about 2 years ago | (#41925923)

Soooo... we are operating on the principle of "He who smelt it, dealt it" in foreign policy now?

What is broken? the reader or the specs? (5, Insightful)

140Mandak262Jamuna (970587) | about 2 years ago | (#41918335)

Adobe PDF and Flash are now the two most serious vectors for malware. Most of us have switched to foxit reader. But I learnt that some of the security holes are actually in the pdf spec itself, and whatever $reader you are using, if it is faithful to the specs, the vulnerability will exist. In this case, is it the reader or the specs that is broken?

High time people stop using the Adobe PDF reader, and disable the "active hyperlinks" in it if it can't be fully uninstalled. Just in case some malware manages to trick the browser into using the installed Adobe Reader, overriding the preference for Foxit Reader.

Re:What is broken? the reader or the specs? (2)

Derek Pomery (2028) | about 2 years ago | (#41918533)

Foxit has its vulnerabilities too, although it helps that it isn't as commonly used.

While I do resort to Evince and if absolutely necessary, Adobe (usually just for some work form PDF), I've found that most of the time I can get by with the new PDF.js functionality in Firefox.

http://hackademix.net/2011/12/07/hulk-want-pdfjs/
https://github.com/mozilla/pdf.js/

PDF.js plays nice w/ NoScript these days btw. It used to require whitelisting the site (ugh).

Re:What is broken? the reader or the specs? (1)

iMouse (963104) | about 2 years ago | (#41918841)

Adobe Reader and Flash were previously the largest attack vectors...Java is by far #1 and has been for the last few years. Since Sun/Oracle states "Java Runs on 3 Billion Devices" and that a large chunk of those devices will never or rarely see a patch, it has been a HUGE painted target lately.

Re:What is broken? the reader or the specs? (2)

dkf (304284) | about 2 years ago | (#41918965)

Adobe Reader and Flash were previously the largest attack vectors...Java is by far #1 and has been for the last few years. Since Sun/Oracle states "Java Runs on 3 Billion Devices" and that a large chunk of those devices will never or rarely see a patch, it has been a HUGE painted target lately.

Virtually all of those attacks are aimed at the code that integrates a Java runtime with a browser, as that's an extremely exposed part of the ecosystem. The plain old JRE is nowhere near as easy to attack (unless someone's running a moronic program, of course, but you can do that in any programming language except for ones you wouldn't use for anything serious at all) as it simply doesn't normally listen to the outside world. Other routes for doing Java things from a browser also tend to give me the willies (e.g., JNLP) but it's not really the "Java" that is the problem so much as the "run code where you can't be sure where it's from" and the alternatives aren't necessarily better.

The truly hard part of security is that it is too often antagonistic to utility, and users will virtually always pick utility over security.

Re:What is broken? the reader or the specs? (1)

NatasRevol (731260) | about 2 years ago | (#41918975)

When 2.5 billion of those devices are dumb phones, no one cares if they're attacked.

Re:What is broken? the reader or the specs? (0)

Anonymous Coward | about 2 years ago | (#41922341)

It's been a joke around the office for a while, whenever we're setting up something with Java....'Java runs on over 3 billion devices....be afraid. Be very afraid.'

Re:What is broken? the reader or the specs? (1)

ArcadeMan (2766669) | about 2 years ago | (#41918853)

I'm also wondering if Mac OS X and Preview are at risk, but as far as I know they're too "basic", i.e. a dumb viewer only with no JavaScript and crap, so I'm guessing they're safer.

Re:What is broken? the reader or the specs? (1)

JDG1980 (2438906) | about 2 years ago | (#41918925)

But I learnt that some of the security holes are actually in the pdf spec itself, and whatever $reader you are using, if it is faithful to the specs, the vulnerability will exist.

I'd be interested to see more details on this. What part of the spec is broken? It also seems to contradict common experience: the overwhelming majority of exploits are Adobe Reader-only, and don't affect other PDF readers at all. Do these other readers just not follow the spec? Is there something in there ordering that Flash/Javascript/whatever must be executed without asking the user? Unless they did something that crazy, I'm not sure how a document display spec could have inherent security holes.

No (0)

Anonymous Coward | about 2 years ago | (#41924573)

PDF is itself absolutely no security risk. It's wholly the crappy parsers/renderers. And the ability to include other insecure formats such as Flash. But nobody forces a viewer to spawn a Flash player and proper viewers such as evince just don't do that.

but wait, it gets worse (5, Insightful)

slashmydots (2189826) | about 2 years ago | (#41918441)

In the new 11 version, you can no longer turn off the "view PDF in web browser" that basically frames it within your browser like a page without you ever approving it. So any rigged PDFs get loaded automatically. You used to be able to turn it off and only open PDFs via a file download prompt if a page is trying to serve one up.

Re:but wait, it gets worse (0)

Anonymous Coward | about 2 years ago | (#41918587)

Good chance Adobe deliberately has security holes in it since they work so closely with the DoD, either from the bad guys or us wanting to spy on us. Double the chances. Shit like this is laughable. 99% of these forms could be done any other way. And primarily government forms is where Adobe has its PDF market; businesses that are smart stick with their own proprietary formats.

Re:but wait, it gets worse (1)

Anonymous Coward | about 2 years ago | (#41918647)

businesses that are smart stick with their own proprietary formats.

Yes, Stallman has been campaigning for people to do this for years.

Re:but wait, it gets worse (2)

Billly Gates (198444) | about 2 years ago | (#41919025)

It gets worse than that my friend. Reader X supports unsigned and unsandboxed flash embedded!

So your browser will simply run it and run whatever code from an infected ad server without even your AV software being able to detect nor stop it before its too late.

Someone needs to be fired over that. Oh wait Adobe outsourced the team to India. What could possibly go wrong??

Get Foxit

Re:but wait, it gets worse (0)

Anonymous Coward | about 2 years ago | (#41928053)

Even better: use Evince: http://projects.gnome.org/evince/ or the Portable version:
http://portableapps.com/apps/office/evince_portable

Allows fill-in-the-form as well, runs on Windows and Linux
I never had any problems with it

Re:but wait, it gets worse (0)

Anonymous Coward | about 2 years ago | (#41921809)

What if you disable the plug-in(s)?

Re:but wait, it gets worse (0)

Anonymous Coward | about 2 years ago | (#41923371)

Last I checked every browser worth its salt allows you to disable the plugin (or ActiveX control, for mediocre browsers) used to display PDFs inline, netting the same download dialog...

PDF Reader? (1)

roman_mir (125474) | about 2 years ago | (#41918605)

PDF Reader should be appropriately renamed into Yo L337 Komputa OwnZa.

Thing I've wondered about with exploit sales... (1)

Anonymous Coward | about 2 years ago | (#41918609)

How does the person paying $50,000 know he'll receive a working exploit and not, say, a .rar of the shareware version of Jill of the Jungle?

Re:Thing I've wondered about with exploit sales... (1)

camcorder (759720) | about 2 years ago | (#41919341)

Considering risk that person is putting himself in by this kind of purchase, $50k is nothing.

Re:Thing I've wondered about with exploit sales... (0)

Anonymous Coward | about 2 years ago | (#41921549)

Ripoffs certainly happen, as does stealing and reselling other people's tools etc, but basically sellers have to establish a reputation under a verified handle to do business. It's pretty similar to the situation on the silk road, except on obscure private forums and IRC networks with the participants proxying through 7 botnets.

Re:Thing I've wondered about with exploit sales... (0)

Anonymous Coward | about 2 years ago | (#41922669)

Considering the line of business of the potential buyer, who would want to have a broken knee cap or a few missing ribs to get $50k?

Foxit people! (1)

Billly Gates (198444) | about 2 years ago | (#41918949)

Adobe products are a security nightmare. It is 8 years behind even IE and XP! Just recently started signing apps? Just added a cutting edge feature called a sandbox a few months ago. Auto updates added just this year?? IE 7 had all of these.

No wonder hackers exploit this. It is a convenient way to bypass modern browser security that works across all platforms. No longer is it the case that using Firefox and going on familiar websites made you invincible. Just have un-updated Flash or Reader and BAM, instant infection!

Anyway, Foxit does not execute code unless you tell it to. PDFs should only render data. Never execute Flash or JavaScript! Flash can run without being signed, scanned by your AV, or even sandboxed from within Reader X. Stupid. Whoever thought of that needs to be fired.

You can get Foxit from www.filehippo.com or ninite.com. Every IT professional should know about it.
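The point made in this post and in the "No" reply earlier in the thread is that a viewer should only render data, and that the risk comes from the JavaScript, Flash and launch actions a PDF is allowed to carry. As an added example that is not part of this thread or of any product discussed here, the following Python triage scanner (in the spirit of Didier Stevens' pdfid) counts the dictionary keys that turn a PDF from a static document into one that executes something, and sees through two evasions a plain grep misses: hex-escaped name tokens (/J#61vaScript) and keys hidden inside FlateDecode-compressed object streams. The key names come from the PDF specification; the three sample files are constructed inline and are not real malware.

```python
"""Triage scanner for active content in PDFs (added example, not from the thread).

A PDF that only renders data has no reason to contain /JavaScript, /JS,
/Launch or /RichMedia (embedded Flash); /OpenAction and /AA are the triggers
that fire such actions without a click. Two evasions are handled: hex-escaped
names (/J#61vaScript) and keys inside FlateDecode streams such as /ObjStm.
"""
import re
import zlib
from collections import Counter

ACTIVE_KEYS = {b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/RichMedia", b"/EmbeddedFile", b"/ObjStm"}
EXEC_KEYS = {"/JavaScript", "/JS", "/Launch", "/RichMedia"}

_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")        # one PDF name token
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")            # #xx escape inside a name
# Stream bodies are located by delimiter here; a full parser would use /Length.
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)


def unescape_name(token: bytes) -> bytes:
    """Resolve #xx escapes in one name token: /J#61vaScript -> /JavaScript."""
    return _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def inflate_streams(data: bytes) -> list[bytes]:
    """Inflate every stream body that is valid zlib (FlateDecode) data.
    Other filters (LZW, ASCIIHex, ...) and raw image data are skipped."""
    out = []
    for body in _STREAM_RE.findall(data):
        try:
            out.append(zlib.decompress(body))
        except zlib.error:
            pass
    return out


def scan_pdf(data: bytes) -> Counter:
    """Count active-content keys in the raw file and inside its inflated streams.
    Tokens are unescaped one at a time, so a #2F inside a name cannot forge a key."""
    counts: Counter = Counter()
    for buf in [data, *inflate_streams(data)]:
        for tok in _NAME_RE.findall(buf):
            name = unescape_name(tok)
            if name in ACTIVE_KEYS:
                counts[name.decode("ascii")] += 1
    return counts


def verdict(counts: Counter) -> str:
    """'executes code' beats 'auto-action' beats 'static'."""
    if any(k in EXEC_KEYS for k in counts):
        return "executes code"
    if counts["/OpenAction"] or counts["/AA"]:
        return "auto-action"
    return "static"


# --- constructed samples (hand-built and minimal; not real malware) -----------
def _obj(num: int, body: bytes) -> bytes:
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)


def _flate_obj(num: int, raw: bytes, extra: bytes = b"") -> bytes:
    comp = zlib.compress(raw)
    return _obj(num, b"<< /Length %d /Filter /FlateDecode %s >>\nstream\n%s\nendstream"
                % (len(comp), extra, comp))


BENIGN_PDF = (b"%PDF-1.4\n"
              + _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>")
              + _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
              + _obj(3, b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>")
              + _flate_obj(4, b"BT /F1 12 Tf (hello) Tj ET")
              + b"trailer << /Root 1 0 R >>\n%%EOF\n")

# /OpenAction points at a JavaScript action whose name is hex-escaped and whose
# dictionary lives inside a compressed object stream, so a plain grep misses it.
EVASIVE_PDF = (b"%PDF-1.5\n"
               + _obj(1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>")
               + _obj(2, b"<< /Type /Pages /Kids [] /Count 0 >>")
               + _flate_obj(6, b"5 0 << /S /J#61vaScript /JS (app.alert(1)) >>",
                            b"/Type /ObjStm /N 1 /First 4")
               + b"trailer << /Root 1 0 R >>\n%%EOF\n")

# A RichMedia annotation carrying an embedded Flash asset, in the clear.
FLASH_PDF = (b"%PDF-1.7\n"
             + _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>")
             + _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
             + _obj(3, b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>")
             + _obj(4, b"<< /Type /Annot /Subtype /RichMedia /RichMediaContent 5 0 R >>")
             + _obj(5, b"<< /Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash >>")
             + b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("evasive", EVASIVE_PDF), ("flash", FLASH_PDF)):
        c = scan_pdf(pdf)
        print(f"{label:8s} {verdict(c):14s} {dict(c)}")
```

This is a triage filter, not a parser: it inflates only FlateDecode streams, so a file that reports /ObjStm but no active keys may still be hiding them behind another filter or an encrypted document, and should go to a real PDF parser before anyone opens it in a viewer that honours /OpenAction.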

Re:Foxit people! (2, Informative)

Anonymous Coward | about 2 years ago | (#41919309)

I don't get why people just go half the way from Acrobat to Foxit. Sumatra is Open Source, small, fast and, so far, hasn't failed me for any PDFs I've tried (admittedly none were of the stupid JavaScript online validating form crap variety).

Every IT pro should know about Sumatra.

Re:Foxit people! (1)

JDG1980 (2438906) | about 2 years ago | (#41920149)

I've tried Sumatra. Overall I like it, but I wish there was some way to get rid of the horrid yellow background. (Admittedly, you only see this if you don't have a document open.) Also, I do prefer Adobe Reader's choice of hand, text selector, and marquee zoom to Sumatra's method of only letting you use the hand if you're off the main page. And text rendering isn't quite as good in Sumatra, though that's due to the fact that it doesn't use the hacks that regular Windows text rendering does to look good on low-DPI LCDs, and it should go away once we finally get high-DPI desktop monitors in the mainstream.

Re:Foxit people! (2)

Emetophobe (878584) | about 2 years ago | (#41920311)

You can change the yellow background using the -bg-color command line argument. For example: "C:\Program Files (x86)\SumatraPDF\SumatraPDF.exe" -bg-color 0x444444

It's described in the manual here [kowalczyk.info] .

Re:Foxit people! (1)

Billly Gates (198444) | about 2 years ago | (#41920981)

I have not used Sumatra. I think fighting over between the 2 is silly like fighting over Firefox or Chrome when IE is still at 6.

I use Foxit because I am used to it. I ditched reader early last year and I needed something compatible with most PDFs and at the time FoxIT had broader compatibility. Yes Foxit does have javascript support which can be a security risk but it will not execute it without your permission first. Also the javascript is sandboxed too and you have to click an option to turn all of it on, unlike Reader. Foxit has plugins and more tools from the reviews I have read about Sumatra back in 2011.

Maybe that has changed?

But either one is better than Adobe. Integrating unsigned Flash applets that your AV software can't read is inexcusable! Wow. Or a better idea could also be to use Chrome with its built-in PDF reader? I use FoxIT for many office workers because it looks like Reader and is compatible with mostly everything.

Re:Foxit people! (0)

Anonymous Coward | about 2 years ago | (#41921073)

Foxit is free so if you are on Windows give it a try? Reader is simply dangerous as well as Flash. I find Foxit to be the most similar looking to Reader which is good for your users if you are in IT support like many slashdotters who are.

Adobe Software = Joke (0)

Anonymous Coward | about 2 years ago | (#41920231)

I'm starting to wonder if Adobe even makes credible software these days. It's nice to be able to read documents and watch animations but do we really need all this software that seems to want to update twice a week and has a new security hole every month? How can development practice be so bad that we've ended up here? This just validates my idea that any piece of software on a PC needs to be the Windows OS or Microsoft code, and not vendor installed crap and bloat. I wouldn't trust them to write a "Hello World" app without at least 400 buffer exploits.

Alternatively, switch to Linux and avoid the whole problem.

Way more complex than needed (1)

BryanWhyte (2770489) | about 2 years ago | (#41923525)

As one who has used Adobe Reader since 3.0, it really is hard to comprehend why this product continues to advance in complexity. Are there strong numbers of users out there really using the advance features of Adobe X?