Robert Hensing's Blog

Software Security . . . and stuff.

Adobe, Attack Surface, The way the world ends (etc.)


Okay - so last month I discovered that Adobe PDFs can contain Java freaking script in them AND that Acrobat has that feature turned ON by default (Edit menu -> Preferences -> Enable Acrobat Java freaking Script).
How could I NOT have known about this?  Did YOU know before May that PDFs could run Java freaking script?  I guess I don't spend very much time looking at PDFs or exploring the Acrobat UI.

Does anyone not remember VBA in Office being turned on by default circa 2000 and what a great idea THAT turned out to be?

Oh I'm over-reacting to this discovery you say - the Acrobat JavaScript is pretty basic and restricted and safer than the all powerful Office macro and stuff . . . but then I read stuff like this from the developer guide:

"You can enhance a PDF document so that it contains form fields to capture user-entered data as well as buttons to initiate user actions. This type of PDF document can replace existing paper forms, allowing employees within a company to fill out forms and submit them via PDF files, and connect their solutions to enterprise workflows by virtue of their XML-based structure and the accompanying support for SOAP-based web services."

and I start freaking out again.

To be fair Adobe does seem to have thought that maybe it's not great to let Javascript "initiate user actions" and party all over a user's machine un-restrained like, so they introduced a safe word . . . err safe PATH . . . but only in version 6?

"● Safe path: Acrobat 6.0 introduced the concept of a safe path for JavaScript methods that write data to the local hard drive based on a path passed to it by one of its parameters. Generally, when a path is judged to be not safe, a NotAllowedError exception is thrown. See the JavaScript for Acrobat API Reference for more information about safe paths.

Note: Many sample scripts presented in this guide reference the local file system. These scripts generally use the path "/c/temp/", which is a safe path."

So then I got to page 20 and started freaking out some more . . . page 20 lists a bunch of things you can do with Javascript PDF Applications . . . like the ability to send emails, create new documents, control digital media, connect to databases and execute SQL statements, connect to web services and customize the UI.  And they can do all this by default in the latest Acrobat Reader I believe by the virtue of JavaScript.

So then I remember this bulletin from May . . . which is what alerted me to the presence of JavaScript parsing in Acrobat in the first place.

http://www.adobe.com/support/security/bulletins/apsb08-13.html

"This update resolves an input validation issue in several JavaScript methods that could potentially lead to remote code execution. (CVE-2007-5659)
NOTE: There are reports that this issue is being exploited."

The emphasis in bold above is clearly mine.

Reading on you also find this CVE:

"This update resolves an issue that could allow a local user to execute arbitrary code by overwriting a local file. (CVE-2007-5666)"

So much for the "safe word" err path.  I meant path!

This bulletin doesn't do much to allay my concerns about a JavaScript interpreter being enabled by default in what is probably the most widely used document viewer on the planet.

So I'm already thinking about all of this when today I read about Acrobat 9 which was announced recently I guess.
And after reading some articles on it I can't help but hear Cortana in my head saying "This is the way the world ends" with some dramatic Bungie-esque Halo3 theme music playing in the background . . .  

Why is that?  Because "For the first time, Acrobat 9 provides deep support for Adobe Flash technology, enabling users to include Adobe Flash Player compatible video and application files in PDF documents. Recipients simply need free Adobe Reader(R) 9 software to consume the content. Now, static documents can come to life as dynamic communications."

Whoa - Flash SWFs embedded and playable in PDF files (possibly with JavaScript)?  What could  *possibly* go wrong? :)  What other "cool" stuff can I do now Adobe? :)
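For anyone who wants to know whether a given PDF carries JavaScript or embedded rich media before a viewer gets to parse it, here is a small triage sketch. It is an added example, not code from this post or from Adobe; it assumes the standard PDF dictionary names `/JS`, `/JavaScript`, `/OpenAction`, `/AA`, `/RichMedia` and `/ObjStm`, and the sample bytes are constructed.

```python
import re

# PDF name tokens worth flagging when triaging a document before it is opened.
WATCHED = {
    b"JS": "JavaScript source attached to an action",
    b"JavaScript": "JavaScript action or name tree",
    b"OpenAction": "action run when the document opens",
    b"AA": "additional actions (page/field triggers)",
    b"RichMedia": "embedded rich media such as Flash (SWF)",
    b"ObjStm": "compressed object stream (can hide the names above)",
}

# A name is '/' followed by regular characters; whitespace and delimiters end it.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes, so /J#61vaScript is counted as /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def scan_pdf_bytes(data: bytes) -> dict:
    """Return {name: count} for every watched name found in the raw bytes."""
    counts = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in WATCHED:
            key = name.decode("ascii")
            counts[key] = counts.get(key, 0) + 1
    return counts

def has_active_content(counts: dict) -> bool:
    """True when the file declares script or rich media in the clear."""
    return any(k in counts for k in ("JS", "JavaScript", "RichMedia"))

# Constructed sample: a fragment of PDF object syntax, not a real document.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert\\('hello'\\);) >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /RichMedia >>\nendobj\n"
)

if __name__ == "__main__":
    for name, count in sorted(scan_pdf_bytes(SAMPLE).items()):
        print(f"/{name:<11} x{count}  {WATCHED[name.encode()]}")
```

This is a byte-level heuristic: a hit means the file is worth a closer look, and a file with `/ObjStm` but no other hits may still hold these names inside compressed streams.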

Anyhoo . . . Adobe appears to be going through some 'interesting' times . . . they patched some code execution bugs in Acrobat that apparently were used in some targeted attacks (according to their bulletin) and we of course all heard about the Flash vulnerability being exploited in the wild last month as well . . . and while we here at Microsoft seem to be doing everything we can to reduce attack surface as much as possible and disable stuff by default . . . our competitors are busy seemingly increasing attack surface and enabling it by default even though it's becoming increasingly clear they are starting to receive some of the same miscreant love and affection that our products have been receiving for the last few years. :)

Time will tell who is making the right decisions here.

Comments
  • Now that's a surprise: Attackers exploit unpatched Acrobat flaw. It turned out some time ago that the PDF format is not as "safe" as it was commonly assumed to be. And now there is another hole: VRT: Have a nice weekend! (PDF love). By the way, a remin
