The more I deal with vulnerabilities in Acrobat the less patience I have with the company. You actually can take your business elsewhere.
When you budget time this coming Patch Tuesday (March 10), don't forget to leave some in for the following day, March 11, when Adobe will grace us with the update for the latest zero-day vulnerability in Acrobat and its Reader program.
The exploits of this vulnerability don't appear to be widespread, but you have to assume they could explode any minute. After what eWEEK and others went through last month, you have to assume that PDF exploits can have a huge impact long after they are patched.
And the potential damage from this vulnerability, which has come to be known as the JBIG2Decode exploit, is huge: Didier Stevens has demonstrated this bug executing through the Adobe Reader shell extension; all the user has to do is open a folder (in thumbnail view) that contains a malicious PDF using the attack.
I've already hit on Adobe hard for an insufficiently aggressive approach to vulnerabilities in its own products.
In fact, for the JBIG2Decode vulnerability there isn't even an effective mitigation.
used in PDFs for forms processing applications, and it's there because
block the vulnerability, just the known exploits of it.
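Since the column names the vulnerable component (the JBIG2Decode filter) but says there is no effective mitigation, the one thing a defender can do right away is find out which PDFs arriving at the organization actually exercise that decoder. The scanner below is an added example, not code from the column, from Adobe or from Didier Stevens. It parses PDF name tokens, resolves the #xx hex escapes the PDF syntax allows in names (so a file written as /JBIG2#44ecode is still recognized), and reports every /Filter chain it finds. The sample PDFs are constructed skeletons with empty image data, not exploit files. Flagging the filter is triage, not a mitigation: it surfaces files that use the decoder, legitimate or not, and it will not see streams hidden inside compressed object streams, which a full parser would have to inflate first.

```python
"""Triage scanner: flag PDF files whose streams are decoded with /JBIG2Decode.

Added example for the column above; not the column's, Adobe's or Didier Stevens' code.
"""
import re
import sys
from typing import List

# PDF name tokens start with '/' and end at whitespace or a delimiter.
_NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
# Names may hex-escape any character: /JBIG2#44ecode is the same name as /JBIG2Decode.
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A /Filter value is either a single name or an array of names.
_FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[^\s/\[\]<>(){}%]+)")


def _unescape_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so evasively written names compare equal to plain ones."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_names(data: bytes) -> List[bytes]:
    """Return every PDF name token in the file, escapes resolved, without the slash."""
    return [_unescape_name(m.group(1)) for m in _NAME_RE.finditer(data)]


def filter_chains(data: bytes) -> List[List[bytes]]:
    """Return each /Filter value as a list of filter names, in declared order."""
    return [pdf_names(m.group(1)) for m in _FILTER_RE.finditer(data)]


def uses_jbig2(data: bytes) -> bool:
    """True if the file references the JBIG2Decode filter anywhere.

    Matching on all name tokens (not only on /Filter values) also catches a
    filter whose /Filter key itself was hex-escaped. Streams inside compressed
    object streams (/ObjStm) are not inflated here and would be missed.
    """
    return b"JBIG2Decode" in pdf_names(data)


# Constructed sample files (not real documents, not malware): one image stream
# uses JBIG2Decode, one uses an escaped spelling of it, one uses FlateDecode only.
_SKELETON = (
    b"%%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /BitsPerComponent 1\n"
    b"   /ColorSpace /DeviceGray /Filter %s /Length 4 >>\n"
    b"stream\n\x00\x00\x00\x00\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%%%EOF\n"
)
SAMPLE_JBIG2_PDF = _SKELETON % b"/JBIG2Decode"
SAMPLE_ESCAPED_PDF = _SKELETON % b"/JBIG2#44ecode"
SAMPLE_CLEAN_PDF = _SKELETON % b"[/ASCIIHexDecode /FlateDecode]"


def scan_file(path: str) -> bool:
    """Scan one file on disk and print a one-line verdict; returns the flag."""
    with open(path, "rb") as fh:
        data = fh.read()
    flagged = uses_jbig2(data)
    chains = [b"/".join(c).decode("latin-1") for c in filter_chains(data)]
    print(f"{'JBIG2' if flagged else 'ok   '}  {path}  filters={chains}")
    return flagged


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if any(scan_file(p) for p in sys.argv[1:]) else 0)
    # No paths given: demonstrate on the constructed samples.
    for label, sample in [("jbig2", SAMPLE_JBIG2_PDF), ("escaped", SAMPLE_ESCAPED_PDF),
                          ("clean", SAMPLE_CLEAN_PDF)]:
        print(label, "flagged" if uses_jbig2(sample) else "not flagged", filter_chains(sample))
```

Run it with one or more file paths to get a verdict per file and a nonzero exit status if anything is flagged, which makes it easy to hang off a mail gateway or file-share sweep; with no arguments it runs against the constructed samples.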
Did you know that PDF is an open standard (ISO 32000-1:2008)? And we
have Adobe to thank for this, so give credit where credit is due. This
means that anyone can make tools to create and/or view PDF documents,
and they do. There are many companies that make PDF products for a variety of platforms.
Mikko Hypponen of F-Secure has it right: Adobe Reader has become the new IE. (Well, I'd say it's become the old IE, but you get the point.) Back to Mikko: "For some reason everybody seems to be using it for reading PDF files. Even though there are plenty of free alternatives. And the alternatives are much smaller and faster. And start up in under a minute."
OK, so let's take Mikko's advice. Furthermore, just to keep the issue a little simpler, let's only deal with PDF viewers; there are lots of products that compete with Acrobat itself for PDF generation, but that's a more complex issue and the number of seats is much, much smaller. Consider that you could replace Adobe Reader on your client PCs with Foxit or Sumatra PDF. It's got a lot going for it as an idea, and it's satisfying to those of us who are impatient with Adobe.
Before you go off taking my advice, I should add that there are
clear limits to this strategy. Just because nobody is researching and
developing attacks for non-Adobe viewers doesn't mean they don't have
them. Such vulnerabilities could be developed, and if someone is
looking at a targeted attack on your organization it would make great
sense to develop one.
In fact, the third-party viewers have already been successfully exploited. As part of the research into the vulnerability exploited against eWEEK recently, Secunia found a very similar vulnerability in Foxit Reader.
It's so similar you have to wonder if the same people coded both
won't be exploitable in alternative viewers.
This strategy mimics, to a degree, that of people who get a Mac
because they're sick of the security problems in Windows. You're trying
to fly under the radar. There are some differences. Mac switchers
probably end up paying more and have fewer choices for software and
(certainly) hardware. Alternate PDF viewers "should" be plug-and-play
interchangeable with Adobe's viewer.
I wouldn't recommend launching right now into a full-blown
switchover, but I would definitely start experimenting. Pick a group
that uses PDFs in a typical way and switch them over, making sure to
let them know what you're doing and that they should let you know of
any problems. If there aren't any problems it's time to start expanding
the tests. Maybe you can even try different viewers with different
groups and see how they work out.
Or you can just sit around and wait for Adobe to fix the problems as they come up.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.