
Webmaster General Forum

    
PDF files now vulnerable to buffer overflow
Acrobat reader insecure across all platforms
amznVibe, msg:333422, 10:58 am on Aug 18, 2005 (gmt 0)

It is now possible to construct a PDF file that causes Acrobat Reader to allow code execution.
Well actually I guess it's always been possible, they finally decided to let us know about it:
[adobe.com...]
[kb.cert.org...]
Solution: install the updated version (gee thanks).
Adobe Reader (Windows or Mac OS): Update to version 7.0.3 or 6.0.4.
Adobe Reader (Linux or Solaris): Update to version 7.0.1.
Adobe Acrobat (Windows or Mac OS): Update to version 7.0.3, 6.0.4, or 5.0.10.

Acrobat Reader 7.0.0 for Windows - direct download (13 megs) [ardownload.adobe.com]
Adobe Acrobat Reader 7.0.3 UPDATE for Windows - direct download [ardownload.adobe.com]

After you install the newer, bulky versions, use this program to speed up the start process:
[fileforum.betanews.com...]
(Windows only, of course)
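A defender's reading of the version list in the post above, as an added example written for this page (it is not code from the thread, from Adobe or from CERT): it compares an installed build against the fixed releases quoted in the post, branch by branch, so that Acrobat 5.0.10 is recognised as patched while a Reader 4.x build, which has no fixed release in the list, is flagged as needing a move to a newer branch rather than a same-branch update. The product and platform labels, the host names and the installed versions in the sample inventory are constructed for illustration.

```python
"""Patch-status check for the Adobe Reader / Acrobat versions named in the
advisory summary quoted above.

Added example for this thread, not code from the thread, from Adobe or from
CERT.  The fixed-version table is copied from the post; the host names and
installed versions in INVENTORY are constructed sample data."""

from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed releases from the advisory as quoted in the post, keyed by
# (product, platform).  A product can have more than one maintained branch
# (7.0.x, 6.0.x, 5.0.x); a build is patched only if it is at or above the
# fixed release of its *own* branch.
FIXED_VERSIONS: Dict[Tuple[str, str], List[str]] = {
    ("Adobe Reader", "Windows"): ["7.0.3", "6.0.4"],
    ("Adobe Reader", "Mac OS"): ["7.0.3", "6.0.4"],
    ("Adobe Reader", "Linux"): ["7.0.1"],
    ("Adobe Reader", "Solaris"): ["7.0.1"],
    ("Adobe Acrobat", "Windows"): ["7.0.3", "6.0.4", "5.0.10"],
    ("Adobe Acrobat", "Mac OS"): ["7.0.3", "6.0.4", "5.0.10"],
}


def parse_version(text: str) -> Version:
    """'5.0.10' -> (5, 0, 10).  Comparing tuples of ints avoids the classic
    string-comparison bug where '5.0.10' sorts below '5.0.9'."""
    return tuple(int(part) for part in text.strip().split("."))


def branch(version: Version) -> Version:
    """The major.minor pair that identifies a maintenance branch (7.0.2 -> 7.0)."""
    return version[:2]


def check_build(product: str, platform: str, installed: str) -> Tuple[str, str]:
    """Classify one installed build.  Returns (status, target_version) where
    status is one of:
      'patched'     - at or above the fixed release of its branch
      'update'      - the branch has a fix but this build predates it
      'unsupported' - no fixed release exists for this branch (Reader 4.x or
                      5.x here), so the only remedy is moving to a newer branch
    """
    fixed = FIXED_VERSIONS.get((product, platform))
    if fixed is None:
        raise ValueError(f"no advisory entry for {product} on {platform}")
    have = parse_version(installed)
    for candidate in fixed:
        want = parse_version(candidate)
        if branch(want) == branch(have):
            return ("patched" if have >= want else "update", candidate)
    # No fix for this branch: point at the newest fixed release overall.
    newest = max(fixed, key=parse_version)
    return ("unsupported", newest)


# Constructed sample inventory: (host, product, platform, installed version).
INVENTORY = [
    ("ws-01", "Adobe Reader", "Windows", "7.0.0"),
    ("ws-02", "Adobe Reader", "Windows", "6.0.4"),
    ("ws-03", "Adobe Reader", "Windows", "4.0.5"),
    ("ws-04", "Adobe Acrobat", "Windows", "5.0.10"),
    ("srv-01", "Adobe Reader", "Linux", "7.0.1"),
]


def audit(inventory) -> List[Tuple[str, str, str]]:
    """Run check_build over an inventory and return (host, status, target) rows."""
    return [(host,) + check_build(product, platform, version)
            for host, product, platform, version in inventory]


if __name__ == "__main__":
    for host, status, target in audit(INVENTORY):
        print(f"{host:8} {status:12} target {target}")
```

The branch-aware comparison matters because the advisory lists one fixed release per branch: a 6.0.3 build is "update to 6.0.4", not "update to 7.0.3", which is exactly the in-branch path the thread goes on to argue about for pre-XP machines.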

 

amznVibe, msg:333423, 11:47 am on Aug 18, 2005 (gmt 0)

Look very carefully at the link I posted. Same program. ;)

Leosghost, msg:333424, 11:49 am on Aug 18, 2005 (gmt 0)

Whoops ... red face ... There seemed to be the words "shopping cart" all over your link .. so I assumed pay!

Leosghost, msg:333425, 1:46 pm on Aug 18, 2005 (gmt 0)

Just noticed also that the Adobe links do not support resuming .. nice .. the main file .. a 13 meg file on dialup .. about 1 hour .. (and it's gonna be running white hot with this) and pray that there are no service interrupts .. when will they think to place this sort of stuff on servers that we can get back into ...

Almost everyone has at least the Reader .. so almost everyone is at risk .. anyone know any "mirrors" with "resuming" ...

Adobe has always **ssed me off with this no-resuming policy ...

donovanh, msg:333426, 2:16 pm on Aug 18, 2005 (gmt 0)

Maybe there's a torrent for it somewhere.

Leosghost, msg:333427, 2:30 pm on Aug 18, 2005 (gmt 0)

Server switched off at 4 megs .... now the link routes to a server with resuming, so maybe they decided to relax their rules this once .. :)

RonPK, msg:333428, 4:07 pm on Aug 18, 2005 (gmt 0)

Thx for the links, amznVibe. I recently made the 5.0 version my default as the 6 version took forever to launch. So that speed-up tool looks interesting.

amznVibe, msg:333429, 6:01 pm on Aug 18, 2005 (gmt 0)

You can use the ftp site for resuming on dialup.
ftp://ftp.adobe.com/pub/adobe/reader/win/7x/7.0/enu/

What's really stupid is you have to install 7.0,
then patch to 7.0.1, then patch to 7.0.2, then .3 and .4.
Insane.

Personally I chose 6.0 because it's a few megs less than 7.0 and starts
a tad faster even with the speedups (and it's "only" two patches instead of four).

I was still using 4.0.5, heh. Fastest of them all. I miss it already.

Leosghost, msg:333430, 6:30 pm on Aug 18, 2005 (gmt 0)

arrrGHHH! 13 meg download and it tells me that it needs me to upgrade my 'doze from 98II to XP .. no way, sunshine!

No way is XP being allowed on a machine that can get to the net ... took me long enough to secure this baby ...

Have Adobe signed a deal here with the Sith Lord to force us all to go to the OS of their choice ... scare you into buying the latest OS from their friends 'cos they can't keep their own code secure ...

That's it, open source PDF is being installed tomorrow ..

BTW I just received an email with what I presume was a link to the "exploit" ... why else would anyone email me an ad for a 32" flatscreen monitor that needs me to click to download a PDF file to get other than the photo ...?

jchance, msg:333431, 6:34 pm on Aug 18, 2005 (gmt 0)

I just tried that Acrobat Reader speed-up application and it worked like a champ. Acrobat fired up almost instantly, whereas it used to take 5, 6 seconds.

Thanks for the link, amznVibe.

techrealm, msg:333432, 7:16 pm on Aug 18, 2005 (gmt 0)

It is not mandatory to update to version 7 (and version 4 was not listed). If you're like me and shoulders-deep in old paid-for licenses, look over the listing amznVibe pointed out at:
[adobe.com...]

mattglet, msg:333433, 7:30 pm on Aug 18, 2005 (gmt 0)

Doesn't the "speed up" application just load some needed info at OS startup, rather than application startup? I could be wrong (I'm just going off memory).

Neo541, msg:333434, 8:21 pm on Aug 18, 2005 (gmt 0)

It says that it just doesn't load many of the least-used plugins ... You can then re-enable them later if you need to.

Seems to work like a champ!

Leosghost, msg:333435, 9:47 pm on Aug 18, 2005 (gmt 0)

Techrealm ...read it again and try the following ..because ..

It may not be "mandatory" to do the upgrade to 7 .. but I can confirm both from reading the link supplied by techrealm and then (having wondered if I was getting the gist wrong there) actually using "lower" (I began from version 3 this morning my time .. yah! version 3! .. it always was stable and did what it was supposed to .. read and wrote PDFs in 'Doze) .. (I had versions four + on other machines) than version 7 series and attacking it with the exploit code (actually .. forcing the overrun would be more accurate 'cos as amznVibe said it always was there .. jus' no one ever bothered to look .. but easy to do .. (on an offline machine) .. (I upgraded from series 4 to series 6) that only version seven is actually protected against it by the patch (the patch won't "take" on lower versions!) .. all other version users must do the "climb the update ladder" one rung at a time from within their current version (which is what Adobe are saying on those pages) 'til they have version series seven .. then the patch will work! (again tried on another machine that uses XP (for the purposes of emulating clients' machine OSes and thus their problems) but is not allowed to "talk to the net" ...

In short, all those who are not running XP are forced to do so in order to be protected from Adobe's own coding mistakes (and they will shortly own Macromedia entirely .. again reducing the real choice of software providers that can run on 'Doze) ...
**sidenote **
<Mattglet .. that is indeed all it does .. but it does it very, very well and very simply for non-geeks or those not entirely confident about playing around with the run-on-start area ... nice little proggy .. does just what it says ..>
**/sidenote**
To return to the subject in hand .. if you are not on at least XP and therefore able to use series 7 of the Reader or the "full" package you are "arse to the wind" ... the so-called "patch" will do nothing for you .. go open source to read and write your PDFs ...

If Adobe would care to send in a rep to register to these fora, "adobe guy", to say otherwise, I am prepared to debate the issue ...

Meantime I am unamused by attempts to force anyone to go to XP .. even less when coming via 3rd parties .. (to whatever degree they may be on convergent paths with Redmond .. "Adobosoft" anyone?) ...

And yes I know they say
For users of Adobe Reader 6.0-6.0.3 who cannot upgrade to Adobe Reader 7.0.3, utilize the product's automatic update facility to install version 6.0.4,
.. however you can still make your OS hang if you have done so .. so it is only a half patch .. on systems earlier than XP!

[edited by: Leosghost at 9:57 pm (utc) on Aug. 18, 2005]

natural number, msg:333436, 9:52 pm on Aug 18, 2005 (gmt 0)

Acrobat has always crashed my machine and I'm running 1.25 GB of ram.

amznVibe, msg:333437, 6:44 am on Aug 19, 2005 (gmt 0)

For those that want to try an alternative to Acrobat reader, there is always GhostView which is open source:
[cs.wisc.edu...]
You'll also need to install GhostScript which is the engine:
[prdownloads.sourceforge.net...]

Not as polished as Acrobat, but it can do a few tricks Acrobat can't
(like print and extract text from "locked" PDFs, ha).

ultimasurf, msg:333438, 7:04 am on Aug 19, 2005 (gmt 0)

I just upgraded to Adobe Acrobat 7.0 Professional from version 6. The old version always caused a buffer overflow. To prevent this from happening, what I did was to close the process through the Windows Task Manager (Ctrl + Alt + Delete) after closing PDF files. So far I am happy with the new version. The PDF files found on the Internet open almost instantly, like HTML files.

motorhaven, msg:333439, 5:03 pm on Aug 19, 2005 (gmt 0)

If you're running Windows 98 you are running an 8-year-old operating system. I think it's reasonable to cut off support for older versions of an operating system at some point. Heck, even Red Hat Enterprise stops at 5 years.

XP is no more insecure or secure than 98 (actually it's probably far more secure), just more common and therefore it's a bigger target. Stay behind a non-Windows firewall, get with the current decade if you're doing web development, and don't complain if someone doesn't want to support your ancient OS. Be realistic.

[edited by: trillianjedi at 9:12 pm (utc) on Aug. 21, 2005]
[edit reason] See sticky [/edit]

physics, msg:333440, 5:14 pm on Aug 19, 2005 (gmt 0)

I have a full version of Acrobat 5 that came with my windows machine. There seems to be no upgrade for that though. I know it's old but it's worked so far ... guess this is the end?

physics, msg:333441, 5:19 pm on Aug 19, 2005 (gmt 0)

Oops, I missed techrealm's post. Got it. It seems strange that the update for 5 was released in 2004, though ... could this imply they've known about the problem for a year with the older versions and just not fixed the new ones?

Leosghost, msg:333442, 11:08 pm on Aug 19, 2005 (gmt 0)

"actually it's probably far more secure"

98II .. after a few years .. we got just about locked down hard .. (the world and its dog tried to break it .. every day .. most days it broke .. and eventually all the holes got a bandaid .. so it worked) ..

<snip>

There are 4 machines sitting next to me .. The "one that can connect" to the internet runs 98II and will not ever be installed with anything else .. because it's running 98II I can fix anything on it faster than you can download a patch for XP on dialup .. which is all that is available here ..

Plus I have the entire "windows" folder and the progfiles on CD in the drive ready to run live .. just like Knoppix can .. to take over ... and if one day it catches fire I'm not gonna sob my heart out over what is now $100.00 of equipment ..

I don't expect Adobe to support older versions of 'doze .. for now they and MS are two separate companies .. However I do expect them to patch other than the latest versions of their own software with other than a series of incremental one-at-a-time updates ... or at least to make it clear on their update site that version 7.03 (the only one their patch is for) requires 2K or later and thus save those who are not running it the time and money wasted in downloading from what must be the slowest servers anywhere on the entire internet when accessed by dialup clients ...

Would also be nice (as I mentioned elsewhere) if MS would not make us waste time downloading "patches" and "fixes" that only work on the English version of their OSes ... apparently they still haven't taken the trouble to make ones that work on the other language versions .. How many languages do MS make 'doze for ..? .. and they only patch English versions ... cute PR move ;)

BTW .. I did put Adobe 7.03 on another machine that I run XP on for diagnostics .. the machine config is more powerful and faster .. wasn't impressed at all over the series 4 .. like amznVibe said ...

[edited by: trillianjedi at 9:21 pm (utc) on Aug. 21, 2005]
[edit reason] See sticky [/edit]
