Zero Day PDF Security Hole


Brett_Tabke

2:56 am on Sep 24, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month Best Post Of The Month



[channelinsider.com...]

A zero-day PDF vulnerability in Adobe's Acrobat Reader has come to light that can lead to Windows boxes getting taken over completely and invisibly, according to a security researcher. "All it takes is to open a [maliciously rigged] PDF document or stumble across a page which embeds one,"

vincevincevince

3:10 am on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hopefully helpful to some:

Adobe provides facilities to convert PDF to text and to web-formats [adobe.com] - these could become a key part of PDF viewing in the near future. Email versions exist (forward to pdf2txt@adobe.com or pdf2html@adobe.com to get text or html conversions back).

For those who actually need to open the PDF before this is properly patched, be aware that the free download 'GSview' is an alternative viewer (requires Ghostscript, also a free download). For safety, uninstall Adobe's reader entirely first. Note that as there is no published POC it is not yet possible to be sure if any alternative viewer is safe. Perhaps converting the PDF to a PostScript file before viewing should be recommended?

Finally, if the PDF is on a website, try to use Google's HTML version feature - search by the PDF's URL and see if there's an HTML link there.

It does seem very worrying, especially considering Adobe's response. The notes about social engineering are spot on. I've opened PDF spam myself before. I suggest that care is taken with even trusted PDF files, as it is likely that anyone exploiting this will attempt to infect other PDF files on the host system in the hope that they will be sent elsewhere.

In the end it does seem likely that repeated security flaws revolving around 'internet enabled' applications will mean we are going to see a return to the strict segregation of the internet and our applications of the type we saw five years ago due to technical limitations. If this problem continues I can't see it remaining acceptable for a media player to be able to do anything but pure streaming, or for a word processor to browse websites 'inline'.

annej

4:55 am on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Does this mean we should take PDFs off of our sites until the whole thing is resolved?

graeme_p

6:29 am on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



we are going to see a return to the strict segregation of the internet and our applications of the type we saw five years ago due to technical limitations. If this problem continues I can't see it remaining acceptable for a media player to be able to do anything but pure streaming, or for a word processor to browse websites 'inline'.

I used to run my web browser (and therefore any applications it launched) as a separate user. This is a better solution as it allows you to use applications both ways, but to restrict the vulnerable usage. I stopped doing it due to the lack of attacks that affected Linux, but I will start again if things change.

Does this mean we should take PDFs off of our sites until the whole thing is resolved?

I would say that is an overreaction. After all, if you are not malicious, and your server has not been compromised, your PDFs are safe.

If you have a lot of PDFs on your site, point people to other PDF readers, so they can feel secure (if they know about this). If everyone did this, it would give Adobe an incentive to patch quickly.

Almost everyone using a non-Windows platform, and enough Windows users to make the software worth producing, use other PDF readers already.

swa66

8:36 am on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Don't overreact.

There is one person -who unfortunately shared it with his friends, but not widely (yet)- who knows how to attack using this alleged vulnerability (it's not been proven, nor independently verified, nor confirmed (publicly) by adobe).

Stopping the use of PDFs is about the worst possible choice, as it'll drive you right towards formats such as Word's ".doc". Many more vulnerabilities there, and much less platform independent.

I remember a while back it was noticed that, over the preceding 2 years, there were just a dozen or so days on which there was not a publicly known unpatched buffer overflow in Microsoft's IE. Did it result in an abandonment of IE? Did you switch to an alternate browser/vendor?
Yet, those were -as a threat- much worse in each and every instance as the vulnerability (and the exploits) were known.

As Douglas Adams says: Don't Panic.
Unless you work for Adobe, those we want to work very hard and fix it *now*.

vincevincevince

8:47 am on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Don't overreact.

It's never good to overreact, but in this case I firmly believe you should react. There are teams of spammers now desperately trying to find this flaw in order to exploit it before the patch arrives. If it can be found once, it can be found again. Once one of your employees opens an infected PDF file, all PDFs on his system could become infected. You wouldn't even be able to trust internally generated PDFs any more.

For commercial users, I would firmly recommend removal of Adobe Reader today from all machines, and keeping it gone until the patch is released. Rig up a machine on your intranet with a file upload form which uses Ghostscript + ImageMagick to convert the PDF to PNG, and require all employees to use that to read their PDFs.
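An added example (not code from any poster in this thread) of the intake step for the intranet converter described above: it rejects uploads that are not PDFs, flags the PDF names that let a document run actions or launch programs, and builds the Ghostscript command that re-renders every page to PNG so staff only ever open images. The function names and the sample PDF are constructed; the gs flags are real Ghostscript options.

```python
import subprocess
from pathlib import Path

# Standard PDF names that let a document run scripts, auto-trigger actions,
# launch programs or carry embedded files. Counting them is a triage hint,
# not a verdict: streams may be compressed or names hex-escaped.
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
              b"/Launch", b"/EmbeddedFile", b"/RichMedia")


def is_pdf(data: bytes) -> bool:
    """A PDF announces itself with %PDF- near the start of the file."""
    return b"%PDF-" in data[:1024]


def triage_pdf(data: bytes) -> dict:
    """Return {name: count} for every risky name present in the raw bytes."""
    if not is_pdf(data):
        raise ValueError("upload is not a PDF")
    return {k.decode(): data.count(k) for k in RISKY_KEYS if data.count(k)}


def rasterize_cmd(src: Path, out_dir: Path, dpi: int = 150) -> list:
    """Ghostscript command line that renders each page to a PNG.
    -dSAFER restricts file access from the interpreter; -dBATCH/-dNOPAUSE
    make gs run unattended. Run this on an isolated host, since gs itself
    must parse the untrusted file."""
    return ["gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-dNOPROMPT",
            "-sDEVICE=png16m", f"-r{dpi}",
            f"-sOutputFile={out_dir / 'page-%03d.png'}", str(src)]


def convert_untrusted(src: Path, out_dir: Path, timeout_s: int = 60) -> int:
    """Run the conversion with a timeout; returns the gs exit status."""
    out_dir.mkdir(parents=True, exist_ok=True)
    res = subprocess.run(rasterize_cmd(src, out_dir), capture_output=True,
                         timeout=timeout_s)
    return res.returncode


# Constructed sample: a minimal PDF skeleton whose catalog auto-runs a
# harmless JavaScript action. It demonstrates the flags, not an exploit.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
    print(" ".join(rasterize_cmd(Path("upload.pdf"), Path("rendered"))))
```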

Matt Probert

9:09 am on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can be run over while crossing the road. A tree might fall on you and kill you. But you take sensible precautions, not excessive knee-jerk overreactions.

This sounds like another scare story to whip up hysteria to me.

Matt

kaled

11:09 am on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Probably, the only way to browse securely is to use multiple virtual machines. Use one for general browsing (that is not connected to the company network or whatever) and one for secure stuff like banking.

I find the existence of all the various buffer-overrun/data-execution vulnerabilities (that's probably what the new Acrobat one is) absolutely gobsmacking. Speaking as a programmer, I have to say the code has to be pretty damn dirty at a memory-management level. This would also explain why fixes can be slow to arrive - dirty code is a lot more difficult to fix than clean code.

Data Execution Prevention
If this is a buffer-overrun/data-execution issue, I presume some of us are protected. In XP, this feature is only enabled by default for critical Windows services. If you wish to switch this feature fully on, right-click My Computer, select Properties, and then Advanced¦Performance¦Data Execution Prevention. Some legit programs will fail with this feature turned on, so you can create exceptions.

Data-execution exploits work by embedding program code into partially fake objects, such as image files. This is easy, the tricky part is inducing that program code to be executed. It is the actual execution of the rogue code that should be prevented by this Windows/Hardware facility.

Kaled.

D_Blackwell

2:40 pm on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've found multiple machines to be as handy as multiple monitors. I do a lot of surfing, but security on my primary box is crucial - so most surfing, visiting of bad neighborhoods, 'iffy' downloads, and such, are done on a box I'm 'willing' to risk see compromised.

kaled

5:27 pm on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



As an experiment, I decided to fully enable Data Execution Protection (XP SP2). It does actually work - a couple of my own programs now fail (I knew they would - I guess I'd better fix them). Of the major programs I've quickly tried, everything seems ok.

Kaled.

Marshall

7:43 pm on Sep 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Bottom line - Trust! If you do not trust, or know the source, then do not open it.

Marshall

vincevincevince

1:20 am on Sep 25, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Bottom line - Trust! If you do not trust, or know the source, then do not open it.

Fine, until your trusted source gets infected. It could potentially take just one infected document foolishly opened by your trusted source to infect all the trusted documents. What's more, because of your emphasis on trust, even when you get infected, others will still trust your documents by reputation. Trust is the best friend of a virus - witness how many successful attacks have taken place by reading your address book and writing emails from your account to them. It's entirely because you are trusted by them.

graeme_p

9:57 am on Oct 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I just noticed that the title of this thread is wrong.

It is NOT a PDF security hole, it is an Acrobat on Windows security hole.

I am not just splitting hairs. OK, most people use Acrobat to read PDFs: but by making the distinction clear you draw people's attention to the fact that they can avoid the problem by using another reader OR by using another platform.

vincevincevince

10:17 am on Oct 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



but by making the distinction clear you draw people's attention to the fact that they can avoid the problem by using another reader OR by using another platform.

According to the original source, other viewers may have the same hole, and indeed some do (Foxit, however, requires user interaction).

D_Blackwell

6:50 pm on Oct 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I opened a PDF that was not at all what I thought it was, and closed immediately. No problems - just a very bad feeling. Sent it to my mother with a warning, and asked if she saw any threats. Her company is pretty sensitive to security, so thought it might get flagged as trouble and then provide me with some info on issues I may have given myself.

At first she couldn't open the file - when it did open, it immediately crashed her system. Ten minutes later, company server system crashed. Possibly coincidence. Possibly not. They seem to have restored both her machine and the company servers - no details yet.

Is there anywhere that one can safely send a file of unknown risk, and find out if it is a threat, or if all is just coincidental?

Deleted file, emptied trash. Deleted email, emptied trash. But I still have a copy of this email and PDF on a remote server. Occasionally I have need to monitor company email and use a Hotmail account to do so without having all that junk come into my own machine. Just do 'batch' deletions.

I'm fully updated with XP, AVG, SpywareBlaster, Spybot, and Ad-Aware. Ran full scans and 'seem' clean, but I've seen baddies get past all of this a couple of times in the past and it made my life hell for days both times.

kaled

12:03 am on Oct 5, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The antivirus companies usually provide an email address to which you can send suspect files. I did this once and received confirmation that it was a virus - they already knew about it and it was included in the next day's update. (At no time did I open the suspect file so my PC wasn't infected.)

Kaled.

MatthewHSE

1:00 am on Oct 5, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Great. Not only could "trusted sources" begin sending infected PDFs, but the desktop search utilities will be helping the hackers by infecting everybody who knows not to open those dodgy attachments but forgets to disable the "index email attachments" option...