Wednesday, November 17, 2010

Another week, another Adobe security patch

Head on over, because this fixes some nasty stuff.  Even worse, it's cross platform (Windows, Mac, and Linux - it's a trifecta!):
Critical vulnerabilities have been identified in Adobe Reader 9.4 (and earlier versions) for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 (and earlier 9.x versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

In addition to addressing CVE-2010-3654 noted in Security Advisory APSA10-05 and CVE-2010-4091 referenced in the Adobe PSIRT blog ("Potential issue in Adobe Reader"), these updates also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-26.

Adobe recommends users of Adobe Reader 9.4 and earlier versions for Windows and Macintosh update to Adobe Reader 9.4.1, available now. Adobe recommends users of Adobe Reader 9.4 and earlier versions for UNIX update to Adobe Reader 9.4.1, expected to be available on November 30, 2010. Adobe recommends users of Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh update to Adobe Acrobat 9.4.1.
These code bases are pretty old, and the protocols (PDF, Flash) are even older.  That's where a ton of security bugs hide, in old code that contains a lot of complexity but which doesn't get executed very often.  Sadly, I don't expect to see a change soon, so stay tuned for updates in the future.

I have to say, though, that this is getting pretty confusing even for me - and that means that it's likely impossible for non security professionals.  This patch seems related to last week's, but different.  It would be nice if Adobe were able to take some of the confusion out of the process.

On the other hand, this is being exploited in the wild, so kudos to them for releasing a patch out of cycle.

Via The Register, where John Leyden adds some good background:

Updates to Adobe software are important because its software (particularly its PDF software) has been a number two target for hackers for some years. It only lags behind attacks on Microsoft applications and operating systems.

Adobe is applying a lot of effort to remedy this situation, but its efforts thus far have largely failed to impress. Part of its problem stems from the extravagantly open nature of the PDF specification, which supports all manner of scripting and embedded functionality that isn't needed in day-to-day use of the technologies, while offering opportunities for all manner of security exploits. Alternative PDF viewing applications, such as FoxIT, have also had problems on this score.
My take is that it was the 1990s tech bubble "Underpants Gnomes" software development strategy:
Step 1: Add crazy scripting capability to turn PDF into a mini Operating System.

Step 2: ???

Step 3: Profit!
 Of course, when you turn your document reader app into a mini OS, you now have OS-style security craziness.  Sigh.

1 comment:

Retardo said...

PDF is PostScript, and PostScript is a Turing-complete programming language. PS itself is from the 1980s. As for using it in PDF, that wasn't completely crazy: They needed a high-quality vector/typesetting file format, and they just happened to have one lying around.

It's a fun little language. Postfix syntax: To add 3 + 4, you push 3 on the stack, push 4 on the stack, then execute the "add" instruction. It's also a bit of a time capsule: No garbage collection, very primitive string handling, etc.

In modern terms, more of a toy than a real language, but it's small enough to cram into whatever they used for permanent memory in high-end printers circa 1982 (EPROM?).

Security just wasn't the same kind of issue back then.