Adobe Reader: your PDFs have been hacked

Oct 16, 2013   //   by Daniel Kranowski   //   Business

Security breaches happen so frequently now at big-name companies that you can hardly call them “high profile” anymore, but I was particularly amazed to hear about the gaping hole blasted through the castle walls of Adobe. It happened back in August and was just made public in October. Here’s the boring part first: hackers grabbed passwords and credit card information on 2.9 million user accounts. I personally got an email telling me to change my password, no big deal. If I were paying them directly for products then I’d have also gotten an email about my compromised payment information, and that would have made me sweat a bit: I’d have to call my bank, ask for a new credit card number, and check all the recent payments. But this is not really the exciting part. What really stuns me about the Adobe breach is that these hackers also stole the source code to several Adobe products, including one of the internet’s most widely used closed source software programs: Adobe Reader.

Before I go any further, let me mention the security wizards who uncovered the breach: Hold Security LLC’s Deep Web Monitoring Program found the stolen code on a hacker site, and Brian Krebs broke the news on his blog.

So why does it matter that some bad guys have the source code to your PDF reader software? PDFs are everywhere, and Adobe Reader is the most common client to open them. On the internet, the Adobe PDF file format is so frequently intermixed with HTML that users might hardly notice the transition when they click a PDF link. If you have the Reader plug-in, your browser will render the PDF inline like any other web page, maybe with a short spinner delay. When you open a PDF on your filesystem or a PDF attached to an email, it launches the normal Reader application. Either way, the PDF file is a set of instructions to the Reader program, so if you open it the Reader will do whatever the PDF file says to do, within the limitations of the Reader’s ability to access system resources.

It also matters that Reader was previously closed source, and suddenly became open source to only the black hat community. True open source software goes through an incubation period before it is officially blessed for use by the masses. During the incubation period, the whole world gets a chance to poke at it, to find and fix bugs, including security bugs. If the project matures enough to maintain interest, gradually it gets adopted for production use. Closed source software does not get the benefit of public inspection. So for Adobe Reader to get intimate inspection while the product is in heavy worldwide production use is, in a way, a twisted advertisement for the benefits of the open source process.

The near-term threat is that the hackers start publishing tainted PDFs. By “tainted” I mean “makes your computer very unhappy after you open it.” Even though the program is called “Reader,” it has the ability to write files to disk as well, such as PDFs with your personal annotations, or runtime cache and temp info files in the local user profile directory. It can also render URL web links and access the internet to check for and download upgrades. Suppose an input PDF could be loaded with intentionally bad data that causes Reader to exercise its power of disk writes and HTTP networking? That’s pretty much all the dangerous power you need to write a PDF that destroys or takes over the computer that opens it. I’m not saying it’s easy, but black hat attacks are all about the exploitation of hidden weaknesses, and the weaknesses won’t be so hidden when the source code is just sitting there like a book on the coffee table.

I paused a minute here to look at the PDF specification version 1.7, which has always been publicly available. This spec is over a thousand pages long. Something tells me there is an enormous list of unresolved bugs and security holes in Adobe Reader.

As the innocent bystanders, our job is to stay safe the old-fashioned way: surf on safe websites. Don’t open attachments from strangers. Install security updates when vendors find and fix their bugs. Ah yes, updates. With Adobe Reader, an update can take the form of a huge download that completely replaces your old installation. Users are accustomed to this now.

This brings me to the long-term threat from the theft of Reader source code: the black hats could completely replace our existing Reader installation with their own malicious version, and we would never know. Reader periodically checks for updates, and may prompt the user to update when opening a PDF whose internal version seems newer. The bad guys could attack our DNS and spoof the server, or taint a PDF file to force Reader to update from an alternate web address. After our computer installs the bogus update, it appears to continue operating normally because all the code is still there to process PDF files, but any extra code added can turn our computer into a botnet slave. The replacement threat exists with all software that performs an online update, but it becomes a lot more possible when the software is very widely used and its weaknesses were only recently exposed to the public eye.

So now it’s a race between the lean, agile Adobe software developers and the possibly well-funded bad guys to see who can find the security holes first. The stakes are high because mission-critical enterprises use Reader: public utilities, the finance sector, the government, everyone really. And everyone remembers to apply security updates, right? In defense of Adobe, they know the software better than anybody. The bad guys are like new hires on the team, and it will take them months to figure out how the source code works, if they can even figure out how to make the code compile correctly.

Even though it’s a big black eye to the trustworthiness of the formerly mild-mannered PDF file format, all is not lost. Adobe can keep patching security holes and enhance the Reader to identify tainted PDFs, just as a good web form handler rejects inputs that are clearly SQL injection. As for the Reader installation itself, Adobe could also implement a self-validation step on startup, like Windows Genuine Advantage. Or rely on traditional antivirus scanning to find malicious code fragments in the installed executable files. A more radical approach would be for Adobe to admit the barn door is open already, and open source the codebase to the world. Charge for enterprise support and ask the wider audience of white hats to make the product bulletproof.
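To make the update-replacement threat and the self-validation idea concrete, here is an added example (my own code, not Adobe’s, and not how Reader actually updates) of a client-side update check that pins an HTTPS host and verifies an Ed25519 signature on the downloaded payload with a vendor public key baked into the installed program; the host name, key pair and payload are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

const pinnedUpdateHost = "updates.example.com" // constructed placeholder host, pinned in the binary

// Vendor side: sign the SHA-256 digest of an update payload with the vendor's private key.
func signUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

// Client side: refuse an update source that is not HTTPS on the pinned host. This blocks a PDF
// that redirects Reader to an alternate address, but not a spoofed DNS answer for the real host;
// only the signature check below covers that case.
func updateSourceAllowed(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	return u.Scheme == "https" && u.Host == pinnedUpdateHost
}

// Client side: verify the downloaded payload against the vendor public key shipped inside the
// installed program. A spoofed server has no way to forge this signature.
func verifyUpdate(pinnedPub ed25519.PublicKey, payload, sig []byte) error {
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pinnedPub, digest[:], sig) {
		return errors.New("update signature does not verify against pinned vendor key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair for the demo
	genuine := []byte("constructed sample update payload v1.2.3")
	sig := signUpdate(priv, genuine)
	fmt.Println("genuine update:", verifyUpdate(pub, genuine, sig))
	tampered := append([]byte{}, genuine...)
	tampered[0] ^= 0x01 // flip one bit, as a replacement carrying extra code would change many
	fmt.Println("tampered update:", verifyUpdate(pub, tampered, sig))
	fmt.Println("source allowed:", updateSourceAllowed("https://updates.example.com/reader.msi"),
		updateSourceAllowed("http://evil.example.net/reader.msi"))
}
```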

Another approach for users is to ditch Reader entirely. As noted above, PDF is an open standard now, and Firefox 19+ and Chrome 6+ have their own built-in PDF viewers which you can use instead of Adobe Reader. In Firefox, go to Tools > Options > Applications > Portable Document Format (PDF) and choose “Preview in Firefox.” In Chrome, type chrome://plugins in the URL bar, then disable Adobe Reader, and make sure Chrome PDF Viewer is not disabled (no need to check “always allowed”). I use the Chrome built-in PDF viewer all the time and I like it even better than Adobe Reader because it adds less visual clutter. Both Firefox and Chrome are open source projects. You could even use their built-in PDF viewers to read PDFs you’ve already downloaded simply by writing a script to load them in the browser. In Windows you would just associate this script with the PDF file extension.

But, of course, just don’t open that big scary PDF sitting in your Spam email folder…