Sophos Cloud Optix
Adobe’s Patch Tuesday fixes are out.
This is business as usual, promised long in advance and expected toay, so there isn’t anything in it related to the company’s recent network intrusion woes. (We hope!)
There’s a RoboHelp update, discussed in APSB13-24, and fixes for Version XI of Acrobat and Reader, discussed in APSB13-25.
The RoboHelp bug allows potential RCE, or Remote Code Execution, so you definitely want the APSB13-24 patch if you’re a RoboHelp user.
The Reader XI and Acrobat XI vulnerability is a little different, and it’s just the sort of bug that Adobe could have done without right now, because it’s what is known as a regression.
If you’re on Reader X or Acrobat X, you’re not affected and can stand down from high alert. For now, anyway.
In programming, a regression is when you make new changes that inadvertently counteract various previous changes and, hey presto, a bug that you thought you’d got rid of returns.
If you like, a regression is a sort of anti-patch, where you repeat a mistake you fixed already.
Adobe isn’t giving a lot of detail away, but does say:
This update resolves a regression that permitted the launch of Javascript scheme URIs when viewing a PDF in a browser (CVE-2013-5325).
The scheme in a URI is the part at the beginning, like http://, or mailto:, that tells your browser how to get to the resource you’ve just specified.
Until fairly recently, most browsers allowed you to go the address bar and run JavaScript directly, by prefixing it with the scheme identifier javascript:, for example like this:
The hazards quickly became obvious once scammers starting luring you into “pasting the following web address into the address bar,” but including a JavaScript-based URL, not one that used HTTP.
→ There are hundreds of different legal URL schemes, from aaa: (a protocol to do with login, dealing with authentication, authorisation and accounting) to z39.50: (a search and indexing protocol that was made pointless by the web).
JavaScript-based URLs are now considered harmful in your browser’s address bar, and so browsers simply ignore them.
So will your Adobe PDF plugin, once you’ve updated.
Should you patch Reader and Acrobat?
And that raises an interesting question: should you apply this patch?
After all, some of you might be feeling a bit cagey about accepting Adobe’s patches right now.
The company just admitted that hackers were able to break in and exfiltrate 40GB of product source code from the corporate network, almost certainly including Acrobat.
What if the crooks were also able to make commits? (That’s where you save back changes so they can be compiled into the next build.)
If they did so, and their changes weren’t spotted, malicious modifications could now be part of an official release.
My own opinion is that this is highly unlikely, not least because modern software engineering tools make it comparatively easy to track the changes to the source code files in a product between builds.
Also, remember that this patch deals with fixing a regression – “repatching” a previous patch – rather than with a shepherding in a huge raft of changes throughout the product.
So it’s reasonable to assume that if Adobe’s recent unauthorised visitors really had made any malware-related modifications, they’d surely have been spotted before release.
In short, if I were an Acrobat or Reader user, I’d take the update.
Of course, as an OS X user my PDF needs are met without having Reader or Acrobat installed, so it’s easy for me to say that – a botched release wouldn’t affect me directly.
This is a pretty convoluted article. I do not know if you say yes to running the patch or no. So it isn't very helpful for doing anything but making me worried, since I have XI already. Sorry, I usually appreciate the articles, but this one, not so much.
I apologise if you're worried now. I tried to make it as clear as I could given that no-one (not even Adobe) seems to know how much to trust Adobe's software builds right now.
To summarise what I said above:
* Some people are worried about applying Adobe patches right now – what if there is code snuck in there by the crooks?
* But the patch for Reader and Acrobat doesn't seem to involve a huge amount of change, so Adobe (we hope) would have been able to review the changes thoroughly and should have seen any unauthorised modifications.
* So I think it is reasonable to assume the patches are safe.
* But I don't use Reader or Acrobat since I have OS X, and that has the PDF functionality I require built in, so it's easy for me to say that 🙂
And now, I'm afraid, *you have to make your own mind up*. I can advise you, but I can't be certain.
If you're worried, why not drop back to version X? Or use a different PDF reader/maker? (You don't say which product you have. If Reader, then there are a lot of alternatives to Adobe's offering. So trying something else is not such a wild idea.)
PS. I have added a sentence at the end to say that I'd take the update if I were an Adobe user. Hope that makes things clearer.
I don't need reader or acrobat. I got another program that can open that kind of stuff. That said I wish they would fix their flash so that we have less problems with it.
I wish we could abandon flash and move to better alternatives.
If you use it mainly for watching videos or listening to podcasts, HTML5-based browsers (all of them these days?) can pretty much spare the need for Flash.
Mind elaborating on how?
I thought you were forced to use Flash for a lot of Youtube's videos (I enabled HTML5, but not every video supports it yet).
Well, I said "pretty much"…maybe just stick to watching videos that are transcoded for HTML5 players?
Like, ahhhhh, Sophos 60 Second Security, every Saturday – the latest security news with a twist of humour and a tolerably small sprig of cynicism. I've heard it's excellent 🙂
You could always install Flash and only turn it on when you really need it. (That's what I do, when I want to check that the Flash version of 60 Sec Security plays correctly. Then I turn it off again. Not quite the same as disavowing it altogether, but it works for me.)
Haha.
Guess that would be the best way to go right now.
Thanks for a lucid and informative article (as usual). I appreciated the explanation about URI schemes. I also appreciate knowing that Reader X and Acrobat X aren't affected.
I too use Preview for most everyday PDF functions, but I occasionally author encrypted, user-fillable forms in Acrobat Pro X. It has never been clear to me what was the advantage in going to Acrobat Pro XI. Now it's clear that there was at least one disadvantage. 😉
Paul wrote: Until fairly recently, most browsers allowed you to go the address bar and run JavaScript directly, by prefixing it with the scheme identifier javascript:, for example like this: javascript:alert('Popup')
Uhhh, this still works on MSIE8, the latest version offered for Windows XP (which is still in support.)