The Decline and Fall of the Adobe PDF
If you haven’t already heard yet, there’s another security vulnerability in the Adobe’s widely used portable document format (PDF). What’s different this time around is that the security hole affects not only a single vendor’s product (still looking at you, Adobe), but many alternate products that utilize the PDF specification itself. Take a look at the two links below to see how one newly discovered vulnerability has morphed into something far more dangerous:
Initial Report: http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
For those disinclined to wade through the technical discussion, they essentially state that it is now possible for an attacker to modify a PDF file, any PDF file, in such a way as to embed executable code that will run upon opening a document. User’s receiving and opening such a file a user will still be presented with a prompt requesting permission to launch the code, something an intelligent and informed user should recognize as an immediate red flag, but, as the examples in the above links illustrate, an attacker can modify part of the language of the prompt to be something as apparently benign as “Click OK to view this PDF”. As most uninformed users will blow past such prompts without so much as a second’s pause to consider the actual content, the probability of a successful exploit is high. If such a user allows the code to execute, it can do pretty much whatever an attacker wishes it to do: Erase files, launch malware installers, or, as the second link explains, infect every other PDF on the system by applying an incremental update that allows new executable code to be injected into previously saved, and previously clean, PDF files. It’s the “I Love You” virus all over again.
PDFs used to be a great and fairly secure way to shoot a static copy of a document around the web. The “Portable Document Format” was initially considered such a safe way to swap docs that many user conceptually considered it a “Protected Document Format” as well. As Adobe had simultaneously released its Acrobat Reader software as a free download, more and more people became exposed to the format’s charms, and hooked on its value. The format grew hugely popular, and Adobe saw its prestige and reputation flourish as PDF became a near de facto standard for document exchanges in the business world.
Then something changed.
Someone at Adobe looked upon the successful standard they had created, and decided it wasn’t good enough. There seemed to be a perception that their hugely popular, and proprietary, format might also serve as a means to expand their market share into areas where they lacked historical experience. They began making incremental changes to the PDF specification to add additional functionality, a lot of which had very little to do with viewing a document. It seems as if Adobe got it into its head to move the humble PDF from the realm of “just a document format” into the realm of “content delivery platform”, a sort of replacement for the web. PDFs could suddenly “do” things. Programmatic form automations appeared, followed shortly by the addition of scripting capabilities that could trigger external utilities, or display animations or video. The PDF specification itself began to bloat as developers squeezed in more and more functionality that went well beyond the scope of the original idea of a simple and “safe” document file format.
End users began to notice the changes as Adobe’s PDF viewer application, Acrobat, began to suffer from ridiculously longer and longer load times. Competitors arose to challenge Adobe’s dominance, and many succeeded simply on the promise that their software was light years faster than Acrobat. And yet Adobe continued to pack even more features into the specification. It began to appear as if Adobe, sensing the criticism, decided that rapid development was better than thoughtful development, and that no one at the company seems to have sat still long enough to ask themselves whether all of these new capabilities a features were needed. A tremendous amount of development time, energy, and money was being expended to satisfy the needs of niche users, at the expense of the needs of regular users just looking for a static file format.
Then the security woes began.
Along with the addition of all the new features to the PDF specification, Adobe seemingly simultaneously unleashed a host of serious vulnerabilities on its users. The company got so caught up with expanding the format they simply forgot to pay attention to the basics of programming security. Zero-day attacks appeared with alarming regularity, and the company’s initial responses were, to be generous, feeble at best. An update mechanism was introduced, but done in such a heavy handed way that end user security was actually reduced by the ridiculous demand that a document viewing application have full administrative privileges. Then the updates themselves began introducing new vulnerabilities, and end users began to see increasingly disturbing reports that the file format they had come to depend upon might not be a friendly as they had been led to believe. People would perform a recommended update, only to discover within hours that there were vulnerable once again. Adobe further aggravated the issue by advising users that one way they could avoid one vulnerability was to disable a feature that rightfully should have never been installed in the first place. This was followed shortly after with a recommendation that people refrain from opening received PDF files, a statement that flies directly in the face of the purpose of the format itself! Today’s revelation that things are getting even worse from a security perspective has finally brought me to a point where it has become painfully necessary to draw a line in the sand.
Adobe, enough is enough. It’s time for you to start getting your shit together.
As users, we are fed up with the endless stream of bad bout your products coming from security researchers. We are sick and tired of seeing what was once a venerable format destroyed by the cancerous growth of new features that have nothing to do with viewing a document being added just for the sake of having them. We can no longer find the time in our days to devote our undivided attention to this one product, simply because we have a need, and in some cases a requirement, to keep our enterprises safe. It is no longer feasible for us to keep telling our users, “Don’t worry, one day they’ll get it right. Just be very careful and don’t open any PDFs you didn’t expect, even if a core part of our business depends upon them.” You are treading dangerously close to the line where your customers will stage a revolt. It is time for you, Adobe, to fix these problems, rather than expect your customers to “grin and bear” them. We are sick and tired of endlessly tiptoeing around your mistakes. The PDF exchange, once considered so safe to be nearly carefree, is now a veritable minefield, and you have still not risen to the challenge of addressing our concerns.
The way I see it, there are a couple of things that you can do. The first is to declare an immediate feature freeze on the the ENTIRE Acrobat product line, and any “companion” software plugged into it, pending a full and thorough security review. No new features, and no new releases, until every single line of software code has been physically examined, tested, and reviewed for both suitability of purpose and overall security. The second is to institute a formal review of the entire PDF specification with the goal of making an honest evaluation of whether or not all of the features present are of “critical need” or simply to satisfy niche users. Features falling into the latter category, should be removed or folded into an alternate product. Lastly, if unwilling to do either of the above, at least show your customers a little mercy by developing and releasing a stripped down version of the Acrobat Reader that does not include any of the dangerous features currently making our lives miserable. A “minimalist” application such as this would go a long way towards bringing the format back into the fold of safety and simplicity.
I suffer no illusions that my personal opinions in this matter will carry any weight beyond the context of this blog post. I can, however, state with some certainty that my opinion is in line with that of many others who have grown tired of what we perceive as a lack of sensible direction on the part Adobe’s upper management. Because of their lack of leadership, they have alienated this one customer, and while that alone may not be enough to give them pause, they should at least consider the possibility that there are others who may feel the same way. For my part at least, I can no longer recommend that any Adobe products be used.
It’s high time the portable document format returned to being just a document format.