Elevation of Privileges with Adobe's Reader 8.x plugin

Since Adobe Reader 9.0 just got out, let me give you an explanation why it is useful to update.

Adobe Reader 8 has a feature to save memory, which is a good purpose in itself, if only it didn't go a bit too far. When you open your first PDF, a full instance of Adobe Reader is started, but whenever you, or anyone else in your WindowStation, open additional files, parts of the already open instance are reused.

This in itself is no problem on single-user machines. But as soon as more than one person is using the computer, or more specifically if one person is using the computer through multiple accounts, a PDF opened with restricted rights can gain the rights of the first Reader instance, e.g. administration rights.

Let's for example assume the situation we tried to address through our AlterEgo application, since it allows the problem to be reproduced easily: most users work with administrator privileges day to day, and with the Internet being the number one source of any kind of malware, the sensible move is to run browsers under the privileges of a separate, restricted user account. The Linux world has been using this concept for decades in an even stricter sense: using a restricted account for daily work and sudo-ing tasks that require administrator privileges (the exploit works in this safer scenario as well; the attached example would just have to be adjusted by switching roles). In the Windows world, sudo is implemented through runas.exe.

Now, you would assume that if your browser is running restricted, any PDF you view on the net, like those worms reappearing every few months targeting new exploits (for example this latest one), would run restricted as well. But if you opened a PDF as an administrator before, the PDF opened in the Reader plugin fully integrated into your browser will open with the privileges of the administrator account as well. To test, try to save it through your browser's Save function and you'll only be able to see the restricted user's documents folder, but from the plugin's Save button you'll be able to see and save in the administrator's home folder.

Attached to this post is a batch file to automate demonstration of this.
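A defender-side check for the precondition described above, as an added example (it is not the batch file attached to the original post): it parses `tasklist /V /FO CSV` output and flags browsers that share a session with a Reader process owned by a different account. The image names, the use of the session number as a stand-in for the WindowStation, and the sample data are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

READER_IMAGES = {"acrord32.exe"}                  # assumption: Reader 8 image name
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe"}  # assumption: browsers in use

# Constructed sample in the format of `tasklist /V /FO CSV`;
# host and account names are made up.
SAMPLE = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1480","Console","0","21,004 K","Running","WS01\admin","0:00:12","N/A"
"AcroRd32.exe","2312","Console","0","48,120 K","Running","WS01\admin","0:00:03","report.pdf - Adobe Reader"
"firefox.exe","3056","Console","0","95,332 K","Running","WS01\surf","0:00:41","Mozilla Firefox"
"iexplore.exe","3388","Console","0","40,100 K","Running","WS01\admin","0:00:05","Windows Internet Explorer"
"AcroRd32.exe","4012","RDP-Tcp#1","2","30,556 K","Running","WS01\bob","0:00:01","Adobe Reader"
"firefox.exe","4100","RDP-Tcp#1","2","80,004 K","Running","WS01\bob","0:00:09","Mozilla Firefox"
'''


def find_shared_reader_risk(tasklist_csv):
    """Flag browsers sharing a session with a Reader owned by another account."""
    readers = defaultdict(set)    # session id -> accounts running Reader
    browsers = defaultdict(list)  # session id -> (image, pid, account)
    for row in csv.DictReader(io.StringIO(tasklist_csv.strip())):
        image = row["Image Name"].lower()
        session, user = row["Session#"], row["User Name"].lower()
        if image in READER_IMAGES:
            readers[session].add(user)
        elif image in BROWSER_IMAGES:
            browsers[session].append((image, int(row["PID"]), user))
    findings = []
    for session, procs in browsers.items():
        for image, pid, user in procs:
            # Reader instances in the same session owned by someone else
            others = sorted(readers[session] - {user})
            if others:
                findings.append({"session": session, "browser": image, "pid": pid,
                                 "browser_user": user, "reader_users": others})
    return findings


if __name__ == "__main__":
    for f in find_shared_reader_risk(SAMPLE):
        print("session {session}: {browser} (pid {pid}) runs as {browser_user}, "
              "Reader already runs as {reader_users}".format(**f))
```

On a live host, the output of `tasklist /V /FO CSV` run from an elevated prompt can be passed to `find_shared_reader_risk` in place of `SAMPLE`.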

The danger of it? That depends on how many Windows administrators (and those who do not even know they are) actually try to protect themselves, since if their browser ran on an administrator account as well, there would be nearly no further elevation possible either way. The ugly thing is that Adobe's single-user operating system approach reduces security exactly for those users who try to work more safely in the first place.

Sorry it took me so long to post this proof of concept; as you might've seen I wanted to some weeks before, but communicating with Adobe was one big nuisance. If you're a paying owner of any Adobe product, you probably have already encountered their support department, which I rank #1 in arrogance among any commercial company I've been in contact with so far. People there seem to get paid by closed case, so that solving a problem is an absolute negligibility. Cases are closed after copy'n'pasting irrelevant text. Errors on the website are not forwarded to be fixed, e.g. if an email form is too exhaustive and rejects valid email addresses, the recommendation would be to create a new email address to contact Adobe. Only after nearly a dozen emails of begging to listen, they acknowledged and fixed the bug. Not that they would've informed me about a bug fix of course, but today's test on Reader 9 showed that it is not reproducible any more.

My conclusion: should you ever hear anyone from Adobe complain about pirated Photoshop copies on the net, give them a healthy laugh - my full understanding goes to everyone who doesn't want to be humiliated by these guys when requesting the paid-for support. Wait, did you expect a conclusion about the bug? Well, the bigger the bug, the more people between you and the ones who understand a bit about security issues, there's nothing new on that front really.