In the Fuckup Olympics, there is Adobe and there is everyone 
DD InfoSec Oyabun
Degen Index: 55
Joined: 04 Feb 2007
Posts: 8622
Jesus Christ, where to begin?

This is going to be a long thread but let me get the important points out of the way.

There was a recent Security Threat Watchlist poll on a well trafficked Information Security site, prompting security admins to vote for what was going to be the biggest security nightmares of 2010.

#1 Adobe

#2 Adobe

Adobe's Acrobat & Flash took top two slots.

And yes, you read that right; Adobe Acrobat. As in PDFs.

Little known fact about PDFs; Adobe originally designed them to be a *replacement* for HTML. The original vision was to have entire websites posted online in PDF format. A heady ambition, that. But if you look closely, you can see the functionality is all there: hyperlinks, image embedding; as long as you have Acrobat installed as a browser plugin, you can basically navigate a well architected PDF document exactly like it was a website. There are even some functions that you can't have in a website, such as digital signatures when "signing" forms; certain math abstractions are capable within the PDF platform itself, so on and so forth.

So it might not surprise you to find out that you can embed Javascript in PDFs.

What you might very well be surprised to find out, however, is that Javascript is enabled by default in Acrobat.

Why is this a problem, you ask?

Let's ask Google:

Results 1 - 10 of about 1,300,000 for javascript security exploit. (0.32 seconds)

Javascript is one of the most easily abused vectors for websites in history. In fact, one of the primary reasons why Google ends up blacklisting sites is because of malicious javascript being detected.

So it came as some shock to the security community when someone discovered that a PDF sent to an obscure government email address around December 1 passed all the anti-virus scanners with flying colors, but still managed to download and install malware when opened in Acrobat.

Discreet alarms were raised. Adobe was notified and a public announcement was made, warning everyone that Javascript was enabled by default in Acrobat and PDFs were being used to perform targeted attacks.

And this is where things get really, *really* fucked up.

A few days before Christmas, Adobe released a press statement acknowledging the issue.

And then, it sent all its dev teams home for the holidays.

Stop and read that again; Adobe understood the threat, publicly acknowledged its existence, and knowing full well that one of the most ubiquitous computer file formats in existence could be manipulated to attack fully patched computers, sent their programmers home to celebrate their holidays without releasing a patch.

Their advice was to disable Javascript, but the original public disclosure announcement indicates quite clearly that this isn't even an effective prophylactic measure!

Now Adobe are saying we can all expect a patch "in the coming weeks".

And in the meantime, all anyone can do is block PDFs at their mail servers and firewalls.

Which is happening all over hell and gone, right now.

The general assumption as it stands is that 2010 is the year that *all* Adobe products get blacklisted on all Corporate and Government IT deployments.

I will be outlining some of the nightmare scenarios that have made Flash a dirty word as well in coming posts; I need to take a long hot shower first tho.



Tue Dec 29, 2009 1:27 pm
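The post above leaves a defender with two blunt options: turn JavaScript off in Acrobat or block every PDF at the mail gateway. A mail filter or incident responder who would rather triage than block everything needs a quick way to tell which PDFs actually carry script or an auto-run action. The following Python scanner is an added example, not code from the original post or from Adobe; it looks for the PDF name keys that make a document run something (/OpenAction, /AA), carry JavaScript (/JavaScript, /JS) or start a program (/Launch). It also undoes #xx hex escapes in names and inflates Flate-compressed streams, because both are common ways of hiding those keys from a naive string search. The three sample PDFs are constructed inline and are harmless (the only "script" is a single app.alert call); the simplified object-stream layout is an assumption made for the demo, not a spec-exact ObjStm.

```python
import re
import zlib

# Name keys worth flagging. /OpenAction and /AA make the document run something
# automatically, /JavaScript and /JS carry script, /Launch can start a program.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
# Keys that on their own justify quarantining the file instead of just noting it.
BLOCK_KEYS = (b"/JavaScript", b"/JS", b"/Launch")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, e.g. b'/Java#53cript' -> b'/JavaScript'.

    Applied to the whole buffer rather than only inside names; for key spotting
    that is harmless and keeps the function simple.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflated_streams(data: bytes):
    """Yield the decompressed body of every stream that inflates as zlib/Flate.

    Objects tucked into a compressed object stream are invisible to a raw byte
    search, so every stream body is tried; non-Flate streams fail and are skipped.
    """
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            # decompressobj tolerates the newline that precedes 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue


def scan_pdf(data: bytes) -> dict:
    """Return {key: count} for each suspicious key in the raw file and in inflated streams."""
    views = [normalize_names(data)]
    views += [normalize_names(body) for body in inflated_streams(data)]
    counts = {key.decode(): 0 for key in SUSPICIOUS_KEYS}
    for view in views:
        for key in SUSPICIOUS_KEYS:
            # the key must be followed by a delimiter, so /JS does not match /JSomething
            pattern = re.escape(key) + rb"(?![A-Za-z0-9_])"
            counts[key.decode()] += len(re.findall(pattern, view))
    return counts


def is_risky(data: bytes) -> bool:
    """True when the PDF carries script or a launch action: the files the post is about."""
    counts = scan_pdf(data)
    return any(counts[key.decode()] > 0 for key in BLOCK_KEYS)


# --- constructed samples (harmless) ---
# 1. Plain: the document-open action points at a JavaScript action object.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# 2. Obfuscated: the same action object, but with the name hex-escaped and the
#    object placed inside a Flate-compressed stream (simplified layout, assumed for the demo).
_hidden = b"4 0 obj << /S /Java#53cript /JS (app.alert('constructed sample')) >> endobj"
_blob = zlib.compress(_hidden)
OBFUSCATED_PDF = (
    b"%PDF-1.5\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    + b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    + b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_blob)).encode() + b" >>\nstream\n" + _blob + b"\nendstream endobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# 3. Clean: a one-page document with no actions at all.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in (("plain", SAMPLE_PDF), ("obfuscated", OBFUSCATED_PDF), ("clean", CLEAN_PDF)):
        print(f"{name:10s} {'RISKY' if is_risky(pdf) else 'ok':5s} {scan_pdf(pdf)}")
```

Dropping a scanner like this in front of a mail gateway gives a middle ground between the two options the post describes: a PDF with /JavaScript, /JS or /Launch is quarantined, one with only /OpenAction or /AA is worth a look, and everything else passes. It is a string-level heuristic, not a parser; encrypted PDFs and filters other than Flate would need real decoding before this check can see inside them.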
DD Mushroom Stamping Mod
Degen Index: 37
Joined: 23 Feb 2005
Posts: 13623
I believe that .pdfs were how the Chinese government got into Google.cn and viewed the header, but supposedly not the contents, of emails related to Chinese civil rights activists, prompting Google to announce they're leaving China. The cool thing is that apparently Google's security team hacked into a server used by the attackers and discovered the other 20 major US companies that had been attacked.


Sun Jan 17, 2010 2:26 pm
DD InfoSec Oyabun
Degen Index: 55
Joined: 04 Feb 2007
Posts: 8622
DirtyB wrote:
I believe that .pdfs were how the Chinese government got into Google.cn and viewed the header, but supposedly not the contents, of emails related to Chinese civil rights activists, prompting Google to announce they're leaving China. The cool thing is that apparently Google's security team hacked into a server used by the attackers and discovered the other 20 major US companies that had been attacked.


I have some semi-conflicting details on Project Aurora (the targeted PDF attacks) and whether or not it actually had anything to do with the Google hacks (plural). Aurora definitely was responsible for the Adobe intrusion, however.

I'm waiting for confirmation on some of the background regarding the activist/Google hacks; there are some discrepancies in the public info that make no sense to me at this point.

For example, the activist email hacks had nothing to do with google.cn. They were perpetrated almost a year ago IIRC and were simple phishing attacks against known activists.

Also, Google originally implied that proprietary code had been compromised from the google.cn office based attacks, a detail that's been scrubbed completely from all PR since.

So it sounds like Google is in full PR/Spin mode here and trying to leverage the event in an effort to undo the damage their compliance with Chinese law had on their public image here.



Tue Jan 19, 2010 6:17 pm
Site Admin
Degen Index: 19
Joined: 08 May 2004
Posts: 13770
god damn this forum is a great idea.



Tue Jan 26, 2010 6:02 pm
Copyright © 2009-2011 Donkdown.com LLC