Tuesday, March 30, 2010

PDF freezes Reader, unless it's opened...

Two months ago, I approached Adobe with a legitimately-generated PDF, i.e., created by Adobe products, that caused Adobe Reader to freeze. I asked for a place to submit the file, never received a response, so I am attaching that file here. If I am contacted by an Adobe representative who wishes to examine the file, I will provide the password. Permission is not given for any other use.

Steps to duplicate:

* Double-click the document, OR open Reader and attempt to open the document before 6-15 seconds have transpired.

* It does NOT matter whether the document is opened in a browser, a different OS, a different bit-depth, or Reader version.

Workaround:

* Open the PDF after Adobe Reader (in this case 9.1.2) has been running for 6-15 seconds, regardless of OS, bit-depth, browser, or Reader version.

If anyone else has experienced a similar issue, I would love to know what might lead to the above-described behavior. If I can then duplicate it, I would be happy to assign points. Unfortunately, the attached file must be kept as a private communication between Adobe and myself.

This is not an avenue for technical support. You need to pay Adobe for technical support for Reader. The cost I believe is $39 for a single incident.

Technical support implies that I need them to fix the problem for us, which I did not specify. We worked around the issue before I made the first report.

My concern lies in the fact that it appears to be ridiculously easy--with commercial Adobe products--to generate malformed documents that can bring YOUR system to its knees with no effort whatsoever on my part. Imagine if someone were to tie a browser exploit into a timed delivery of the above document; you'd have to terminate all associated processes, and you'd be left with little proof.

Since we've already paid for CS2 through CS4, Adobe Pro, Flash, Photoshop--and in some cases multiples of each--I still remain somewhat surprised that an offer of assistance from the security-oriented community goes nowhere, and a request for a place to submit a candidate exploit is mistaken as a request for support. It's been at least 60 days from initial notification, which surpasses many ethical reporters by at least 1/3.

The offer to submit still stands. I see no reason to publicize the problem at this time.

So this is actually an issue with Acrobat, not Adobe Reader? Then maybe you should use the Acrobat support channels. (I don't know the details, but since you paid for the product, it may include free product support?)

Or if it is a security issue, as per your last post, then I don't think the Adobe Reader forum is in any way able to help.

With an experienced and patient laugh, no (though it's also affected), and again: it's not a request for support. Perhaps I should put this into the perspective from which I appeared:

http://www.blackhat.com/

http://www.defcon.com/

http://isc.sans.org/diary.html?storyid=6541

If it's unclear why I'm referencing those links, this response may be short enough to encourage a slightly different focus.


Edit: I didn't immediately see Pat's note about security, but after considering that I'd failed to approach this in a way that facilitates forum assistance, a bit of focused digging revealed the following links:


* http://blogs.adobe.com/psirt/atom.xml

* http://www.adobe.com/security/


So as not to be a person who never resolves his own threads for the benefit of others, anyone with a security issue--finding no response via standard customer service or here (understood inappropriate, but I had no other information)--may wish to use [Report a security issue] at the second address, above. Approached sideways, there's some use in both responses, so I'm marking both as helpful and punting this topic. Professionally and politely: thank you for your input.

Message was edited by: Infotech Capital. Marked as answered.
