The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.

The impact of this flaw increases exponentially because of Acrobat’s wide deployment.  The Portable Document Format (PDF) associated with Acrobat is nearly ubiquitous, and the Reader version is included with nearly every OS downloadable off the Internet, bought in stores, or pre-loaded on shipping systems.  Plus, it’s a standard IT deployment in corporate desktops.   This vulnerability touches them all: Windows, Linux, Mac, Solaris and other Unix variants, and as mentioned earlier, practically every version and release of Acrobat.  

This is not the first time Adobe’s best known product has faced this type of publicity.  A February 2009 flaw, also designated by Adobe as critical, was finally patched March 18th.  That flaw only affected versions 7, 8, and 9.  Numerous other flaws have been found in the past.

One big fear?  Not that this will result in an increase in the number of “zombies”, or computers controlled remotely that form the basis of so-called botnets, which will happen.   But more importantly the directed or fully targeted attacks on corporations and their privately held information.  The recently released, 2009 Verizon Data Breach Report cites 72% of attacks are either directed or fully targeted, where attackers select an entity in an effort to compromise machines within the institutional environment.  This could imply further attacks and breaches in the financial sector, such as those perpetrated against Heartland Payment Systems,  the medical community, like the recently announced 8M+ Virginia Prescription Monitoring Program records currently held for ransom, or even public utilities such as the US power grid.

Another consideration – software built on or around Acrobat.  In the security world, the National Security Agency created a product called NetTop, meant to allow simultaneous connections to multiple classified networks.  Thin client implementations of this sort of multi-level desktop existed within government contractors’ repertoire’s for quite some time, but the NSA’s NetTop took it one step further.  Information could be processed between the levels, creating something called a Cross Domain Solution (CDS).   The processing between the NetTop CDS levels would be handled by separate privileged applications based on COTS products.  

One of the products chosen – a seemingly benign, older version of Adobe Acrobat without all the bells and whistles – albeit probably adjusted and renamed past recognition.  The JavaScript processing vulnerability is probably not even exploitable on the NetTop system because of numerous mitigations such as likely security policies and best practices installation defaults.  But without an enterprise traceability matrix documenting how specific requirements are met, many people might overlook such a nested installation of a program within a product and not even put it on the list to be tested.  This is a great example of how wide our security and privacy processing net must be cast, the amount of detail necessary to detect a problem, and how far consequences may reach.

As far as the Acrobat vulnerability goes, Adobe’s instructions are:

To minimize the risk until an update may be found, disable JavaScript following the instructions below:

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

A simultaneously announced similar flaw dealing with javascript and the Custom Dictionary appears to affect a much smaller grouping of Adobe Acrobat products.  That flaw has yet to be confirmed by Adobe, but only targets Acrobat Reader 8.1 and 9, and should be mitigated through the same disabling of JavaScript.

The scheduled drug raid was a joint operation with MI5, MI6, the US Drug Enforcement Agency and organized by the Serious Organized Crime Agency.  SOCA received £416 million in funding for 2006 (about $625 million), but did not release how much of that budget went for the covert operation.  An internal source claimed to The Times – London that the aborted operation cost over £100m ($150M). The agent responsible for the loss, referred to only as ‘T’, lost her purse somewhere between the airline terminal, the immigrations checkpoint and a bus from El Dorado airport in Bogota, Columbia.  She was heading to her new office at the British Embassy.

A Soca spokeswoman said: “Soca has introduced its own clearly defined data handling and security policies. During the year to March 2009 — the first year we have been required to report any breaches — there wasn’t a single breach of personal or sensitive data by Soca staff.”

The agencies took the first steps by defining data handling policies and measuring/reporting against them.  An inquiry and formal investigation into the event occurred, and remedies put in place appear to be working.  The obvious question – why was encryption not used for this sort of situation?

The secure computer on a USB key was developed for just this sort of cloak and dagger thing. There are encryption routines built into every commercial operating system available today.  Dozens of security vendors sell encryption software, ranging from Full Disk Encryption, to mobile device encryption, to file level and storage encryption.  The US National Security Agency helped Microsoft with Windows Vista. They designed a security enhanced version of Linux.  The British Intelligence folks have their hands in a few secured systems as well.

Encryption ought to be just another wicket in the engrained security processes of an intelligence operation.  In fact, encryption ought to be a requirement for every organization that processes private or mission critical information.  Security product provider Checkpoint points out the dire situtation best in a February 2009 UK survey: “…less than 50% of the UK public and private sector organisations use any form of data encryption.”

As a privacy professional, knowledge of information security and its ramifications to privacy are paramount to successful data protection.  Personally Identifiable Information, Private Health Records, Personal Financial Information – it’s all only as confidential as the protections surrounding it.  If the security provisions do not guarantee the data are available and the integrity’s intact, there could be more than fines or company reputation at stake.

It seems the bill wasn’t broad enough, or perhaps the descriptions of what was happening were distorted.  Actually, the New York Times reports,

[T]he N.S.A. had been engaged in “overcollection” of domestic communications of Americans. They described the practice as significant and systemic, although one official said it was believed to have been unintentional.

From a network perspective, this sort of mistake is easy to make.  When dealing with network or Internet routing, (which is what allows the wiretapping to copy/redirect traffic) something called a bit-mask looks for specific patterns in Internet addresses, signifying the originator or destination of the traffic.  The bit-mask is essentially a secret decoder ring included in a cereal box – drop the first 4 characters and read the next 12.  And it’s not just one bit-mask that’s controlling the data collections – it’s likely hundreds or thousands of rules differentiating satellite traffic from ground, international calls vs. local exchanges.  I’ll give them the benefit of the doubt on this one.  Policy and change control will keep many of these problems at bay, and the Times story suggests that the Department of Justice verified the over-collection issue has been rectified.

Within the same story, the Times reports on potential abuses of power.  Should the NSA have followed the same protocols and procedures with everyone, even a Congressman?  When exceptions are made, people’s judgment may cloud a real problem – Robert Hanssen anyone?  It’s really a non-starter, as this was before the Protect America Act, and there was no court that authorized the taps.  Someone made the right choice.

Admiral Dennis Blair, the Director of National Intelligence, responded to the allegations says in a statement:

Under these authorities the officers of the National Security Agency collect large amounts of international telecommunications, and under strict rules review and analyze some of them. These intercepts have played a vital role in many successes we have had in thwarting terrorist attacks since 9/11. On occasion NSA has made mistakes and intercepted the wrong communications. The numbers of these mistakes are very small in terms of our overall collection efforts, but each one is investigated, the Congress and the courts are notified, corrective measures are taken, and improvements are put in place to prevent reoccurrences.

Let me clear, I do not and will not support any surveillance activities that circumvent established processes for their lawful authorization and execution. Additionally, we go to great lengths to ensure that the privacy and civil liberties of U.S. persons are protected.

They’re doing a hard job, and no one could envy them.  But there is an erosion of civil liberties going on, and we all must keep watch of the watchers.  Even innocent mistakes could be costly.

Since the War on Terror unavoidably leads to investigation reinforcements in foreign countries, not only American citizens have to worry about seeing a special entrance ticket in the NSA life-streaming machinery. While text mining algorithms are tested to retrieve suspicious correlations between individuals, events and places, full-time employees are doing the job that no advanced piece of hardware can do at this time – listening to telephone conversations that expose people lives without their consent.

In particular, European citizens may feel utterly concerned by the NSA’s data usage that may only be accomplished from the collection of records without their explicit consent. Indeed, why would some of them be preoccupied at the higher level by the present surveillance of their movements? These same Europeans were not phased at all by third party wiretapping?  A better understanding of today’s global communication network may help in realizing how far ISPs can go in transferring signals emitted or received by individuals located all around the world to government agencies.

Nonetheless, wondering how putting together this tremendous amount of data would help in the fight against terrorist plans remains a fair question since it didn’t prevent the 9/11 attacks. One could say the collection was not big enough in 2001 as opposed to the plethora of sources revealed in the documentary.  The 9/11 hijackers were well-known and their activities tracked, but without the wider surveillance, their intentions were most likely never unveiled.

The transcripts for the Spy Factory make the documentary even more valuable.