Slashdot Mirror


PDF Virus Spotted

Jethro73 writes: "Adobe's popular PDF file format [...] has generally been considered immune to viruses. But a new virus carried by programs embedded in PDF files raises concerns that the format itself could become susceptible. Read about it here and at coderz.net."

244 comments

  1. Buffer Overflows, Kernel Patches, & Fucking Trolls by szomb · · Score: 2, Insightful

    Jeez, what kind of fucking moron are you?

    Can you name an OS that has /never/ had a widely known remotely exploitable total-compromise vulnerability? It ain't Linux, *BSD, Solaris, or any other Unix.

    BTW, does your favorite OS distribute fixes that can patch the currently executing kernel in memory without taking the system down, in the event of a kernel bug?

    The problem, for the billionth time, is not Microsoft (at least not this time). The problem is the clueless fucks who are trying to admin these servers. "24/7 environments"? You're a moron. Any environment that wants to be 24/7 damn well better have high availability and redundant machines that can cover when one goes down. You can put off a patch+reboot but can you put off a disk crash? What about someone using the hole you put off patching to compromise the machine and eat your data?

    There ought to be a strain of Code Red that just fucking kills the admin who left the machine vulnerable to it, or at least puts in a pink slip for him.

    --
    Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  2. Re:Slashdot should buy some integrity by Anonymous Coward · · Score: 0

    umm integrity from an anonymous coward - i mean come on now do you have no sense of irony

  3. Re:Apply the same arguments to other areas of safe by rediguana · · Score: 1

    I know it is a profoundly unpopular idea (and I'm not terribly thrilled with the notion myself), but perhaps it is time for some basic standards of quality and security to be imposed through some form of regulation. The alternative seems to be more of the same, which is clearly not acceptable.

    You know, I would actually have to say I'm starting to agree with this view. I think it is time for consumers to work with governments to form suitable regulation for the greater good of society. The development of open formats and software would go a long way to support this. I can't see it happening in the US any time soon though, MSFT is paying too much tax!

  4. Re:PDF Virus a *Proof of Concept*, not a real thre by Bonker · · Score: 3, Insightful

    Well, the Code Red exploit was once a proof of concept. I still have the original post from the NTBugtraq list outlining the vulnerability...

    I think we're going to come to the point where *any* embeddable-type document is going to be prone to infestation. We're almost there. We just need to add .swf, .psd, and the complex audio formats coming out. Play a Music Stream from Real and get a virus!

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  5. Re:here ya go, ya goofballs by imadork · · Score: 1

    Thanks for the info. Slashdot was the last place I thought I'd get a useful spelling and grammar lesson!

  6. Re:Not worried by JediTrainer · · Score: 1

    I use some of the ones other users kindly mentioned, in addition to a wonderful Java PDF library called iText

    It's nice to be able to produce the things from a Java Servlet dynamically.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  7. so what by Anonymous Coward · · Score: 0

    Any file can be dangerous, even postscript (you can even build a webserver in postscript) it just depends on what you do with the file

  8. Did Sklyarov write this virus? by thebitninja · · Score: 1

    Seems to me that this is a very opportune time for an ethically motivated hacker to whip out a PDF virus, perhaps in protest to heavy handed lawsuits against Adobe!

    1. Re:Did Sklyarov write this virus? by Troy+Roberts · · Score: 1

      First, I think you did not say what you meant. And Secondly, under no reasonable set of ethics does it become ethical to be a terrorist.

    2. Re:Did Sklyarov write this virus? by thebitninja · · Score: 1
      You are absolutely correct, I did not say what I meant to say. I cussed and cursed immediately on hitting that submit button.

      You are double correct re terrorism. More correct would be some unethically motivated ethical hacker or perhaps morally unethical moral hacker or maybe even a moral and ethically motivated unethical hacker =)

  9. Re:here ya go, ya goofballs by pmz · · Score: 1
    And I had just been through this on another thread:

    There isn't a Latin plural form of "virus", so "viruses" it is!

    Follow the link in the parent post. This is really true!

  10. What about a good book ? by Quazion · · Score: 1

    Decrypt an ebook version of a very good selling book to .pdf, put your typical subseven trojan in it and spread it on the net and you can go start DDoSing within days, thanks adobe....

    Damn i am lame.....

  11. Re:A PDF virus? by BilldaCat · · Score: 2
    the grammer nazi would have a field day with you.

    I hate to see what the spelling nazi would do to you.

    --
    BilldaCat
  12. Paying for viruses? by MouseR · · Score: 2

    "There is no way for this to affect Acrobat Reader," said Adobe's Sarah Rosenbaum, director of Acrobat product management. "The code in Acrobat that recognizes attachments does not exist in Reader."

    So, when you pay for the enhanced version of Acrobat, you get infected. It should be the other way around... Adobe just doesn't understand business (as MicroSoft does).


    (Disclaimer: a bit of sense of irony and humor is required prior to moderating this post).

  13. Does anyone actually *read* these before posting? by rufus+t+firefly · · Score: 1
    It states, clearly, that you need Acrobat, not Acrobat Reader to be at risk. Most people I know use Acrobat Reader, not Acrobat.

    But the way this story was posted, it sounds like every PDF you view has the capability to infect your computer.

    --
    "He may look like an idiot, and talk like an idiot, but don't let that fool you. He really is an idiot." - Duck Soup
  14. Re:Bah by Anonymous Coward · · Score: 0

    Just simply use a mac...you'll be ok...vbscripts...haha..

  15. Oh, shoot. by Noryungi · · Score: 2
    This is just beautiful. One of the few file types you could trust under the MS platform is now compromised, by another VB programmer to boot.

    On the other hand, a few points are worth noting:

    • This is not dangerous, unless you use Adobe Acrobat, and not the reader.
      I use Acrobat, but under the Macintosh, so I am safe.
    • This is a Microsoft-only virus. If you run Adobe Acrobat Reader (or XPDF) under Linux or BSD, or something, you are probably safe.


    On the other hand: "[...] Adobe doesn't currently plan to prevent VBScript or other files from running."

    I say this is just another reason to boycott Adobe! It's just turning into another Microsoft.

    I also think the XPDF programmers should add security features to their (excellent) software, as well.

    Just my US$ 0.02...
    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Oh, shoot. by BradleyUffner · · Score: 2
      But Adobe doesn't currently plan to prevent VBScript or other files from running.
      To prevent Peachy from being able to run, "the change we would have to make is not to allow VBScript attachments. That is a problem for a lot of our customers," she said. "If they change their opinion, we will do what they want."
      The reason Adobe isn't preventing vbscript from running is that their customers WANT to run vb script. If they prevented VB scripts from running then their customers would not be able to use the product for what they want. Adobe says if customers want VB script blocked then they will block it. It's not like they are just saying "we don't care".
  16. A PDF virus? by Mr_Silver · · Score: 3, Insightful
    Unless I've read this totally wrongly, it's not really a PDF virus - more a VB(S) virus embedded in a PDF file.

    If that is the case, then practically any program that can embed other files is suddenly going to be flagged as having a virus, when in reality, it's just the same old software (VB and VBS) causing the same old problems (reading outlook email addresses and so forth) ...

    Or am I missing something?

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
    1. Re:A PDF virus? by JCMay · · Score: 1
      I think the definition from Whatis is wrong.

      The Whatis definition you quote is more along the lines of what I would call a Trojan Horse, not a virus. Trojan Horses require active participation on the part of the victim in order to work, much like the mythic/historic horse did. All the things of late that the media have called virii I would categorize as Trojan Horses.

      Would not a classic definition of "virus" be more along the lines of:

      A piece of programming code that spreads itself automatically, without cognizant human interaction, to multiple computer systems by attaching itself either to data files to be shared (MS-Word virii, etc) or system startup data of removable media (boot-block virii, etc).
      True virii are more dangerous than Trojan Horses since users are not aware of their operation. They're silent in their operation until the damage is done (payload is used).

      I can imagine that auto-play home-burned CD-ROMs are a fertile ground for true virii which could attach themselves to the burning software, and become part of every bootable or auto-starting CD made from then on, for example.

    2. Re:A PDF virus? by Lizard_King · · Score: 2

      totally wrongly
      the grammer nazi would have a field day with you.

      a virus is (from www.whatis.com): A virus is a piece of programming code usually disguised as something else that causes some unexpected and usually undesirable event. A virus is often designed so that it is automatically spread to other computer users. Viruses can be transmitted as attachments to an e-mail note, as downloads, or be present on a diskette or CD.

      it's just the same old software (VB and VBS) causing the same old problems
      dude, VisualBasic and VBScript are programming languages. Using your logic, you could have one hell of an argument against C or assembly language from the good ol' days. It just so happens that these programming languages allow relatively inexperienced coders to write some powerful stuff

      --
      "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
    3. Re:A PDF virus? by BlowCat · · Score: 1

      Adobe must have licensed this virus technology from Microsoft.

    4. Re:A PDF virus? by jesser · · Score: 2

      Data formats (eg txt, doc, html, pdf) often embed files or scripts. The problem is when the script isn't sandboxed well and so it can do something you didn't think it could do: eg html scripts can read the contents of other html files in the same directory if they know the name of the html files, and doc macros / pdf embeds used to be able to do anything the user could do.

      --
      The shareholder is always right.
  17. all your pdf... by jlemmerer · · Score: 0

    ... are belong to us
    I don't understand so much of the pdf standard.... but does it execute only when read by a specific reader, e.g. adobe acrobat, or is it independent of the pdf reader? And furthermore, how long will it take before .txt files will carry viruses? I for myself will switch back to pen and paper. (AD&D persuaded me to do so, the P&P version is clearly superior to the digital one)

    --
    ".Sig Stealer" was here
  18. What you say?!? by Anonymous Coward · · Score: 0

    Use Linux and you won't have any virus problems? That's absurd!

  19. In other news.... by Greenrider · · Score: 1

    In other news today, Adobe announced the existence of the "Rotten" PDF virus.

    According to virus experts, the Rotten virus compromises the security of the PDF format by replacing each letter with one thirteen places from it in the alphabet.

    1. Re:In other news.... by mini+me · · Score: 3, Funny

      You think that's bad, wait until you get infected by the "Rotten" PDF virus twice!

  20. Re:Adobe legal defense by jmv · · Score: 3, Interesting

    They're gonna yell out "You see what happens when people reverse-engineer our software ?".

    Quite the opposite. When writing a PDF virus you're not reverse engineering or circumventing anything. However, if there's a virus in an e-book, you can't study it because then you'd be violating the DMCA and the virus writer can sue you and have you put in jail. Cool isn't it?

  21. Not a problem by JediTrainer · · Score: 2

    This particular thing, as mentioned by many already, only affects Acrobat, not the Reader. I'd be more worried about this: http://www.kb.cert.org/vuls/id/31554, which has, of course, been patched by Adobe last November already.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  22. Poetic Justice by Anonymous Coward · · Score: 0

    Adobe can stick that where it doesn't fit, so much for them protecting their precious document protocol

    haha

  23. Don't even disinfect your PDF's by Fatal0E · · Score: 2

    Or Adobe will call the FBI up on yo ass!

  24. not a threat by pricorde · · Score: 0, Redundant

    just a VB Script embedded in pdf. And the free Acrobat Reader version is not affected, only the Acrobat Writer.

  25. Re:Bah by Anonymous Coward · · Score: 0

    Fortunately, as we all know, the majority of users is using Linux, FreeBSD and other UNIX incarnations made by Fortune 500 corporations like VA Linux and Redhat. Who would seriously use a small and little-known solution like Windows? Dem worms and viruses are nothing to be afraid of.

  26. The same mistake by rosta · · Score: 1
    "Adobe doesn't currently plan to prevent VBScript or other files from running"

    wow... That's the second company who'd rather have visual basic support than protection... and the first one owns a monopoly...

    I have to wonder how hard it would be... I mean, can't they at least have default support for that sort of embedded automated stuff turned off? That way, the huge majority of people who use Acrobat would have no problem, which would prevent the virus from spreading at a significant rate...

    Why don't they just turn support for embedded stuff off, by default, and have a simple switch/notification system to allow it to be easily reenabled?

    1. Re:The same mistake by konmaskisin · · Score: 2, Informative
      "wow... That's the second company who'd rather have visual basic support than protection... and the first one owns a monopoly..."

      Adobe has a "monopoly" too, walled off by patents ... it's just that it's on PostScript and PDF so it isn't as noticeable. They're going to get more aggressive defending it too.

      My other posts explain it all ;-)

  27. Re:Bah by Lizard_King · · Score: 2

    Besides embedded programs there isn't much that can get executed by the system

    (gulp) This should raise some concern, no?

    Use Linux (and use Python) and you should have no problem

    whew! I got worried there for a second...I can already see the hordes of people downloading the latest distros to avoid a potential .pdf virus threat. Let's be a bit realistic here.

    --
    "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
  28. rot13 by Mr+Krinkle · · Score: 1

    Don't worry though the VB script uses ROT13 twice so that no one will notice that THIS IS JUST A SCRIPT. This is the exact same as most of the other virii going around. Just if you have adobe writer (not just reader which is all most people have) and you click to execute a script within the document it can execute itself and spread. Yes this is kind of interesting but as far as worms go the number of people that are going to spread this is much less than the danger by one spread from acrobat reader.

    --
    I am 31337 or something.
  29. PDF Virus Spotted. Spotted? by martyb · · Score: 1, Offtopic

    What have those virus writers done NOW?

    "PDF Virus Spotted". Spotted? SPOTTED?!? What's next? Stripes? Or, shudder, PLAID?! :^)

  30. Re:...and whoever cracked this virus is heading to by null-loop · · Score: 1

    Quote from the Bugtraq mailing list (not by me!) :

    What this means is that virus scanners will now need to "reach inside" PDFs to scan encapsulated files. But what -- as I'm sure our Russian friend Dmitri would ask -- if the PDF is encrypted? Wouldn't the virus checker have to defeat the encryption to see the encapsulated file? And would it be an illegal "circumvention" mechanism if it did?

    --Brett Glass

    I think Brett raises a very good point here.

    --
    "If you unscrew Bill Gates' navel will the bottom fall out of the software market?"
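
Added example (not from the thread or the quoted Bugtraq post): a small Python triage pass of the kind the quoted point implies, which finds attachment and script markers in a PDF's dictionaries and reports an encrypted file as opaque instead of trying to read its streams. The function names, verdict strings and sample byte strings are constructed for illustration.

```python
import re

# PDF name keys (defined in the PDF specification) that mark attachments or
# active content. Their presence means there is something inside to scan.
ATTACHMENT_KEYS = {"EmbeddedFiles", "EmbeddedFile", "Filespec"}
ACTIVE_KEYS = {"JavaScript", "JS", "Launch", "OpenAction"}
ENCRYPT_KEY = "Encrypt"

# A PDF name is "/" followed by regular characters (no whitespace, no delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /Embedded#46iles compares equal to /EmbeddedFiles."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Classify raw PDF bytes by the dictionary keys they contain.

    Heuristic only: keys stored inside compressed object streams are not
    visible to a byte-level pass like this one.
    """
    watched = ATTACHMENT_KEYS | ACTIVE_KEYS | {ENCRYPT_KEY}
    counts = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in watched:
            counts[name] = counts.get(name, 0) + 1

    attachments = any(k in counts for k in ATTACHMENT_KEYS)
    active = any(k in counts for k in ACTIVE_KEYS)
    encrypted = ENCRYPT_KEY in counts

    if encrypted:
        # Standard PDF encryption covers strings and streams, so the attached
        # file's bytes cannot be inspected without the key. Report that fact;
        # do not guess at the content.
        verdict = "opaque"
    elif attachments or active:
        verdict = "scan-embedded"
    else:
        verdict = "no-markers"

    return {"markers": counts, "attachments": attachments,
            "active": active, "encrypted": encrypted, "verdict": verdict}


# Constructed sample fragments (not real documents, no real payloads).
SAMPLE_CLEAN = b"%PDF-1.3\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

SAMPLE_PLAIN = (
    b"%PDF-1.3\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (report.vbs) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 11 >> stream\n"
    b"placeholder\nendstream endobj\n"
)

# Same keys written with #xx escapes, which a naive substring search misses.
SAMPLE_OBFUSCATED = (
    b"%PDF-1.3\n"
    b"1 0 obj << /Type /Catalog /Names << /Embedded#46iles 2 0 R >>\n"
    b"  /OpenAction << /S /#4aavaScript /JS 5 0 R >> >> endobj\n"
)

SAMPLE_ENCRYPTED = (
    b"%PDF-1.3\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 9 0 R >>\n"
)

if __name__ == "__main__":
    for label, sample in [("clean", SAMPLE_CLEAN), ("plain", SAMPLE_PLAIN),
                          ("obfuscated", SAMPLE_OBFUSCATED),
                          ("encrypted", SAMPLE_ENCRYPTED)]:
        result = triage_pdf(sample)
        print(label, result["verdict"], result["markers"])
```
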
  31. Re:Safety Regulations for Software by tomcounsell · · Score: 1

    One could see a role for regulation of software that is sold in binary form but not for that sold / distributed as source code

    This would be based on the principle that with source code the user could check (or get other independent 3rd parties to check) the software themselves whereas a user is unable to similarly verify binary distributions

    In such a way regulation could work in favour of the open source movement ....

  32. Re:Sort of... by san · · Score: 1

    err. i mean pdflatex..

  33. Sort of... by PingXao · · Score: 1

    I just went through this not long ago. If you browse the contents of the postscript file and see strings like "BitmapFont" then you're SOL. There's no way to alter a postscript file if the bitmapped Type 3 fonts have already been embedded in it. Typically, these files will convert to PDF and look fine when printed but really crappy if you look at them on-screen.

    I have downloaded numerous postscript files over the years and it always amazed me that even though I had a substantial installed base of Type 1 fonts, they were not being used whenever I converted a .ps file to .pdf.

    The .ps file must be generated so as to call explicitly for Type 1 fonts. The way I do this on Linux is to start with the raw tex files. If you have documentation you are trying to convert ultimately to a PDF, it sometimes helps to put a line like

    \usepackage{ae}

    in the top-level tex file. Perhaps one of the strangest things I have ever seen is that this line:

    \usepackage[T1]{fontenc}

    paradoxically is an instruction to NOT use T1 fonts when creating the postscript doc! The "ae" package includes the so-called "almost European" font set which is freely available. In contrast, there is quite a bit of tex documentation coming from Europe where the "ECM" fonts are used. As far as I can tell, there are no freely available Type 1 fonts for ECM. Most linux systems will have ecm fonts, but as Type 3 only (thus the crappy on-screen quality). The "ae" fonts are a reasonable facsimile of the ecm fonts and they are freely available. HTH

    1. Re:Sort of... by san · · Score: 1
      Or you could try pslatex: works like a charm, esp. if you use


      \documentstyle[times]

  34. Postscript is a complete language by coyote-san · · Score: 4, Interesting

    Postscript is a complete language, the only reason it doesn't make a good viral platform is that the standard library is extremely limited (some disk I/O, no network I/O iirc) and there's no well-known way to call external libraries.

    But make no mistake - it would not be hard to define an extension which allows PS functions to call native libraries. This is the type of extension that could be easily added to support some purpose, without consideration of how this will increase the risk of a viral load.

    Finally, to ask the obvious question of why you would do extensive programming in PS, the reason is simple - it allows your file to adjust itself to the printer. E.g., you might have a file which contains meteorological information on a map. If you print the file on a standard printer you get two dozen reports. But if you print it on a large format printer, you get 4x as much information because the file knows it can push additional information onto the map. Or you might get basic information on a monochrome printer, and additional information on a color printer where you can provide visual distinction between the layers.

    In some limited cases, you can even have the PS file compute its own content. I've seen that done with some fractal graphics - you might send a <1k file which causes the printer to sit and think for an hour. Great stuff for confusing MCSEs - the print queue says it's printing a 1k file, but it's been churning away for a looooong time.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:Postscript is a complete language by nchip · · Score: 1

      mandelbrot in postscript: (from http://www.students.tut.fi/~warp/MandScripts/ )

      51 1 551
      { /x exch def
      111 1 721
      { /y exch def
      y 521 sub
      201 div
      x 301 sub
      201 div
      1 index
      1 index
      31 -1 1
      { /n exch def
      1 index
      dup mul
      1 index
      dup mul
      1 index
      1 index
      add
      /d exch def
      sub
      4 index add
      3 1 roll
      2 mul mul
      2 index add
      d 4 gt
      {exit} if
      } for
      pop pop pop pop
      n 31 div
      setgray
      x y moveto
      1 0 rlineto
      0 1 rlineto
      -1 0 rlineto
      fill
      } for
      } for

      --
      signatures pending - ansa@kos.to - (dont mail there)
    2. Re:Postscript is a complete language by Borogove · · Score: 2, Interesting
      I've been thinking about this for a while (after playing with GILT).

      Lack of I/O facilities means you couldn't create a postscript file that could replicate, but you could still potentially cause a bit of havoc. For example, create a postscript file that uses the random number generator to either print an amusing poster (99.9% of the time) or print several pages of dirty pictures (0.1% of the time). People will print the amusing document, send the file to all their friends, and eventually someone will get into trouble.

      --
      There has been a major scientific break-in
  35. And you can thank... by dave-fu · · Score: 5, Interesting

    ...feature creep. What does anyone need Javascript or anything "dynamic" in a PDF for, anyhow?
    When people start applying the KISS principle judiciously, things will get a whole lot safer.

    --
    Easy does it!
    This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
    1. Re:And you can thank... by garoush · · Score: 1

      "...feature creep. What does anyone need...."

      A strong argument. So let's see, with your logic, why would anyone need cars; won't horses do it. Why would anyone need comfortable swing chairs; wouldn't wooden chairs do it? Why would anyone need TV; isn't radio enough? I can go on and on. But those are the things that as we evolve we ask more of -- at a cost.

      --

      Karma stuck at 50? Add 2-5 inches.. err.. 2-5x Karmas Count to your pen1es.. err.. Karma all naturally and private
    2. Re:And you can thank... by Anonymous Coward · · Score: 0

      And to show what twats moderators are, you get a lower score than the original Bozo!

    3. Re:And you can thank... by LetterJ · · Score: 5, Insightful

      Why Javascript in PDF? Ever pay taxes? Javascript in PDF works well for forms that have to be printed and mailed, but they'd prefer typed entries to handwritten. It lets you do those inane calculations on the boxes on the US 1040 form and carry data to other fields. It lets you only enter the necessary data and eliminates mistakes based on simple math. Also useful for forms that want things like your name on the top of pages 2-99. Fill in your name on page 1 and it carries through. Want to have an online version of your form and want no legal problems by having two versions of the same form? Put the PDF of the print form on with Javascript validation. Just because you don't have a need for a feature in PDF doesn't mean that it wasn't necessary or isn't useful to someone.

    4. Re:And you can thank... by thrig · · Score: 1

      Because it's easy to develop spiffy applications using Microsoft products on the server side of things.

      Was forced to convert fiscal people at work over to Windoze boxes when the central people at work decided it would be swell to rewrite the clunky old terminal interface to the Human Resources database et al. (that anything could access) to be JavaScript and ActiveX up the ying yang (which only IE 5+ on Windows could use).

      That there is progress for you...

    5. Re:And you can thank... by LetterJ · · Score: 3, Informative

      Many, many forms, both in government and business require that the exact layout be used on all copies. The layout is chosen to meet accessibility regulations, etc. That part is non-negotiable. So, these forms traditionally are printed out and available by mail, or in person. Then Adobe comes up with PDF. This electronic file that retains the exact printed layout and can be downloaded or placed on CD-ROM. So, some agencies start using it. Folks download the file, print it out and send it in. Ahh, but some of those folks filling it out have incredibly illegible handwriting. Adobe, will you please make it so our forms can be filled out with typewritten information by our users before they print it? Sure. Adobe Acrobat forms are born. Then the agencies start to notice that when the form requires the same information in several different places, people are mistyping it in one or more. Hence the Javascript in PDF.

      Throughout all of this, the data is NEVER sent to any server at all. The agency is still requiring a printed copy of the filled out form. Keep in mind that in many cases, these forms are published by a government agency to be submitted to folks other than the agency itself. Prime example: the US W-4 form for income tax deductions from a paycheck. The form is submitted to the employer. The IRS makes up the PDF form and you fill it out and give it to your employer. The IRS isn't involved other than providing the proper form.

      As far as having built a Javascript 'application', yes I have. Not relevant to the discussion. The original post attacked not the implementation, but the very idea of Javascript in PDF. Your attack on Javascript has to do with a poor implementation in Javascript. I don't care what scripting language is used, the concept is valid and that's what I was defending.

      Improper implementations of a concept do NOT invalidate the concept itself. The concept must be evaluated on its own merits.

    6. Re:And you can thank... by kimihia · · Score: 1

      Thank you for saying that.

      Validation should be server-side, pages should work, and be accessible to everyone. And US government agencies have an extra responsibility.

      (I just checked the section 508 website. They are using the ALT tags for holding long descriptions. Tut tut. And they have a big spiel about Javascript requirements and popping up new windows. Both are naughty evil things to do. Hypocrites.)

    7. Re:And you can thank... by mark_lybarger · · Score: 1

      the original poster seems to be referring to the integration of 2 separate entities to form something that's way out of whack. the car and horse example just seems pretty unrelated. what were horses combined with to create the car?

      how about, why the hell would anyone need a friggin' SUV? when they can have a car/truck/van/jeep? there's many other gas guzzlers out there, and certainly other types of "family size" vehicles. so why the SUV? oh yeah, the off road adventure!

      i agree with the other poster who mentioned that we've already got an interactive form available for the users, seems like someone is trying to get the circle in the square.
    8. Re:And you can thank... by warpeightbot · · Score: 1
      Why Javascript in PDF?
      Y'know, if it was Javascript, it wouldn't be so bad. But according to this ZDNet article, it's VBScript.

      Need I say more?

      I think I will, just to get the point across. From the article:

      But Adobe doesn't currently plan to prevent VBScript or other files from running.

      To prevent Peachy from being able to run, "the change we would have to make is not to allow VBScript attachments. That is a problem for a lot of our customers," she said. "If they change their opinion, we will do what they want."

      WTF???

      Why do you need total access to the entire machine inside a document reader? I can understand wanting Javascript; LetterJ's example of the "smart" IRS form is a good one. But a VBScript engine...

      blink, blink

      Ye gods.

      There ain't but one way to get the specs on how to implement/link to one of those things.

      I think I shall leave the explanation as to why Adobe is Officially Evil as an exercise to the reader.

      Go ahead, mod me down all you want, but word will get out....

    9. Re:And you can thank... by Anonymous Coward · · Score: 0

      So now people can post to slashdot from the same computer they use to do their unemployment forms. Too funny.

    10. Re:And you can thank... by SCHecklerX · · Score: 5, Interesting
      It lets you do those inane calculations on the boxes on the US 1040 form and carry data to other fields. It lets you only enter the necessary data and eliminates mistakes based on simple math. Also useful for forms that want things like your name on the top of pages 2-99. Fill in your name on page 1 and it carries through. Want to have an online version of your form and want no legal problems by having two versions of the same form? Put the PDF of the print form on with Javascript validation.

      And all of those things could be achieved with an online form, processed and verified on the backend that the administrators have *FULL* control over. Have you ever written a javascript 'application?' Did you know that the '+' symbol is used for both string concatenation and for addition? And usually, javascript will pick the wrong operation : 2+2='22', for example. Yeah, that's how I want my tax information calculated, NOT!

      This is almost the same shit I just had to go through with Pennsylvania's braindead online unemployment compensation registration. They did EVERYTHING as a FSCKING javascript/ActiveX client side app. UGH! It is so broken that I ended up just downloading a text form from the web site and faxing that in.

      Can someone please explain to me why anybody, ESPECIALLY A GOVERNMENT AGENCY, would write things so heavily dependent on client-side tools?

      Below is the letter I wrote to them:

      ...doesn't work at all under Netscape, Mozilla, Lynx, Links, KFM or Konqueror on linux.

      I did not test Netscape or Mozilla under Windows or Macintosh, but the problems could be there as well.

      In IE under windows, it caused a GPF 3/4 of the way through, and in several instances did not load properly, not allowing me to fill out fields that were required. Also in IE, your code causes a security alert on *EVERY PAGE* when using Microsoft's default security settings.

      WHY are you depending on so much client side code for what amounts to nothing more than a series of forms that are used to feed a back end database? There is NO EXCUSE for a GOVERNMENT AGENCY to be excluding all types of people (including the blind, or the poor who could be accessing your page from a text-only, no javascript browser) from filing for UC Benefits online. It is simply unacceptable.

      I am very disappointed in what you have slapped together to file claims online, and hope that you fix it for future unemployed folks who would like to file their claims themselves online, saving everyone time and effort.

      Yes, simple javascript can save some time by providing immediate feedback for data verification to the end user...but you depend far too heavily on it. What about people who are using browsers with no javascript enabled at all? They cannot file online. This also breaks a very basic security rule: You can't trust things coming from a client. ALL DATA should be verified on the backend itself.

      Since your application is totally useless for me, I decided to use a fax fill out form instead (linked on the same page as the electronic application). Well, it's a week later, and I haven't heard anything, so I called the Lancaster Unemployment Office. The representative there informed me that the preferred method is to file over the telephone, as faxes "can get lost, or sit on someone's desk for a week before being processed." Lovely. Why is the preferred (telephone) method not stated on the web page?

      Please re-write the online application. It can be a great tool to file online, but the way it has been done is error-prone and excludes a rather large set of people from using it. These people are then forced to use other methods, causing the entire system to be much less efficient.
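
The backend check the letter above asks for, as an added example that is not part of the original comment. The field names `wages`, `interest` and `total` and the accepted amount format are assumptions made for illustration.

```javascript
'use strict';
// Added example (not from the thread). Field names and the amount format
// are hypothetical; adapt them to the real form.

// Form posts arrive as strings, whatever the client-side script did with them.
// This is the failure the comment describes: '+' concatenates strings.
function naiveTotal(fields) {
  return fields.wages + fields.interest; // "2" + "2" -> "22"
}

// Accept only plain decimal dollar amounts: no signs, no exponents,
// no leading zeros, at most 9 integer digits, optional 2-digit cents.
const AMOUNT_RE = /^(0|[1-9]\d{0,8})(?:\.(\d{2}))?$/;

// Convert a submitted amount to integer cents, or null if it is not valid.
// Integer cents avoid floating-point rounding in the comparison below.
function parseCents(raw) {
  if (typeof raw !== 'string') return null; // e.g. a repeated parameter parsed as an array
  const m = AMOUNT_RE.exec(raw.trim());
  if (!m) return null;
  return Number(m[1]) * 100 + (m[2] ? Number(m[2]) : 0);
}

// Server-side validation: parse every field strictly, recompute the derived
// value, and refuse the submission if the client's total disagrees.
function validateSubmission(fields) {
  const errors = [];
  const cents = {};
  for (const name of ['wages', 'interest', 'total']) {
    const value = parseCents(fields[name]);
    if (value === null) errors.push(`${name}: not a valid amount`);
    else cents[name] = value;
  }
  if (errors.length === 0) {
    const expected = cents.wages + cents.interest;
    if (expected !== cents.total) {
      errors.push(
        `total: client sent ${cents.total} cents, server computed ${expected} cents`
      );
    }
  }
  const ok = errors.length === 0;
  return { ok, errors, totalCents: ok ? cents.total : null };
}
```

The client-side script can still give immediate feedback; the server simply never relies on it having run.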

    11. Re:And you can thank... by Anonymous Coward · · Score: 2, Insightful
      Validation could be done by using passive methods, although the format would need to have support for that. However... PDF was not designed to be an interactive application. Why SHOULD people be able to "fill in" a PDF-document? The idea was to have a print oriented document format, so print the damn thing out, fill it in and send.

      Really, leaving back doors (ability to run scripts) to allow doing things creators didn't know/have time to implement is a very very VERY bad idea.

      Alternatively, if you really think it isn't all that bad an idea (which, by the by, is a bad idea in itself), then at least make the scripts run in a sandbox a la Java's applet sandbox. Let them be able to modify document structure, but not modify local file systems (for example).

      (posting as an AC since writing from a public terminal)

    12. Re:And you can thank... by blamanj · · Score: 1

      As other posters have pointed out, dynamic documents can be extremely useful.

      What I don't understand is, why continue using technologies with known flaws when reasonable solutions already exist? There has been a lot of work put into the security features of Java. If you don't like the language, why not at least leverage the research put into creating a safe "sandbox" for execution?

    13. Re:And you can thank... by LetterJ · · Score: 2, Informative
      My reply wasn't intended to address the virus per se, but the implication that Javascript has no place in PDF.

      As far as Javascript in PDF not manipulating the PDF itself, I quote from Adobe's docs on Acrobat Forms Document Model,
      "They basically mirror the Acrobat Forms components and give the forms developer a way to access these components programmatically in order to query and change their properties. In addition to defining forms specific objects, there are additional generic objects that allows the developer to access the underlying document and perform certain actions on it."
    14. Re:And you can thank... by Troy+Roberts · · Score: 1

      I think your example does not represent the reality of the situation. Javascript or VBScript embedded in a PDF file do not manipulate the PDF document. Well, not without essentially having a version of the acrobat libraries available.

      These are just attachments. It is essentially using a PDF file as an archive. Which, I must agree with the originator of the thread. If you want to archive a group of files together, use software for that like ZIP and leave the "attachments" (aka archiving) out of acrobat.

      Troy

    15. Re:And you can thank... by Anonymous Coward · · Score: 0
      In some other context that might be a valid point, but in this case it makes no sense. How about adding a javascript capability to your car's computer system (that controls engine's fuel injection). Someone might find good use for that, right? Let's connect it to a network via wireless link. Why? We are no Amish people, progress, right? But let's not bother with preventing access from anyone; someone might have good ideas for how to 'improve' fuel injection (or steering, or whatever your computer is able to control). And anyone who asks "why" is just a luddite.

      From security perspective, there is an old EE saying (rule of thumb even) that sums it up pretty well: "There is no such thing as a free feature". In context of designing CPUs, for example, it meant that even if current generation of a CPU had just enough room to cram in one more instruction ("just so we wouldn't be wasting that space") on silicon chip, don't do it. In future revisions it's baggage; you will _have to_ support it. It has to work ok as people are likely to use it by now (someone somewhere). It might be that now it would _save_ lots of money if we could remove it... So don't put it in if you really don't need it. In security, every new feature is a potential security risk. Adding more features means more work with security inspections (assuming those are done of course).

    16. Re:And you can thank... by mosch · · Score: 2

      The Pennsylvania Unemployment Compensation Registration worked fine for me, back in April. It sounds to me like maybe you were just a little stressed out about losing your job and had a little misplaced aggression.

    17. Re:And you can thank... by Anonymous Coward · · Score: 0

      Could it be that you don't have a job cause you're a whiny little biatch? I'll have fries with that, thanks.

  36. Call it what it is, a Microsoft Virus by Ice+Tiger · · Score: 1

    Look at the ingredients needed to make this work, Microsoft OS, Microsoft VBScript, Microsoft Outlook.

    All it takes is to run vbscript in a sandbox!!! Don't divert the blame for this thing from the root cause.

    --
    "Because we are not employing at entry level, offshoring will kill our industry stone dead."
    1. Re:Call it what it is, a Microsoft Virus by Anonymous Coward · · Score: 0

      this just in

      Microsoft causes cancer and RSI and contributes to sexual deviancy (as all of these are blamed on the PC and such like and as MS products run on PC's then they must be the root cause of all evil)

      Now fuck off back under the rock you came from and grow up child - go and recompile your kernel

  37. Re:Only in Acrobat by Anonymous Coward · · Score: 0

    This story is FUD. I guess the people that modded up the comments that omit the fact that this doesn't affect the reader didn't bother to read the story. This is typical Slashdot windows-phobia reaction.

  38. Re:Postscript virus by WillAdams · · Score: 1

    Display PostScript also made some interesting things possible---there were .eps files one could put in NeXTMail docs which would take over the windowserver on the receiving machine when they were opened.

    Also, look at www.this.net/~frank for a description of ``Akira'' a project to study and provide a solution for that sort of thing.

    NeXT did provide an option to turn off the public windowserver though, as well as to run .eps files safely.

    William

    --
    Sphinx of black quartz, judge my vow.
  39. actually no by unformed · · Score: 1, Flamebait

    the plural of virus is virii.

    according to your logic, the plural of bus should be bui, but we all know it's actually buses

    and the plural of Gus, should be Gui, but know what a GUI is, and the plural of Gus' should be Gus' kids.

    Who's the dickwad now?

    1. Re:actually no by Anonymous Coward · · Score: 0

      and plural of "unformed" is "turkeys"...

  40. Re:Some thoughts... by rediguana · · Score: 1

    And another thought, if pdf's can now carry executable code (even though it can't execute in Reader), is there the possibility of a buffer overflow exploit in the reader that would allow the executable code to be executed on the machine running the Reader?

  41. Apply the same arguments to other areas of safety by FreeUser · · Score: 5, Insightful
    Typical customers want their email client to open attachments for them. Typical customers want Acrobat to be able to process VBScript (according to Adobe). Unfortunately, typical customers don't want to be raped by script kiddies and haX0rz either--but they don't seem to be willing to sacrifice their features for it.

    Where is the balance?


    This is a remarkably easy question to answer if you substitute another area of safety people, even clueless Microsoft users, can understand.

    Allow me to paraphrase:


    "Typical customers want to be able to board the plane without delay. Typical customers want to be able to take as much baggage as they like, up to and including the Steinway. Unfortunately, typical customers don't want to die horribly in a plane crash -- but they don't seem to be willing to sacrifice their features for it.

    Where is the balance?"


    Obviously, if the industry cannot police itself, and the free market doesn't yield acceptable results, government regulation is the only reasonable recourse (libertarian knee-jerk reactions aside). In the case of aircraft the FAA has stepped in, and while there are a lot of regulations, as a pilot I can say the vast majority of them are reasonable and do a great deal of good.

    Think the aircraft example is too dramatic? Then substitute something else, such as an automobile, a building, or even a child's toy. All of these things have features people would want if they could have them but are incompatible with safety (think seat-belts, firecodes, children choking, etc.). In each case the manufacturers were incapable of properly policing themselves and government ended up having to step in (safety codes, building codes, mandatory testing procedures, etc.).

    Microsoft has demonstrated its incompetence to such an extreme that fissionable nuclear materials may well have been misplaced as a direct and demonstrable result of poor quality control in their software. They make no apology for this, blaming instead the victims of their own incompetence (their customers) and claiming it is what their customers want (I would beg to differ). Clearly the industry is not policing itself properly, nor, based on the market share Microsoft currently enjoys, is the free market yielding acceptable results. Similar arguments apply to Adobe, its fraudulently incompetent copy protection for eBooks and its virus-facilitating PDF file format.

    I know it is a profoundly unpopular idea (and I'm not terribly thrilled with the notion myself), but perhaps it is time for some basic standards of quality and security to be imposed through some form of regulation. The alternative seems to be more of the same, which is clearly not acceptable.
    --
    The Future of Human Evolution: Autonomy
  42. Don't worry Adobe has this well in hand by Diamon · · Score: 1

    They've already invited Zulu to a tech convention in Las Vegas ;)

  43. here ya go, ya goofballs by Heywood+Yabuzof · · Score: 1

    please read and stop this nonsense: plural of virus

  44. Re:I send you this pdf... by Anonymous Coward · · Score: 0

    what you say??

  45. It's Stallman's fault by Anonymous Coward · · Score: 1, Funny

    A virus found in a PDF, huh? All that means is that someone could have run a copy of the GPL through Acrobat Distiller...voila! Instant virus embedded in PDF.

  46. what's next? by Gobeur · · Score: 1

    viruses for Word documents? :P

  47. It's the second .pdf virus by behindthewall · · Score: 1

    I thought the DMCA was already a pretty big virus payload.

  48. Re:Some thoughts... by ethereal · · Score: 1

    Better question - if you can embed VBS in a PDF file, can you embed other kinds of scripting? How about embedding a shell script or perl script? Is the PDF format really cross-platform enough for that to work correctly?

    --

    Your right to not believe: Americans United for Separation of Church and

  49. Re:adobe strikes again by Black+Parrot · · Score: 1

    > Who even needs a way to execute scripts OF ANY KIND in a .pdf file?!

    Don't jump to conclusions, man. I'm writing a new UNIX clone in PDF, so you can port your favorite UNIX apps to your favorite document viewer.

    I expect to have gv running under PDFIX by this weekend.

    --
    Sheesh, evil *and* a jerk. -- Jade
  50. Lowest Common Denominator: AOL on Windows 95 by BigBlockMopar · · Score: 2

    Adobe, will you please make it so our forms can be filled out with typewritten information by our users before they print it? Sure. Adobe Acrobat forms are born. Then the agencies start to notice that when the form requires the same information in several different places, people are mistyping it in one or more. Hence the Javascript in PDF.

    That's all relevant, and I would stop just short of calling it a feature creep.

    But, on the other hand, on a government webpage, the mandate of which being to make government services more accessible, shouldn't they stay with simpler, more reliable, and better supported mechanisms?

    Maybe I'm unclear, but how does Acrobat get the information back to the PA gov't? Do you *fax* the form back, meaning that the unemployed dude has to have both a fax and a computer (or at least a computer and a scanner)? Remember, unemployment services will have a broad sector of people using it - not all of 'em will be computer geeks who have a scanner/fax handy.

    The other option: does Acrobat have the mechanisms to send the information back to the server? Is it encrypted? That'd be fairly personal information to be going across the wire.

    Acrobat isn't supported in a default Windows install. And, let's face facts, the lowest common denominator is AOL on Windows 95. While my mother has a real dial-up connection, she's at browser and e-mail only sophistication. She called me because someone sent her a PDF file, and had no idea what it was. I led her through downloading Acrobat Reader, but she got so frightened by all the installation options that she gave up, despite me telling her, "Mom, just click OK".

    The only thing I can think of to provide that level of functionality would be a good old HTML form. IE 2.0, which shipped with NT 4.0, supports it. The biggest hurdle is at least 56 bit encryption - what generation of browser started to include that by default?

    Bells and whistles are good, when they work. But, again, the cross-section of users *who are paying to use this service* (after all, it's *their* tax money) should be able to make use of it. Truck Driver Joe might not know anything outside of his small, clearly-defined AOL prison cell.

    --
    Fire and Meat. Yummy.
  51. Embedded files in the PDF by nquartz · · Score: 2, Informative
    Actually, this feature in Acrobat began as a plug-in back in version 3, and was integrated into the full package with v 4. It's extremely useful with prepress workflow and asset management. What it allows us to do is:
    1. have an immediately viewable, printable representation of any archived document, accessible to whoever we want it to be over the web, and
    2. have almost instant access to the native application files that created the document, in case a file must be modified or updated. Like the Pagemaker file, graphic images and fonts.
    The feature really functions not much differently than, say, using WinZip to compress files into a self-extracting archive. Decompress an .exe with a virus, and boom, you have a virus.

    But really, it shouldn't be that difficult for Adobe to put a little option on the feature to disable vbs access, should it? As far as I can tell, there's absolutely no vbs out there that should need a viewable, printable PDF mother file.

    --

    --Any sufficiently reliable magic is indistinguishable from technology.
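
A mail gateway or file scanner can check for the attachment feature described above before a PDF reaches a user. The following is an added example, not part of the comment and not code from Adobe or any scanner vendor: it counts the PDF name tokens that mark attachments and scripts, decodes `#XX` escapes in names, and lists attachment file names. The extension list, the verdict policy and the sample fragment are assumptions constructed for illustration.

```javascript
'use strict';
// Added example (not from the thread). Triage only: it reads the raw bytes
// and does not inflate compressed streams, so names stored inside compressed
// object streams (PDF 1.5 and later) are not seen.

// PDF dictionary names that indicate attachments or scripted actions.
const ACTIVE_NAMES = {
  EmbeddedFiles: 'name tree of attached files',
  EmbeddedFile: 'attached file stream',
  Filespec: 'file specification (attachment or external file)',
  JavaScript: 'JavaScript action or name tree',
  JS: 'JavaScript source',
  OpenAction: 'action run when the document opens',
  AA: 'additional (event-triggered) actions',
  Launch: 'action that launches an application or file',
};

// Assumed policy: attachment types that should never arrive inside a document.
const RISKY_EXT = /\.(vbs|vbe|js|jse|wsf|exe|com|scr|bat|cmd|pif|hta)$/i;

// A PDF name may write any character as #XX, e.g. /Java#53cript,
// so names are decoded before they are compared.
function decodeName(raw) {
  return raw.replace(/#([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

function triagePdf(bytes) {
  // latin1 maps every byte to one character, so binary data is not lost.
  const text = Buffer.from(bytes).toString('latin1');

  // 1. Count occurrences of the names above.
  const findings = {};
  for (const m of text.matchAll(/\/([^\s()<>\[\]{}\/%]+)/g)) {
    const name = decodeName(m[1]);
    if (Object.prototype.hasOwnProperty.call(ACTIVE_NAMES, name)) {
      findings[name] = (findings[name] || 0) + 1;
    }
  }

  // 2. Collect file names given as literal strings: /F (name) or /UF (name).
  const files = [];
  for (const m of text.matchAll(/\/(?:F|UF)\s*\(((?:\\.|[^\\)])*)\)/g)) {
    const name = m[1].replace(/\\([()\\])/g, '$1');
    if (!files.some((f) => f.name === name)) {
      files.push({ name, risky: RISKY_EXT.test(name) });
    }
  }

  // 3. Assumed verdict policy for this example.
  let verdict = 'pass';
  if (Object.keys(findings).length > 0) verdict = 'review';
  if (findings.Launch || files.some((f) => f.risky)) verdict = 'quarantine';
  return { findings, files, verdict };
}

// Constructed sample: a PDF fragment with one attachment and one script action.
const SAMPLE_PDF = [
  '%PDF-1.4',
  '1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> /OpenAction 5 0 R >> endobj',
  '3 0 obj << /Type /Filespec /F (report.vbs) /EF << /F 4 0 R >> >> endobj',
  '4 0 obj << /Type /EmbeddedFile /Length 16 >> stream',
  'REM placeholder',
  'endstream endobj',
  '5 0 obj << /S /Java#53cript /JS (var n = 1;) >> endobj',
].join('\n');

function triageSample() {
  return triagePdf(Buffer.from(SAMPLE_PDF, 'latin1'));
}
```

Because the scan also matches these byte sequences inside binary stream data, a `review` verdict is a prompt to parse the file properly, not proof of active content.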

    1. Re:Embedded files in the PDF by Delphis · · Score: 1

      Heh.. I thought you said:

      As far as I can tell, there's absolutely no vbs out there that should need a viewable, printable PDF, mother f*****.

      Any sort of scripting or executable code should be left out of PDFs. Why people let their companies be run by the damn marketdroids is beyond me. They should just keep PDF as a DOCUMENT format instead of trying to get 'clever' with it. Jeez Adobe, you'd think that was obviously a BAD idea with MS Word docs.

      The features of Adobe Acrobat should be confined to .. Adobe Acrobat! .. Why embed stuff in the PDF files? .. leave the program code in the program and the data in the file. Just to save a couple of clicks maybe? how sad.

      --
      Delphis
  52. Re:Sigh... by Anonymous Coward · · Score: 0

    ... if we had a space plane.

  53. Re:Not worried by Hank+Chinaski · · Score: 1

    the adobe one
    get it here

    --
    IAAL
  54. Actually, PDF was designed for viewing by kaszeta · · Score: 3, Informative
    Most people only have the viewer for obvious reasons so only a small number of people would be affected. Of course adding VBScript execution to the viewer would be just plain Stupid since PDF files are designed to be PRINTED and not viewed on screen...

    While you are correct in stating that adding VBscript and other such extensions to PDF is stupid, the PDF format was explicitly designed with the idea of users being able to view documents in addition to printing them.

    PDF was designed as a method for users to share documents without requiring them to all have the software that created the documents. They took a subset of the postscript language and modified it to improve portability (such as font handling), remove some of the printer-specific bits of Postscript, and add features that may be desirable for portable documents (like encryption, for-handling, etc). Yes, the ability to print it correctly was important, but so was on-screen viewing.

    That they did a piss-poor job of on-screen previewing (as anyone that uses bitmap fonts in TeX will attest to) in Acrobat notwithstanding, they designed it for both viewing and printing.

  55. Don't try to figure this out!!! by SpookComix · · Score: 2
    WARNING: If you try to figure this virus out, you will be charged with reverse-engineering and thrown in the pokey!

    I say, if this threat is real, let Adobe wallow in it until they rot: At least ten times as long as the innocent victims they try to fuck over.

    --SC

    --
    You read fiction? I write it! Lemme know what you th
  56. Postscript virus by wiredog · · Score: 2
    Has anyone ever heard of a Postscript virus?

    Actually, yes. About ten years ago there was a postscript virus that Did Things to printers. I forget how it worked (it was 10 years ago) and, IIRC, it wasn't very dangerous. Spread through .ps files that accompanied some shareware as I recall.

    1. Re:Postscript virus by mmontour · · Score: 4, Insightful

      About ten years ago there was a postscript virus that Did Things to printers

      There's some info about it here. Was apparently quite nasty on some hardware, as it changed a password that required an EPROM replacement to correct. This might have been more a "trojan" than a "virus", as I didn't find any references to it spreading itself (just that it could be a payload in clipart or other EPS files).

      http://catless.ncl.ac.uk/Risks/10.32.html#subj1
      ftp://ftp.minolta-qms.com/pub/cts/out_going/dos/postv.txt
      http://www.sevenlocks.com/password/pspass.txt

      I thought that there was also something a few years ago where viewing a postscript file could alter files on your local machine (buffer overflow in a particular viewer program, unsafe default security settings, or something). However I couldn't find any information, so I might be mis-remembering.

    2. Re:Postscript virus by oman_ · · Score: 1


      Yeah.. all sorts of crazy things are possible..
      I'm the postscript guru at work and I've done all sorts of crazy things when I was bored..

      Here's something that you should NOT send to a HP Postscript printer :)

      %!PS-Adobe-2.0 ExitServer
      %%BeginExitServer: 0 serverdict begin 0 exitserver
      %%EndExitServer

      serverdict begin () exitserver

      /show{/zzdx(fu)def dup(Fu)search{pop pop pop/zzdx(Fu)def}if dup
      (FU)search{pop pop pop/zzdx(FU)def}if
      dup zzdx search{pop pop dup length 2 ge{dup(c)0 get 0 exch put(k)
      0 get 1 exch put show}{pop show}ifelse}{pop show}ifelse} bind def

      --
      Rats would be more funny if they could fart.
    3. Re:Postscript virus by oman_ · · Score: 1

      Oh yeah.. here's the fix:

      %!PS-Adobe-2.0 ExitServer
      %%BeginExitServer: 0 serverdict begin 0 exitserver
      %%EndExitServer

      serverdict begin () exitserver
      /show systemdict /show get def

      --
      Rats would be more funny if they could fart.
  57. DMCA's bitch by The+Other+Nate · · Score: 0, Troll
    All y'all goin' to jail, now!
    Circumventing the PDF format by discussing its weaknesses.
    Say hi to Skylarov for me.

    --
    The Other Nate

  58. Impossible by alen · · Score: 1

    How can it be? A virus in pdf? Only Microsoft products support viruses. Everything else is secure. A virus written for a non-microsoft product. Yeah right. What will they think of next?

  59. More Fun News for Adobe and PDF by jjr · · Score: 1

    First their wonderful security (rot 13) has been "hacked". Now their format carries viruses, but I guess the effect will not be that bad since it only affects Acrobat, not Acrobat Reader. Maybe it is time for a new format; well, I guess we will see if someone cooks one up :). Have fun

  60. Re:Not worried by 11223 · · Score: 2

    Download KDE2.2 - the new printing system lets you print directly to a PDF from any KDE application. They also have a Print to Postscript and Mail PDF option. Otherwise, ps2pdf works wonders.

  61. PDF Virus Violated DMCA by Kengineer · · Score: 1

    NEWS FLASH::

    PDF Virus Violates DMCA! Heralded as an "encryption circumvention device for adobe technology!"

    Look Everyone! I made the requisite "DMCA Violation Joke" that appears in EVERY THREAD now, and gets modded to Funny 5 even though we've heard it 15,604 times before.

    .. kengineer

  62. Some thoughts... by rediguana · · Score: 2, Interesting

    If pdf's are supposed to be cross-platform and portable, then wtf are they putting executable code in them?

    Isn't the whole idea of using pdf's to avoid using word documents and the associated risks?

    And doesn't the article say "including everything from the VBScript programs--used in the LoveLetter virus--to an actual executable program"? Doesn't that mean that it's not a VBS issue, rather the design of Acrobat?

    Right, nothing for it but to let adobe know your thoughts. email adobe with product improvement suggestions! - like remove the ability to include executables. If Adobe don't do something about this, then they have lost their competitive advantage as a document format.

  63. Re:Only in Acrobat by Anonymous Coward · · Score: 0

    Well, someone has to create those PDF's...so at least them...

  64. Re:Adobe legal defense by White+Shade · · Score: 1

    so... what... security by obscurity? I think we ALL know how well THAT works.

    just hiding the source code from people won't stop anything. It might delay the inevitable, but it won't stop anybody from producing another one; it's been done once, it can, nay, WILL be done again.

    *Especially* because people will know that it's
    possible..

    --
    ìì!
  65. A virus that affects... by part!cle · · Score: 1

    adobe's pdf file format? I can say for all of the concerned citizens out there that i believe thatMUA HAH AHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH AHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH AHAHAHAHAHAHAHAHA

    --
    If voting could really change things, it would be illegal.
  66. I send you this pdf... by lavaforge · · Score: 5, Funny

    In order to have your advice.

    1. Re:I send you this pdf... by Anonymous Coward · · Score: 1, Redundant

      All your base are belong to us.

  67. Adobe legal defense by ant-1 · · Score: 1

    They're gonna yell out "You see what happens when people reverse-engineer our software?".

    And Sklyarov will have his 50th birthday in jail, and the DMCA will be thoroughly enforced.

    Who wrote this virus, by the way?

    1. Re:Adobe legal defense by tb3 · · Score: 4, Interesting
      Check the second link. The author is 'Zulu' and he says he's from Argentina. He gives us the full source code for the damn thing. He also specs out a number of other possible scenarios for viruses in PDF files. If McAfee, Symantec, et al were on the ball, they'd be checking sites like this, so they could nip these things in the bud. But then they'd never get their names on CNET and ZDNET every other day.

      Me? Cynical?

      --

      www.lucernesys.com Horizon: Calendar-based personal finance

    2. Re:Adobe legal defense by peccary · · Score: 2

      Worse... Adobe approached the virus-checking companies first, before releasing this technology. That's what tipped Zulu off that there might be something there to be exploited. So -- Symantec were way ahead of Zulu on this one.

    3. Re:Adobe legal defense by tb3 · · Score: 2
      No, I was thinking more of a pre-emptive strike; fixing the anti-virus software before the thing becomes widespread. Instead, they seem to be closing the barndoor after the horse has left.

      I've got no problem with them sharing the source code, hell, I think it's a good thing. I'm just surprised a virus writer would do it.

      --

      www.lucernesys.com Horizon: Calendar-based personal finance

    4. Re:Adobe legal defense by Anonymous Coward · · Score: 0

      Isn't Sklyarov out on bail?

  68. Oh Great by mESSDan · · Score: 1

    I can see the headline now: Code Peachy Virus Hits!

    --

    -- Dan
  69. Related CNet Story by Anonymous Coward · · Score: 4, Informative

    There's a CNet story on the same news piece here: http://news.cnet.com/news/0-1003-200-6808673.html?tag=mainstry

  70. From the support desk by alnapp · · Score: 3, Funny

    Dear users,
    Please ignore anything we may have said about 'Safe file attachments'. In fact, do not open any of your e-mails, ever again, and, to be safe, just stay in bed.
    Thanks

    1. Re:From the support desk by RWC09 · · Score: 3, Funny

      I guess we should all start using that VERY SAFE and UNBREAKABLE e-book now instead of this messy pdf format!

      --
      -->If Linux was written by Bill Gates & Co. - no one would want to switch !!
    2. Re:From the support desk by refactored · · Score: 1

      Sounds like they first need to say a big sorry to and then hire a certain russian programmer to secure their stuff....

  71. Bah by eAndroid · · Score: 2, Troll

    I know the PDF format decently well (I'm writing a PDF library) and I don't think that this is a threat. Besides embedded programs there isn't much that can get executed by the system. Has anyone ever heard of a Postscript virus? That would probably be needed to make a PDF virus.

    However if there is a PDF virus it'll probably just take advantage of a buffer overflow problem in the Windows version of Acrobat Reader. Use Linux (and use Python) and you should have no problem.

    --

    I can't spell or type, but that doesn't mean I'm unusually stupid.
    1. Re:Bah by Anonymous Coward · · Score: 0

      Postscript is a full programming language, it wouldn't surprise me if a virus could be written in it. But since postscript is mostly executed by printers, the effects of such a virus should be limited, maybe it would tie the printer up by going into an infinite loop, or waste a ream of paper or change the LCD readout to read "Hacked by Chinese" or something

  72. adobe strikes again by White+Shade · · Score: 3, Insightful

    Wow, adobe has struck the Slashdot headlines *again*, and with news that's just as bad, if not worse, than anything else so far...

    I noticed this:
    "But Adobe doesn't currently plan to prevent VBScript or other files from running."

    And the first thing that comes to mind is "gosh, what a totally stupid policy." All they have to do is NOT pass executable data to the script software...

    Who even needs a way to execute scripts OF ANY KIND in a .pdf file?! The whole point of a pdf is that it is supposed to give you exactly what you get on the paper page, in a platform-independent fashion.. Your printed manual can't execute attachments, can it?! All the joys of excessive featuritis..

    On another closely related hand, Isn't it great that we can get Outlook macroviruses without even opening the attachment in outlook? Just think of the thousands of stupid office workers who are going to start spreading macroviruses without even realizing it... Teaching them not to use attachments in OUTLOOK has been hard enough.. to cope with Acrobat as well?! Damn near impossible....

    *sigh*

    --
    ìì!
  73. Re:Do they WANT virii^H^Huses? by imadork · · Score: 2

    Does BASH check scripts to see if they are malicious? Do Perl scripts run in a sandbox? Nope, but if you're running scripts with the proper permissions and under the proper user in UNIX, it limits the amount of damage you can do. That's what I meant by the OS taking care of security. NT is better at this than Win9x, but not as good as most Unix distributions (assuming you don't run everything as root.)

  74. More like... by dave-fu · · Score: 1

    ...I can weld wings onto my car. Does it mean I'm now the proud owner of a flying car?
    Oh. You mean I should have engineered this sort of thing from the start rather than grafting it on as an afterthought? Get the funk out!

    --
    Easy does it!
  75. Re:Not worried by |guillaume| · · Score: 1
    Just for the information, what are all those nicer and cheaper ways to create pdf documents?

    Thanks,
    Guillaume

    --

    give me all your garmonbozia

  76. OK, all together now by Anonymous Coward · · Score: 0


    For the kids on the short school bus who didn't quite get it the first 5 or 6 times...


    Dmitry's software did NOT unencode PDFs. PDF formatting has NOT been broken. His software decoded the eBooks format INTO PDF format.

  77. About time Adobe was put in their place by Anonymous Coward · · Score: 0

    This is what they get for the underhanded way they managed to get Dmitry jailed. This is the beginning of the end for pdfs. An alternative needs to be found for replacing pdf files.

  78. Do you really think MSoft pays lots of tax? by juuri · · Score: 1

    MSoft is a big company with very smart accountants. Like most big companies they heist our country's tax system for a big ride every single year, so it is we the people who pay the bulk of the taxes even though we have less rights these days than do companies.

    Check this:
    http://www.fool.com/portfolios/rulemaker/2000/rulemaker000217.htm

    --
    --- I do not moderate.
    1. Re:Do you really think MSoft pays lots of tax? by Grishnakh · · Score: 1

      I don't think he was referring to payments to the IRS. Obviously, companies like MS don't pay a dime to them. Instead, they make large payments, er, "campaign contributions" and the like to our elected officials and other members of government and the judicial system in order to get their way. You and I might call that bribery, but to MS it's a "tax".

  79. Another Selling Point For Mac OS X/Linux by Anonymous Coward · · Score: 0

    There ain't no god damn VBScript available in the Operating System which this virus appears to take advantage of. I am so sick of Windows and swiss cheese security. Instead of tracking security holes in Windows, it might be time to start listing components that are actually secure -- save a lot of time and effort.

  80. Re:Not worried by generic-man · · Score: 1

    Are there any ways to make PDF files that don't look like total garbage? ps2pdf is nice in that it's free, but it uses bitmap fonts. Documents print just fine, but they're damn near unreadable on screen. Is there a way to use vector fonts in ps2pdf?

    --
    For more information, click here.
  81. Only in Acrobat by JerryKnight · · Score: 2, Insightful

    It doesn't affect the reader, just the high-dollar Acrobat, so how many people will this really affect?

    --

    Catapultam habeo. Nisi omnem pecuniam tuam mihi dabis, ad tuum caput saxum immane mittam.
    1. Re:Only in Acrobat by JerryKnight · · Score: 1

      personally, i use the printer method.

      ps printer->ps file->ghostscript(w/ghostview)

      A little roundabout, but free.

      --

      Catapultam habeo. Nisi omnem pecuniam tuam mihi dabis, ad tuum caput saxum immane mittam.
  82. Its only in the Source PDF's by barnaclebarnes · · Score: 1

    It seems like it is only in the files used to create PDF's (or only affects those that are using the PDF creator software) which really limits its scope.

    Most people only have the viewer for obvious reasons so only a small number of people would be affected. Of course adding VBScript execution to the viewer would be just plain Stupid since PDF files are designed to be PRINTED and not viewed on screen...

    /b

    --
    [Please type your sig here.]
  83. Oops ... by Genoaschild · · Score: 0

    Time to use Ghost Script.

    --
    Just because a bunch of people believe or do something stupid, doesn't make it any less stupid.
  84. 2 words: by joshwa · · Score: 2

    Electronic Workflow.

    Dynamic PDF stuff is *necessary* for those of us writing workflow applications in industries (e.g. financial services, insurance) where the complexity of forms requires lots of dynamic calculation and database interaction and the regulatory requirements all but make sure we cannot deviate from existing paper forms design. Plus, eventually we must produce documents for customers to sign, and to be archived, and to be audited, so PDF is the best choice.

    Yes, for many industries the JS/ODBC stuff is unnecessary (and, if you'll notice, this bug only affects those with full acrobat, not acrobat reader), but for others it's critical.

    1. Re:2 words: by Anonymous Coward · · Score: 0

      Not to flame, but really, PDF wasn't and isn't a good interactive 'document' format. It would be nice to have such a format (perhaps an extension of PDF), that would have support for input format definitions. Still, it shouldn't just run whatever scripts there are indiscriminately. Either have a decent set of rules (and associated messages) so that application ("viewer") can do validation, or have a severely restricted version of a scripting language, only capable of accessing carefully limited set of data.

    2. Re:2 words: by satch89450 · · Score: 2
      Dynamic PDF stuff is *necessary* for those of us writing workflow applications...

      Buzzzzzzzzzz! WRONG ANSWER.

      Before you reflexively hit the "reply" button, consider that I implemented just this sort of complex form application with lots of dynamic calculation and database interaction, and I don't get even CLOSE to PDF until it's time for the user to print the document...then my web site sends the PDF document (sans attachments, active scripting, whatever) to the Web browser for printing.

      Isn't Excel usually the choice for this sort of thing?

  85. Re:Do they WANT virii^H^Huses? by purplemonkeydan · · Score: 1
    But, since most users can't tell a good VBscript from a bad one, It's the job of the operating system (or failing that, the scripting languages' interpreter) to make sure scripts can't do anything malicious when accessed in normal mode. Since Windows and VBScript doesn't do this, I consider them broken.

    Does BASH check scripts to see if they are malicious? Do Perl scripts run in a sandbox?

  86. Re:Dissecting PDF to fix it is ILLEGAL! Ask Dimitr by Mr.+Slippery · · Score: 2
    How do you justify blaming M$ for a worm that exploits a vulnerability that was publicized and patched more than a month before said worm came into being?

    Let's say that the XYZ Automobile Corporation knowingly uses cheap, sub-standard components in their brakes. A bunch of people die. XYZ issues a recall. Before you manage to fit a trip to the XYZ dealer to handle the recall (the 12th since you bought the car) into your busy schedule, your brakes lock up and you die a horrible fiery death.

    Is XYZ Automobile Corporation responsible? Can your grieving survivors sue their corporate asses off? I should hope so. The determining factor is not the recall, it's that they knowingly used sub-standard components.

    M$ has some smart developers working for them. The fact that they continually turn out insecure crap is not due to ignorance or inability on their part; it's a conscious business decision to attempt to maximize their profits by fucking over the end user.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  87. Re:Why use Acrobat anyway? by Vic · · Score: 1

    Then we come to the windows users hmm... good question. If you print to file in windows, doesn't that become a postscript too? And there probably is a port of 'ps2pdf' for windows, and if not I doubt it would be too hard to do that, or maybe there is a similar software. Anyway, it CAN be done obviously...

    When you print to a file in Windows, it just creates a binary file that your printer can understand. Essentially the exact same stream of stuff that would be sent to your printer directly. This *can* be postscript, but only if your printer is postscript.

    Before I set up networking at home, my roommate would print to file using the Canon BJ200ex driver on his Win95 machine, copy that file to disk, and bring it to my computer. From my Linux box, I could do something like 'cp whatever.prn /dev/lp0' which would just send that raw file to the printer. It was definitely NOT postscript.

    If you want postscript in Windows, you can just use the generic postscript printer driver. I'm not sure if ps2pdf exists in Microsoftland, but it's probably out there....

    But now I have networking and Samba running....no more sneakernet. :-)

    Cheers,
    vic

  88. Re:Flaw in your argument by Shotgun · · Score: 2

    Of course, as with any act of government, such regulation has the potential to be more harmful than good, but it also has the potential to be more good than harmful

    Your words are prophetic.

    We here all know that Microsoft releases swiss cheese software. They put the blame on 'hackers' and the sheeple eat it up. But they now have the answer with their phone-home software. They will now start claiming that security holes all come from unofficial software.

    Look for M$ to start lobbying for all software to be government regulated. This will basically wipe out Open Source, shareware, and the small time coders, all in one fell swoop.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  89. Re:Not worried by skt · · Score: 1

    You can download it, but you have to either have Adobe Acrobat installed (not the reader) or have to prove ownership of Acrobat somehow. I can't really remember. As other people have pointed out, just printing to a ps file in windows and then running it through ps2pdf works very well for creating pdf files.

  90. Re:Not worried by wik · · Score: 1
    I just bought a copy of Acrobat in order to make PDFs with forms. I haven't seen any free software that has this capability yet. Does anyone know of anything that can do this?

    I get a fairly large number of forms from an unnamed government agency that likes to scan their forms as bitmaps and make them downloadable. Unfortunately, there are no text fields where information can be entered unless I doctor them with acrobat.

    --
    / \
    \ / ASCII ribbon campaign for peace
    x
    / \
  91. Your ad homonim foolishness aside by FreeUser · · Score: 2

    I won't go into a long discourse on the naivete of dissociating information from its impact on the physical world, except to rebut a couple of the more blatantly silly comments you made:

    The most a computer virus can do is cause loss of data or money.

    Tell that to the patients who died as a result of a "bug" in the software which was controlling the radiation therapy equipment used in the treatment of their cancer that erroneously delivered a lethal dose.

    Tell that to the aircraft pilots which had their passenger jet flip upside down due to a bug in their computerized autopilot (thankfully the plane was empty and they were able to recover ...barely).

    Computers, and information, have real-world effects which can and do affect, even destroy, real, physical lives, and viruses are as capable of destroying lives as "bugs."

    Something market forces are perfectly capable of dealing with and something which government should stay far away from.

    Ever heard of the SEC? FTC? Even the markets themselves, which you seem to so laud as a panacea, require rather detailed and ongoing government intervention in order to function at all.

    Other holes in this argument abound, including the fact that, in the United States at least, money is required to obtain even nominal medical care, not to mention food and other basics. Destroying one's livelihood is often tantamount to destroying lives ... there's that real world, physical impact again.

    The argument about the loss of fissionable nuclear material is a strawman.

    No, it isn't. It is a verifiable, and verified, event which resulted from extreme incompetence and negligence on Microsoft's part, exacerbated by their indefensible unwillingness to acknowledge, much less take responsibility for, their own product's shortcomings. Furthermore, it is a perfect example of how information and its destruction can, in fact, potentially endanger millions of lives, and why government regulation requiring certain minimum standards in quality control and security are not at all unreasonable.

    Indeed, you rebut your own point in the next sentence you write:

    "Every piece of software has bugs in it and depending on the purpose you use it for, those bugs can have harmful consequences."

    ... which is why we have safety regulations for everything from medical equipment to aircraft to automobiles to elevators, because those bugs can have harmful consequences, whether they are bugs in software, firmware, or hardware. And why minimum standards for software quality and security aren't so unreasonable after all.

    --
    The Future of Human Evolution: Autonomy
    1. Re:Your ad homonim foolishness aside by Anonymous Coward · · Score: 0

      Why don't you move to China where the government controls everything, commie?

  92. Can the Norton folks scan for it too? by cdn-programmer · · Score: 1
    [quote from the article]

    "Through an agreement with Adobe announced in June, McAfee's software is able to scan PDF files, Gullotto said. However, as with other virus types, the software isn't always able to catch new viruses until its definitions are updated."

    Does this mean Adobe can sic the FBI on the Norton programmers and send them off to the can?

  93. Re:Do they WANT virii? by HiThere · · Score: 2

    Considering that it's adobe, I hope they drown in them. But do remember that the pdf format is one that they are currently trying to replace.

    If they can convince enough people that pdf is too dangerous, then they may be able to switch them over to the ebook standard. Because that's safer.

    It is likely to be a long time before I trust adobe to do anything honorable. It's likely to be a long time before I trust them again for anything. I think a partial requirement would be a total change in upper management. And that wouldn't be sufficient. That's just necessary.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  94. Re:Not worried by Diomedes01 · · Score: 1

    I usually create my PDF files using pdflatex. With this, I can also generate dvi and PostScript files at the same time. If someone can't read one of those formats, then they're brain dead.

    --
    "To hope's end I rode and to heart's breaking: Now for wrath, now for ruin and a red nightfall!"
  95. What a coincidence... by melchior88 · · Score: 1

    Adobe arranges for the charging and jailing of an individual who exposed flaws in its ebook encryption. Shortly afterwards we discover that their principal product is now a potential security threat. What an astonishing coincidence....

    --
    Of all the things I've lost, I miss my mind the most - Ozzy Osbourne
  96. PDF explosion by billcopc · · Score: 1

    Rosenbaum said. "It's only been in the last 18 to 24 months that PDF...use has really exploded."

    Could this be somehow related to the fact that so many open-source free-beer PDF writers have cropped up ? Heck, anyone can throw together a PDF on demand with Perl or PHP plugins. Once again, the irony is that every non-Adobe alternative is immune to these virii. The masses have embraced PDF, and will now suck it from the creator :)

    --
    -Billco, Fnarg.com
  97. I wrote that! by Anonymous Coward · · Score: 0

    I wrote that!

    It was done in response to some fractal dragons done in forth in Byte magazine, about 10 years back. I also did a star trek script program (printed random sentences like "Spock: Most illogical", "Scotty: The engines canna take it cäptn" etc.), and I also did Koch's triangle in postscript.

    Not to mention the one I never ran (on my own printer, but happily published on bulletin boards:) that trashed the EEPROM by reading/writing endlessly ...

    sales_worldwide

  98. Not worried by JediTrainer · · Score: 4, Informative

    From the article: "The virus spreads only by way of Adobe's Acrobat software--the program used to create PDF documents--not through Acrobat Reader, the free program that is used to view the files"

    I don't own Acrobat, and I never will. I have other ways of creating PDFs which are cheaper. Most people don't have Acrobat. Most never will. This virus, thus, can't get far.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
    1. Re:Not worried by SCHecklerX · · Score: 2
      An easy way in any system that has ghostscript installed is to simply send your output to a file, and then run ps2pdf on that file.

      Of course, I believe everything will be stroked this way (instead of using PostScript's built in fonts and positioning), and the file could get kind of big, but it does work. I'm doing this with my resume at the moment.

    2. Re:Not worried by Rashkae · · Score: 2, Informative

      Ghostscript can create PDF files, and is available for Windows and Unix. I believe Word Perfect 2000 also had export to PDF abilities. (To create a pdf file with Ghostscript in Windows, you first need a PostScript file. You can create one by installing a PostScript printer driver and configuring it to print to disk.)

    3. Re:Not worried by tonyj · · Score: 2, Informative

      Ghostscript comes with a Postscript to PDF converter. So your only problem is to get Postscript documents. On a Windows PC, all you need to do is add a driver for any PostScript printer and then check the "Print to File" box. Rename the file to have a .ps extension since Windows will force .prn and then you're set.

      On UNIX or Linux, generating a .ps is generally easy and ps2pdf is included in the ghostscript distribution.

    4. Re:Not worried by Anonymous Coward · · Score: 0

      What is a good postscript printer driver under windows?

    5. Re:Not worried by abischof · · Score: 4, Interesting

      FreePDF purports to convert documents to PDF for free, via a faux-printer-driver (for Win32). I have yet to try it, but its setup does look kinda complicated.

      --

      Alex Bischoff
      HTML/CSS coder for hire

    6. Re:Not worried by SCHecklerX · · Score: 2

      So it does the same thing that ps2pdf does, but in a much more complex way?

    7. Re:Not worried by DrSkwid · · Score: 1

      I use reportlab for python

      http://www.reportlab.com/

      for creating reports of live data suitable for printing

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    8. Re:Not worried by Jucius+Maximus · · Score: 1
      "I don't own Acrobat, and I never will. I have other ways of creating PDFs which are cheaper. Most people don't have Acrobat. Most never will. This virus, thus, can't get far."

      Maybe Adobe invented this thing and is trying to crack down on pirated copies of Acrobat.

    9. Re:Not worried by Anonymous Coward · · Score: 0

      OSX

    10. Re:Not worried by Auckerman · · Score: 2
      "Just for the information, what are all those nicer and cheaper ways to create pdf documents?"

      Just go to Adobe's web site and download their print to PDF software. They used to have a MacOS version (which is what I use), but it seems to be gone. They do seem to still have a Windows version (PDF writer, iirc)

      --

      Burn Hollywood Burn
    11. Re:Not worried by Borogove · · Score: 1

      > the adobe one

      ...there's a hole in my bucket

      --
      There has been a major scientific break-in
  99. Re:Dissecting PDF to fix it is ILLEGAL! Ask Dimitr by Master+Bait · · Score: 1
    Because they are stupid enough to have a buffer overflow problem in the first place! And since just about every Microsoft 'fix' requires a reboot, 24/7 environments put off doing these 'fixes'.

    --
    "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
    --Tom Schulman
  100. First spotted in 1998 by Anonymous Coward · · Score: 0

    Well.. This possible design-flaw, allowing PDF-viruses (virii??) isn't actually news anymore. In fact, it ceased to be news in 1998; Gisle Hannemyr's homepage - last updated in February 1998

  101. Re:Why use Acrobat anyway? by savaget · · Score: 1
    If you want postscript in Windows, you can just use the generic postscript printer driver. I'm not sure if ps2pdf exists in Microsoftland, but it's probably out there....

    Under Ghostscript/Ghostview for Windows this can be done.

  102. Re:Do they WANT virii^H^Huses? by jiheison · · Score: 1

    One programmer's malicious script is potentially another programmer's utility.

    It makes no sense to dilute programming/scripting languages just because some people abuse their functionality. How about we water down all languages so that no one can write viruses ?

  103. credit where credit is due please by twitter · · Score: 2
    Acrobat lets people embed different file types within a PDF, including everything from the VBScript programs--used in the LoveLetter virus--to an actual executable program, Gullotto said.

    Peachy is named after a small game in a PDF file that involves finding peaches, Gullotto said. According to a person called Zulu, who said he wrote Peachy, showing the solution to the game runs a VBScript file.

    Yes, this is another VBS exploit, and java does not deserve your FUD. New features have their place, VB and VBS don't.

    --

    Friends don't help friends install M$ junk.

  104. All readers should run in jails by Animats · · Score: 2

    This is an OS problem. All "reader" and "player" programs invoked from browsers should run in jails. This should have been done years ago.

  105. Re:Do they WANT virii? by Anonymous Coward · · Score: 0
    They don't want virii. They might want "virus" or "viruses". Even I don't know the 'correct' plural, but I know from age old Slashdot wars that it definitely is not "virii".

    -- Latin Nazi

  106. Bugtraq advisories by p3d0 · · Score: 2

    Here is a link to the Bugtraq advisory for this, as well as a fairly insightful reply, both of which come from my own submission of this story which was rejected six hours before this one was accepted, not that I'm bitter.

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  107. Comment from Adobe by erichtn · · Score: 1
    Here's an unofficial comment I got from an Adobe rep, fwiw:

    This is exceptionally OLD "news"!

    Note that the ONLY way any attachment of this type requires you to respond OK to a dialog put up by Acrobat that warns you first that you are accessing an attachment. It cannot execute stealthily! Unlike self-executing VBScripts or other attachments in Outlook (as opposed to Eudora and similar email clients), PDF attachments don't self-execute! And to execute them, you must respond OK to the warning screen.

    Furthermore, McAfee is adding code to their virus checkers to look inside PDF files to ferret out such bombs as they would come into your system. Thus, the risk in reality is quite low.

  108. Slashdot should buy some integrity by Anonymous Coward · · Score: 0

    Why can't slashdot not call this what it is, a Microsoft Outlook/VB virus spread via a PDF.
    Is slashdot buying into the Microsoft "I didn't do it" line?

  109. Filesystem access threats using .ps and .pdf... by gd23ka · · Score: 1

    For a virus to infect a system and spread by propagating through files exchanged among users it must be able to access the filesystem.

    Adobe Postscript does have provisions for allowing a postscript program access to the filesystem: See section 3.8 of the Adobe Postscript Language Reference manual "File Input and Output".

    Of course it is up to the postscript interpreter to implement this functionality and even if implemented limit it to certain files and directories. This is not an issue if the postscript program is run (= printed) on a postscript printer.

    As opposed to PostScript, PDF is neither a programming language nor are there any functions to access the filesystem. However, one way to render a PDF file is by prepending PDF interpreting postscript code which in turn is executed by a postscript interpreter. If so, embedded Postscript XObjects containing postscript code per section 4.10 of the Adobe PDF Reference 2.0 are executed.
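
Added example, not part of any comment in this thread: a defender-side triage pass over a PDF's raw bytes that counts the name objects behind the features discussed above (file attachments, launch and open actions, scripts, PostScript XObjects), decoding `#xx` name escapes first. The sample documents and the category labels are constructed for illustration; names inside compressed object streams or encrypted files are not visible to this pass.

```python
import re
from collections import Counter

# Categories (labels are this example's own) -> PDF name objects to count.
CATEGORIES = {
    # /Filespec also covers references to external files, not only attachments.
    "attachment": ("EmbeddedFile", "EmbeddedFiles", "Filespec"),
    "launch_or_auto_action": ("Launch", "OpenAction", "AA"),
    "script": ("JavaScript", "JS"),
    "postscript_xobject": ("PS",),
}
WATCHED = {name for names in CATEGORIES.values() for name in names}

# A PDF name is "/" followed by regular characters: anything except
# whitespace and the delimiters ( ) < > [ ] { } / %.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so /Embedded#46ile compares equal to /EmbeddedFile."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf_names(data: bytes) -> Counter:
    """Count watched names anywhere in the raw bytes.

    This is triage, not parsing: text inside strings, comments or binary
    streams can produce false positives, which is acceptable for deciding
    what to inspect more closely.
    """
    hits = Counter()
    for match in NAME_RE.finditer(data):
        name = normalize_name(match.group(1))
        if name in WATCHED:
            hits[name] += 1
    return hits


def triage(data: bytes) -> dict:
    """Return per-category counts for a PDF given as bytes."""
    # Readers tolerate leading junk, so look for the header near the start.
    if b"%PDF-" not in data[:1024]:
        raise ValueError("not a PDF: no %PDF- header in the first 1024 bytes")
    hits = scan_pdf_names(data)
    return {
        category: sum(hits[name] for name in names)
        for category, names in CATEGORIES.items()
    }


# Constructed sample: a catalog with one attached file. One name is written
# with a #xx escape to show why normalization has to come before matching.
SAMPLE_WITH_ATTACHMENT = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 4 0 R >> >>
endobj
4 0 obj
<< /Names [ (notes.vbs) 5 0 R ] >>
endobj
5 0 obj
<< /Type /Filespec /F (notes.vbs) /EF << /F 6 0 R >> >>
endobj
6 0 obj
<< /Type /Embedded#46ile /Length 0 >>
stream

endstream
endobj
%%EOF
"""

# Constructed sample: nothing beyond a bare catalog.
SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("with attachment", SAMPLE_WITH_ATTACHMENT),
                       ("plain", SAMPLE_PLAIN)):
        print(label, triage(doc))
```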

  110. Already in 1998 by lynet · · Score: 1

    The Norwegian site Digi published an article today pointing to this interesting article about CAVEAT CLICKER: Adobe PDF and Trojan Horses - published by Gisle Hannemyr back in 1998...

    Sincerely, Rune

    --
    -- Recursion n.: See Recursion. -- Random Shack Data Processing Dictionary
  111. Karma by Sternn · · Score: 4, Funny

    Like no one saw this coming? I mean, if anyone deserves this, Adobe looks like a prime candidate. I mean, after all, trying to find out HOW a virus attacks from a PDF file and trying to STOP it could land you in prison for 5 years...

    --
    -Sternn
  112. What is surprising . . . by Badgerman · · Score: 1, Redundant

    Is that Adobe didn't find a way to blame Sklyarov or someone else and have them arrested - which seems much easier than addressing actual issues.

    --
    "The Sage treasures Unity and measures all things by it" - Lao Tzu
  113. Ever thought anti-virus people make viruses? by Milican · · Score: 2

    This quote from the article makes me think so

    "Right now it's considered to be a low risk because we haven't seen it reported to us from a customer," Network Associates' Gullotto said.

    OK, so how did you guys get it? Must have been internal then.. anyway, my conspiracy theory.

    JOhn

  114. It was obvious by Hugonz · · Score: 1

    Well, you know. PDF is derived from Postscript (TM) and PS is a programming language.

    Like any good book will tell you, if you are masochistic (spl?) enough, you could write a compiler or a shell in PS.

    Just my 2 cents here.

    Hugo

  115. Re:Dissecting PDF to fix it is ILLEGAL! Ask Dimitr by cyclist1200 · · Score: 2, Insightful

    How do you justify blaming M$ for a worm that exploits a vulnerability that was publicized and patched more than a month before said worm came into being? That's just putting the cart before the horse. I'm no fan of Gatesville, but I can't blindly denigrate them for something they fixed before the threat reared its ugly head.

  116. Inside the mind of government... by Big+Sean+O · · Score: 2, Insightful

    ...it's very dark.

    But seriously, here's my diatribe on government internet projects (from the trenches).

    The main reason that government on-line projects suck is because they want to deliver their services on-line and they don't have the in-house talent to make it so. (How many webmasters YOU think are in the building department of a medium-sized city? The answer is: ZERO)

    So, the well-intentioned civil servants hire computer consultants. Sometimes the consultants are teen-aged webmasters that work for peanuts and they positively rock! But sometimes governments hire consultants. Usually these projects have high ideals but are woefully underfunded. This means that the consultants, in order to come under budget, don't have time to effectively review the problem domain.

    Do we know where this is going? Yep:

    • Lack of requirements analysis
    • Scope creep
    • Consultant tries to make the client happy, but forgets about the real 'customer' (the end user).
    • Use of chrome to dazzle the unsophisticated client
    • Delivery of weak goods

    If the consultant is particularly unethical they will say (after the project is out of cash) that they're just working on a 'prototype' and that more money would be needed in order to deliver what was originally promised.

    In a climate like that, it's a miracle that any of these Government projects get completed. Sometimes the client falls for it... Repeat until sickened... diatribe off...

    --
    My father is a blogger.
  117. Re:Apply the same arguments to other areas of safe by donutello · · Score: 2

    Have you even begun to understand the difference between a human life and data? They are entirely different things - even if a geek who has never stepped out of mommy's basement can't tell the difference.

    The federal government should regulate areas where there is a potential for irrecoverable loss i.e. life or limb. Market forces don't play well there because nothing can compensate for those losses. Computer virii are a whole different beast. The most a computer virus can do is cause loss of data or money. Something market forces are perfectly capable of dealing with and something which government should stay far away from.

    And just because market forces don't seem to work in the direction YOU like it, doesn't mean they don't work at all.

    The argument about the loss of fissionable nuclear material is a strawman. Every piece of software has bugs in it and depending on the purpose you use it for, those bugs can have harmful consequences.

    --
    Mmmm.. Donuts
  118. ...and whoever cracked this virus is heading to ja by melquiades · · Score: 2

    If Adobe's past actions are any indication, whoever figured this thing out is in deep doo-doo. The coderz article says:

    The password for changing the security options of the PDF file is "OUTLOOK.PDFWorm"

    So somebody's cracked the PDF format, and is now distributing a method of circumventing copy protection on a popular document. This is, of course, a federal crime under the DMCA. I'd advise whichever security expert figured this password out to flee to the safety of Russia immediately.

  119. Re:Scaremongering alive and well; film at 11 by spookyfluke · · Score: 0

    Scary thing is that many will get bitten. Doesn't your company have a marketing department? :)

    --
    you.bases.each{|base|base.are_belong_to=us}
  120. Sigh... by Bob+McCown · · Score: 1
    It's clear that if Adobe modified future versions of Reader so that it could read attachments embedded in PDF files, the program could fall victim to Peachy's descendents.

    Yea, and if the moon is made of green cheese, we could fly up there and eat it...

  121. No biggie by zunix · · Score: 1
    Not only that reader users (i.e. everybody) cannot be harmed by this virus, even if you're using the full acrobat and you're not stupid, you'll probably not get it.

    Assume you have acrobat and you open an infected file with it, you'll get an alarm box that says something like "open attachment i_love_you.vbs?". If you hit "yes" then you probably deserve what you're getting. This is very similar to email worms, be careful and your chances of survival increase dramatically.

    Yeah? Well you shut up!

    1. Re:No biggie by Delphis · · Score: 1

      Judging by the intelligence of the average marketroid though, that's the sort of user to be making PDFs, then it'll become yet another headache for IT departments everywhere. Granted, you're a moron if you open unknown/unverified attachments but there's a hell of a lot of morons out there. :/

      --
      Delphis
  122. Dissecting PDF to fix it is ILLEGAL! Ask Dimitry! by Anonymous Coward · · Score: 0

    See folks, this is why reverse engineering needs more protection than being "not declared illegal", but needs to be affirmed specifically as "being legal". Closed source software with it being illegal to disassemble is setting up the world for debacles like the Code Red worm, which, IMO, Microsoft is partly responsible for financially. MS hides source so this worm can eat up 20% of all internet bandwidth nationwide. What do you think all that bandwidth collectively costs? MS should pay part of that bill.

  123. Virus or lame trojan? by melatonin · · Score: 1

    The problem is that anything can be attached to a PDF (executables, VBscript), and these things can be viewed using Acrobat. Does Acrobat run these things automatically, or what?

    Otherwise, it's no more of a virus than sending a VBscript to someone who uses Eudora.

    --
    Moderators should have to take a reading comprehension test.
  124. Acrobat at work by B0bRoy · · Score: 0

    I'm using Adobe Acrobat at work, but why bother? Virus at work helps me spend more time in reading the newspaper and Slashdot :)

  125. Read the story by Kondoor · · Score: 1

    This virus doesn't even affect Acrobat, it is only spreadable by using a non-adobe product to create pdf files, and only if you integrate apps in the pdf document. I don't think people should get all that worked up about this.

  126. Ben Affleck on virii by Anonymous Coward · · Score: 1, Funny

    I read a quote that actor Ben Affleck made while in rehab. He said "PDF virus's are long-standing, ill-fated, viruses of the plentitude variety. I imagine that if the algorythyms, polymorphisms, and general demogoguery used while inhaling were taken in flux, virii like this could be evacuated from a user's large bowel. Piece together the first and last from the hexoctogramaphic fortitude that is Adobe, and you will surely find a plethora of stigmas associated with programatically associating the first-born virii of two or more disreputable virii, and then you understand the concoction of a memorable stalemate of a tricktocolicker that we find ourselves in."

  127. re: pdf creation by jdog44 · · Score: 1

    Er.. most Adobe products will save to PDF format. They also have virtual printers available, so you can 'print to PDF' from most programs. (at least they have on my MAC for the last 6 years or so...) Try a google search for "PDF Printer"

    --
    viral games, contageous fun. http://www.DaddySculpin.com
  128. I worry by twitter · · Score: 2

    There are plenty of companies mired in MS legacy stuff that are using this as a way out of printer dependency. Imagine a real virus overwriting corporate document databases. Millions of man hours could be wasted in minutes, even with a good backup policy.

    --

    Friends don't help friends install M$ junk.

  129. Re:Apply the same arguments to other areas of safe by Anonymous Coward · · Score: 0
    The alternative seems to be more of the same, which is clearly not acceptable.

    Or, we could just let these proprietary businesses feature-creep themselves into oblivion through screw-up after screw-up, and go on our merry way in the open source world.

  130. Flaw in your argument by FreeUser · · Score: 3, Insightful

    So you're proposing more regulation as the answer? I see a serious flaw in this reasoning. Government regulation and laws are already in place to punish those who develop virus code.

    That is difficult to say (who can quantify how many potential virus writers are deterred by threat of jailtime? Greater than zero almost certainly. Greater than a hundred, a thousand, a million? We really don't know.) However, once again an example from the physical world makes the issue rather clear:

    "So you're proposing more regulation as the answer? I see a serious flaw in this reasoning. Government regulation and laws are already in place to punish those who commit acts of arson."

    Clearly fire codes were necessary to prevent disasters such as the Chicago fire (which wiped out the entire city in the 19th century and is believed to have been started not by an arsonist, but by simple accident). Laws which punish crimes are often not sufficient to protect the public from negligence on the part of product manufacturers, or even negligence on the part of consumers.

    Consider the Ford Pinto, which was prone to explode (violently) when rear-ended. Ramming a Ford Pinto from behind, even by accident, is illegal. Nevertheless that was insufficient to prevent accidents which resulted in numerous fiery explosions and needless deaths, nor was it sufficient to get Ford Motor Company to change a design they knew was flawed to begin with. Lawsuits and, yes, additional government regulation were necessary to bring public safety up to an acceptable level. The Free Market and outlawing actions which exacerbated the unsafe conditions which the manufacturer's negligence had left in place were very obviously not enough.

    So too does it appear to be with software. Some minimal level of security needs to be required. If the industry cannot police itself and the free market isn't up to the task of weeding out the negligent (and both certainly appear to be the case here), then government regulation for the common good is not at all unreasonable.

    Of course, as with any act of government, such regulation has the potential to be more harmful than good, but it also has the potential to be more good than harmful (as with, for example, building codes in most cities and FAA regulations). It is incumbent on us as software engineers and Free Software advocates to be out in force, involved in creating any such regulations, such that they are helpful to the industry (and the industry must, by definition, include Free Software) and not detrimental.

    I guarantee if we're not, someone else will step up to the plate. Indeed, with the FBI outages and attacks on the White House I'm surprised this process hasn't begun already.

    --
    The Future of Human Evolution: Autonomy
    1. Re:Flaw in your argument by david.johns · · Score: 1
      I just realized something that terrifies me.

      If I publish a utility that can be used to pirate materials in addition to distribute legal data, and it's popular (think Napster), it's not long before I'm shut down for 'contributory infringement' of copyright, eh?

      If I publish a utility that can be used to spread viruses in addition to distribute legal data, and it's popular (Outlook, for instance), it's a 'feature.'

      I hate our legal system.

  131. Re:Apply the same arguments to other areas of safe by Transwarp+Conduit · · Score: 1

    Actually, I'm not entirely convinced that the industry is incapable of policing itself... rather, I think the problem is that the industry has little incentive to do so, given that they've been able to sell their software - even "professional" packages like Acrobat, Premiere, Windows 2000 Server, etc. - under layers of liability disclaimers that most other industries could never get away with. Micro$oft, Adobe, et al. don't have to care whether or not their software has huge, gaping security flaws that can let any 12-year-old "3733T D00D" wreak havoc anytime he feels like it, because they're insulated from any liability even if they knew about the flaws months in advance and failed to correct them. With that in mind, I think you could go a long way towards fixing these problems simply by abolishing, as a matter of law, the software industry's ability to sell shrink-wrapped consumer products as though they were used cars. :)

  132. Who cares? Nothing new here. by juhaz · · Score: 1

    It's just a .vbs virus, nothing pdf-specific here, except social engineering, this thing could just as well ride on a compressed file to avoid catch by vbs filters, yet, do I see headlines on slashdot about viruses in zip, bzip2, tar, gzip, compress, arj, rar, ace, lha..... and whatever of the bazillion formats? No, even though they are actually far more dangerous - anyone has a program to open those files, while only a few people use Adobe Acrobat.

  133. You make an interesting point by FreeUser · · Score: 2

    Most established companies love to see regulation in their industries, particularly when the regulations only affect their competitors.

    This is an interesting, and valid, point. It would not be at all farfetched for Microsoft to be deliberately negligent in its security, then use a regulatory body and its own involvement in the regulatory process to undermine the ability of smaller upstarts to compete, perhaps even make it impossible for Free Software to become "licensed" at all.

    A frightening thought. I fear, however, that simply wishing the government would stay away won't suffice, so I suspect we'll want to be very involved in whatever process does emerge, and it is IMHO almost certain something will emerge from these debacles. It would behoove us to be proactive in making sure whatever form any involvement by our government takes is conducive to the creative freedom and technical progress which Free Software makes possible, lest we all be subjected to Microsoft's notion of "freedom to innovate," which in truth has little to do with freedom or innovation.

    --
    The Future of Human Evolution: Autonomy
  134. Re:Apply the same arguments to other areas of safe by Anm · · Score: 1

    Don't police the virii writers. Police the commercially developed software companies to implement good testing policies and react quickly when problems are found.

    And in my opinion, it is not the government that should be doing this, but insurance companies. If companies started purchasing insurance in computer and data safety, then it would be the role of the insurance company to evaluate systems, software, and maintenance routines, providing bottom-line discounts to more secure systems. This would make consumers more aware of their potential holes and choose better software. Thus, the market pressure should encourage companies to take responsibility for the security problems in their products in order to meet insurance standards.

    Not my original idea, but I don't have a source.

    Anm

  135. Re:Apply the same arguments to other areas of safe by King_TJ · · Score: 1

    So you're proposing more regulation as the answer? I see a serious flaw in this reasoning. Government regulation and laws are already in place to punish those who develop virus code. Do you see it helping stop the creation and spread of virii? Nope! Why? Several reasons... but first and foremost, the United States has no authority to police the entire world. Virus code is usually written someplace other than in the U.S. - and sneaks across the Internet, which doesn't have borders.

    U.S. government can't enforce regulations on anything that's not an established, legitimate industry anyway. Even if you got them to regulate security and quality standards for commercial software, it wouldn't have any meaning in the open-source, freeware, or shareware world.
    (Or are you proposing that they slap a cease and desist order on any teenager who decides he or she would like to write a firewall program in their spare time, to learn more about TCP/IP and sockets?)

  136. BLOODY LAMENESS FILTER WILL FEEL MY WRATH by Anonymous Coward · · Score: 0

    If you are doing this more or less regularly, you can ask [8]Stephan Kulow for direct access to the CVS. But be aware that more and more users will slow down the CVS access for all developers, so we want to keep the number of people with direct CVS access reasonably small. But feel free to ask!

  137. Idiots can't or won't read... by Ryan_Terry · · Score: 1

    Users with the full version of Acrobat will have to exercise caution when opening attachments to PDF files. However, opening attachments isn't automatic: A cautionary dialog box asks if the user wants to proceed.

    Haven't they learned yet that the idiots who spread these virii don't read warning messages? If they were paying attention they wouldn't be spreading these things around.

    We don't need anti-virus software, we need a cure for stupidity.

    --
    MessEdUp
    .sig
    #/var/www/v
  138. Did US Marshalls knock on Network Associates door? by bill_mcgonigle · · Score: 1

    Were they coming for Vincent Gullotto?

    There's an interesting bit in the c|net story:

    Through an agreement with Adobe announced in June, McAfee's software is able to scan PDF files, Gullotto said.

    I thought PDF was a nice, open standard. Why would anybody require an arrangement with Adobe to parse it? Was there some sort of DMCA threat? Did success here make them overconfident regarding Dmitri?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  139. Why use Acrobat anyway? by danEger · · Score: 2, Interesting

    When I want to make a PDF-document, I make it look like I want it to look like with any application, let's say Abiword, I print it to a file (postscript) and then I run a little nifty that comes with Slackware called 'ps2pdf'. There we go.

    Then we come to the windows users hmm... good question. If you print to file in windows, doesn't that become a postscript too? And there probably is a port of 'ps2pdf' for windows, and if not I doubt it would be too hard to do that, or maybe there is a similar software. Anyway, it CAN be done obviously...

    -Hans

  140. Just like MS (not a troll!) by SpookComix · · Score: 2
    But Adobe doesn't currently plan to prevent VBScript or other files from running.

    To prevent Peachy from being able to run, "the change we would have to make is not to allow VBScript attachments. That is a problem for a lot of our customers," she said. "If they change their opinion, we will do what they want."

    According to many ./ers, this is exactly Microsoft's opinion, and the very problem that has opened the door to the worst virii on the Internet: The company is writing software with features that their customers want--no matter if they pose security risks or not.

    Typical customers want their email client to open attachments for them. Typical customers want Acrobat to be able to process VBScript (according to Adobe). Unfortunately, typical customers don't want to be raped by script kiddies and haX0rz either--but they don't seem to be willing to sacrifice their features for it.

    Where is the balance?

    --SC

    --
    You read fiction? I write it! Lemme know what you th
  141. Re:Do they WANT virii? by jiheison · · Score: 1

    Seems to me that VBScript is working just fine. Since when is it a scripting language's job to enforce security? If PDF allows malicious script to run, it is PDF that is broken.

  142. wow! by twitter · · Score: 1

    those must have been some popular printers!

    --

    Friends don't help friends install M$ junk.

  143. Re:Apply the same arguments to other areas of safe by bXTr · · Score: 1

    I know it is a profoundly unpopular idea (and I'm not terribly thrilled with the notion myself), but perhaps it is time for some basic standards of quality and security to be imposed through some form of regulation. The alternative seems to be more of the same, which is clearly not acceptable.

    I would love to agree with you on this, but I probably would not have a job anymore if I did. If I took my responsibility as an IT professional seriously, I would tell my users, "No.", if I knew what they wanted would put the company in some jeopardy. Unfortunately the rules of being an IT professional are:

    1. The customer is always right.
    2. Otherwise, see rule #1.

    From the parent article: The company (Microsoft) is writing software with features that their customers want--no matter if they pose security risks or not.

    By that logic, the GCC people should be raked over the coals as well. They created a compiler suite that allows people to write software with buffer overflows and race conditions. :)

    --
    It's a very dark ride.
  144. Re:Do they WANT virii? by spektr · · Score: 1

    After all, if nobody writes viruses for, say, UNIX platforms, it must mean that they aren't as popular!

    So true! And that's also the reason masturbation is safe - all those virii spread per sex, because it's so much more popular!

    I'm convinced that software companies now WANT viruses to run on their software, because it "proves" the software is popular.

    Yea, imagine the proud geek who can say from himself that he managed to get syphilis...

  145. PDF Virus a *Proof of Concept*, not a real threat by Phoukka · · Score: 3, Interesting

    As many have already noted, the embedded VBScript will only run when triggered by someone double-clicking on the file annotation included in the PDF while using the full version of Acrobat. Thus, the virus is not particularly dangerous.

    The social engineering, however, is pretty amazing. The author has created a neat little PDF "game" that people will want to double-click. And, as he wrote in the text file linked above, he wrote it as a proof of concept. The worm doesn't do much except spread itself using Outlook. I think the scary part, the point the author wanted to make, is that you can embed all sorts of fun things in a PDF file. Some other virus writer could make a new version that does something nasty after it emails itself to every address it can find in your Outlook folders.

    Yes, the threat level is low, due to the required combination of software and social engineering. But just because the combination of software is rare doesn't mean that we should disregard the possibility.



    Now for a display of massive ignorance: I wonder what a PDF virus could do on a system whose GUI is based on PDF (Mac OS X)?
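
The file-annotation mechanism discussed in the comment above leaves visible markers in a PDF's object syntax, so a mail gateway or analyst can triage attachments before anyone opens them in full Acrobat. The scanner below is an added example, not part of the thread and not Adobe's or any vendor's code; the sample document, the attachment name `puzzle.vbs`, and the extension list are constructed for illustration.

```python
import re
from collections import Counter

# PDF name objects that mark attached or active content.
RISKY_NAMES = {
    "FileAttachment": "file attachment annotation (the clickable icon)",
    "Filespec": "file specification dictionary",
    "EmbeddedFile": "embedded file stream (the attached bytes)",
    "Launch": "action that launches an application or file",
    "JavaScript": "JavaScript action",
    "OpenAction": "action run when the document is opened",
}
# Extensions treated as script or executable attachments (assumed policy list).
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".wsf", ".bat", ".cmd", ".exe", ".scr")

# A name is "/" followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
# Inside a name, "#xx" is a hex-escaped byte; "/Embedded#46ile" is "/EmbeddedFile".
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# "/F (name)" or "/UF (name)" in a file specification; tolerates "\)" escapes.
FILENAME_RE = re.compile(rb"/U?F\s*\(((?:\\.|[^\\)])*)\)")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so an obfuscated name compares equal to the plain one."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_names(data: bytes) -> Counter:
    """Count occurrences of each risky name object in the raw file bytes."""
    hits = Counter()
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_NAMES:
            hits[name] += 1
    return hits


def attachment_names(data: bytes) -> list:
    """Return file names given as literal strings in file specifications."""
    names = []
    for match in FILENAME_RE.finditer(data):
        # Simplified unescape: drop the backslash, keep the escaped character.
        plain = re.sub(rb"\\(.)", rb"\1", match.group(1))
        names.append(plain.decode("latin-1"))
    return names


def triage(data: bytes) -> dict:
    """Summarise what a reviewer needs: markers found and attachment names."""
    names = scan_names(data)
    attachments = attachment_names(data)
    scripts = [n for n in attachments if n.lower().endswith(SCRIPT_EXTENSIONS)]
    return {
        "findings": {n: RISKY_NAMES[n] for n in names},
        "attachments": attachments,
        "script_attachments": scripts,
        "suspicious": bool(names),
    }


# Constructed sample: PDF object syntax for a file attachment annotation.
# The embedded stream holds inert placeholder text, and one name is hex-escaped
# to show why names must be decoded before matching.
SAMPLE_PDF = b"""%PDF-1.3
1 0 obj
<< /Type /Annot /Subtype /FileAttachment /Rect [10 10 30 30] /FS 2 0 R >>
endobj
2 0 obj
<< /Type /Filespec /F (puzzle.vbs) /EF << /F 3 0 R >> >>
endobj
3 0 obj
<< /Type /Embedded#46ile /Length 11 >>
stream
placeholder
endstream
endobj
"""

# Constructed sample with no attachments or actions.
CLEAN_PDF = b"%PDF-1.3\n1 0 obj\n<< /Type /Page /Annots [] >>\nendobj\n"

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        result = triage(doc)
        print(label, "suspicious:", result["suspicious"])
        for name, meaning in result["findings"].items():
            print("   /" + name, "-", meaning)
        for fname in result["script_attachments"]:
            print("   script attachment:", fname)
```

A byte-level scan like this only sees names stored in the clear; names inside compressed object streams require a real PDF parser to decompress them first.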

  146. News Flash by t_allardyce · · Score: 1

    NEWS FLASH

    It's been discovered that electronic mail, known as email, can contain an 'attached' file. "This file could contain anything, from a simple document to a dangerous virus." warned a computer expert. Software companies including Microsoft, are investigating. A spokesman said "The email can trick people with lower than average IQs to 'open' the attachment and run the file on their computers." In other news, the famous PDF format developed by software giant Adobe inc. has been found to contain a similar problem.

    THIS JUST IN - scientists at MIT have discovered a new and dangerous way that virii can spread: the world wide web! Yes, you thought it was safe, but an investigation has revealed that files containing virii can be 'downloaded' onto users' computers from websites and ftp-archives. "All it takes," said a professor working on the investigation "is a website to tell you that you should download a program, that file could contain anything!" However, skeptics claim that computer virii can also be circulated through the use of computer disks, CD-ROMs, and other computer media. They warn users of particularly dangerous virii such as the "Microsoft Windows XP Trojan", a virus that claims to be an operating system, but in actual fact takes control of the user's machine. Also a new virus known in the 'cyber' world as an "eBook", a scam that charges approximately a dollar to allow the user to download a book, which is subsequently deleted 10 hours later.

    However, one man Jim-Bob Jones, has come up with a revolutionary method to banish computer virii to the history books. "It's simple", he claimed "All you need to do, is round up all dumb people, and shoot them!" This may seem Draconian to some, but as people battle to control their PCs, it may seem to be the only option.

    -tfga

    --
    This comment does not represent the views or opinions of the user.
  147. NO SUCH WORD AS "VIRII" YOU FUCKED UP DICKWAD! by Anonymous Coward · · Score: 0
    It's "viri".

    cactUS -> cactI
    radiUS -> radiI
    nucleUS -> nucleI
    fungUS -> fungI
    locUS -> locI
    alumnUS -> alumnI
    stylUS -> stylI
    focUS -> focI

    virUS -> virI

    Any questions?

  148. Re:PDF Virus a *Proof of Concept*, not a real thre by rediguana · · Score: 1

    Yes, the threat level is low, due to the required combination of software and social engineering. ...

    And basic risk management factors probability and consequences. It only takes a nasty virus trashing a few users and the risk comes back up.

  149. Of course by garoush · · Score: 1

    Once something becomes popular and widely used, it can not be "immune to viruses".

    So the way I see it, PDF is now becoming the second most used document format after MS Word. Maybe, just maybe, it will crack a hole in MS Word.

    --

    Karma stuck at 50? Add 2-5 inches.. err.. 2-5x Karmas Count to your pen1es.. err.. Karma all naturally and private
  150. Re: Postscript by marcusatwork · · Score: 1

    Actually you probably could write a postscript virus that deleted/renamed files:

    Look at the ghostscript man page for the option '-dSAFER'

    "Disables the 'deletefile' and 'renamefile' operators and the ability to open files in any mode other than read-only. This may be desirable for spoolers or other sensitive environments where a badly written or malicious PostScript program must be prevented from changing important files."

    Which is why most tools that use ghostscript open PS files with the SAFER flag set.

  151. Re:Do they WANT virii^H^Huses? by imadork · · Score: 2
    Seems to me that VBScript is working just fine. Since when is it a scripting language's job to enforce security?
    Ultimately, it's the user's job to make sure his system doesn't get hosed. But, since most users can't tell a good VBscript from a bad one, it's the job of the operating system (or failing that, the scripting languages' interpreter) to make sure scripts can't do anything malicious when accessed in normal mode. Since Windows and VBScript don't do this, I consider them broken.

    If PDF allows malicious script to run, it is PDF that is broken.
    So Acrobat Reader should analyze VBScript and be able to tell us when an attachment is about to hose the system? In that case, why not build that functionality into Windows or VBScript? Then they wouldn't be broken.

  152. Re:Dissecting PDF to fix it is ILLEGAL! Ask Dimitr by Anonymous Coward · · Score: 0
    Is that kind of like having a web page "autoexecute" when you view it?

    If the outlook mail autoexecutes visual basic scripts or activex controls, then, fuck yeah, it is.

  153. Re:That's amazing. by DavidJA · · Score: 2, Interesting

    PDFs came with their own e-mail client

    In Acrobat 4 or 5 try File/Send Mail.

  154. That's amazing. by dave-fu · · Score: 4, Funny

    It sounds like you just described a web page to me.
    Also, it's high time that PDFs came with their own e-mail client so I don't have to go through the pesky details of saving and attaching and that horrible rigamarole. And a web browser so I can go fact-check or check m-w.com before I'm done.
    I demand these features in PDF. Just because no one needs them and other applications already do them doesn't mean they shouldn't put them in... right?

    --
    Easy does it!
    1. Re:That's amazing. by glitch! · · Score: 2, Funny

      Also, it's high time that PDFs came with their own e-mail client ...

      ... And a virus checker :-)

      --
      A dingo ate my sig...
  155. Not a problem (was PDF Virus Spotted) by Anonymous Coward · · Score: 0

    It's not a problem for me; I'm not going to be giving Adobe any money until the CEO has the text of the First Amendment tattooed on his forehead. This datum just makes my boycott less painful.

  156. Scaremongering alive and well; film at 11 by twoflower · · Score: 1

    This is scaremongering, pure and simple. It's not a virus -- it's a stupidity test.

    To get caught, you have to open a .PDF file that someone sends you, in Acrobat (not Acrobat Reader), and then open an attachment to the PDF -- for which Acrobat will first issue a warning.

    If you still manage to get bitten by this, you fail. Please leave the human race at this point.

    Twoflower

    --
    Twoflower
  157. Re:Dissecting PDF to fix it is ILLEGAL! Ask Dimitr by jesser · · Score: 1

    Do outlook users still have the option of having mail autoexecuted upon downloading? (the "preview feature") Still broken, IMO.

    Is that kind of like having a web page "autoexecute" when you view it?

    Fix the security hole, not the fact that you can view a message by left-clicking on it once.

    --
    The shareholder is always right.
  158. "Active" Documents, anyone? by TicTacTux · · Score: 1
    Geez - till now I thought that just 'peekin at them bytes' won't do me any harm. After all, [Acrobat|YourFavouriteViewer] opens the file, reads all the bits and bytes and according to that paints something meaningful on the screen. Don't need no stinkin' wiggling icons and animated Initials!
    I abhor the day when I open a book (MS Press, maybe?) and after twenty seconds of 'being idle' (i.e. not turning a page) a banner pops up and suggests I'd have a beer.

    We do not want active contents, we want meaningful information.

    --
    Use The Source, Luke!
  159. Re:Apply the same arguments to other areas of safe by seichert · · Score: 1
    Obviously, if the industry cannot police itself, and the free market doesn't yield acceptable results, government regulation is the only reasonable recourse (libertarian knee-jerk reactions aside). In the case of aircraft the FAA has stepped in, and while there are a lot of regulations, as a pilot I can say the vast majority of them are reasonable and do a great deal of good.

    Most established companies love to see regulation in their industries, particularly when the regulations only affect their competitors. Very few politicians care about your personal safety, your computer security, or anything of the like. Their only goal is to stay in power, they will use regulations as yet another political tool. Government imposed safety regulations result in more adults with a child's mindset.

    The fact of the matter is that your average Windows user does not care about security. They do not care to learn about security, they do not care to deal with security. They expect the IT department to deal with it, or Microsoft to deal with it. Most of these mail everybody the virus in the outlook address book are no big deal to most people. So what, they got a few extra e-mails. Even if the virus mails their quicken files to everybody, they probably still won't care. By asking for regulation you are trying to get the government to impose your preferences and values on everyone else. By inviting more regulation into the industry, you will eventually see regulations that you do not believe in (like say the DMCA). What will you do then?

    --

    Stuart Eichert

  160. Viruses or Virii, it's all the same by LatJoor · · Score: 2, Informative

    In terms of linguistics, which is concerned with actual usage rather than "proper" usage (it's descriptive rather than prescriptive), writing "virii" is just fine. Why? Because people do it. Oversimplification of linguistic rules from other languages when applying them to words from that language is a common linguistic phenomenon which can be seen, for example, in modern French as it relates to Latin. After all, if we don't speak Latin, how can we be expected to decline Latin nouns properly? In fact, classical Latin was never a household language, it was always a construct of grammaticians that came into being under the influence of Greek writing and had little to do with everyday usage. On the other hand, we should always feel perfectly free to anglicize foreign words, it's perfectly acceptable and often makes us better understood. My main point is that we shouldn't argue over such points of language in terms of who's right and who's wrong, because any word in common usage is inherently correct. That includes "ain't." (But I still like reading about the actual Latin declension of "virus.")

  161. Re:Dissecting PDF to fix it is ILLEGAL! Ask Dimitr by matrix29 · · Score: 1

    Yep. Too stupid Microsoft antics.

    All one needs to do is save an HTML address in a file, rename "MicrosoftIncompetencePopup.jpg .html" (or whatever you choose with "Name.JPG .HTML" tagged on). Outlook Express opens the file instantly thinking it's a viewable JPG, but also opens the file as a HTML web page (like clicking a www.link.com tag). God I hate Microsoft.

    --
    "Face it, a nation that maintains a 72% approval rating on George W. Bush is a nation with a very loose grip on reality.
  162. Re:PDF Virus a *Proof of Concept*, not a real thre by iankerickson · · Score: 1

    Yes, it's a proof of concept... for now.

    After being invoked, the worm already has the code to find arbitrary files and create new files. If the problem of invoking the virus sidesteps the social engineering -- tricking the viewer into clicking on a game -- then it could move on to the following:

    - scan all disks and shares for PDF files and insert the trojan and worm code into all of them.

    - save a DLL, Acrobat plugin, or postscript dictionary into Acrobat's directories, permanently modifying Acrobat's behavior. It could then infect every PDF viewed and saved from then on.

    - Trojan Acrobat Distiller, which is just a glorified PS/EPS -> PDF RIP. Like most RIPs, the PostScript VM gets its settings by interpreting ASCII PostScript code in some startup files. You might be able to "infect" Distiller to trojan all PDF files it's used to create.

    - Trojan Distiller watch folders. The *.options, prologue.ps, or epilogue.ps could be infected with the worm to create infected PDFs.

    Of course most people don't have the full Acrobat, let alone Distiller, unless they traffic in warez or do graphics work out of their house. But DTP/Publishing houses are different. Almost every Mac on this floor has the full version of Acrobat AND Distiller AND Microsoft Outlook. And if you have Office installed, guess what? Your Mac has VB on it. It's just a matter of crafting the script to not depend on Windows file paths. Then there's the shops that use Windows NT for their DTP/Pre-Press workstations...

    We get many, many PDF files from AP and ad designers from outside the company. If this worm improved its triggerability, it might get as bad as Word macro viruses. That's all that's holding it back.

    >>Now for a display of massive ignorance:
    >>I wonder what a PDF virus could do on a
    >>system whose GUI is based on PDF (Mac OS X)?

    I don't know. On Display PostScript GUIs, the widgets themselves are literally snippets of PostScript code. The difference between PostScript and PDF code is that PDF code _is_ PostScript, but it must be completely inline. No loops, conditionals, procedure calls, or recursion. So the ability of PDF itself to do this is limited.

    However, if DPDF on MacOS X supports embedding foreign files in the PDF code, then the answer is "It's hunting season! And we're hunting Macintoshes!" faster than you can say Elmer FUD. Any widget on the GUI might be able to contain either the worm or a link to the worm, depending on what you had to do to invoke it. This PoC worm needs you to click on it. So you might be able to trojan a DPDF widget to execute the worm on a mouseclick. An improved worm might execute by just being viewed, like JavaScript code in a webpage or email.

    But Apple has to license DPDF from Adobe for real money per copy sold, so in a negotiation to keep the cost down and license a less featureful version, the answer is probably no, or at least, not yet.

    --
    Democracy. Whiskey. Sexy. Pick any two.
  163. Virus Risk LOW by Anonymous Coward · · Score: 0

    "also, because file annotations are only available in the full version of Acrobat, this worm will not run in Acrobat Reader."

    sure thing, billions of people actually have Acrobat Reader, but how many people actually have Acrobat full ? not many (in comparison) I would guess.. So I'd say, whilst it's a nice anarchistic dream, the actual threat of this virus is quite low.

  164. embedded into a .txt file? by ElderKorean · · Score: 1

    That's a new one on me.
    How do you embed something into a .txt file?

    The other formats allow embedding and linking to files, but not the humble old .txt file.

    Unless there's a new .txt file out there!!!

    Ian.

  165. Do they WANT virii? by imadork · · Score: 5, Insightful
    In the ZDNET Article, it has this statement:

    Adobe said any popular software becomes a target for security attacks and Acrobat has crossed that threshold.

    I'm convinced that software companies now WANT viruses to run on their software, because it "proves" the software is popular. If I were Adobe, I would distance myself from the virus by saying "PDF's can now carry VBScript viruses, but VBScript is still broken with respect to security, so blame Microsoft for any viruses!" After all, the problem is with the fact that VBScript can't be trusted, not with any inherent security problem in Acrobat.

    Instead, Adobe seems to WANT to associate their software with the viruses, because Microsoft has conditioned the media into thinking that having a virus have its way with your software proves that you're the Market Share Leader.

    After all, if nobody writes viruses for, say, UNIX platforms, it must mean that they aren't as popular!

    1. Re:Do they WANT virii? by Eryq · · Score: 2, Insightful

      The fault lies somewhere between the two, but a little closer to VBScript:

      The VBScript engine being used by the PDF interpreter should provide a sandbox in which untrusted scripts (e.g., scripts embedded in PDF email attachments) can be run.

      Having a script interpreter (or a virtual machine) support different access permissions for different classes of apps (signed and trusted, unsigned, etc.) is exactly akin to having an operating system support different access permissions for different users.

      This is how (and why) Java's security manager works for things like applets.

      --
      I'm a bloodsucking fiend! Look at my outfit!
    2. Re:Do they WANT virii? by Anonymous Coward · · Score: 0

      you're an inane fuck. go buy a brain

  166. Has Slashdot declared war on Adobe ? by q-soe · · Score: 2

    This may seem trivial but I am wondering if /. has declared war on Adobe as well as MS?

    This article is not new and PDF files are vulnerable if you launch an embedded attachment, but then again so are MS Word, etc etc.

    All this shows is that if you go looking for something bad then you are going to find it if you look hard enough, and I think the Sklyarov case means everyone would like to 'get' Adobe.

    (I'm not commenting on the merits of the case - but I will say that I think both parties are at fault, Sklyarov for cracking a proprietary format and Adobe for overreacting in a big way - the thing is the PDF format IS proprietary - you need Adobe software to make it and view it, therefore they have the right to protect their copyright, but I think the way they and the US gov went about it is heavy handed and stupid - this guy is not some desperate hacker)

    But the thing is the media's coverage of non threats like this, minor threats to the home user like Code Red and things like Good Times, Michelangelo, hackers defacing web pages etc etc and blowing these said events up to be the end of the world as we know it builds hysteria in the general populace who then call for the govt to crack down on these 'terrorists' - thus they carry out heavy handed actions.

    If we all don't watch out we are in for another McCarthy like era but instead of reds under beds we will have hackers under the table!!

    --
    I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
  167. Re:Buffer Overflows, Kernel Patches, & Fucking Tro by satch89450 · · Score: 2

    BTW, does your favorite OS distribute fixes that can patch the currently executing kernel in memory without taking the system down, in the event of a kernel bug?

    Oh, you shouldn't hoist yourself that far above the rim of the foxhole, you're such a tempting target...

    By the way, the answer to your question is that there are several operating systems that let you fix problems without bringing the whole machine to its knees. My very first OS, IBM System/360 MVT, let you change all sorts of stuff "on the fly," including supervisor call modules -- all you needed to do was down the services affecting the change. Most of the reboots were due to running critical utilities that required that OS MVT be shut down completely to perform regular maintenance, such as -- wait for it -- disk pack defragmentation.

    There were a number of embedded systems in which the majority of the services were disk-resident, being loaded and run on request or on demand, depending on the complexity of the system. Even device drivers (except the hard disk and the console) were loadable modules.

    Which leads to the answer that most of you were expecting, but were wondering when I would get to it. Linux has moved to loadable modules for many, many kernel functions, and I expect that the trend will continue rather than abate. The original move to kernel modules was to relieve the strain of building very, very large monolithic kernels for workstation and server environments. The current trend is to let package distributors include everything under the sun, and let the user (or the system, when it is smart enough) load the right module on demand.

    I look forward to the day when the only thing that is part of the base kernel is...the console and the disk driver.

  168. Dmytri's Revenge? by Anonymous Coward · · Score: 0

    Let's have a LOT more of these.....