Slashdot Mirror


PDF Virus Spotted

Jethro73 writes: "Adobe's popular PDF file format [...] has generally been considered immune to viruses. But a new virus carried by programs embedded in PDF files raises concerns that the format itself could become susceptible. Read about it here and at coderz.net."

14 of 244 comments

  1. Buffer Overflows, Kernel Patches, & Fucking Trolls by szomb · · Score: 2, Insightful

    Jeez, what kind of fucking moron are you?

    Can you name an OS that has /never/ had a widely known remotely exploitable total-compromise vulnerability? It ain't Linux, *BSD, Solaris, or any other Unix.

    BTW, does your favorite OS distribute fixes that can patch the currently executing kernel in memory without taking the system down, in the event of a kernel bug?

    The problem, for the billionth time, is not Microsoft (at least not this time). The problem is the clueless fucks who are trying to admin these servers. "24/7 environments"? You're a moron. Any environment that wants to be 24/7 damn well better have high availability and redundant machines that can cover when one goes down. You can put off a patch+reboot but can you put off a disk crash? What about someone using the hole you put off patching to compromise the machine and eat your data?

    There ought to be a strain of Code Red that just fucking kills the admin who left the machine vulnerable to it, or at least puts in a pink slip for him.

    --
    Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  2. Re:PDF Virus a *Proof of Concept*, not a real thre by Bonker · · Score: 3, Insightful

    Well, the Code Red exploit was once a proof of concept. I still have the original post from the NTBugtraq list outlining the vulnerability...

    I think we're going to come to the point where *any* embeddable-type document is going to be prone to infestation. We're almost there. We just need to add .swf, .psd, and the complex audio formats coming out. Play a Music Stream from Real and get a virus!

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  3. A PDF virus? by Mr_Silver · · Score: 3, Insightful
    Unless I've read this totally wrongly, it's not really a PDF virus - more a VB(S) virus embedded in a PDF file.

    If that is the case, then practically any program that can embed other files is suddenly going to be flagged as having a virus, when in reality, it's just the same old software (VB and VBS) causing the same old problems (reading outlook email addresses and so forth) ...

    Or am I missing something?

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
  4. Apply the same arguments to other areas of safety by FreeUser · · Score: 5, Insightful
    Typical customers want their email client to open attachments for them. Typical customers want Acrobat to be able to process VBScript (according to Adobe). Unfortunately, typical customers don't want to be raped by script kiddies and haX0rz either--but they don't seem to be willing to sacrifice their features for it.

    Where is the balance?


    This is a remarkably easy question to answer if you substitute another area of safety people, even clueless Microsoft users, can understand.

    Allow me to paraphrase:


    "Typical customers want to be able to board the plane without delay. Typical customers want to be able to take as much baggage as they like, up to and including the Steinway. Unfortunately, typical customers don't want to die horribly in a plane crash -- but they don't seem to be willing to sacrifice their features for it.

    Where is the balance?"


    Obviously, if the industry cannot police itself, and the free market doesn't yield acceptable results, government regulation is the only reasonable recourse (libertarian knee-jerk reactions aside). In the case of aircraft the FAA has stepped in, and while there are a lot of regulations, as a pilot I can say the vast majority of them are reasonable and do a great deal of good.

    Think the aircraft example is too dramatic? Then substitute something else, such as an automobile, a building, or even a child's toy. All of these things have features people would want if they could have them but are incompatible with safety (think seat-belts, fire codes, children choking, etc.). In each case the manufacturers were incapable of properly policing themselves and government ended up having to step in (safety codes, building codes, mandatory testing procedures, etc.).

    Microsoft has demonstrated its incompetence to such an extreme that fissionable nuclear materials may well have been misplaced as a direct and demonstrable result of poor quality control in their software. They make no apology for this, blaming instead the victims of their own incompetence (their customers) and claiming it is what their customers want (I would beg to differ). Clearly the industry is not policing itself properly, nor, based on the market share Microsoft currently enjoys, is the free market yielding acceptable results. Similar arguments apply to Adobe, its fraudulently incompetent copy protection for eBooks and its virus-facilitating PDF file format.

    I know it is a profoundly unpopular idea (and I'm not terribly thrilled with the notion myself), but perhaps it is time for some basic standards of quality and security to be imposed through some form of regulation. The alternative seems to be more of the same, which is clearly not acceptable.
    --
    The Future of Human Evolution: Autonomy
  5. adobe strikes again by White+Shade · · Score: 3, Insightful

    Wow, adobe has struck the Slashdot headlines *again*, and with news that's just as bad, if not worse, than anything else so far...

    I noticed this:
    "But Adobe doesn't currently plan to prevent VBScript or other files from running."

    And the first thing that comes to mind is "gosh, what a totally stupid policy." All they have to do is NOT pass executable data to the script software...

    Who even needs a way to execute scripts OF ANY KIND in a .pdf file?! The whole point of a pdf is that it is supposed to give you exactly what you get on the paper page, in a platform-independent fashion.. Your printed manual can't execute attachments, can it?! All the joys of excessive featuritis..

    On another closely related hand, isn't it great that we can get Outlook macroviruses without even opening the attachment in outlook? Just think of the thousands of stupid office workers who are going to start spreading macroviruses without even realizing it... Teaching them not to use attachments in OUTLOOK has been hard enough.. to cope with Acrobat as well?! Damn near impossible....

    *sigh*

  6. Re:Postscript virus by mmontour · · Score: 4, Insightful

    About ten years ago there was a postscript virus that Did Things to printers

    There's some info about it here. Was apparently quite nasty on some hardware, as it changed a password that required an EPROM replacement to correct. This might have been more a "trojan" than a "virus", as I didn't find any references to it spreading itself (just that it could be a payload in clipart or other EPS files).

    http://catless.ncl.ac.uk/Risks/10.32.html#subj1
    ftp://ftp.minolta-qms.com/pub/cts/out_going/dos/postv.txt
    http://www.sevenlocks.com/password/pspass.txt

    I thought that there was also something a few years ago where viewing a postscript file could alter files on your local machine (buffer overflow in a particular viewer program, unsafe default security settings, or something). However I couldn't find any information, so I might be mis-remembering.

  7. Re:And you can thank... by LetterJ · · Score: 5, Insightful

    Why Javascript in PDF? Ever pay taxes? Javascript in PDF works well for forms that have to be printed and mailed, but they'd prefer typed entries to handwritten. It lets you do those inane calculations on the boxes on the US 1040 form and carry data to other fields. It lets you only enter the necessary data and eliminates mistakes based on simple math. Also useful for forms that want things like your name on the top of pages 2-99. Fill in your name on page 1 and it carries through. Want to have an online version of your form and want no legal problems by having two versions of the same form? Put the PDF of the print form on with Javascript validation. Just because you don't have a need for a feature in PDF doesn't mean that it wasn't necessary or isn't useful to someone.

  8. Only in Acrobat by JerryKnight · · Score: 2, Insightful

    It doesn't affect the reader, just the high-dollar Acrobat, so how many people will this really affect?

    --

    Catapultam habeo. Nisi omnem pecuniam tuam mihi dabis, ad tuum caput saxum immane mittam.
  9. Re:Dissecting PDF to fix it is ILLEGAL! Ask Dimitr by cyclist1200 · · Score: 2, Insightful

    How do you justify blaming M$ for a worm that exploits a vulnerability that was publicized and patched more than a month before said worm came into being? That's just putting the cart before the horse. I'm no fan of Gatesville, but I can't blindly denigrate them for something they fixed before the threat reared its ugly head.

  10. Inside the mind of government... by Big+Sean+O · · Score: 2, Insightful

    ...it's very dark.

    But seriously, here's my diatribe on government internet projects (from the trenches).

    The main reason that government on-line projects suck is because they want to deliver their services on-line and they don't have the in-house talent to make it so. (How many webmasters do YOU think are in the building department of a medium-sized city? The answer is: ZERO)

    So, the well-intentioned civil servants hire computer consultants. Sometimes the consultants are teen-aged webmasters that work for peanuts and they positively rock! But sometimes governments hire consultants. Usually these projects have high ideals but are woefully underfunded. This means that the consultants, in order to come under budget, don't have time to effectively review the problem domain.

    Do we know where this is going? Yep:

    • Lack of requirements analysis
    • Scope creep
    • Consultant tries to make the client happy, but forgets about the real 'customer' (the end user).
    • Use of chrome to dazzle the unsophisticated client
    • Delivery of weak goods

    If the consultant is particularly unethical they will say (after the project is out of cash) that they're just working on a 'prototype' and that more money would be needed in order to deliver what was originally promised.

    In a climate like that, it's a miracle that any of these Government projects get completed. Sometimes the client falls for it... Repeat until sickened... diatribe off...

    --
    My father is a blogger.
  11. Flaw in your argument by FreeUser · · Score: 3, Insightful

    So you're proposing more regulation as the answer? I see a serious flaw in this reasoning. Government regulation and laws are already in place to punish those who develop virus code.

    That is difficult to say (who can quantify how many potential virus writers are deterred by threat of jailtime? Greater than zero almost certainly. Greater than a hundred, a thousand, a million? We really don't know.) However, once again an example from the physical world makes the issue rather clear:

    "So you're proposing more regulation as the answer? I see a serious flaw in this reasoning. Government regulation and laws are already in place to punish those who commit acts of arson."

    Clearly fire codes were necessary to prevent disasters such as the Chicago fire (which wiped out the entire city in the 19th century and is believed to have been started not by an arsonist, but by simple accident). Laws which punish crimes are often not sufficient to protect the public from negligence on the part of product manufacturers, or even negligence on the part of consumers.

    Consider the Ford Pinto, which was prone to explode (violently) when rear-ended. Ramming a Ford Pinto from behind, even by accident, is illegal. Nevertheless that was insufficient to prevent accidents which resulted in numerous fiery explosions and needless deaths, nor was it sufficient to get Ford Motor Company to change a design they knew was flawed to begin with. Lawsuits and, yes, additional government regulation were necessary to bring public safety up to an acceptable level. The Free Market and outlawing actions which exacerbated the unsafe conditions which the manufacturer's negligence had left in place were very obviously not enough.

    So too does it appear to be with software. Some minimal level of security needs to be required. If the industry cannot police itself and the free market isn't up to the task of weeding out the negligent (and both certainly appear to be the case here), then government regulation for the common good is not at all unreasonable.

    Of course, as with any act of government, such regulation has the potential to be more harmful than good, but it also has the potential to be more good than harmful (as with, for example, building codes in most cities and FAA regulations). It is incumbent on us as software engineers and Free Software advocates to be out in force, involved in creating any such regulations, such that they are helpful to the industry (and the industry must, by definition, include Free Software) and not detrimental.

    I guarantee if we're not, someone else will step up to the plate. Indeed, with the FBI outages and attacks on the White House I'm surprised this process hasn't begun already.

    --
    The Future of Human Evolution: Autonomy
  12. Re:And you can thank... by Anonymous Coward · · Score: 2, Insightful
    Validation could be done by using passive methods, although the format would need to have support for that. However... PDF was not designed to be an interactive application. Why SHOULD people be able to "fill in" a PDF-document? The idea was to have a print oriented document format, so print the damn thing out, fill it in and send.

    Really, leaving back doors (ability to run scripts) to allow doing things creators didn't know/have time to implement is a very very VERY bad idea.

    Alternatively, if you really think it isn't all that bad an idea (which, by the by, is a bad idea in itself), then at least make the scripts run in a sandbox a la Java's applet sandbox. Let them be able to modify document structure, but not modify local file systems (for example).

    (posting as an AC since writing from a public terminal)

  13. Do they WANT virii? by imadork · · Score: 5, Insightful
    In the ZDNET Article, it has this statement:

    Adobe said any popular software becomes a target for security attacks and Acrobat has crossed that threshold.

    I'm convinced that software companies now WANT viruses to run on their software, because it "proves" the software is popular. If I were Adobe, I would distance myself from the virus by saying "PDF's can now carry VBScript viruses, but VBScript is still broken with respect to security, so blame Microsoft for any viruses!" After all, the problem is with the fact that VBScript can't be trusted, not with any inherent security problem in Acrobat.

    Instead, Adobe seems to WANT to associate their software with the viruses, because Microsoft has conditioned the media into thinking that having a virus have its way with your software proves that you're the Market Share Leader.

    After all, if nobody writes viruses for, say, UNIX platforms, it must mean that they aren't as popular!

    1. Re:Do they WANT virii? by Eryq · · Score: 2, Insightful

      The fault lies somewhere between the two, but a little closer to VBScript:

      The VBScript engine being used by the PDF interpreter should provide a sandbox in which untrusted scripts (e.g., scripts embedded in PDF email attachments) can be run.

      Having a script interpreter (or a virtual machine) support different access permissions for different classes of apps (signed and trusted, unsigned, etc.) is exactly akin to having an operating system support different access permissions for different users.

      This is how (and why) Java's security manager works for things like applets.

      --
      I'm a bloodsucking fiend! Look at my outfit!
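
The permission model raised in comments 12 and 13.1 (scripts may change the document but not the local file system, with rights depending on the script's trust class), sketched as an added example that is not part of the original thread or any Adobe or Microsoft code. `POLICY`, `makeHost`, `runScript` and the operation names are hypothetical, file access is simulated, and the sketch shows only the access-check layer: in-process function calls are not an isolation boundary by themselves.

```javascript
'use strict';
// Added illustration; POLICY, makeHost, runScript and the operation names are hypothetical.

// Which host operations each trust class of script may invoke.
const POLICY = {
  signed:   new Set(['doc.getField', 'doc.setField', 'fs.write']),
  unsigned: new Set(['doc.getField', 'doc.setField']),
};

class PermissionError extends Error {}

// Build the only object a script receives; every operation goes through check().
function makeHost(trustClass, doc, audit) {
  const allowed = POLICY[trustClass] || new Set(); // unknown class: deny everything
  const check = (op) => {
    const verdict = allowed.has(op) ? 'allow' : 'deny';
    audit.push({ trustClass, op, verdict });
    if (verdict === 'deny') throw new PermissionError(`${op} denied for ${trustClass} script`);
  };
  return Object.freeze({
    getField(name) { check('doc.getField'); return doc.fields[name]; },
    setField(name, value) { check('doc.setField'); doc.fields[name] = value; },
    // Simulated: records the request instead of touching the real file system.
    writeFile(path, data) { check('fs.write'); doc.written.push({ path, data }); },
  });
}

// Run one script under a trust class; return the outcome plus the audit trail.
function runScript(script, trustClass, doc) {
  const audit = [];
  try {
    script(makeHost(trustClass, doc, audit));
    return { ok: true, audit };
  } catch (err) {
    if (!(err instanceof PermissionError)) throw err;
    return { ok: false, error: err.message, audit };
  }
}

// Constructed sample script: carries a form field forward, then asks for file access.
function formScript(host) {
  host.setField('page2.name', host.getField('page1.name'));
  host.writeFile('export.txt', host.getField('page2.name'));
}

function newDoc() { return { fields: { 'page1.name': 'A. Tester' }, written: [] }; }

const unsignedDoc = newDoc();
const result = runScript(formScript, 'unsigned', unsignedDoc);
console.log(result.ok, result.error, unsignedDoc.written.length);
```

The unsigned run still completes the field carry-through before the file request is refused, and the audit trail records each decision in order.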