Slashdot Mirror
PDF Virus Spotted
Jethro73 writes: "Adobe's popular PDF file format [...] has generally been considered immune to viruses. But a new virus carried by programs embedded in PDF files raises concerns that the format itself could become susceptible. Read about it here and at coderz.net."
Jeez, what kind of fucking moron are you?
/never/ had a widely known remotely exploitable total-compromise vulnerability? It ain't Linux, *BSD, Solaris, or any other Unix.
Can you name an OS that has
BTW, does your favorite OS distribute fixes that can patch the currently executing kernel in memory without taking the system down, in the event of a kernel bug?
The problem, for the billionth time, is not Microsoft (at least not this time). The problem is the clueless fucks who are trying to admin these servers. "24/7 environments"? You're a moron. Any environment that wants to be 24/7 damn well better have high availability and redundant machines that can cover when one goes down. You can put off a patch+reboot but can you put off a disk crash? What about someone using the hole you put off patching to compromise the machine and eat your data?
There ought to be a strain of Code Red that just fucking kills the admin who left the machine vulnerable to it, or at least puts in a pink slip for him.
Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
Well, the Code Red exploit was once a proof of concept. I still have the original post from the NTBugtraq list outlining the vulnerability...
.swf, .psd, and the complex audio formats coming out. Play a Music Stream from Real and get a virus!
I think we're going to come to the point where *any* embeddable-type document is going to be prone to infestation. We're almost there. We just need to add
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
I hate to see what the spelling nazi would do to you.
BilldaCat
"There is no way for this to affect Acrobat Reader," said Adobe's Sarah Rosenbaum, director of Acrobat product management. "The code in Acrobat that recognizes attachments does not exist in Reader."
So, when you pay for the enhanced version of Acrobat, you get infected. It should be the other way around... Adobe just doesn't understand business (as MicroSoft does).
(Disclaimer: a bit of sense of irony and humor is required prior to moderating this post).
On the other hand, a few points are worth noting:
I use Acrobat, but under the Macintosh, so I am safe.
On the other hand: "[...] Adobe doesn't currently plan to prevent VBScript or other files from running."
I say this is just another reason to boycott Adobe! It's just turning into another Microsoft.
I also think the XPDF programmers should add security features to their (excellent) software, as well.
Just my US$ 0.02...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
If that is the case, then practically any program that can embedd other files is suddenly going to be flagged as having a virus, when in reality, its just the same old software (VB and VBS) causing the same old problems (reading outlook email addresses and so forth) ...
Or am I missing something?
Avantslash - View Slashdot cleanly on your mobile phone.
They're gonna yell out "You see what happens when people reverse-engineer our software ?".
Quite the opposite. When writing a PDF virus you're not reverse engineering or circunventing anything. However, if there's a virus in an e-book, you can't study it because then you'd be violating the DMCA and the virus writer can sue you and have you put in jail. Cool isn't it?
Opus: the Swiss army knife of audio codec
This particular thing, as mentioned by many already, only affects Acrobat, not the Reader. I'd be more worried about this: http://www.kb.cert.org/vuls/id/31554, which has, of course, been patched by Adobe last November already.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
Or Adobe will call the FBI up on yo ass!
BOSTON SUCKS!
Besides embedded programs there isn't much that can get executed by the system
.pdf virus threat. Let's be a bit realistic here.
(gulp) This should raise some concern, no?
Use Linux (and use Python) and you should have no problem
wheh! I got worried there for a second...I can already see the hords of people downloading the latest distro's to avoid a potential
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
Postscript is a complete language, the only reason it doesn't make a good viral platform is that the standard library is extremely limited (some disk I/O, no network I/O iirc) and there's no well-known way to call external libraries.
But make no mistake - it would not be hard to define an extension which allows PS functions to call native libraries. This is the type of extension that could be easily added to support some purpose, without consideration of how this will increase the risk of a viral load.
Finally, to ask the obvious question of why you would do extensive programming in PS, the reason is simple - it allows your file to adjust itself to the printer. E.g., you might have a file which contains meteorological information on a map. If you print the file on a standard printer you get two dozen reports. But if you print it on a large format printer, you get 4x as much information because the file knows it can push additional information onto the map. Or you might get basic information on a monochrome printer, and additional information on a color printer where you can provide visual distinction between the layers.
In some limited cases, you can even have the PS file compute its own content. I've seen that done with some fractal graphics - you might send a <1k file which causes the printer to sit and think for an hour. Great stuff for confusing MCSEs - the print queue says it's printing a 1k file, but it's been churning away for looooon time.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
...feature creep. What does anyone need Javascript or anything "dynamic" in a PDF for, anyhow?
When people start applying the KISS principle judiciously, things will get a whole lot safer.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
Where is the balance?
This is a remarkably easy question to answer if you substitute another area of safety people, even clueless Microsoft users, can understand.
Allow me to paraphrase:
Obviously, if the industry cannot police itself, and the free market doesn't yield acceptable results, government regulation is the only reasonable recourse (libertarian knee-jerk reactions aside). In the case of aircraft the FAA has stepped in, and while their are alot of regulations, as a pilot I can say the vast majority of them are reasonable and do a great deal of good.
Think the aircraft example is too dramatic? Then substitute something else, such as an automobile, a building, or even a child's toy. All of these things have features people would want if they could have them but are incompatible with safety (think seat-belts, firecodes, chilren choking, etc.). In each case the manufacturers were incapable of properly policing themselves and government ended up having to step in (safety codes, building codes, mandatory testing procedures, etc.).
Microsoft has demonstrated its incompetence to such an extreme that fissionable nuclear materials may well have been misplaced as a direct and demonstrable result of poor quality control in their software. They make no apology for this, blaming instead the victims of their own incompetence (their customers) and claiming it is what their customers want (I would beg to differ). Clearly the industry is not policing itself properly, nor, based on the market share Microsoft currently enjoys, is the free market yielding acceptable results. Similar arguments apply to Adobe, its fraudulantly incompetent copy protection for eBooks and its virus-facilitating PDF file format.
I know it is a profoundly unpopular idea (and I'm not terribly thrilled with the notion myself), but perhaps it is time for some basic standards of quality and security to be imposed through some form of regulation. The alternative seems to be more of the same, which is clearly not acceptable.
The Future of Human Evolution: Autonomy
Adobe has a "monopoly" too, walled off by patents ... it's just that it's on PostScript and PDF so it isn't as noticeable. They're going to get more agressive defending it too.
My other posts explain it all ;-)
Adobe, will you please make it so our forms can be filled out with typewritten information by our users before they print it? Sure. Adobe Acrobat forms are born. Then the agencies start to notice that when the form requires the same information in several different places, people are mistyping it in one or more. Hence the Javascript in PDF.
That's all relevent, and I would stop just short of calling it a feature creep.
But, on the other hand, on a government webpage, the mandate of which being to bring make government services more accessible, shouldn't they stay with simpler, more reliable, and better supported mechanisms?
Maybe I'm unclear, but how does Acrobat get the information back to the PA gov't? Do you *fax* the form back, meaning that the unemployed dude has to have both a fax and a computer (or at least a computer and a scanner)? Remember, unemployment services will have a broad sector of people using it - not all of 'em will be computer geeks who have a scanner/fax handy.
The other option: does Acrobat have the mechanisms to send the information back to the server? Is it encrypted? That'd be fairly personal information to be going across the wire.
Acrobat isn't supported in a default Windows install. And, let's face facts, the lowest common denominator is AOL on Windows 95. While my mother has a real dial-up connection, she's at brower and e-mail only sophistication. She called me because someone sent her a PDF file, and had no idea what it was. I led her through downloading Acrobat Reader, but she got so frightened by all the installation options that she gave up, despite me telling her, "Mom, just click OK".
The only thing I can think of to provide that level of functionality would be a good old HTML form. IE 2.0, which shipped with NT 4.0, supports it. The biggest hurdle is at least 56 bit encryption - what generation of browser started to include that by default?
Bells and whistles are good, when they work. But, again, the cross-section of users *who are paying to use this service* (after all, it's *their* tax money) should be able to make use of it. Truck Driver Joe might not know anything outside of his small, clearly-defined AOL prison cell.
Fire and Meat. Yummy.
- have an immediately viewable, printable representation of any archived document, accessible to whoever we want it to be over the web, and
- have almost instant access to the native application files that created the document, in case a file must be modified or updated. Like the Pagemaker file, graphic images and fonts.
The feature really functions not much differently than, say, using WinZip to compress files into an self-extracting archive. Decompress anBut really, it shouldn't be that difficult for Adobe to put a little option on the feature to disable vbs access, should it? As far as I can tell, there's absolutely no vbs out there that should need a viewable, printable PDF mother file.
--Any sufficiently reliable magic is indistinguishable from technology.
While you are correct in stating that adding VBscript and other such extensions to PDF is stupid, the PDF format was explicity designed with the idea of users being able to view documents in addition to printing them.
PDF was designed as a method for users to share documents without requiring them to all have the software that created the documents. They took a subset of the postscript language and modified it to improve portability (such as font handling), remove some of the printer-specific bits of Postscript, and add features that may be desirable for portable documents (like encryption, for-handling, etc). Yes, the ability to print it correctly was important, but so was on-screen viewing.
That they did a piss-poor job of on-screen previewing (as anyone that uses bitmap fonts in TeX will attest to) in Acrobat notwithstanding, they design it for both viewing and printing.
I say, if this threat is real, let Adobe wallow in it until they rot: At least ten times as long as the innocent victims they try to fuck over.
--SC
You read fiction? I write it! Lemme know what you th
Actually, yes. About ten years ago there was a postscript virus that Did Things to printers. I forget how it worked (it was 10 years ago) and, IIRC, it wasn't very dangerous. Spread through .ps files that accompanied some shareware as I recall.
Best Slashdot Co
Download KDE2.2 - the new printing system lets you print directly to a PDF from any KDE application. They also have a Print to Postscript and Mail PDF option. Otherwise, ps2pdf works wonders.
If pdf's are supposed to be cross-platform and portable, then wtf are they putting executable code in them?
Isn't the whole idea of using pdf's to avoid using word documents and the associated risks?
And doesn't the article say "including everything from the VBScript programs--used in the LoveLetter virus--to an actual executable program"? Doesn't that mean that it's not a VBS issue, rather the design of Acrobat?
Right, nothing for it but to let adobe know your thoughts. email adobe with product improvement suggestions! - like remove the ability to include executables. If Adobe don't do something about this, then they have lost their competitive advantage as a document format.
In order to have your advice.
There's a CNet story on the same news piece here: http://news.cnet.com/news/0-1003-200-6808673.html? tag=mainstry
Dear users,
Please ignore anything we may have said about 'Safe file attachments'. In fact, do not open any of your e-mails, ever again, and, to be safe, just stay in bed.
Thanks
Get the EULA T-shirt
I know the PDF format decently well (I'm writing a PDF library) and I don't think that this is a threat. Besides embedded programs there isn't much that can get executed by the system. Has anyone ever heard of a Postscript virus? That would probably be needed to make a PDF virus.
However if there is a PDF virus it'll probably just take advantage of a buffer overflow problem in the Windows version of Acrobat Reader. Use Linux (and use Python) and you should have no problem.
I can't spell or type, but that doesn't mean I'm unusually stupid.
Wow, adobe has struck the Slashdot headlines *again*, and with news that's just as bad, if not worse, than anything else so far...
.pdf file?! The whole point of a pdf is that it is supposed to give you exactly what you get on the paper page, in a platform-independent fashion.. Your printed manual can't execute attachments, can it?! All the joys of excessive featuritis..
I noticed this:
"But Adobe doesn't currently plan to prevent VBScript or other files from running."
And the first thing that comes to mind is "gosh, what a totally stupid policy." All they have to do is NOT pass executable data to the script software...
Who even needs a way to execute scripts OF ANY KIND in a
On another closely related hand, Isn't it great that we can get Outlook macroviruses with out even opening the attachent in outlook? Just think of the thousands of stupid office workers who are going to start spreading macroviruses without even realizing it... Teaching them not to use attachments in OUTLOOK has been hard enough.. to cope with Acrobat as well?! Damn near impossible....
*sigh*
ìì!
Does BASH check scripts to see if they are malicious? Do Perl scripts run in a sandbox? Nope, but if you're running scripts with the proper permissions and unser the proper user in UNIX, it limits the amount of damage you can do. That's what I meant by the OS taking care of security. NT is better at this than Win9x, but not as good as most Unix distributions (assuming you don't run everything as root.)
It doesn't affect the reader, just the high-dollar Acrobat, so how many people will this really affect?
Catapultam habeo. Nisi omnem pecuniam tuam mihi dabis, ad tuum caput saxum immane mittam.
Electronic Workflow.
Dynamic PDF stuff is *necessary* for those of us writing workflow applications in industried (e.g. financial services, insurance) where the complexity of forms requires lots of dynamic calculation and database interaction and the regulatory requirements all but make sure we cannot deviate from existing paper forms design. Plus, eventually we must produce documents for customers to sign, and to be archived, and to be audited, so PDF is the best choice.
Yes, for many industries the JS/ODBC stuff is unnecessary (and, if you'll notice, this bug only affects those with full acrobat, not acrobat reader), but for others it's critical.
Let's say that the XYZ Automobile Corporation knowingly uses cheap, sub-standard components in their brakes. A bunch of people die. XYZ issues a recall. Before you manage to fit a trip to the XYZ dealer to handle the recall (the 12th since you bought the car) into your busy schedule, your brakes lock up and you die a horrible fiery death.
Is XYZ Automobile Corporation responsbile? Can your grieving survivors sue their corporate asses off? I should hope so. The determining factor is not the recall, it's that they knowingly used sub-standard components.
M$ has some smart developers working for them. The fact that they continually turn out insecure crap is not due to ignorance or inability on their part; it's a conscious business decision to attempt to maximize their profits by fucking over the end user.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Of course, as with any act of government, such regulation has the potential to be more harmful than good, but it also has the potential to be more good than harmful
Your words are prophetic.
We here all know that Microsoft releases swiss cheese software. They put the blame on 'hackers' and the sheeple eat it up. But they now have the answer with their phone-home software. The will now start claiming that security holes all come from unofficial software.
Look for M$ to start lobbying for all software to be government regulated. This will basically wipe out Open Source, shareware, and the small time coders, all in one fell swoop.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
I won't go into a long discourse on the niavite of dissaciating information with its impact on the physical world, except to rebut a couple of the more blatently silly comments you made:
...barely).
... there's that real world, physical impact again.
The most a computer virus can do is cause loss of data or money.
Tell that to the patients who died as a result of a "bug" in the software which was controlling the radiation therepy equipment used in the treatment of their cancer that erroneously delivered a lethal dose.
Tell that to the aircraft pilots which had their passenger jet flip upside down due to a bug in their computerized autopilot (thankfully the plane was empty and they were able to recover
Computers, and information, have real-world effects which can and do affect, even destroy, real, physical lives, and viruses are as capable of destroying lives as "bugs."
Something market forces are perfectly capable of dealing with and something which government should stay far away from.
Ever heard of the SEC? FTC? Even the markets themselves, which you seem to so laude as a panacea, require rather detailed and ongoing government intervention in order to function at all.
Other holes in this argument abound, including the fact that, in the United States at least, money is required to obtain even nominal medical care, not to mention food and other basics. Destroying one's livelihood is often tantamount to destroying lives
The argument about the loss of fissionable nuclear material is a strawman.
No, it isn't. It is a verifiable, and verified, event which resulted from extreme incompetence and negligence on Microsoft's part, exacerbated by their indefensible unwillingness to acknowledge, much less take responsiblity for, their own product's shortcomings. Furthermore, it is a perfect example of how information and its destruction can, in fact, potentially endanger millions of lives, and why government regulation requiring certain minimum standards in quality control and security are not at all unreasonable.
Indeed, you rebut your own point in the next sentence you write:
"Every piece of software has bugs in it and depending on the purpose you use it for, those bugs can have harmful consequences."
... which is why we have safety regulations for everything from medical equipment to aircraft to automobiles to elevators, because those bugs can have harmful consequences, whether they are bugs in software, firmware, or hardware. And why minimum standards for software quality and security aren't so unreasonable after all.
The Future of Human Evolution: Autonomy
Considering that it's adobe, I hope they drown in them. But do remember that the pdf format is one that they are currently trying to replace.
If they can convince enough people that pdf is too dangerous, then they may be able to switch them over to the ebook standard. Because that's safer.
It is likely to be a long time before I trust adobe to do anything honorable. It's likely to be a long time before I trust them again for anything. I think a partial requirement would be a total change in upper management. And that wouldn't be sufficient. That's just necessary.
I think we've pushed this "anyone can grow up to be president" thing too far.
From the article: "The virus spreads only by way of Adobe's Acrobat software--the program used to create PDF documents--not through Acrobat Reader, the free program that is used to view the files"
I don't own Acrobat, and I never will. I have other ways of creating PDFs which are cheaper. Most people don't have Acrobat. Most never will. This virus, thus, can't get far.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
Peachy is named after a small game in a PDF file that involves finding peaches, Gullotto said. According to a person called Zulu, who said he wrote Peachy, showing the solution to the game runs a VBScript file.
Yes, this is another VBS exploit, and java does not desrve your FUD. New features have their place, VB and VBS don't.
Friends don't help friends install M$ junk.
This is an OS problem. All "reader" and "player" programs invoked from browsers should run in jails. This should have been done years ago.
Here is a link to the Bugtraq advisory for this, as well as a fairly insightful reply, both of which come from my own submission of this story which was rejected six hours before this one was accepted, not that I'm bitter.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
Like no one saw this coming? I mean, if anyone deserves this, Adobe looks like a prime candidate. I mean, after all, trying to find out HOW a virus attacks from a PDF file and trying to STOP it could land you in prison for 5 years...
-Sternn
This quote from the article makes me think so
"Right now it's considered to be a low risk because we haven't seen it reported to us from a customer," Network Associates' Gullotto said.
OK, so how did you guys get it? Must have been internal then.. anyway, my conspiracy theory.
JOhn
Campaign for Liberty
How do you justify blaming M$ for a worm that exploits a vulnerability that was publicized and patched more than a month before said worm came into being? That's just putting the cart before the horse. I'm no fan of Gatesville, but I can't blindly denigrate them for something they fixed before the threat reared its ugly head.
...it's very dark.
But seriously, here's my diatribe on government internet projects (from the trenches).
The main reason that government on-line projects suck is because they want to deliver their services on-line and they don't have the in-house talent to make it so. (How many webmasters YOU think are in the building department of a medium-sized city? The answer is: ZERO)
So, the well-intentioned civil servants hire computer consultants. Sometimes the consultants are teen-aged webmasters that work for peanuts and they positively rock! But sometimes governments hire consultants. Usually these projects have high ideals but are woefully underfunded. This means that the consultants, in order to come under budget, don't have time to effectively review the problem domain.
Do we know where this is going? Yep:
If the consultant is particularly unethical they will say (after the project is out of cash) that they're just working on a 'prototype' and that more money would be needed in order to deliver what was originally promised.
In a climate like that, it's a miracle that any of these Government projects get completed. Sometimes the client falls for it... Repeat until sickened... diatribe off...
My father is a blogger.
Have you even begun to understand the difference between a human life and data? They are entirely different things - even if a geek who has never stepped out of mommy's basement can't tell the difference.
The federal government should regulate areas where there is a potential for irrecoverable loss i.e. life or limb. Market forces don't play well there because nothing can compensate for those losses. Computer virii are a whole different beast. The most a computer virus can do is cause loss of data or money. Something market forces are perfectly capable of dealing with and something which government should stay far away from.
And just because market forces don't seem to work in the direction YOU like it, doesn't mean they don't work at all.
The argument about the loss of fissionable nuclear material is a strawman. Every piece of software has bugs in it and depending on the purpose you use it for, those bugs can have harmful consequences.
Mmmm.. Donuts
If Adobe's past actions are any indication, whoever figured this thing out is in deep doo-doo. The coderz article says:
The password for changing the security options of the PDF file is "OUTLOOK.PDFWorm"
So somebody's cracked the PDF format, and is now distributing a method of circumventing copy protection on a popular document. This is, of course, a federal crime under the DMCA. I'd advise whichever security expert figured this password out to flee to the safety of Russia immediately.
Me? Cynical?
www.lucernesys.comHorizon: Calendar-based personal finance
There are plenty of companies mirred in MS legacy stuff that are using this as a way out of printer dependency. Immagine a real virus overwriting corporate document databases. Millions of man hours could be wasted in minutes, even with a good backup policy.
Friends don't help friends install M$ junk.
So you're proposing more regulation as the answer? I see a serious flaw in this reasoning. Government regulation and laws are already in place to punish those who develop virus code.
That is difficult to say (who can quantify how many potential virus writers are deterred by threat of jailtime? Greater than zero alsmost certainly. Greater than a hundred, a thousand, a million? We really don't know.) However, once again an example from the physical world makes the issue rather clear:
"So you're proposing more regulation as the answer? I see a serious flaw in this reasoning. Government regulation and laws are already in place to punish those who commit acts of arson."
Clearly fire codes were necessary to prevent disasters such as the Chicago fire (which wiped out the entire city in the 19th century and is believed to have been started not by an arsonist, but by simple accident). Laws which punish crimes are often not sufficient to protect the public from negligence on the part of product manufacturers, or even negligence on the part of consumers.
Consider the Ford Pinto, which was prone to explode (violently) when rear-ended. Ramming a Ford Pinto from behind, even by accident, is illegal. Nevertheless that was insufficient to prevent accident which resulted in numerous fiery explosions and needless deaths, nor was it sufficient to get Ford Motor Company to change a design they knew was flawed to begin with. Lawsuits and, yes, additional government regulation were necessary to bring public safety up to an acceptable level. The Free Market and outlawing actions which exacerbated the unsafe conditions which the manufacturers negligence had left in place were very obviously not enough.
So too does it appear to be with software. Some minimal level of security needs to be required. If the industry cannot police itself and the free market isn't up to the task of weeding out the negligent (and both certainly appear to be the case here), then government regulation for the common good is not at all unreasonable.
Of course, as with any act of government, such regulation has the potential to be more harmful than good, but it also has the potential to be more good than harmful (as with, for example, building codes in most cities and FAA regulations). It is incumbant on us as software engineers and Free Software advocates to be out in force, involved in creating any such regulations, such that they are helpful to the industry (and the industry must, by definition, include Free Software) and not detrimental.
I guarantee if we're not, someone else will step up to the plate. Indeed, with the FBI outages and attacks on the White House I'm surprise this process hasn't begun already.
The Future of Human Evolution: Autonomy
Most established companies love to see regulation in their industries, particularly when the regulations only affect their competitors.
This is an interesting, and valid, point. It would not be at all farfetched for Microsoft to be deliberately negligent in its security, then use a regulatory body and its own involvement in the regulatory process to undermine the ability of smaller upstarts to compete, perhaps even make it impossible for Free Software to become "licensed" at all.
A frightening thought. I fear, however, that simply wishing the government would stay away won't suffice, so I suspect we'll want to be very involved in whatever process does emerge, and it is IMHO almost certain something will emerge from these debacles. It would behoove us to be proactive in making sure whatever form any involvement by our government takes is conducive to the creative freedom and technical progress which Free Software makes possible, lest we all be subjected to Microsoft's notion of "freedom to innovate," which in truth has little to do with freedom or innovation.
The Future of Human Evolution: Autonomy
When I want to make a PDF-document, I make it look like I want it to look like with any application, let's say Abiword, I print it to a file (postscript) and then I run a little nifty that comes with Slackware called 'ps2pdf'. There we go.
Then we come to the windows users hmm... good question. If you print to file in windows, doesn't that become a postscript too? And there probably is a port of 'ps2pdf' for windows, and if not I doubt it would be too hard to do that, or maybe there is a similar software. Anyway, it CAN be done obviously...
-Hans
Worse... Adobe approached the virus-checking companies first, before releasing this technology. That's what tipped Zulu off that there might be something there to be exploited. So -- Symantec were way ahead of Zulu on this one.
To prevent Peachy from being able to run, "the change we would have to make is not to allow VBScript attachments. That is a problem for a lot of our customers," she said. "If they change their opinion, we will do what they want."
According to many ./ers, this is exactly Microsoft's opinion, and the very problem that has opened the door to the worst virii on the Internet: The company is writing software with features that their customers want--no matter if they pose security risks or not.
Typical customers want their email client to open attachments for them. Typical customers want Acrobat to be able to process VBScript (according to Adobe). Unfortunately, typical customers don't want to be raped by script kiddies and haX0rz either--but they don't seem to be willing to sacrifice their features for it.
Where is the balance?
--SC
You read fiction? I write it! Lemme know what you th
As many have already noted, the embedded VBScript will only run when triggered by someone double-clicking on the file annotation included in the PDF while using the full version of Acrobat. Thus, the virus is not particularly dangerous.
The social engineering, however, is pretty amazing. The author has created a neat little PDF "game" that people will want to double-click. And, as he wrote in the text file linked above, he wrote it as a proof of concept. The worm doesn't do much except spread itself using Outlook. I think the scary part, the point the author wanted to make, is that you can embed all sorts of fun things in a PDF file. Some other virus writer could make a new version that does something nasty after it emails itself to every address it can find in your Outlook folders.
Yes, the threat level is low, due to the required combination of software and social engineering. But just because the combination of software is rare doesn't mean that we should disregard the possibility.
Now for a display of massive ignorance: I wonder what a PDF virus could do on a system whose GUI is based on PDF (Mac OS X)?
You think that's bad, wait until you get infected by the "Rotten" PDF virus twice!
I've got no problem with them sharing the source code, hell, I think it's a good thing. I'm just suprised an virus writer would do it.
www.lucernesys.comHorizon: Calendar-based personal finance
Ultimately, it's the user's job to make sure his system doesn't get hosed. But, since most users can't tell a good VBscript from a bad one, It's the job of the operating system (or failing that, the scripting languages' interpreter) to make sure scripts can't do anything malicious when accessed in normal mode. Since Windows and VBScript doesn't do this, I consider them broken.
If PDF allows mailicious script to run, it is PDF that is broken.
So Acrobat Reader should analyze VBScript and be able to tell us when an attachment is about to hose the system? In that case, why not build that functionality into Windows or VBScript? Then they wouldn't be broken.
PDFs came with their own e-mail client In acrobat 4 or 5 try File/Send Mail.
It sounds like you just described a web page to me.
Also, it's high time that PDFs came with their own e-mail client so I don't have to go through the pesky details of saving and attaching and that horrible rigamarole. And a web browser so I can go fact-check or check m-w.com before I'm done.
I demand these features in PDF. Just because no one needs them and other applications already do them doesn't mean they shouldn't put them in... right?
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
In terms of linguistics, which is concerned with actual usage rather than "proper" usage (it's descriptive rather than prescriptive), writing "virii" is just fine. Why? Because people do it. Oversimplification of linguistic rules from other languages when applying them to words from that language is a common linguistic phenomenon which can be seen, for example, in modern French as it relates to Latin. After all, if we don't speak Latin, how can we be expected to decline Latin nouns properly? In fact, classical Latin was never a household language, it was always a construct of grammaticians that came into being under the influence of Greek writing and had little to do with everyday usage. On the other hand, we should always feel perfectly free to anglicize foreign words, it's perfectly acceptable and often makes us better understood. My main point is that we shouldn't argue over such points of language in terms of who's right and who's wrong, because any word in common usage is inherently correct. That includes "ain't." (But I still like reading about the actual Latin declension of "virus.")
Adobe said any popular software becomes a target for security attacks and Acrobat has crossed that threshold.
I'm convinced that software companies now WANT viruses to run on their software, because it "proves" the software is popular. If I were Adobe, I would distance myself from the virus by saying "PDF's can now carry VBScript viruses, but VBScript is still broken with respect to security, so blame Microsoft for any viruses!" After all, the problem is with the fact that VBScript can't be trusted, not with any inherent security problem in Acrobat.
Instead, Adobe seems to WANT to associate their software with the viruses, because Microsoft has conditioned the media into thinking that having a virus have its way with your software proves that you're the Market Share Leader.
After all, if nobody writes viruses for, say, UNIX platforms, it must mean that they aren't as popular!
This may seem trivial but i am wondering if /. has declraed war on Adobe as well as MS ?
This article is not new and PDF files are vulnerable if you launch an embedded attachment, but then again so are MS Word, etc etc.
All this shows is that if you go looking for something bad then you are going to find it if you look hard enough, and i think the skylarov case means everyone would like to 'get' adobe
(im not commenting on the merits of the case - but i will say that i think both parties are at fault, skylarov for cracking a proprietry format and adobe for over reacting in a big way - the thing is the PDF format IS proprietary - you need adobe software to make it and view it there fore they have the right to protect their copy right but i think they way they and the US gov went about it is heavy handed and stupid - this guy is not some desperate hacker)
But the thing is the medias coverage of non threats like this, minor threats to the home user like code red and things like good times, michelangelo, hackers defacing web pages etc etc and blowing these said events up to be the end of the world as we know it builds hysteria in the general populace who then call for the govt to crack down on these 'terrorists' - thus they carry out heavy handed actions.
If we all dont watch out we are in for a nother McCarthy like era but instead of reds under beds we will have hackers under the table!!
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Oh, you shouldn't hoist yourself that far above the rim of the foxhole, you're such a tempting target...
By the way, the answer to your question is that there are several operating systems that let you fix problems without bringing the whole machine to its knees. My very first OS, IBM System/360 MVT, let you change all sorts of stuff "on the fly," including supvervisor call modules -- all you needed to do was down the services affecting the change. Most of the reboots were due to running critical utilities that required that OS MVT be shut down completely to performanc regular maintanence, such as -- wait for it -- disk pack defragmentation.
There were a number of embedded systems in which the majority of the services were disk-resident, being loaded and run on request or on demand, depending on the complexity of the system. Even device drivers (except the hard disk and the console) were loadable modules.
Which leads to the answer that most of you were expecting, but were wondering when I would get to it. Linux has moved to loadable modules for many, many kernel functions, and I expect that the trend will continue rather than abate. The original move to kernel modules was to relieve the strain of building very, very large monolithic kernels for workstation and server environments. The current trend is to let package distributors include everything under the sun, and let the user (or the system, when it is smart enough) load the right module on demand.
I look forward to the day when the only thing that is part of the base kernel is...the console and the disk driver.