Slashdot Mirror


Hacker Finds Multiple PDF Backdoors

Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are at least seven different ways to backdoor a PDF."


  1. Linux version of acroread seems fine by Noksagt · · Score: 4, Interesting

    The article has two testcases. The second uses Windows ODBC so, unsurprisingly, fails. The first is supposed to open a web page automatically, but I'm presented with a dialogue asking me if I really want to open it (and the URL is identified in the dialogue). This seems to be good behavior. Did Adobe get things right on Linux & not on Windows? That's got to be a first.

  2. Evince, etc. by Noksagt · · Score: 4, Interesting

    I also mostly use evince. Neither test worked. They triggered this message:
    "** (evince:18185): WARNING **: Unimplemented action: POPPLER_ACTION_UNKNOWN, please post a bug report with a testcase."

    Note that a different implementation only gives you DIFFERENT bugs and holes, as anyone who has followed exploits in xpdf knows.
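The two comments above turn on whether a viewer runs a PDF's link action automatically or only after asking. As an added example (not part of the thread or of the researcher's proof-of-concept), this defender-side triage scans raw PDF bytes for the specification's automatic-action keys (`/OpenAction`, `/AA`) and for URI targets, decoding `#xx` name escapes first. The sample bytes and URLs are constructed, and the function names are hypothetical.

```python
import re

# Name keys from the PDF specification that trigger or define actions.
ACTION_KEYS = ("OpenAction", "AA", "URI", "Launch", "JavaScript", "JS",
               "SubmitForm", "GoToR")
# A PDF name: "/" followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
# A literal string right after a name; escaped parentheses are tolerated.
STR_RE = re.compile(rb"\s*\(((?:\\.|[^\\)])*)\)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /Open#41ction is read as OpenAction."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage(pdf: bytes) -> dict:
    """Heuristic scan; objects inside compressed streams are not visible here."""
    counts = {key: 0 for key in ACTION_KEYS}
    uris = []
    for m in NAME_RE.finditer(pdf):
        name = decode_name(m.group(1))
        if name not in counts:
            continue
        counts[name] += 1
        if name == "URI":
            target = STR_RE.match(pdf, m.end())
            if target:  # "/S /URI" has no string after it, "/URI (...)" does
                uris.append(target.group(1).decode("latin-1"))
    # /OpenAction and /AA fire without a click; a bare link annotation does not.
    auto = counts["OpenAction"] + counts["AA"] > 0
    return {"counts": counts, "uris": uris, "auto_action": auto}

# Constructed sample: the catalog opens a URI action as soon as the file loads,
# with the key name partly hex-escaped.
SAMPLE_AUTO = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /URI /URI (http://example.invalid/landing) >>\nendobj\n"
)
# Constructed sample: an ordinary link that only acts when the reader clicks it.
SAMPLE_LINK = (
    b"%PDF-1.4\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (http://example.invalid/manual) >> >>\nendobj\n"
)

if __name__ == "__main__":
    for label, data in (("auto", SAMPLE_AUTO), ("link", SAMPLE_LINK)):
        print(label, triage(data))
```

A hit on `auto_action` marks a file for closer inspection rather than proving it is malicious, and a clean result does not rule out actions hidden in compressed object streams.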

  3. Yippee Skippee by Mozleron · · Score: 3, Interesting

    Just when I thought I didn't like PDFs, up comes this neat little "Feature" to try and make me like them all the more...

    Wait, this isn't a good thing, is it... And I'm willing to bet Adobe is not really all that happy about it either...

    Maybe this will prod them into getting back to their roots of a simpler system that did not take 30+ seconds to start up and did not bring a browser to its knees when it decided to act up... Or maybe I could just be dreaming.

    --
    ~Mozleron
    Never underestimate the power of stupid people in large groups

  4. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  5. "Hacker"?! by coyote-san · · Score: 4, Interesting

    Since when is a respected security researcher a "HACKER"?!

    Seriously. I know the old definition of "hacker" and have been proud to be called one (in that sense) in the past, but the headline clearly refers to the malicious definition of hacker. This headline seems to serve no purpose other than deliberately blurring the line between legitimate researchers and the jerks who exploit weaknesses.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken

    1. Re:"Hacker"?! by Ilgaz · · Score: 2, Interesting

      Normally I would say "Oh another hacker, not hacker fight" but your post makes perfect sense since just 2 stories below, posted by Zonk again, says:

      "IT: How Hackers Identify Their Targets
      Posted by Zonk on 0:07 16th September, 2006
      from the drawing-a-bead dept.

      narramissic writes "In a recent article, security guru Brent Huston writes about research he did to get inside the minds of spammers and expose some of the processes they use to identify potential targets. "

      The "hacker" term used there is in spammer/zombie master/phisher context. Just 1 story below!

  6. Re:It's not a vulnerability, it's an exploit... by Anonymous Coward · · Score: 1, Interesting

    Whether or not a given piece of software is behaving as intended is not really relevant when considering whether or not the software in question has a security hole. For instance, I can write an app that listens on port 24126 and executes the commands received locally. The software is behaving exactly as intended. It also has a huge security hole - it allows anyone to connect to my computer and run basically any code they want. It may not be a bug in the code, but it is still a security hole. Just as in this case, there might not be a bug in Adobe reader's code, but there appears to be a bug in their design that amounts to a security hole.
    Now, you can certainly define an exploit to only include unintended consequences, but if you do that and companies start claiming that the behavior is intentional, your definition becomes not very relevant from a security point of view.

  7. Windoze and IE implicated, again. by twitter · · Score: 4, Interesting

    Evince and gPDF, since these lack support for a lot of the additional features of PDF am I any safer?

    From the Fine Article:

    the target's browser is automatically launched and loads the embedded link. "At this point, it is obvious that any malicious code [can] be launched," Kierznowski said.

    That looks like a lot of auto magic nonsense that most free software would not do. The only thing that's obvious to me is that any malicious w32 code is going to bounce off my browser. My pdf reader, kpdf, did not take the first step of automatically launching a browser and my browser would not take any of the dozens of brain dead and spam friendly automatic steps that makes IE a disaster. A computer that's not internet safe but is connected to a network is always at risk.

    Note that it's not a "lack of features" that makes kpdf work right. Kpdf has links that work when you press them, table of content browsing, keyword searches, text and image cut and paste, and prints flawless copy. Those are the features you want in a pdf viewer. Automatically popping up a browser is a feature you don't want.

    --

    Friends don't help friends install M$ junk.

  8. Re:Acrobat Reader is awful by vtcodger · · Score: 2, Interesting

    ***Acrobat Reader has a number of other problems, foremost that it's slow and that it fails to comply with Gnome, KDE, and Macintosh desktop UI standards.***

    There are Gnome and KDE UI standards? Who knew?

    OK, OK, that's snarky. But when you port a program from one OS to another -- Windows to Linux in this case -- there are going to be UI problems. Most Mac programs are human factors disasters when ported to Windows. And heck yes, that includes Excel. Personally, I've always found Excel to be major aggravation because of its non-Windows (and IMHO pointlessly obtuse) clipboard handling.

    Note that Firefox (for example) integration with KDE is less than perfect. The clipboard only works with text, not images. And the cursor control is less than exemplary. Why would Acrobat be any better?

    Acrobat doesn't run well in Linux? No surprise. It's ponderous and doesn't run all that well in Windows. Personally, I switched to FOXIT on Windows a couple of years ago and use xpdf on Linux. But I'm retired and don't need to read PDFs to do my job. So I don't mind all that much that images are sometimes missing, and other aggravations that might not occur with Acrobat.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey