PDF Exploits On the Rise
An anonymous reader writes "According to the TrustedSource Blog, malware authors increasingly target PDF files as an infection vector. Keep your browser plugins updated. From the article: 'The Portable Document Format (PDF) is one of the file formats of choice commonly used in today's enterprises, since it's widely deployed across different operating systems. But on a down-side this format has also known vulnerabilities which are exploited in the wild. Secure Computing's Anti-Malware Research Labs spotted a new and yet unknown exploit toolkit which exclusively targets Adobe's PDF format.'"
I'm sure Secure Computing has a product for that. :-/
My blog
Most PDF files have nothing more than text, vector graphics, and images in "read-only" formats. They don't have fill-in-the-blank fields or load-a-codec-and-play-a-video, or active content.
Web browsers need a "simple PDF" plugin that will activate on PDFs. If the "simple PDF" plugin loads a file with content it can't display, it will display what it can and give the user an opportunity to load the file in a full-fledged PDF plugin or external viewer.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
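The "simple PDF" idea in the comment above depends on telling passive documents apart from ones that carry active content. As an added example (not part of the original thread or any reader's code), this Python sketch scans a file's raw bytes for the PDF name tokens tied to scripts, auto-run actions, forms and embedded media, and decides whether a restricted viewer could display it. The function names, the marker lists and the sample bytes are assumptions constructed for illustration.

```python
import re

# Name tokens for content beyond static text, vector graphics and images.
ACTIVE_NAMES = {
    b"JS": "JavaScript source",
    b"JavaScript": "JavaScript action",
    b"OpenAction": "action run when the document opens",
    b"AA": "additional (event-triggered) actions",
    b"Launch": "launch of an external program",
    b"AcroForm": "interactive form",
    b"XFA": "XML forms",
    b"RichMedia": "embedded Flash or video",
    b"EmbeddedFile": "file attachment",
}
# Features that hide objects from a byte scan, so "passive" cannot be shown.
OPAQUE_NAMES = {
    b"ObjStm": "compressed object stream",
    b"Encrypt": "encrypted document",
}

# A PDF name is '/' followed by any bytes that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def pdf_names(data):
    """Return every name token in the file, with #xx escapes decoded.

    Decoding matters: /J#61vaScript is the same name as /JavaScript.
    """
    return {
        HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
        for raw in NAME_RE.findall(data)
    }


def triage(data):
    """Classify a file as 'simple', 'full-viewer' or 'not-pdf'.

    Binary stream data can contain a marker by chance; that only sends a
    passive file to the full viewer, which is the safe direction to err.
    """
    if b"%PDF-" not in data[:1024]:
        return "not-pdf", []
    names = pdf_names(data)
    hits = sorted(
        n.decode("latin-1")
        for n in names
        if n in ACTIVE_NAMES or n in OPAQUE_NAMES
    )
    return ("full-viewer" if hits else "simple"), hits


# Constructed sample inputs (fragments, not complete renderable PDFs).
PASSIVE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\n"
           b"endobj\n%%EOF\n")
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 4 0 R >>\nendobj\n"
            b"4 0 obj\n<< /S /J#61vaScript /JS 5 0 R >>\nendobj\n%%EOF\n")
COMPRESSED = (b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /N 3 /First 18 >>\n"
              b"endobj\n%%EOF\n")

if __name__ == "__main__":
    for label, sample in [("passive", PASSIVE), ("scripted", SCRIPTED),
                          ("compressed", COMPRESSED)]:
        print(label, triage(sample))
```

A byte scan like this is only a routing decision for which viewer opens the file; it does not prove a document is safe to render.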
Portable Virus Format, PVF
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
And don't forget to not only patch the latest operating system and browser vulnerabilities, but also keep an eye on third-party browser plugins like Adobe Reader, Flash Player and QuickTime.
Why do all these security articles end up basically saying the same thing?
Patch & update, rinse, repeat.
Everything else in these security/warning articles just shows you what happens to the people who never patch anything and open anything & everything.
He who knows best knows how little he knows. - Thomas Jefferson
What if you use a PDF reader that's not made by Adobe?
Hmmmm. Maybe this is because they've crammed all kinds of interactive content into a Portable Document Format?
I mean seriously. I thought the idea of PDFs was "this is as simple as a printed copy, and looks the same."
No, it's just that for some people PDFs are a hammer and every single printed word on the tubes is a nail.
I have had plenty of times where I was turning in papers electronically or needed to transfer documents between computers where PDF came in quite useful. When I'm turning in a paper electronically, I have no idea what version of Office the professor has. Nor do I even have Office. PDFs are very useful in this case.
Also, it may not be as bloated as you perceive. Acrobat Reader is slow as hell. Evince and KPDF, both on Linux, are noticeably faster for me. There are alternatives for Windows as well that are better than the "official" reader.
Use the Sumatra PDF Reader. It is a very lightweight reader. Since it doesn't have all the other useless bloat crap that Adobe's reader has, I'm sure it is a lot less vulnerable. It is also open source, so you don't have to rely on downloading an even more bloated version of Acrobat Reader to fix the exploits.
http://blog.kowalczyk.info/software/sumatrapdf/
I have this installed on all of the PCs here at the office. It has eliminated just about all of the issues I had with the Adobe crapware.
PDF is essentially a compressed, higher ability Postscript, right? Postscript is a language, and that therefore would be how malware writers exploit it--they exploit bugs in the readers, which are essentially compilers--to compromise a system.
Colin Dean Go a year without DRM
Interestingly enough, I have gotten 3 PDFs in the past few days in my corporate email inviting me to various "seminars" on technology subjects. All were very well written and professional looking but for products I have never used and companies I had not heard of. They passed both my email server's scanning and the local virus scan on my company laptop, however since I have very rarely gotten PDFs in the past I am now very suspicious.
Jonah HEX
Horror & SciFi Erotic Nudes
Exploit the Windows operating system cause the majority of users have it. Exploit Internet Explorer because the majority of users have it. Exploit Office products because the majority of users have it. Exploit Adobe's PDF format because the majority of users have it.
There is now Mac OS, various Linux distros, etc. There is FireFox, Opera, Chrome, etc. There is Open Office, etc. Maybe Adobe needs some good competition in the eyes of the public?
As a university professor, I actively encourage my students to use PDF files if possible. OS X and Linux come with PDF output, and I'm sure there's a way to do it in Windows without paying Adobe.
I also specifically PROHIBIT MS Office 2007/2008 .docx, .pptx, .xlsx, .xlwx, etc. formats. I'm not paying for an "upgrade" that completely changes the UI and introduces a new format without providing any real benefit to me.
Yes, I accept OpenOffice.org documents (as well as .dvi, .ps, and the formats from iWork)
There is a free .docx, .pptx, .xlsx, etc. format plug-in to do that.
Probably OpenOffice is the easiest way to create PDFs on Windows, there's a save-as-PDF button on the toolbar.
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
Wait, we're supposed to trust the findings from SCAM Research Labs?
Personally, I'm waiting to get a job at Secure Computing's Over-The-Counter Hardware Research Lab.
There are alternatives for Windows as well that are better than the "official" reader.
Specifically Sumatra PDF and Foxit Reader are alternative PDF readers for Windows.
They are both orders-of-magnitude faster than Adobe Acrobat. Part of the reason for this speed boost is that they don't implement the hundreds of plug-ins that Acrobat supports. But frankly for >99% of the PDFs you encounter, those additional plug-ins are not required. (In the rare case where a PDF needs one of those features, I guess you can load up Acrobat.)
In addition to a speed advantage, using an alternate PDF reader is probably more secure. Both because it is less well-known (fewer exploits tailored to it), and because they don't implement those hundreds of plug-ins (some of which enable certain kinds of code execution).
For Windows the best (and free/open source) tool I've found is PDFCreator. It installs a "printer" on your computer that outputs to PDF. Using PDFCreator, you can make a PDF in any application that allows you to print. Using some of the "advanced" features (not really advanced, but slightly more complex than Print->PDF), you can even combine multiple print-outs from different applications into a single PDF.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
When I used to use Windows, I found Acrobat to be the most intrusive software ever because of its auto-update. Pretty much every time you try to open a document it's in your face demanding you allow it to update itself and then it often requests a reboot (a reboot? For a PDF viewer??)
This seemed to happen every other week, even if I appeased it by letting it do its thing. I suspect this update would be one possible attack vector.
Yet another case in which a "fuck off" key would be a useful addition to the Windows keyboard.
Two suggestions: postscript. DVI.
Do you even lift?
These aren't the 'roids you're looking for.
I do the same - PDFs only - except that I don't accept open office files or any other binary format. I do accept TeX, HTML and Docbook though (not that any of these are popular among my students).
The biggest issue is overuse and inappropriate use of PDF.
The only reason to ever use PDF is if it is NECESSARY for your audience to print the document in question.
Way too often websites have PDFs that are the only alternative for information. If you want to look up a train time for example, once and once only, you almost always have to download a PDF -- why? Sure, give people the choice of doing that if they want to, but there's no reason to slow down the internet for one-off pieces of information.
With concerns about the environment (perceived real or theatrical, regardless), you'd think that firms would stop encouraging frivolous use of paper. With the extortionate cost of printer ink, you'd think that firms would also be cost-conscious.
Uploading a 2 or 3 page document to the web in a PDF format is a criminal waste of resources, it's also an irritation that I don't need. I do not (and will never) work in a corporation. I do not need Office or PDF format -- ever. It's slow, and it's crap to read online.
I can cheerfully live my entire life without it, and I sincerely wish retarded developers and content managers would stop forcing it on me.
I'll look into it, but the last time I tried the one for OS X it didn't work. It caused major problems with the formatting of the document, amongst other things. (And I have Office 2004 installed on my machine.)
I will make sure that I provide that information to my students. Thank you!
I would gladly accept Office 2007/2008 format documents if I could read them. The converter for OS X provided by Microsoft does not preserve the document formatting and it does not convert equations correctly. Since I teach graduate level computer science courses, both of those considerations are very important.
Fortunately, Office 2007 and 2008 both provide an easy to use "Save As" option that allows the students to save the document in an earlier format.
If Microsoft can make their converter work correctly, or I can obtain a copy of Office 2008 LEGALLY, then I will start to accept those formats as well.
HTML? Nice, I can make it with FrontPage [ducks]
Don't fight for your country, if your country does not fight for you.
Learning to deal with twits dictating from their high horse is part of the real world... deal.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
There should be a disclaimer on these sort of product-placement articles. Oh wait, there is, it was posted by timothy.
I'm no fan of the PDF format, but it has a place in this world because a) it serves a specific purpose, b) it works reasonably well for that purpose, and c) there isn't any popular format out there to take its place.
Compared with other popular formats, the defining feature of PDF is that it's designed to be turned into sheets of dead tree at some point. Separate pages, with fixed vertical and horizontal size. PDF is very useful for that purpose, but it's often used in places where it makes no sense.
I come across PDFs mostly as technical documentation like datasheets (for electronic components). Mostly these are scanned pages (dead tree original), linked together as a single PDF file. I use those PDFs only for viewing on a computer, they don't ever make it back to paper. For this use, I would much rather have plain HTML, with illustrating pictures and so on packed in a single file. This would take much less space (text-based vs. scanned images), load up faster (browser!) and allow for easier navigation, searching, and editing. But you know what? Clicking on a .pdf is more convenient than unzipping a directory filled with HTML, and opening an index file in there (for the user). And scanning 20 pages, linking them into a .pdf file is easier than doing a full conversion to text, and create decently formatted HTML (for the producer). Therefore PDF usually wins, even though there's more efficient ways to bring the info from A to B.
For above application, the reason for PDF's popularity stems from the form of the original (dead tree), and that users are expected to turn the documents back into that format. Why use online viewing all over your office, when you can *wastefully* turn things back into paper and drag around briefcases filled with the stuff?
From what I've seen, the average office still isn't used to going all electronic when it comes to documentation. When you follow a course, you don't get an USB stick stuffed with HTML to crawl through (or pointer to internal company webpage). You get a pile of A4 sheets.
For stuff that I create myself, I prefer HTML, or in general: the simplest format that will bring the info from A to B and is easy for online viewing. How you can turn it into A4 sheets is of secondary importance. But until a true '21st century' paperless office becomes the norm, PDF will have its place.
Sumatra PDF looks really nice!
I just tried it out since I hate when Adobe PDF viewer says "would you like to update now or in a little while (your computer is ours anyway - hahaha). You will not even be given the option of 'not at all' - hahaha".
I know someone here is thinking "Well, yea! You gotta keep up with the patchin'". But Adobe would like to infect my machine with flash. I prefer my coffee black and my PDFs as non-executables.
She made the willows dance
Although I usually decry any MS Windows-only feature proposal for not supporting Linux, I feel it is appropriate in this case.
Rich And Stupid is not so bad as Working For Rich And Stupid.
Firefox should ship with some minimal PDF reader instead of Adobe's. There's an incredible amount of junk in Adobe's PDF reader, which adds both vulnerabilities and load time. Has anyone ever used the WebBuy feature of Adobe PDF Reader?
"or I can obtain a copy of Office 2008 LEGALLY" Isn't it simply a case of buying a copy? Don't you get some discounts through your place of work? I know I can get my hands on it for £17 from my work. You should check if there's any schemes in place for you and your employer.
Actually, that only works for documents that you can view/edit in Open Office. For general purpose use, you can always opt for PDFCreator. We use it at our clients' offices, and have excellent results.
Postscript.
Or just plain text.
Postscript is a programming language though. It can infinite loop and read / write files.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
I suspect that it's not the PDF format itself that has 'vulnerabilities' but it is in fact a certain well-known software that *reads* PDF format. And possibly only when running on a certain well-known software platform that is itself not famous for its lack of vulnerabilities.
Of course, the vast majority of PHB's and Joe Sixpacks don't have the capacity or inclination to understand those distinctions, so TFA didn't bother to make it.
1. Has a tendency to make your browser freeze up
2. Tries to infect some sort of TSR in Windows called Acrord32
3. Will frequently pop up a "checking for updates" dialog
4. Makes the fastest of computers slow to a crawl.
5. a super-jumpy scrolling interface
No wait, those aren't malware symptoms, that's just in Adobe's product. Next week we will discuss the incredible annoyances of the "java runtime environment" daily annoyances & clog-ups in "Add/Remove Programs". Do ANY software vendors know how annoying their software can be at times? Even Apple is guilty of forcing add-on installs you have no choice to get out of.
PDF displayers are a great example of the kind of application that should be trivially sandboxable. The process needs access to hardly anything; no network access needed, no filesystem access is even needed (just pipe the data in).
It should run as nobody.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Is the link in pdf format???
Is that better than PrimoPDF? The latest version of PrimoPDF annoys the hell out of me sometimes.
No colour or religion ever stopped the bullet from a gun
CutePDF. It shows as a printer. Print to it, and you get a file save dialog asking where to put the PDF.
As a bonus, it uses GPL Ghostscript as its backend.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Or one could read his post and discover that was never mentioned.
Boot Windows, Linux, and ESX over the network for free.
Learning to deal with twits dictating from their high horse
I somehow expect more from one who claims to be a university professor.
Boot Windows, Linux, and ESX over the network for free.
MS has always offered free Office document viewers, since the early Jurassic. But, don't tell your students that. Get them used to PDFs while you have some authority!
I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
He's no fanboy - read the other responses on the thread. Just someone who has problems with the compatibility pack being not all it's cracked up to be.
"I Know You Are But What Am I?"
This title begs for a notnews. I just can't think of any ideas for it. Although WordPad for Windows 7 is probably vulnerable.
http://rocknerd.co.uk
Mac Firefox users can get a similar lightweight pdf plugin that uses the same libraries with this plugin.
I found that Sumatra and Foxit didn't render as nicely as Adobe's Reader, which is a shame because I really wanted to use them. But you can make reader as fast as Foxit (actually, a tiny bit faster) by just renaming the "plugins" folder found in the folder where AcroRead.exe resides so it doesn't know where all that code is. It starts up without throwing errors at you too. I ended up putting the search.dll back in, but haven't missed anything else yet.
Should I assume that without all that extra plugin crap, this security issue is null?
CutePDF will work for any program that can print.
Shouldn't all professors accept papers in at least one open format like PDF? Or even only accept documents in specific open formats? Just seems like the right way to do it. That way you don't require a student to buy any one specific program or use any specific OS.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
I like PDFCreator but the last time I checked it didn't work with Vista.
Still a good program but I am sure that some students are stuck with a Vista machine.
CutePDF works with Vista and XP.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
You are correct in that I neglected to mention that. I am sorry that my omission has led to this misunderstanding.
It is strictly a technical issue. I want to be able to read my students' assignments. The OS X .docx converter converts to .rtf and does not preserve equations or formatting.
I will support .docx as soon as I can read the file format properly. I have contacted my university IT department and we have an arrangement with Microsoft to provide Office 2007/2008 to faculty. I will be picking up my copy of Office 2008 shortly and I will inform my students that the "ban" on Office 2007/2008 documents has been lifted because the reason it was imposed has been addressed.
I realize I should have _asked_, but on the secured site where we can download the software that our arrangement with Microsoft makes available to us there is only Windows software, no OS X versions of anything. It appeared that they were only providing Windows-compatible software. Fortunately, in this case, I was mistaken.
I'm sorry, but in that very brief article linked, I saw absolutely ZERO analysis concerning frequency.
YAY! There's an exploit and toolkit. The existence of which is, in some sense, a useful piece of prior information for establishing the probability that there MIGHT BE an increase in frequency in the future - but it's quite a leap to have a freakin' /. link to a corporate article that uses hyperbole in claiming that there is some State of Nature or State of Knowledge that points to .pdf attacks being "On the rise".
"oohhh... I didn't know Schopenhauer was a philosopher!"
The solution to the imperfect scan is to scan the image and present that to the reader, but OCR it and use that as the basis for searching. Sure, the search results will be imperfect but they'll be useful.
Google Books is essentially this.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Can anyone answer why I can't get a PDF writer that renders a web page reasonably? Two recent examples (which have different problems) from the front page of Slashdot are:
http://www.expatica.com/be/articles/news/European-Patent-Office-staff-on-strike.html
and
http://www.newscientist.com/blogs/shortsharpscience/2008/09/precrime-detector-is-showing-p.html
Since Adobe Reader has such a bad rep, can anyone recommend a good free alternative for my windows box at work?
"Can't you see that everyone is buying station wagons?"
From the link you reference:
That vulnerability is from 2006, it was patched long ago.
From the link:
Adobe Reader v.8, OTOH, still has an unpatched vulnerability --- but v.9 is clean, as far as Secunia is concerned. The statistics for total vulnerabilities:
Adobe Reader v.7 = 22 vulnerabilities (all patched)
Adobe Reader v.8 = 12 vulnerabilities (all patched but 1)
Adobe Reader v.9 = 0 vulnerabilities
Evince = 1 vulnerability (patched)
Foxit = 3 vulnerabilities (all patched)
Note that Secunia does not recommend blindly comparing statistics in this way, and they're right.
Actually, PCs are assembled from components that originate from all over the world.
ASUS, for example, which made the motherboards of every 1 in 3 PCs sold worldwide in 2007, is headquartered in Taipei (which is not in China, no matter what the Chinese government would like everyone to think), and has manufacturing facilities in mainland China, Mexico, and the Czech Republic.
Intel has facilities worldwide, including Costa Rica, Mexico, and Taiwan.
Most often, to avoid tariffs, PCs sold in the U.S. are assembled in the United States, Canada or Mexico.
My blog
Errmmmmm.....wrong thread. Never mind.
My blog
CutePDF(free) to create, and PDF Annotator(shareware), well, to do everything else. We (Virginia Tech) actually got a site license for Annotator and it was $4 a copy.
We provide xpdf and (Sun's build of) gpdf on our Solaris machines here. On the SPARCs we (and Sun) also provide Acroread and the plugin. I'm more worried about problems in the plugin since that's more likely to get weird stuff loaded. I was about to update it on the SPARCs anyway.
Of course Adobe still refuses to provide acroread for x86 Solaris. Though they do on the SPARC and I am about 100% sure the same source code would work there as well (everything else does...). In fact, why would it be different from any other UNIX/X11 version?
So why can't we get it? Because they refuse to provide it, not on any technical grounds, but just because. They just won't do it because... because they're jerks? I guess. So if the security problem's in their implementation, I'll just remove it from the SPARCs and make all our Solaris machines the same.
PDF Files? Are the editors of this webroom a bunch of kiddy fiddlers?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
For Windows the best (and free/open source) tool I've found is PDFCreator [pdfforge.org]. It installs a "printer" on your computer that outputs to PDF.
I agree. I like the fact that PDFCreator can automatically open a file in the default PDF reader (I use Foxit, myself, but I hear SumatraPDF is worth looking into) which is great when I'm developing printed reports. Saves a lot of trees.
The higher the technology, the sharper that two-edged sword.
Duh, all software use has risks. This whole sub-thread is a discussion about the relative benefits, including risks of future vulnerabilities, of various PDF display programs.
Adobe Reader, in terms of the number of known vulnerabilities, doesn't give a very good impression. The last 3 versions, versions 7-9, have had a total of 34 vulnerabilities. Unfortunately, it is practically impossible to quantitatively compare this with the 1 vulnerability found in Evince, since:
I prefer pdflatex.
If it's so secret, then how come I've never heard of it?
I've never used PrimoPDF before, so I do not know how it compares. With PDFCreator, we set all the parameters for them and then all they do is print and save to file or e-mail. A few of the more advanced users have been able to handle the combining of documents in the PDFCreator spool into one PDF document. Note, however, that we do not install the goofy IE/Firefox toolbars when we do the install.