Slashdot Mirror

← Back to Stories (view on slashdot.org)

PDF Vulnerability Now Exploitable With No Clicking

Posted by CmdrTaco on from the don't-not-click dept.

SkiifGeek writes "With Adobe's patch for the current PDF vulnerability still some time away, news has emerged of more techniques that are available to exploit the vulnerability, this time without needing the victim to actually open a malicious file. Instead, the methods make use of a Windows Explorer Shell Extension that is installed alongside Adobe Reader, and which will trigger the exploitable code when the file is interacted with in Windows Explorer. Methods have been demonstrated of successful exploitation with a single click, with thumbnail view, and with merely hovering the mouse cursor over the affected file. There are many ways that exploits targeting the JBIG2 vulnerability could be hidden inside a PDF file, and it seems that the reliability of detection for these varying methods is spotty, at best."

4 of 206 comments (clear)

  1. Not PDF vulnerability ... Adobe vulnerability by forand · · Score: 5, Insightful

    This vulnerability is not inherent to PDF but to Adobe's implementations.

  2. DONT CROSS THE STREAMS by Gothmolly · · Score: 4, Insightful

    Executable code should not be embedded in documents, the format should not allow it, and document readers should not execute code.

    How fscking hard is this?

    --
    I want to delete my account but Slashdot doesn't allow it.
  3. Non-install alternative for Windows by Morris+Thorpe · · Score: 4, Insightful

    I stopped using Reader long ago - not because of vulnerabilities, but because it was so slow and bloated and it installed stuff I did not want.

    I've been using Sumatra for a very long time and it has done well by me (http://blog.kowalczyk.info/software/sumatrapdf/index.html)
    Download the zip file for a no-install, single-file exe. Minimalistic but more than enough for 90 percent of pdf's I ever need to open (the rest, I open through Google docs.)

  4. Why all the paranoia about executable code by gzipped_tar · · Score: 4, Insightful

    One thing I don't understand is the seemingly common paranoia towards "executable code" in the discussions here.

    First, there's no fundamental difference between "code" and "data". It's all binary blob. The .text section in any of your ELF programs is understood as "executable code" by the interpreter (ld.so) but as plain document by objdump. The point is to always interpret the data as how it is intended to be used, and this is hard. This Adobe fiasco is caused by a buffer overflow in the program (which is not even in a function responsible for JavaScript). Buffer overflows are known to be useful for exploits because they allow an attacker to "cheat" the program so that it misinterprets what intended to be document data as executable code. It just happens that the flawed code can be attacked with greater rate of success using JavaScript. (According to this security advisory http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219)

    Second, embedding executable code in a document is not inherently evil or stupid. It's just an idea that can be either utilized or abused, varying from implementation to implementation. I don't like scripting in PDF either but not for the reason of its alleged insecure nature, but because it bloats the file format.

    Just my 2c..

    --
    Colorless green Cthulhu waits dreaming furiously.