Rogue PDFs Behind 80% of Exploits In Q4 '09
CWmike writes "Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, ScanSafe announced that by its counting, malicious Adobe Reader documents made up 80% of all exploits at the end of 2009. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. Mary Landesman, a ScanSafe senior security researcher, said, 'Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits.' Exactly why hackers choose Adobe as their prime target is tougher to divine, however. 'Perhaps they are more successful,' she said. 'Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"
1.) Spend millions of dollars on R&D for a new PDF analyzer and redistribute it.
2.) Turn off JavaScript and any other dynamic content.
We all know option 2 is way too easy, so we'll just go with the first one.
How about "Adobe Reader is the only relevant PDF reader on the market"? Is it really that hard to understand?
Or how about:
"Adobe Reader is shit. Zero day exploits are like shooting ducks in a barrel." Or maybe "It's the platform, and Adobe is just the vector du jour. IE was last month's, Office the month before that, and Flash (or something equally widespread, complex, superfluous and buggy) is next month's ..."
Microsoft Windows users are known as the road-kill of the Information Superhighway for a reason, and Adobe can only take some small credit for their contribution to that.
The Future of Human Evolution: Autonomy
Attacking Adobe Reader means that people who use Firefox are also at risk. For a long while, the popular security paradigm on Windows was that if you used IE you were at risk, but if you kept up with Windows Update and used only Firefox to browse the web you were pretty much safe from the majority of the exploits in the wild. Now that malicious PDFs are out there in force, users of Firefox are vulnerable once again.
So, as I understand it, this article (and the referenced report) refer to code, not the total number of infections/attacks. It would be useful to know (1) how many computers are affected by PDF attacks, and (2) how many PDFs out there are compromised.
Adobe Reader's web plugin simply opens PDFs without any warning. Nor does it warn if there is JavaScript running on the PDF. It's a cracker's dream. Most other applications give some kind of warning, especially if there's something scripted in the document. Adobe does none of this. Heck, you can disable JavaScript but it will helpfully remind you that it's disabled and offer to unblock it if you attempt to open a PDF with JavaScript. It's really an incredibly terrible way to handle security.
This thing should at least be shipping with JS disabled and the only way to enable it is by going into Preferences. The web plugin should be retired and just force the PDF to open in the full reader. One can dream, right?
I agree with this analysis of JavaScript. It was never designed with security in mind, much like the original versions of Windows.
That said, it's sort of silly anyway. How do these PDFs arrive? By email or downloaded from the internet. And what do we NOT do with email attachments we don't recognise? We DON'T open them. What do we do with something we downloaded from the internet? Scan it for viruses.
We all know the defense. It's getting people to use their brains instead of happily clicking on everything that doesn't dodge their mouse pointer.
The weakest link in security is the user. Ya, it isn't ALL the user's fault, but you can only take secure programming so far before you start trying to protect people from themselves. And, as we all know, trying to protect people from themselves is a good way to piss them off.
Primitive how? I use it all the time. I put it on all the computers in the company. It is small, fast and secure. I have never had a problem opening, reading or printing a PDF file. When doing those things it is in fact superior to Adobe Reader every time.
Why is it so hard to only have politicians for a few years, then have them go away?
Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed.
And IMO this is exactly why everyone should be wary of putting scripting languages into documents. We have a well-established convention of distinguishing "documents" from "applications"; "documents" are passive collections of information, whereas "applications" do stuff.
We block applications and scripts because they do stuff and we can't easily know what it is that they do, but we don't block documents because, in theory, they can't do anything. Loading a document in its proper viewer application shouldn't do anything that the viewer wasn't explicitly designed to do. If you throw scripting applications and macros into the documents, then suddenly the "documents" do stuff too. This, in my opinion, is bad.
Yeah it's known to a bunch of nerds but in the real world everyone uses Adobe Reader.
Worse yet, instead of warning you that a PDF is about to execute JavaScript code, Adobe Reader actively and repeatedly harasses you if you turn off JavaScript, telling you that it won't work properly. This, even if the PDF you are viewing contains no JavaScript whatsoever.
Instead of bothering you when you do something dangerous, it bothers and encourages you to let it behave insecurely. Adobe has become the new Microsoft, with respect to hindering user security.
-- Len
As another poster pointed out: including scripting capabilities in "static" documents is just dumb. We've already been through this a few years ago, with people sending around Microsoft Office documents.
Microsoft "fixed" this, in the sense that Office now warns you if a document contains scripting. Better, of course, is that many people have learned not to send or accept such documents in the first place. This was part of what made PDFs popular: a format to send documents that (a) cannot easily be changed and (b) is not a security risk. Millions of business documents are sent as PDFs just for these reasons.
How stupid must Adobe be, to open themselves to this kind of attack? There should be no scripting in PDF documents. Alternatively - second best - scripting should be disabled by default, unless the user specifically authorizes it (as with Microsoft Office documents).
Bad Adobe, no donut.
Enjoy life! This is not a dress rehearsal.
Why does a document viewer need to run code (JavaScript or whatever)?
99.99% of people use it to display and/or print static documents .... it's only that Adobe keep extending it to do things outside this ....
The core view of a PDF is fairly bug free and exploit free; it is the extensions that are buggy and vulnerable ....
Puteulanus fenestra mortis
The requirements are shit. If you want to edit do not use PDF. PDF should be scaled back to what it was needed for. All these "requirements" are really just trying to use the wrong format to do what you want. When you try to make one format do everything in the world it WILL be buggy. It WILL be slow. It WILL be insecure. It's not like the users here never want a PDF to do something else for them. I just refuse to allow it into my environment.
Why is it so hard to only have politicians for a few years, then have them go away?
Just to be clear: I have no problem with macros. I have no problem with scripts. If you want to write a macro in Word that will make your workflow easier and faster, I think that's great. I think it's great that Microsoft had the forethought to include support for scripting in MS Office.
What I object to is embedding macros in Word documents. I think this is dangerous design. If you want to write your own macro and store it on your computer, then you shouldn't need to embed it in the document itself. If you want to pass the macro to another user, you should be able to store the macro in its own file and copy that file, sending it along with the file you want to run it on.
However, if you want to pass around a single file where you fill out a bunch of fields and it actively does stuff with that information, then that's an application. It's not a document anymore. If Microsoft and Adobe want to enable their users to create their own mini-applications to do this sort of thing, then that seems like a great idea. Create a new file type with a different filename extension so that I can block them in email and otherwise treat them like applications.
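The document-versus-application distinction argued in the comments above can be approximated at a mail or web gateway without a new file extension. The following is an added example, not part of the thread: a Python triage that treats a PDF as an "application" when its raw bytes contain active-content keys, including names hidden with PDF's `#xx` hex escapes. The function names and both sample byte strings are constructed for illustration.

```python
import re

# PDF dictionary keys that make a file "do stuff" when opened or clicked.
ACTIVE_KEYS = ("JavaScript", "JS", "OpenAction", "AA", "Launch")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name is "/" followed by characters that are neither whitespace nor delimiters.
_NAME = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")

# Constructed samples, not taken from any real document.
PASSIVE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (constructed sample) >>\nendobj\n"
)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, which PDF permits inside names (/J#61vaScript)."""
    decoded = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def active_content(pdf_bytes: bytes) -> dict:
    """Count active-content keys found in the raw bytes of a PDF."""
    counts = {}
    for match in _NAME.finditer(pdf_bytes):
        name = decode_name(match.group(1))
        if name in ACTIVE_KEYS:
            counts[name] = counts.get(name, 0) + 1
    return counts


def classify(pdf_bytes: bytes) -> str:
    """Label a scripted PDF as an application and a passive one as a document."""
    if not pdf_bytes.lstrip().startswith(b"%PDF-"):
        return "not-pdf"
    return "application" if active_content(pdf_bytes) else "document"


if __name__ == "__main__":
    for label, sample in (("passive", PASSIVE), ("scripted", SCRIPTED)):
        print(label, classify(sample), active_content(sample))
```

Keys stored inside compressed object streams are not visible to a raw byte scan, so a "document" verdict here means no active keys were found in the clear, not that the file is proven passive.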