Rogue PDFs Behind 80% of Exploits In Q4 '09
CWmike writes "Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, ScanSafe announced that by its counting, malicious Adobe Reader documents made up 80% of all exploits at the end of 2009. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. Mary Landesman, a ScanSafe senior security researcher, said, 'Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits.' Exactly why hackers choose Adobe as their prime target is tougher to divine, however. 'Perhaps they are more successful,' she said. 'Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"
1.) Spend millions of dollars on R&D for a new pdf analyzer and redistribute it.
2.) Turn off javascript and any other dynamic content.
We all know option 2 is way too easy, so we'll just go with the first one.
The article does not say "80% of PDF exploits," it says "80% of ALL SOFTWARE exploits."
How much danger am I in once javascript is turned off for Adobe's pdf reader?
How about "Adobe Reader is the only relevant PDF reader on the market"? Is it really that hard to understand?
Or how about:
"Adobe Reader is shit. Zero day exploits are like shooting ducks in a barrel." Or maybe "It's the platform, and Adobe is just the vector du jour. IE was last month's, Office the month before that, and Flash (or something equally widespread, complex, superfluous and buggy) is next month's ..."
Microsoft Windows users are known as the road-kill of the Information Superhighway for a reason, and Adobe can only take some small credit for their contribution to that.
The Future of Human Evolution: Autonomy
Is the problem with the Adobe Reader program itself or the file format? Do third party PDF readers have the same security issues?
Keep the Classic Slashdot.
The reason for the PDF preference is not "me too". It is, simply, the best current trojan delivery vehicle. I send my CV in PDF format, most of the documents that I deal with are in PDF format.
And I have no way of telling if opening a particular PDF in a particular reader will cause an exploit.
Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed. Microsoft Word has been "hardened". The exploits are going for the weakest part -- output that is in a universal format and is commonly shared. That just happens to have one reader that has most of the market share.
Which means that I will continue to use "Evince" and hope that it won't be targeted soon.
Just another "Cubible(sic) Joe"
Attacking Adobe Reader means that people who use Firefox are also at risk. For a long while, the popular security paradigm on Windows was that if you used IE you were at risk, but if you kept up with Windows Update and used only Firefox to browse the web you were pretty much safe from the majority of the exploits in the wild. Now that malicious PDFs are out there in force, users of Firefox are vulnerable once again.
One already can't send PDF attachments, or even links to PDFs, to customers without risk of the mail being deleted or lost in a spam folder.
a) Configure your web browser so it asks you to download pdf files instead of opening them automatically.
b) Use an alternative PDF reader/viewer.
Probably because, based on UI, speed, size, sheer awkwardness and oddball behavior (does it still act like you're doing a reinstall when you change a config option?), Acrobat consists mostly of unmaintainable spaghetti code - leaving it full of potential exploits.
"National Security is the chief cause of national insecurity." - Celine's First Law
It also can't override the evil^H^H^H^H printing protection bit.
PlusFive Slashdot reader for Android. Can post comments.
So, as I understand it, this article (and the referenced report) refer to code, not the total number of infections/attacks. It would be useful to know (1) how many computers are affected by PDF attacks, and (2) how many PDFs out there are compromised.
I run Linux and Mac and people keep telling me that I am missing out on all this great software... so I want to know if I can run these neat new "Rogue PDFs".
I don't read your sig. Why are you reading mine?
Why is JavaScript so easily exploitable? It's probably the APIs available to the JavaScript, and not the language (or interpreter) itself that's exploitable.
ttuttle is a rankmaniac
(Note: Trying not to slashvertise, just sharing some info about a program that's helped me stay secure. I have no affiliation with Secunia, I just like the tool a lot.)
I scan with Secunia's (a Danish computer security company) freeware tool to check if I have insecure applications.
3 times out of 4, when something has a category 4 or category 5 exploit (e.g. click2own), it's Adobe Flash Player, Shockwave, AIR, Reader/Acrobat, etc.
It's also interesting because it tells you if your browsers are insecure (due to plugins or the browser itself). Both IE8 and Chrome are insecure in current versions with all patches.
It was pretty eye opening for me, because I thought that I kept secure, but I had 20 insecure applications when I first got the scanner. I'm always skeptical about getting stuff for free, but I imagine that Secunia uses the data to improve the accuracy of their business software.
To return to the story topic... when possible, use Adobe alternatives (e.g. Sumatra instead of Adobe Reader) and check your Flash Player and Shockwave Player versions at least once a week.
Firefox Users can use Mozilla's plugin check.
One more thing in my diatribe... recent versions of the Shockwave Player don't update correctly. I installed the latest version to fix a couple of critical vulnerabilities only to find out that it wouldn't remove the vulnerable files from my system directory. I had to download the Shockwave uninstaller, reboot my PC, reinstall Shockwave, and reboot again. I felt like I was back on Windows 9x again.
I agree with this analysis of Javascript. It was never designed with security in mind, much like the original versions of Windows.
That said, it's sort of silly anyway. How do these PDFs arrive? By email or downloaded from the internet. And what do we NOT do with email attachments we don't recognise? We DON'T open them. What do we do with something we downloaded from the internet? Scan it for viruses.
We all know the defense. It's getting people to use their brains instead of happily clicking on everything that doesn't dodge their mouse pointer.
The weakest link in security is the user. Ya, it isn't ALL the user's fault, but you can only take secure programming so far before you start trying to protect people from themselves. And, as we all know, trying to protect people from themselves is a good way to piss them off.
I just read PDFs, I don't design or write docs in them. Foxit works just as well for that purpose as Adobe. I can open multiple windows/copies of a PDF with Foxit. I don't know if I can do that with Adobe.
"To stop the terrorists."
In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.
It isn't that. It is the fact that some of the holes took so long to have patches released, so people who don't read techie news (so didn't know to turn JavaScript off in the case of those holes in that area) were vulnerable for some time even once the flaw was "publicly" known. This gave crackers time to throw together a "me too!" exploit for the same bug, and encouraged them to keep looking at the platform (if a hole, once found, stays open for some time then the effort is more worth it than looking for a hole on a platform where security patches are released in a more timely fashion).
The other advantage of attacking Adobe's PDF reader is, as with Flash and other cross-browser plug-ins, one of target audience size. A successful attack may affect users of multiple browsers rather than, for example, just those who run a particular version of IE.
Primitive how? I use it all the time. I put it on all the computers in the company. It is small, fast and secure. I have never had a problem opening, reading or printing a PDF file. When doing those things it is in fact superior to Adobe Reader every time.
Why is it so hard to only have politicians for a few years, then have them go away?
I just got a trojan yesterday through a PDF, while using Foxit and running Windows 7 x64 in Firefox. I didn't think anything of allowing a website to execute a PDF file (I was not aware at the time that you could execute code through a PDF).
The trojan downloaded quite a bit of malware onto my system that I spent last night cleaning from the registry. This is the first time I've gotten malware on my computer in years.
It's a very inconsistent language, full of convolution and idiosyncrasies due to it being a hack from the very beginning.
Just take a look at the wtfjs blog to see some examples of JavaScript's outright stupidity. Keep in mind that those are virtually all language flaws, not problems with the DOM or an API.
This inconsistency makes it very difficult to implement properly, let alone with good performance, and lets security issues slip in that just wouldn't happen when implementing more sensible languages like C, Python, Ruby or Scheme.
The problem is with the language itself, not with the DOM or any APIs. That's why the language itself needs to go.
First flash is blamed for most application crashes on the Mac. Now PDFs are the number one vector for malicious code in Q4 '09. Hard month for Adobe?
I have noticed that while web browsing, even when using the currently latest Mozilla Firefox 3.5.7 or 3.6 with the Ad-Block Plus and PDF Download add-ons installed, I still would get hit with a web page that would automatically push an Adobe Reader PDF file to me and I would have it open automatically. That PDF would be just a page full of random words, but when inspected in depth in Adobe Acrobat, going into the Advanced \ Document Processing \ Edit All JavaScript... menu, you immediately see a script inside the PDF that is launched upon opening that PDF. When I analyzed the script I saw strange calls to the execution functions and methods, along with calls to write out encoded data from an array holding hexadecimal values to files.
With the known exploits in Adobe Reader 9.0 versions and earlier it was easy for me to see why this product was used as a popular attack vector in the last few months for viruses to spread on the Internet.
Luckily, because I use my computer as an ordinary user and use Run As, with User Account Control requesting a password for any administrative work and program installation, I avoided being infected with these Trojan horse PDFs.
Some of you might recommend using the Mozilla NoScript add-in to block all scripts, but the reality is that there is so much JavaScript code out there on the web that turning scripting off makes many web sites unusable, since they've all been designed with this reliance on scripting for navigation.
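As an added example (editor's code, not from any commenter or from Adobe), here is a small Python triage script that automates the kind of inspection described above: it scans a PDF's raw bytes for the action names that make a document run code when it is opened, resolves the `#xx` escapes that PDF names allow (so `/J#61vaScript` is seen as `/JavaScript`), and reports a verdict. Both sample PDFs are constructed for this example; the script is a first-pass indicator, not a full parser.

```python
import re

# Constructed sample: minimal PDF whose catalog /OpenAction runs a JavaScript
# action, with the action name hidden behind a #xx name escape.
SAMPLE_MALICIOUS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: one empty page, no actions or scripts.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name tokens worth flagging and what each one means for the reader.
RISKY_KEYS = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript code",
    b"/OpenAction": "action run when the document is opened",
    b"/AA": "additional actions (e.g. run when a page is shown)",
    b"/Launch": "launch an external application",
    b"/EmbeddedFile": "embedded file attachment",
}

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside PDF name objects (PDF 1.2+ syntax)."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count each risky name token in the (escape-normalized) file bytes.

    Caveat: this looks only at plain bytes. Objects inside compressed streams
    or object streams (/FlateDecode, /ObjStm) are not decoded here.
    """
    norm = normalize_names(data)
    hits = {}
    for key in RISKY_KEYS:
        # Match the whole name token, not a prefix of a longer name.
        n = len(re.findall(re.escape(key) + rb"(?![0-9A-Za-z])", norm))
        if n:
            hits[key.decode()] = n
    return hits


def assess(data: bytes) -> dict:
    """Verdict: 'suspicious' if script runs automatically, 'review' if any
    risky token is present, else 'clean'. Also lists names that only appear
    after un-escaping, which is a common attempt to dodge naive scanners."""
    hits = scan_pdf_bytes(data)
    has_js = "/JavaScript" in hits or "/JS" in hits
    automatic = "/OpenAction" in hits or "/AA" in hits
    obfuscated = [k for k in hits if k.encode() not in data]
    if has_js and automatic:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "obfuscated_names": obfuscated}


if __name__ == "__main__":
    for label, blob in (("constructed malicious", SAMPLE_MALICIOUS),
                        ("constructed benign", SAMPLE_BENIGN)):
        print(label, assess(blob))
```

Run against a real file by reading it in binary mode and passing the bytes to `assess()`; a "review" verdict on a form-heavy PDF is expected, since forms legitimately use actions.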
Yeah it's known to a bunch of nerds but in the real world everyone uses Adobe reader.
I'm using Foxit Reader right now, but after hearing about vulnerabilities similar to Adobe I'm reviewing my options.
Anyone have some suggestions for a more secure PDF reader?
Why is JavaScript so easily exploitable?
Probably because it's a weakly typed language and therefore programmers are sloppy when they use it.
Uh, no one needs Adobe Reader on any platform. There are plenty of alternatives and Foxit is probably the best one (and isn't as bloated as Adobe's).
As another poster pointed out: including scripting capabilities in "static" documents is just dumb. We've already been through this a few years ago, with people sending around Microsoft Office documents.
Microsoft "fixed" this, in the sense that Office now warns you if a document contains scripting. Better, of course, is that many people have learned not to send or accept such documents in the first place. This was part of what made PDFs popular: a format to send documents that (a) cannot easily be changed and (b) is not a security risk. Millions of business documents are sent as PDFs just for these reasons.
How stupid must Adobe be, to open themselves to this kind of attack. There should be no scripting in PDF documents. Alternatively - second best - scripting should be disabled by default, unless the user specifically authorizes it (as with Microsoft Office documents).
Bad Adobe, no donut.
Enjoy life! This is not a dress rehearsal.
They target Adobe's PDF reader because it is extremely widespread, most users don't even realise PDF is a standard and that other readers exist... They think it's a proprietary format only supported by a single program.
As a consequence, virtually every potential victim will be running exactly the same code, or a small subset of possible versions making them a very easy target.
Also Adobe's software hasn't been attacked much before, and therefore is likely to have many more undiscovered bugs.
This is also the reason IE is generally targeted less, now that other browsers are taking significant market share away, except in corporate deployments (where the recent attacks on google proved that targeting IE is still an effective strategy).
Also, most malware filters permit PDF files through.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Don't defend them. Adobe is one of the worst bloatware software companies on the planet. They deserve this flak. Frankly, when my browser locks up, guess what program is almost always to blame? Adobe Reader. What a piece of crap.
The difference is that Windows is the only platform which doesn't come with a PDF reader by default...
And to make matters worse, many users aren't aware that alternative PDF readers exist at all. How many Mac users do you think install Adobe's viewer because they don't realise Preview.app can handle PDF files very well? Users have the mindset that file formats are proprietary and belong to specific programs.
A disturbing number of Mac users actually install Adobe Reader and let it set itself as their default PDF viewer, despite the fact that OS X already comes with a much better PDF viewer. People are conditioned to think that PDF files require Adobe Acrobat.
I had problems viewing documents with complex formatting and embedded Chinese fonts on Foxit. Returned to Adobe. It is easy to miss some information in the document without even realizing it, if the reader sacrifices functionality in favor of being lightweight. I would any day prefer fidelity to the PDF spec over being lightweight.
What no one, especially Adobe, talks about is the possibility that some of these crackers are former programmers for Adobe with access to source code. I'm sure the fact that Adobe rarely fixes holes in its software, preferring to make customers upgrade instead, makes them an even more tempting target. Probably 3/4 of our customers are running Acrobat Reader 7 or earlier because no one wants to go to the trouble of upgrading reader software, and Adobe's filthy habit of forcing customers to install garbage that they vehemently don't want (like their stinking download manager) doesn't help matters.
For that matter, I don't know the situation now, but previously security at Adobe's facilities was almost non-existent. I once had a co-irker who, in the days before WiFi everywhere, would drop by Adobe's offices, tailgate someone into the building and sit down at a random cubicle when he needed Internet access.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
You cannot use Foxit on Livecycle forms and other kinds of interactive forms. Foxit doesn't support online commenting and reviewing, Foxit doesn't support 3d annotations (Reader even supports PMI extensions). Yeah Reader is big, but it has a ton of customer requirements.
Foxit does have security advisories - google it - and it's not even a major target.
There are plenty of alternatives...
This is true. It is also true that most of them load a lot more quickly than the Adobe product. However (sometimes depending on how the PDF is created), most of them don't actually render the PDF as well as the Adobe reader.
I'm sorry, but it's totally untrue! When your browser locks up, it's probably Adobe Flash which is to bla... oh wait, never mind.
We can no longer wait while this threat emerges; it is time for us all to purchase ScanSafe(c) and renew contracts regularly and indefinitely to their fullest. May there be no further discussion of alternative readers, operating systems, or patches and repairs that could be made. This report clearly outlines the repercussions of using the PDF format, in that it is an unholy vessel by which godless demons infest your small business and personal computer to rape the data within. Only through the glory of ScanSafe may you truly be at ease.
Good people go to bed earlier.
This statement shows how clueless the author is about why hackers chose Adobe.
>Exactly why hackers choose Adobe as their prime target is tougher to divine
Adobe apparently has 99% market share for the PDF industry... and also offers free readers without the need for a license or redistribution.
If you think also that almost all windows machines have some form of adobe reader, writer or other installed on them, and most apps cross communicate formats, then you can see why the most successful hacks are PDF files.
I use the Foxit PDF viewer, as it does not contain all the vulnerabilities that Adobe does, as it does not allow JavaScript etc.
For the same reason I prefer Firefox over IE.
Is the number disturbing because it's too low or too high? I use Reader on my Mac because Preview renders some things poorly and lacks a few features.
It's a very inconsistent language, full of convolution and idiosyncrasies due to it being a hack from the very beginning.
Ahhh I see the problem -- you're confusing JavaScript with PHP!
Acrobat is cross-platform, but this only affects Windows users in practice - because Mac users use Preview, and Unix users use something Xpdf/GhostScript-derived.
Solution: FoxitPro. Now.
http://rocknerd.co.uk
The requirements are shit. If you want to edit, do not use PDF. PDF should be scaled back to what it was needed for. All these "requirements" are really just trying to use the wrong format to do what you want. When you try to make one format do everything in the world it WILL be buggy. It WILL be slow. It WILL be insecure. It's not like the users here never want a PDF to do something else for them. I just refuse to allow it into my environment.
"In 2009, 107 Adobe vulnerabilities were logged into CVE, nearly double the 58."
I've been using Sumatra PDF for the last year. It's rather clunky and uses too much memory on long documents, but it's adequate for most viewing.
Its renderer is rather slow, though. And when you zoom, it renders the document first zoomed in X, then, seconds later, in Y as well. That's just stupid.
Users have the mindset that file formats are proprietary and belong to specific programs.
How about:
Users have the mindset that their documents are somehow stored "inside" the program. Consider a conversation I had recently about a customer that needed a newer office suite, but didn't like the Office 2K7 ribbon:
Me: Ok...so we'll uninstall Office 97, and install OpenOffice instead. It's free.
Them: But all my documents are in Word.
Me: Yes. OpenOffice will handle them just fine.
Them: But all my documents are stored in Word. If you take Word off my computer, how will I get my documents?
Me: Just use the File->Open menu in OpenOffice, and load the file.
Them: [blank stare]
Me: The documents are still on your computer, you'll just load them in a different program.
Them: But...[weakly]..all my documents are in Word.
They honestly thought that Word was somehow this black box thing that "contained" all their documents, and gave them the ability to edit them at the same time. They were absolutely convinced that removing Word from their computer would take all their documents with it.
"City hall" in German is "Rathaus". Kinda explains a few things......
Exactly why hackers choose Adobe as their prime target is tougher to divine, however.
Adobe Reader and Adobe Flash have as close to a 100% share of the desktop as makes no difference. The geek's dislike of these programs has had no more effect on their use than the phases of the moon or the rising and setting of the sun.
The Complete National Geographic on DVD was a runaway software best-seller during the Christmas shopping season. Adobe AIR powered, of course
The Flash 10 Beta Player [for Windows] delivers hardware accelerated H.264 HD video today - and not in some nebulous HTML5 future.
Says you, but if you had people handing you cash to do this you'd gladly get your company's engineering department to make it.
I mean - how do you personally justify HTML with JavaScript? It's the same concept.
This US-CERT vulnerability note has details of the steps for making Adobe Reader safe to use:
http://www.kb.cert.org/vuls/id/508357
As you mentioned, disabling JavaScript helps. But you can also prevent PDFs from opening automatically with the plug-in, and also prevent them from opening automatically with the stand-alone reader. There are some other mitigations there as well.
Of course, this all requires manual configuration. There is no hope for the average home user.
'Probably 3/4 of our customers are running Acrobat Reader 7 or earlier because no one wants to go to the trouble of upgrading reader software, and Adobe's filthy habit of forcing customers to install garbage that they vehemently don't want (like their stinking download manager) doesn't help matters.'
The thing I especially love about this is how Adobe have now stopped providing security updates for Acrobat 7 (the full version you pay money for, not just the reader). Acrobat 7 was a current product until just over 3 years ago, and now the only way to get a safe installation is to pay again for a version upgrade. Given the 'security' record of Adobe products over the last few years, you might think they'd have the good grace to hang their heads in shame and continue fixing a flagship product for a bit longer, if only as a public service. But no, Acrobat 7 is EOL and you pay up or risk getting owned. There's Foxit, of course, but they've recently jumped on the 'installing garbage' bandwagon with a slimy bundled toolbar. I guess that leaves PDF-XChange (which seems rather nice).
So do it the other way.
Install OpenOffice, demonstrate that the files aren't necessarily in Word, and uninstall OO.org.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
And what do we NOT do with email attachments we don't recognise? We DON'T open them. What do we do with something we downloaded from the internet? Scan it for viruses.
It's possible that .PDF exploits are so successful because the average user doesn't think of them as an executable file. Under windows, the idea of "don't open .exe attachments!" has been drummed into the heads of all but the noobest of noobs (grandparents, AOL'ers etc.), but how many "experts" pass every web URL to a virus scanner before browsing to it? (Buffer overflow exploits against some JPG and PNG parsers exist in the wild and may be successfully exploited in older browsers as well as graphics packages.) How many scan a .txt file for viruses? (Even Microsoft's notepad.exe includes one or more undocumented "parsing" features* besides plain text display; who knows if an exploitable bug exists in any of them.) Another way to think is, whose fault is it *really* that a non-executable filetype is... well, executable?
* try this: under Win32, create a new file in Notepad.exe starting with the exact string ".LOG" (no quotes), save and close, and open the file again. The current date and time will be automagically pasted in each time you open the file.
Caveat Emptor is not a business model.
Where is this "real world"? In my experience it's been that users use whatever crap their computer came with or what they use at the office. Average IT shops are too damn stupid to even think they could get by with an alternative PDF writer, even though they could save a bundle of money. And there's the problem. In the "real world" poorly educated masses of IT shops do a poor job by believing their vendors. Sooner or later the competitive edge will adjust that equation, and I for one would rather be on the leading edge than watch it go by.
It's not the point. What I am handed money for is keeping others in the company able to do their job in a safe and secure way at minimal cost to my company. That means that I have to hear some whining once in a while and keep Adobe Reader off my systems. The risk is too high. If my people need to edit documents then they need something that is NOT a PDF. If they need to annotate the PDF then Foxit will do that. It will do it more securely and faster than Reader will. My job is to push for best practices and deal with the bullshit that comes from it. Not to collect a paycheck and follow the path of least resistance.