Rogue PDFs Behind 80% of Exploits In Q4 '09

CWmike writes "Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, ScanSafe announced that by its counting, malicious Adobe Reader documents made up 80% of all exploits at the end of 2009. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. Mary Landesman, a ScanSafe senior security researcher, said, 'Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits.' Exactly why hackers choose Adobe as their prime target is tougher to divine, however. 'Perhaps they are more successful,' she said. 'Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"

Re:How about

[God'sDuck]

The article does not say "80% of PDF exploits," it says "80% of ALL SOFTWARE exploits."

Or more likely

[FreeUser]

How about "Adobe Reader is the only relevant PDF reader on the market"? Is it really that hard to understand?

Or how about:

"Adobe Reader is shit. Zero day exploits are like shooting ducks in a barrel." Or maybe "It's the platform, and Adobe is just the vector de jour. IE was last months, Office the month before that, and Flash (or something equally widespread, complex, superfulous and buggh) is next month's ..."

Microsoft Windows users are known as the road-kill of the Information Superhighway for a reason, and Adobe can only take some small credit for their contribution to that.

Me too? NOT

[ratboy666]

The reason for the PDF preference is not "me too". It is, simply, the best current trojan delivery vehicle. I send my CV in PDF format, most of the documents that I deal with are in PDF format.

And I have no way of telling if opening a particular PDF in a particular reader will cause an exploit.

Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed. Microsoft Word has been "hardened". The exploits are going for the weakest part -- output that is in a universal format and is commonly shared. That just happens to have one reader that has most of the market share.

Which means that I will continue to use "Evince" and hope that it won't be targeted soon.

Re:Me too? NOT

[Trepidity]

It is, simply, the best current trojan delivery vehicle. I send my CV in PDF format

That is also my reason for choosing this fine document format for my CV.

Re:Me too? NOT

[gad_zuki!]

Adobe reader's web plugin simply opens PDFs without any warning. Nor does it warn if there is javascript running on the PDF. Its a cracker's dream. Most other applications give some kind of warning, especially if there's something scripted in the document. Adobe does none of this. Heck, you can disable Javascript but it will helpfully remind you that its disabled and offer to unblock it if you attempt to open a pdf with javascript. Its really an incredibly terrible way to handle security.

This thing should at least be shipping with js disabled and the only way to enable it is by going into Preferences. The web plugin should be retired and just force the pdf to open in the full reader. One can dream, right?

Re:Me too? NOT

[nine-times]

Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed.

And IMO this is exactly why everyone should be wary of putting scripting languages into documents. We have a well-established convention of distinguishing "documents" from "applications"; "documents" are passive collections of information, whereas "applications" do stuff.

We block applications and scripts because they do stuff and we can't easily know what it is that they do, but we don't block documents because, in theory, they can't do anything. Loading a document in its proper viewer application shouldn't do anything that the viewer wasn't explicitly designed to do. If you throw scripting applications and macros into the documents, then suddenly the "documents" do stuff too. This, in my opinion, is bad.

Re:Me too? NOT

[LenE]

Worse yet, instead of warning you that a PDF is about to execute JavaScript code, Adobe Reader actively and repeatedly harasses you if you turn off JavaScript, telling you that it won't work properly. This, even if the PDF you are viewing contains no JavaScript whatsoever.

Instead of bothering you when you do something dangerous, it bothers and encourages you to let it behave insecurely. Adobe has become the new Microsoft, with respect to hindering user security.

-- Len

Re:Me too? NOT

[Skuld-Chan]

Worse yet, instead of warning you that a PDF is about to execute JavaScript code, Adobe Reader actively and repeatedly harasses you if you turn off JavaScript, telling you that it won't work properly. This, even if the PDF you are viewing contains no JavaScript whatsoever.

Hrm tested this in 9 - it only complains with Javascript disabled that the PDF contains some elements that might not be displayed properly because of the preference, and ONLY IF you open a PDF with Javascript in it.

Static PDF files it does not display any warning if JS is off.

Two simple safeguards that help

[BlueParrot]

a) Configure your web browser so it asks you to download pdf files instead of opening them automatically.

b) Use an alternative PDF reader/viewer.

Re:Should PDFs be dangerous?

[toleraen]

That and disabling browser integration generally mitigates the issue. That is until they figure out a way to force Reader to use javascript regardless of your setting...

But does it run in Linux?

[mspohr]

I run Linux and Mac and people keep telling me that I am missing out on all this great software... so I want to know if I can run these neat new "Rogue PDFs".

Adobe is a security nightmare

[Coopjust]

(Note: Trying not to slashvertise, just sharing some info about a program that's helped me stay secure. I have no affiliation with Secunia, I just like the tool a lot.)

I scan with Secunia's (a Danish computer security company) freeware tool to check if I have insecure applications.

3 times out of 4, when something has a category 4 or category 5 exploit (e.x. click2own), it's Adobe Flash Player, Shockwave, AIR, Reader/Acrobat, etc.

It's also interesting because it tells you if your browsers are insecure (due to plugins or the browser itself). Both IE8 and Chrome are insecure in current versions with all patches.

It was pretty eye opening for me, because I thought that I kept secure, but I had 20 insecure applications when I first got the scanner. I'm always skeptical about getting stuff for free, but I imagine that Secunia uses the data to improve the accuracy of their business software.

To return to the story topic... when possible, use Adobe alternatives (e.x. Sumatra instead of Adobe Reader) and check your flash player and shockwave player versions at least once a week.

Firefox Users can use Mozilla's plugin check.

One more thing in my diatribe...recent versions of the Shockwave Player don't update correctly. I installed the latest version to fix a couple critical vulnerabilities only to find out that it wouldn't reomve the vulnerable files from my system directory. I had to download the Shockwave uninstaller, reboot my PC, reinstall shockwave, and reboot again. I felt like I was back on Windows 9x again.

Re:Adobe is a security nightmare

[fishbulb-]

I opened the Advanced interface of Secunia PSI, the program overview says:
'Cannot display graph, as Adobe Flash Player does not appear to be installed in Internet Explorer on your computer...' then provides a link to install it.

I feel betrayed.

Re:JavaScript just needs to go, wherever it is use

I agree with this analysis of Javascript. It was never designed with security in mind, much like the original versions of Windows.

That said, it's sort of silly anyway. How do these PDFs arrive? By email or downloaded from the internet. And what do we NOT do with email attachments we don't recognise? We DON'T open them. What do we do with something we downloaded from the internet? Scan it for viruses.

We all know the defense. It's getting people to use their brains instead of happily clicking on everything that doesn't dodge their mouse pointer.

The weakest link in security is the user. Ya, it isn't ALL the user's fault, but you can only take secure programming so far before you start trying to protect people from themselves. And, as we all know, trying to protect people from themselves is a good way to piss them off.

It isn't "I want some of that too"

[asdf7890]

In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.

It isn't that. It is the fact that some of the holes took so long to have patches released, so people who don't read techie news (so didn't know to turn Javascript off in the case of those holes in that area) we vulnerable for some time even once the flaw was "publicly" known. This gave crackers time to throw together a "me too!" exploit for the same bug, and encouraged them to keep looking at the platform (if a hole, once found, stays open for some time then the effort is more worth it than looking for a hole on a platform where security patches are released in a more timely fashion).

The other advantage of attacking Adobe's PDF reader is, as with Flash and other cross-browser plug-ins, one of target audience size. A successful attack may affect users of multiple browsers rather than, for example, just those who run a particular version of IE.

Re:Why does anyone use Adobe reader anymore?

[Dishevel]

Primitive how. I use it all the time. I put it on all the computers in the company. It is small, fast and secure. I have never had a problem opening, reading or printing a PDF file. When doing those things it is in fact superior to Adobe reader everytime.

Not just Adobe

[bjackson1]

I just got a trojan yesterday through a PDF, while using Foxit and running Windows 7 x64 in Firefox. I didn't think anything of allowing a website to execute a PDF file (I was not aware at the time that you could execute code through a PDF).

The trojan downloaded quite a bit of malware onto my system that I spent last night cleaning from the registry. This is the first time I've gotten malware on my computer in years.

Because of JavaScript support in Adobe Reader!

[JakFrost]

I have noticed that while web browsing and even when using the currently latest Mozilla Firefox 3.5.7 or 3.6 with Ad-Block Plus and PDF Download add-ons installed I still would get hit with a web page that would automatically push a Adobe Reader PDF file to me and I would have it open automatically. That PDF would be just a page full of random words but when inspected in Adobe Acrobat in depth when you go into the Advanced \ Document Processing \ Edit All JavaScript... menu you immediately see a script inside the PDF that is launched upon opening that PDF. When I analyzed the script I saw calls strange calls to the execution functions and methods along with calls to write out encoded data from an array holding hexadecimal values to files.

With the known exploits in Adobe Reader 9.0 versions and earlier it was easy for me to see why this product was used as a popular attack vector in the last few months for viruses to spread on the Internet.

Luckily, I use my computer as an ordinary user and use Run As with User Account Control requesting a password for any administrative work and program installation I avoided being infected with these Trojan horse PDFs.

Some of you might recommend using the Mozilla No Script add-in to block all scripts but the reality is that there is so much JavaScript code out there on the web that turning scripting off makes many web sites unusable since they've all be designed with this reliance on scripting for navigation.

Re:Why does anyone use Adobe reader anymore?

[Skuld-Chan]

Primitive how. I use it all the time.

You cannot use Foxit on Livecycle forms and other kinds of interactive forms. Foxit doesn't support online commenting and reviewing, Foxit doesn't support 3d annotations (Reader even supports PMI extensions). Yeah Reader is big, but it has a ton of customer requirements.

Foxit does have security advisories - google it, and its not even a major target.

Re:Why does anyone use Adobe reader anymore?

[Dishevel]

The requirements are shit. If you want to edit do not use PDF. PDF should be scaled back to what it was needed for. All these "requirements" are really just trying to use the wrong format to do what you want. When you try to make one format do everything in the world it WILL be buggy. It WILL be slow. It WILL be insecure. Its not like the users here never want a PDF to do something else for them. I just refuse to allow it into my environment.